OpenVPN is leaking my IPv6 address and DNS too.

OpenVPN is leaking my IPv6 address and sometimes leaking DNS too. Any solution to resolve this issue?

IIRC this behavior was seen recently on systemd-resolved ...

(EDIT - here's some stuff I found ...)

@slovakian, the easy solution is to turn off IPv6 in the GRUB kernel line. I've been doing that since IPv6 came out, as I don't trust it. (I use a VPN too, but I was doing the !IPv6 thing beforehand.)

To do this, go to your /etc/default directory & find the grub file, then using your favorite text editor with root privileges, add the following to the beginning of the line: ipv6.disable=1 quiet

I have nothing else on the line so mine looks like this:

GRUB_CMDLINE_LINUX_DEFAULT=" ipv6.disable=1 quiet"

After you have done that, save the file, then you need to generate a new grub.cfg by using the following command at the terminal prompt:

sudo grub-mkconfig -o /boot/grub/grub.cfg

Then after a reboot, IPv6 won't work anymore. :slight_smile:

3 Likes

https://wiki.archlinux.org/index.php/IPv6#Privacy_extensions

2 Likes

IPv6 leaks are easily disabled - just like @handy points out.

You can find scripts on the Arch Wiki which change the system DNS to the VPN DNS.

...or just sudo update-grub :wink:

1 Like

@Yochanan, that's much easier. :slight_smile:

How long have we been able to do it like that?
It works across distros I take it - came in a GRUB update?

@slovakian, & anyone else who's interested, you can test whether IPv6 is enabled or not via the command line using the following at your command prompt:

test -f /proc/net/if_inet6 && echo "IPv6 supported" || echo "IPv6 not supported"
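
The one-liner above only reports whether the IPv6 stack is loaded. As an added example (not part of the original posts), this script also checks that ipv6.disable=1 reached the running kernel and lists interfaces other than the VPN tunnel that still hold a global-scope IPv6 address. The tunnel name tun0 and the sample data are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: audit a Linux host for the IPv6 exposure discussed above.
# File arguments default to the live /proc entries; pass copies to test offline.

# Succeeds if the running kernel was booted with ipv6.disable=1.
ipv6_disabled_at_boot() {
    tr ' ' '\n' < "${1:-/proc/cmdline}" | grep -qxF 'ipv6.disable=1'
}

# Lists interfaces other than the tunnel that hold a global-scope IPv6 address.
# /proc/net/if_inet6 columns: address ifindex prefixlen scope flags device
# (scope 00 = global, 20 = link-local, 10 = loopback).
global_v6_outside_tunnel() {
    [ -f "${2:-/proc/net/if_inet6}" ] || return 0  # no file: IPv6 stack is off
    awk -v tun="$1" '$4 == "00" && $6 != tun { print $6 }' \
        "${2:-/proc/net/if_inet6}" | sort -u
}

# Prints "disabled", "exposed: <interfaces>" or "no-global-address".
ipv6_leak_verdict() {
    inet6=${3:-/proc/net/if_inet6}
    if ipv6_disabled_at_boot "${2:-/proc/cmdline}" && [ ! -f "$inet6" ]; then
        echo "disabled"
        return 0
    fi
    exposed=$(global_v6_outside_tunnel "$1" "$inet6" | tr '\n' ' ')
    if [ -n "$exposed" ]; then
        echo "exposed: ${exposed% }"
    else
        echo "no-global-address"
    fi
}

# Constructed sample: IPv6 left enabled, global address on eth0, none on tun0.
demo() {
    d=$(mktemp -d)
    echo 'BOOT_IMAGE=/vmlinuz-linux root=/dev/sda1 rw quiet' > "$d/cmdline"
    cat > "$d/if_inet6" <<'EOF'
00000000000000000000000000000001 01 80 10 80       lo
fe80000000000000021122fffe334455 02 40 20 80     eth0
20010db8000000000000000000000010 02 40 00 00     eth0
fe800000000000008d3a5c1f0e2b7a61 05 40 20 80     tun0
EOF
    ipv6_leak_verdict tun0 "$d/cmdline" "$d/if_inet6"
    rm -rf "$d"
}

demo   # prints: exposed: eth0
```

On a live system, call ipv6_leak_verdict with only the tunnel interface name while the VPN is connected. An "exposed" result means IPv6 traffic can leave through that interface unless the VPN also routes IPv6 through the tunnel.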

It's been around since before grub2, so quite a long time.

Yes and yes.

I've updated my personal wiki. Thanks. :slight_smile:

1 Like

I realise i am going onto a tangent here, but threads like this interest me semi-philosophically. The interwebz have oodles of websites explaining how to disable IPv6 / eliminate IPv6 leaks, & every single time i read one of them they prompt this question in my mind:

Huh? I thought IPv6 was created explicitly because the world was running rapidly out of IPv4 addresses, so what's the future if "everyone" is being advised to cripple the means of lifting the address limit?

To tangentialise my tangent [sigh, i really feel bad for sines & cosines, they never get the glory], this prognostication seems giggle-worthy in context of everyone stampeding to disable IPv6 on "security" grounds:

  1. Security

When networking gurus and researchers developed IPv4 security hadn't really crossed their minds. IPv4 was never meant to be secure.

IPv6 has been built from the ground up with security in mind. Many of the security features that have been duct-taped after the fact onto IPv4 as optional features are integrated into IPv6 as default requirements. IPv6 encrypts traffic and checks packet integrity to provide VPN-like protection for standard Internet traffic.

@kdemeoz, too long ago since I read about the problems with IPv6. I expect that as the years have gone by, the infrastructure that it has to use & that interfaces with IPv6 has come a very long way (in the right direction).

That said, VPNs that I've used either turn off IPv6, or make it really easy to in their GUI interface. I've been turning it off on the GRUB kernel line for years & will continue to do so until IPv4 runs out of addresses.

Here's a link to some of what the Private Internet Access VPN people have to say on the matter:

https://www.privateinternetaccess.com/helpdesk/kb/articles/why-do-you-block-ipv6-2

I just did a search on the AirVPN site, & they have just released Hummingbird v1.0, which was made by taking OpenVPN & forking it (they are at OpenVPN 3.3 at this stage, they are a mile ahead of the OpenVPN devs), fixing all of the bugs, & taking it into new territory (stuff that no one has ever done!). & it runs like a rocket on Raspbian on the Pi. :slight_smile:

It is much faster, much smaller (3MB RAM), & (please refer to my link above) it can put IPv4 & IPv6 data in the same encrypted tunnel.

I'll study this some more & watch it for a while. Then I expect that I'll use it & run IPv4 & IPv6 when I'm online & using VPN. I very rarely have to use internet without a VPN.

So thanks kdemeoz, you caused me to do some research & maybe strike gold. :slight_smile:

1 Like

To clarify, my post was not about querying / doubting the merits of disabling IPv6, nor querying / doubting if IPv6 has security issues. I readily accept these. I was instead being a bit whimsical about what to me seems like a supreme irony... the early proponents of IPv6 touted enhanced security as one of its benefits, when instead perceived lack of security has caused its widespread pillory & disabling. I know i am weird, but that manifest irony simply tickles my funnybone. Meanwhile, the thing designed to solve the imminent IPv4 exhaustion, because of this irony, is in fact effectively unavailable, thus implying we're creeping ever closer to that IPv4 cliff. :woman_facepalming: :sweat_smile:

IPv4 & v6 will be around together for many years. A problem that we have to be careful of, is the fragmentation of the internet. Here is a quick read on what we have to deal with:

https://ipv6friday.org/blog/2012/08/why-bother-with-ipv6/

I think the clever invention of network segmentation, NAT routing etc has postponed the inevitable.

I am also convinced we are falling off another cliff (metaphor) before we run out of IPv4 addresses.

(Specifically referring to the growing environmental issues, the general mental instability of world leaders, the growing instability of radical religion and the growing instability of the population in various parts of the world.)

3 Likes

Most VPN providers don't support IPv6 because they simply don't care about security/privacy or anything other than making money. Especially the ones with nice logos, big promises and modern-looking home pages. They just want to earn as much money as possible with the least effort possible.

Supporting IPv6 costs money. All servers must support it. Many VPN providers even use VMs, which doesn't make it easier. They have to create new configs and add this to their automation. This is all much more complicated than training the user that IPv6 is insecure and needs to be disabled. Especially since it is only a topic if you have local IPv6 from your provider, which is something you often don't get, and that changed only in recent years.

OpenVPN has had full support for a dual-stack IPv4 and IPv6 tunnel since version 2.3 (released 2013); there is no excuse not to use it. IPv6 was even possible with 2.2, but it wasn't that simple to use. The customers don't even need to have IPv6 connectivity from the local ISP to use a dual-stack VPN tunnel.

I used a VPN tunnel for years to get IPv6 connectivity at places without local IPv6.

1 Like

As OpenVPN has been able to for years. This is nothing new.

The OpenVPN 3 project is a complete rewrite of the OpenVPN protocol in C++. The last release is actually 3.5, from November last year. So I would not call this miles behind.

The main problem at the moment is no OpenVPN server support. This is also the main reason it is not considered stable. The OpenVPN 3 library supports only the client part. And that is what AirVPN has forked. The Hummingbird software is also just the client. You cannot run your own VPN server with it. AirVPN still needs to run OpenVPN 2 servers, probably patched to support "CHACHA20-POLY1305" on the data channel. Or some other software that supports the OpenVPN protocol as a server.

The only real improvement is the support for a non-AES cipher on the data channel, since the control channel already supports it (OpenVPN 2.4). This makes OpenVPN faster on embedded systems that don't have hardware-accelerated AES.

1 Like

@xabbu, you are wrong on at least two counts in your posts (though I agree that "most" VPN providers are only interested in making money - like most other people in business at least).

I'm not going to argue with you, as I really don't have the energy to spare to do it properly. :slight_smile:

All the best. :wink:
