StreisandEffect / streisand

Streisand sets up a new server running your choice of WireGuard, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, or a Tor bridge. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.
https://twitter.com/streisandvpn

OpenVPN IPv6 address information leaks #97

Open summerjob opened 9 years ago

summerjob commented 9 years ago

I'm on OS X connected via OpenVPN-direct using Tunnelblick (plus custom DNS) and IPv4 is assigned correctly to my Streisand VPN server's IP. However, IPv6 shows my original IP & provider info, as you can test here (http://test-ipv6.com). What to do?

jlund commented 9 years ago

If I'm remembering right, you are using DigitalOcean. Most DigitalOcean regions don't support IPv6 yet, so the OpenVPN server doesn't (and can't) send IPv6 routing information. Because of this, Tunnelblick is only routing IPv4 traffic through the VPN.

You can disable IPv6 support in your OS X settings to prevent this type of leak.

IPv6 adoption is definitely trending upwards. Hopefully DigitalOcean, AWS, and other major server providers will get on board soon.

mndfcked commented 9 years ago

Just a little reminder on this issue. IPv6 is officially supported by DO but only via APIv2. Since v1 is sunsetting (#156) and this issue may render streisand useless for naive users, we may push the adoption of v2.

SyedAmerGilani commented 8 years ago

This is not only a possible leak, it is one. When creating a streisand instance on DO with APIv2, the droplet is created without ipv6 support. Then the OpenVPN config does not disable ipv6 routing on the client. When the client does have a native ipv6 connection, all ipv6 traffic is routed around the VPN. Since ipv6 adoption is very high, most of the traffic is routed around the VPN, which makes it pointless.

Example with an OpenVPN connection to my fresh streisand instance: ipv4

tracepath -n google.de
 1?: [LOCALHOST]                                         pmtu 1500
 1:  10.8.0.1                                             28.613ms 
 1:  10.8.0.1                                             27.775ms <- OpenVPN Tunnel
 2:  46.101.128.xxx                                       28.608ms <- DO droplet
 3:  5.101.109.28                                         29.065ms 
 4:  5.101.109.21                                         28.524ms asymm  3 
...

ipv6:

tracepath6 -n google.de
 1?: [LOCALHOST]                        0.189ms pmtu 1492
 1:  2003:4c:6832:4100:224:xxxx:xxxx:xxxx                  4.166ms <- local ipv6 router
 1:  2003:4c:6832:4100:224:xxxx:xxxx:xxxx                  1.252ms 
 2:  2003:0:1203:207::1                                   19.143ms 
 3:  2003:0:1203:248::2                                   21.455ms 
 4:  2003:0:1206::1                                       19.743ms 
...
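The tracepath comparison above shows the leak by hand. As an added example (not from the Streisand project and not from any participant in this thread), here is a small POSIX shell helper that makes the same check scriptable: it parses the route lookup for a global IPv6 address (`ip -6 route get` on Linux, `route -n get -inet6` on macOS) and reports whether that traffic would leave via a tunnel interface or via the physical uplink. The function names, the tunnel-interface naming patterns and the probe address are assumptions of this example; the sample route lines in the comments are constructed.

```shell
#!/bin/sh
# Added example, not Streisand project code. Detects whether global IPv6
# traffic would bypass the VPN tunnel. Function names are assumptions.

# Extract the outgoing interface from route-lookup output.
# Linux line (constructed):  "2001:db8::1 from :: via fe80::1 dev wlan0 proto ra"
# macOS line (constructed):  "  interface: utun1"
route_dev() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i < NF; i++)
              if ($i == "dev" || $i == "interface:") { print $(i + 1); exit } }'
}

# 0 when the interface name looks like a VPN tunnel (tun*, utun*, tap*, wg*),
# 1 otherwise. Adjust the patterns to your VPN software (assumption).
is_tunnel_dev() {
    case "$1" in
        tun*|utun*|tap*|wg*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify one route lookup: prints "tunnel", "leak" or "no-ipv6".
classify_route() {
    dev=$(route_dev "$1")
    if [ -z "$dev" ]; then
        printf 'no-ipv6\n'      # no IPv6 route at all, so nothing can leak
    elif is_tunnel_dev "$dev"; then
        printf 'tunnel\n'      # global IPv6 goes into the VPN
    else
        printf 'leak\n'        # global IPv6 leaves via the physical uplink
    fi
}

# Live check. Probe address is an assumption (any global unicast address works).
check_live() {
    probe=2001:4860:4860::8888
    if command -v ip >/dev/null 2>&1; then
        out=$(ip -6 route get "$probe" 2>/dev/null | head -n 1)
    else
        out=$(route -n get -inet6 "$probe" 2>/dev/null)
    fi
    classify_route "$out"
}
```

Run `check_live` while connected; "leak" means the same thing the tracepath6 output above shows, and "tunnel" is what the push-route approach discussed later in the thread aims for. "no-ipv6" is what you get after disabling IPv6 system-wide.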

jlund commented 8 years ago

Adding full IPv6 support and documentation is high on my list of things to do.

alxlion commented 8 years ago

Waiting for ipv6 for DO... is someone working on it?

msteindorfer commented 8 years ago

I'd also be interested to see IPv6 support. I set up streisand yesterday; it is an awesome tool!

alxlion commented 8 years ago

I do not know about L2TP/IPsec, but for OpenVPN the config files may contain proto udp6 to route on both ipv4 and ipv6. It does not seem too complicated to implement.

https://community.openvpn.net/openvpn/wiki/IPv6

DavidWittman commented 8 years ago

Until IPv6 support is added, it'd be nice to see these commands added to the documentation:

Linux

sysctl -w net.ipv6.conf.all.disable_ipv6=1

Mac

networksetup -setv6off Ethernet && networksetup -setv6off Wi-Fi

brightonbob commented 7 years ago

Just installed and noticed a leak of IPv6 info from my DO server. I didn't see this issue flagged, or the temp solution (as noted by DavidWittman: sysctl -w net.ipv6.conf.all.disable_ipv6=1), in the docs yet? Is there any progress or plans for this?

weyert commented 7 years ago

Yes, I noticed the same issue when using Linode to create a Streisand server. Connecting with OpenVPN, it will then show an IPv6 IP address from my ISP (Sky UK).

sebastienbarre commented 7 years ago

Just a quick note that for Mac/OSX users, the above command by @DavidWittman:

networksetup -setv6off Ethernet && networksetup -setv6off Wi-Fi

might fail to disable IPv6 for your Wi-Fi adapter on recent laptops, which do not have an Ethernet adapter (the first call to networksetup will fail, preventing the second from executing).

Better safe than sorry, execute them separately:

networksetup -setv6off Ethernet
networksetup -setv6off Wi-Fi

BTW, this is the error message you might get:

networksetup -setv6off Ethernet
Ethernet is not a recognized network service.
** Error: The parameters were not valid.

Lexy2 commented 6 years ago

@sebastienbarre, you could use a command networksetup -setv6off Ethernet; networksetup -setv6off Wi-Fi. This way the second command will execute even if the first one fails.

grigorig commented 6 years ago

In this day and age, it is a horrible idea to disable IPv6 system-wide. Nobody should ever recommend this!

It should be quite easy to push IPv6 configuration to clients and then null-route it on the Streisand server side, though. This should always work and does not require any special client configuration.

asomov commented 4 years ago

@grigorig: (I am one of those who disabled IP6 in order to use Streisand) Can you please provide a description of the steps to follow your proposal?

grigorig commented 4 years ago

I think it should be enough to add a command to OpenVPN to have clients add a route for all global IPv6 addresses. Add push "route-ipv6 2000::/3" to the OpenVPN server configuration. That way, all globally routable IPv6 traffic should be sent over the VPN interface, but it will end up nowhere because the VPN server cannot route it. You might also need to add a bogus IPv6 server configuration (as described in the OpenVPN documentation), not sure.
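The proposal above, written out as an added example (not Streisand's own code and not grigorig's): a POSIX shell helper that appends the two OpenVPN server directives the idea needs and installs the server-side null route. `server-ipv6` is the "bogus IPv6 server configuration" the comment refers to: it assigns every client a tunnel address from a prefix, which the client needs before it can install the pushed `route-ipv6 2000::/3`. The ULA prefix, the config path and the function names are assumptions of this example; the script must run as root on the Linux server, and OpenVPN has to be restarted afterwards for the pushed options to reach clients.

```shell
#!/bin/sh
# Added example, not Streisand project code. Server-side IPv6 "sink" for an
# OpenVPN server that has no IPv6 uplink: clients send all global IPv6 into
# the tunnel, the server drops it, so the client's ISP never carries it.
# Prefix, path and function names are assumptions.

VPN6_PREFIX="${VPN6_PREFIX:-fd00:5741:4c4c::/64}"     # assumed ULA prefix for tun
SERVER_CONF="${SERVER_CONF:-/etc/openvpn/server.conf}" # assumed config path
SINK_TYPE="${SINK_TYPE:-blackhole}"                    # or "unreachable", see note

# Print the OpenVPN server directives to add.
#   server-ipv6   hands each client a tunnel IPv6 address (needed for route-ipv6)
#   route-ipv6    sends the whole global unicast range (2000::/3) into the tunnel
ipv6_sink_directives() {
    printf 'server-ipv6 %s\n' "$1"
    printf 'push "route-ipv6 2000::/3"\n'
}

# Append the directives to the config once; a second run is a no-op.
add_ipv6_sink() {
    conf="$1"; prefix="$2"
    grep -q '^server-ipv6 ' "$conf" 2>/dev/null && return 0
    ipv6_sink_directives "$prefix" >> "$conf"
}

# Install the server-side null route for global IPv6. The ULA tunnel prefix is
# outside 2000::/3, so client-to-server traffic inside the tunnel is unaffected.
# Refuses to run on a server that really has IPv6 (e.g. a Linode box), where
# sinking would break the host's own connectivity and forwarding/NAT is the
# right fix instead.
install_ipv6_sink_route() {
    if ip -6 route show default 2>/dev/null | grep -q .; then
        echo "server has an IPv6 default route; forward IPv6 instead of sinking it" >&2
        return 1
    fi
    ip -6 route replace "$SINK_TYPE" 2000::/3
}

# Full procedure; restart OpenVPN afterwards (e.g. systemctl restart openvpn@server).
apply_ipv6_sink() {
    add_ipv6_sink "$SERVER_CONF" "$VPN6_PREFIX" && install_ipv6_sink_route
}
```

A `blackhole` route drops silently, so a client that only speaks IPv6 to a host waits for a timeout; `unreachable` returns an ICMPv6 error to the client right away, which lets dual-stack applications fall back to IPv4 inside the tunnel without the delay. Either way the client's native IPv6 path is never used for global destinations, which is what the tracepath6 output earlier in the thread showed going wrong.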