schwabe / ics-openvpn

OpenVPN for Android

IPv6 leak #1507

Closed 2011 closed 2 years ago

2011 commented 2 years ago

General information

  1. Android Version: 6.0.1
  2. Android Vendor/Custom ROM: LineageOS 13.0-20180211
  3. Device: Samsung Galaxy Tab 2
  4. Version of the app (version number/play store version/self-built): 0.7.37 (F-Droid)

Description of the issue

I have (in the routing tab) "Block IPv6 (or IPv4) if not used by the VPN" checked. Every web site leak test reveals the IPv6 address of the device.

Yes, I saw #1464 (don't know if this represents the same issue or not)

Log (slightly anonymized):

2022-07-08 21:45:36 F-Droid built and signed version 0.7.37 running on Android Galaxy Tab 2 (piranha), Android 6.0.1 (MOI10E) API 23, ABI armeabi-v7a, (samsung/espresso10wifixx/espresso10wifi:4.2.2/JDQ39/P5110XXDML1:user/release-keys)
2022-07-08 21:45:36 Building configuration…
2022-07-08 21:45:36 started Socket Thread
2022-07-08 21:45:37 Network Status: CONNECTED  to WIFI "ssid"
2022-07-08 21:45:37 Debug state info: CONNECTED  to WIFI "ssid", pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 
2022-07-08 21:45:37 Debug state info: CONNECTED  to WIFI "ssid", pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 
2022-07-08 21:45:37 Current Parameter Settings:
2022-07-08 21:45:37   config = 'stdin'
2022-07-08 21:45:37   mode = 0
2022-07-08 21:45:37   show_ciphers = DISABLED
2022-07-08 21:45:37   show_digests = DISABLED
2022-07-08 21:45:37   show_engines = DISABLED
2022-07-08 21:45:37   genkey = DISABLED
2022-07-08 21:45:37   genkey_filename = '[UNDEF]'
2022-07-08 21:45:37   key_pass_file = '[UNDEF]'
2022-07-08 21:45:37   show_tls_ciphers = DISABLED
2022-07-08 21:45:37   connect_retry_max = 0
2022-07-08 21:45:37 Connection profiles [0]:
2022-07-08 21:45:37   proto = udp
2022-07-08 21:45:37   local = '[UNDEF]'
2022-07-08 21:45:37   local_port = '[UNDEF]'
2022-07-08 21:45:37   remote = '23.82.193.66'
2022-07-08 21:45:37   remote_port = '1194'
2022-07-08 21:45:37   remote_float = DISABLED
2022-07-08 21:45:37   bind_defined = DISABLED
2022-07-08 21:45:37   bind_local = DISABLED
2022-07-08 21:45:37   bind_ipv6_only = DISABLED
2022-07-08 21:45:37   connect_retry_seconds = 2
2022-07-08 21:45:37   connect_timeout = 120
2022-07-08 21:45:37   socks_proxy_server = '[UNDEF]'
2022-07-08 21:45:37   socks_proxy_port = '[UNDEF]'
2022-07-08 21:45:37   tun_mtu = 1500
2022-07-08 21:45:37   tun_mtu_defined = ENABLED
2022-07-08 21:45:37   link_mtu = 1500
2022-07-08 21:45:37   link_mtu_defined = DISABLED
2022-07-08 21:45:37   tun_mtu_extra = 32
2022-07-08 21:45:37   tun_mtu_extra_defined = ENABLED
2022-07-08 21:45:37   tls_mtu = 1250
2022-07-08 21:45:37   mtu_discover_type = -1
2022-07-08 21:45:37   fragment = 0
2022-07-08 21:45:37   mssfix = 1492
2022-07-08 21:45:37   mssfix_encap = ENABLED
2022-07-08 21:45:37   mssfix_fixed = DISABLED
2022-07-08 21:45:37   explicit_exit_notification = 0
2022-07-08 21:45:37   tls_auth_file = '[INLINE]'
2022-07-08 21:45:37   key_direction = 1
2022-07-08 21:45:37   tls_crypt_file = '[UNDEF]'
2022-07-08 21:45:37   tls_crypt_v2_file = '[UNDEF]'
2022-07-08 21:45:37 Connection profiles END
2022-07-08 21:45:37   remote_random = DISABLED
2022-07-08 21:45:37   ipchange = '[UNDEF]'
2022-07-08 21:45:37 Waiting 0s seconds between connection attempt
2022-07-08 21:45:37   dev = 'tun'
2022-07-08 21:45:37   dev_type = '[UNDEF]'
2022-07-08 21:45:37   dev_node = '[UNDEF]'
2022-07-08 21:45:37   lladdr = '[UNDEF]'
2022-07-08 21:45:37   topology = 1
2022-07-08 21:45:37   ifconfig_local = '[UNDEF]'
2022-07-08 21:45:37   ifconfig_remote_netmask = '[UNDEF]'
2022-07-08 21:45:37   ifconfig_noexec = DISABLED
2022-07-08 21:45:37   ifconfig_nowarn = ENABLED
2022-07-08 21:45:37   ifconfig_ipv6_local = '[UNDEF]'
2022-07-08 21:45:37   ifconfig_ipv6_netbits = 0
2022-07-08 21:45:37   ifconfig_ipv6_remote = '[UNDEF]'
2022-07-08 21:45:37   shaper = 0
2022-07-08 21:45:37   mtu_test = 0
2022-07-08 21:45:37   mlock = DISABLED
2022-07-08 21:45:37   keepalive_ping = 0
2022-07-08 21:45:37   keepalive_timeout = 0
2022-07-08 21:45:37   inactivity_timeout = 0
2022-07-08 21:45:37   inactivity_minimum_bytes = 0
2022-07-08 21:45:37   ping_send_timeout = 15
2022-07-08 21:45:37   ping_rec_timeout = 0
2022-07-08 21:45:37   ping_rec_timeout_action = 2
2022-07-08 21:45:37   ping_timer_remote = ENABLED
2022-07-08 21:45:37   remap_sigusr1 = 0
2022-07-08 21:45:37   persist_tun = ENABLED
2022-07-08 21:45:37   persist_local_ip = DISABLED
2022-07-08 21:45:37   persist_remote_ip = DISABLED
2022-07-08 21:45:37   persist_key = DISABLED
2022-07-08 21:45:37   passtos = DISABLED
2022-07-08 21:45:37   resolve_retry_seconds = 1000000000
2022-07-08 21:45:37   resolve_in_advance = ENABLED
2022-07-08 21:45:37   username = '[UNDEF]'
2022-07-08 21:45:37   groupname = '[UNDEF]'
2022-07-08 21:45:37   chroot_dir = '[UNDEF]'
2022-07-08 21:45:37   cd_dir = '[UNDEF]'
2022-07-08 21:45:37   writepid = '[UNDEF]'
2022-07-08 21:45:37   up_script = '[UNDEF]'
2022-07-08 21:45:37   down_script = '[UNDEF]'
2022-07-08 21:45:37   down_pre = DISABLED
2022-07-08 21:45:37   up_restart = DISABLED
2022-07-08 21:45:37   up_delay = DISABLED
2022-07-08 21:45:37   daemon = DISABLED
2022-07-08 21:45:37   log = DISABLED
2022-07-08 21:45:37   suppress_timestamps = DISABLED
2022-07-08 21:45:37   machine_readable_output = ENABLED
2022-07-08 21:45:37   nice = 0
2022-07-08 21:45:37   verbosity = 4
2022-07-08 21:45:37   mute = 0
2022-07-08 21:45:37   gremlin = 0
2022-07-08 21:45:37   status_file = '[UNDEF]'
2022-07-08 21:45:37   status_file_version = 1
2022-07-08 21:45:37   status_file_update_freq = 60
2022-07-08 21:45:37   occ = ENABLED
2022-07-08 21:45:37   rcvbuf = 0
2022-07-08 21:45:37   sndbuf = 0
2022-07-08 21:45:37   sockflags = 0
2022-07-08 21:45:37   fast_io = ENABLED
2022-07-08 21:45:37   comp.alg = 0
2022-07-08 21:45:37   comp.flags = 24
2022-07-08 21:45:37   route_script = '[UNDEF]'
2022-07-08 21:45:37   route_default_gateway = '[UNDEF]'
2022-07-08 21:45:37   route_default_metric = 0
2022-07-08 21:45:37   route_noexec = DISABLED
2022-07-08 21:45:37   route_delay = 0
2022-07-08 21:45:37   route_delay_window = 30
2022-07-08 21:45:37   route_delay_defined = DISABLED
2022-07-08 21:45:37   route_nopull = DISABLED
2022-07-08 21:45:37   route_gateway_via_dhcp = DISABLED
2022-07-08 21:45:37   allow_pull_fqdn = DISABLED
2022-07-08 21:45:37   management_addr = '/data/user/0/de.blinkt.openvpn/cache/mgmtsocket'
2022-07-08 21:45:37   management_port = 'unix'
2022-07-08 21:45:37   management_user_pass = '[UNDEF]'
2022-07-08 21:45:37   management_log_history_cache = 250
2022-07-08 21:45:37   management_echo_buffer_size = 100
2022-07-08 21:45:37   management_write_peer_info_file = '[UNDEF]'
2022-07-08 21:45:37   management_client_user = '[UNDEF]'
2022-07-08 21:45:37   management_client_group = '[UNDEF]'
2022-07-08 21:45:37   management_flags = 16678
2022-07-08 21:45:37   shared_secret_file = '[UNDEF]'
2022-07-08 21:45:37   key_direction = 1
2022-07-08 21:45:37   ciphername = 'AES-256-CBC'
2022-07-08 21:45:37   ncp_ciphers = 'AES-256-GCM:AES-128-GCM:AES-256-CBC'
2022-07-08 21:45:37   authname = 'SHA512'
2022-07-08 21:45:37   engine = DISABLED
2022-07-08 21:45:37   replay = ENABLED
2022-07-08 21:45:37   mute_replay_warnings = DISABLED
2022-07-08 21:45:37   replay_window = 64
2022-07-08 21:45:37   replay_time = 15
2022-07-08 21:45:37   packet_id_file = '[UNDEF]'
2022-07-08 21:45:37   test_crypto = DISABLED
2022-07-08 21:45:37   tls_server = DISABLED
2022-07-08 21:45:37   tls_client = ENABLED
2022-07-08 21:45:37   ca_file = '[INLINE]'
2022-07-08 21:45:37   ca_path = '[UNDEF]'
2022-07-08 21:45:37   dh_file = '[UNDEF]'
2022-07-08 21:45:37   cert_file = '[UNDEF]'
2022-07-08 21:45:37   extra_certs_file = '[UNDEF]'
2022-07-08 21:45:37   priv_key_file = '[UNDEF]'
2022-07-08 21:45:37   pkcs12_file = '[UNDEF]'
2022-07-08 21:45:37   cipher_list = '[UNDEF]'
2022-07-08 21:45:37   cipher_list_tls13 = '[UNDEF]'
2022-07-08 21:45:37   tls_cert_profile = 'legacy'
2022-07-08 21:45:37   tls_verify = '[UNDEF]'
2022-07-08 21:45:37   tls_export_cert = '[UNDEF]'
2022-07-08 21:45:37   verify_x509_type = 0
2022-07-08 21:45:37   verify_x509_name = '[UNDEF]'
2022-07-08 21:45:37   crl_file = '[UNDEF]'
2022-07-08 21:45:37   ns_cert_type = 0
2022-07-08 21:45:37   remote_cert_ku[i] = 65535
2022-07-08 21:45:37   remote_cert_ku[i] = 0
2022-07-08 21:45:37   remote_cert_ku[i] = 0
2022-07-08 21:45:37   remote_cert_ku[i] = 0
2022-07-08 21:45:37   remote_cert_ku[i] = 0
2022-07-08 21:45:37   remote_cert_ku[i] = 0
2022-07-08 21:45:37   remote_cert_ku[i] = 0
2022-07-08 21:45:37   remote_cert_ku[i] = 0
2022-07-08 21:45:37   remote_cert_ku[i] = 0
2022-07-08 21:45:37   remote_cert_ku[i] = 0
2022-07-08 21:45:37   remote_cert_ku[i] = 0
2022-07-08 21:45:37   remote_cert_ku[i] = 0
2022-07-08 21:45:37   remote_cert_ku[i] = 0
2022-07-08 21:45:37   remote_cert_ku[i] = 0
2022-07-08 21:45:37   remote_cert_ku[i] = 0
2022-07-08 21:45:37   remote_cert_ku[i] = 0
2022-07-08 21:45:37   remote_cert_eku = 'TLS Web Server Authentication'
2022-07-08 21:45:37   ssl_flags = 192
2022-07-08 21:45:37   tls_timeout = 2
2022-07-08 21:45:37   renegotiate_bytes = -1
2022-07-08 21:45:37   renegotiate_packets = 0
2022-07-08 21:45:37   renegotiate_seconds = 0
2022-07-08 21:45:37   handshake_window = 60
2022-07-08 21:45:37   transition_window = 3600
2022-07-08 21:45:37   single_session = DISABLED
2022-07-08 21:45:37   push_peer_info = DISABLED
2022-07-08 21:45:37   tls_exit = DISABLED
2022-07-08 21:45:37   tls_crypt_v2_metadata = '[UNDEF]'
2022-07-08 21:45:37   server_network = 0.0.0.0
2022-07-08 21:45:37   server_netmask = 0.0.0.0
2022-07-08 21:45:37   server_network_ipv6 = ::
2022-07-08 21:45:37   server_netbits_ipv6 = 0
2022-07-08 21:45:37   server_bridge_ip = 0.0.0.0
2022-07-08 21:45:37   server_bridge_netmask = 0.0.0.0
2022-07-08 21:45:37   server_bridge_pool_start = 0.0.0.0
2022-07-08 21:45:37   server_bridge_pool_end = 0.0.0.0
2022-07-08 21:45:37   ifconfig_pool_defined = DISABLED
2022-07-08 21:45:37   ifconfig_pool_start = 0.0.0.0
2022-07-08 21:45:37   ifconfig_pool_end = 0.0.0.0
2022-07-08 21:45:37   ifconfig_pool_netmask = 0.0.0.0
2022-07-08 21:45:37   ifconfig_pool_persist_filename = '[UNDEF]'
2022-07-08 21:45:37   ifconfig_pool_persist_refresh_freq = 600
2022-07-08 21:45:37   ifconfig_ipv6_pool_defined = DISABLED
2022-07-08 21:45:37   ifconfig_ipv6_pool_base = ::
2022-07-08 21:45:37   ifconfig_ipv6_pool_netbits = 0
2022-07-08 21:45:37   n_bcast_buf = 256
2022-07-08 21:45:37   tcp_queue_limit = 64
2022-07-08 21:45:37   real_hash_size = 256
2022-07-08 21:45:37   virtual_hash_size = 256
2022-07-08 21:45:37   client_connect_script = '[UNDEF]'
2022-07-08 21:45:37   learn_address_script = '[UNDEF]'
2022-07-08 21:45:37   client_disconnect_script = '[UNDEF]'
2022-07-08 21:45:37   client_config_dir = '[UNDEF]'
2022-07-08 21:45:37   ccd_exclusive = DISABLED
2022-07-08 21:45:37   tmp_dir = '/data/data/de.blinkt.openvpn/cache'
2022-07-08 21:45:37   push_ifconfig_defined = DISABLED
2022-07-08 21:45:37   push_ifconfig_local = 0.0.0.0
2022-07-08 21:45:37   push_ifconfig_remote_netmask = 0.0.0.0
2022-07-08 21:45:37   push_ifconfig_ipv6_defined = DISABLED
2022-07-08 21:45:37   push_ifconfig_ipv6_local = ::/0
2022-07-08 21:45:37   push_ifconfig_ipv6_remote = ::
2022-07-08 21:45:37   enable_c2c = DISABLED
2022-07-08 21:45:37   duplicate_cn = DISABLED
2022-07-08 21:45:37   cf_max = 0
2022-07-08 21:45:37   cf_per = 0
2022-07-08 21:45:37   max_clients = 1024
2022-07-08 21:45:37   max_routes_per_client = 256
2022-07-08 21:45:37   auth_user_pass_verify_script = '[UNDEF]'
2022-07-08 21:45:37   auth_user_pass_verify_script_via_file = DISABLED
2022-07-08 21:45:37   auth_token_generate = DISABLED
2022-07-08 21:45:37   auth_token_lifetime = 0
2022-07-08 21:45:37   auth_token_secret_file = '[UNDEF]'
2022-07-08 21:45:37   port_share_host = '[UNDEF]'
2022-07-08 21:45:37   port_share_port = '[UNDEF]'
2022-07-08 21:45:37   vlan_tagging = DISABLED
2022-07-08 21:45:37   vlan_accept = all
2022-07-08 21:45:37   vlan_pvid = 1
2022-07-08 21:45:37   client = ENABLED
2022-07-08 21:45:37   pull = ENABLED
2022-07-08 21:45:37   auth_user_pass_file = 'stdin'
2022-07-08 21:45:37 OpenVPN 2.6-icsopenvpn [git:icsopenvpn/v0.7.37-0-g53560170] armeabi-v7a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 10 2022
2022-07-08 21:45:37 library versions: OpenSSL 3.0.3 3 May 2022, LZO 2.10
2022-07-08 21:45:37 MANAGEMENT: Connected to management server at /data/user/0/de.blinkt.openvpn/cache/mgmtsocket
2022-07-08 21:45:37 MANAGEMENT: CMD 'version 3'
2022-07-08 21:45:37 MANAGEMENT: CMD 'hold release'
2022-07-08 21:45:37 MANAGEMENT: CMD 'bytecount 2'
2022-07-08 21:45:37 MANAGEMENT: CMD 'state on'
2022-07-08 21:45:37 MANAGEMENT: CMD 'username 'Auth' user'
2022-07-08 21:45:37 MANAGEMENT: CMD 'password [...]'
2022-07-08 21:45:37 MANAGEMENT: CMD 'proxy NONE'
2022-07-08 21:45:38 WARNING: --ping should normally be used with --ping-restart or --ping-exit
2022-07-08 21:45:38 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA2-512' for HMAC authentication
2022-07-08 21:45:38 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA2-512' for HMAC authentication
2022-07-08 21:45:38 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 headroom:126 payload:1600 tailroom:126 ET:0 ]
2022-07-08 21:45:38 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 headroom:136 payload:1768 tailroom:562 ET:32 ]
2022-07-08 21:45:38 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1633,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA2-512,keysize 256,tls-auth,key-method 2,tls-client'
2022-07-08 21:45:38 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1633,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA2-512,keysize 256,tls-auth,key-method 2,tls-server'
2022-07-08 21:45:38 TCP/UDP: Preserving recently used remote address: [AF_INET]23.82.193.66:1194
2022-07-08 21:45:38 Socket Buffers: R=[112640->112640] S=[112640->112640]
2022-07-08 21:45:38 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2022-07-08 21:45:38 UDP link local: (not bound)
2022-07-08 21:45:38 UDP link remote: [AF_INET]23.82.193.66:1194
2022-07-08 21:45:38 MANAGEMENT: >STATE:1657316738,WAIT,,,,,,
2022-07-08 21:45:38 MANAGEMENT: >STATE:1657316738,AUTH,,,,,,
2022-07-08 21:45:38 TLS: Initial packet from [AF_INET]23.82.193.66:1194, sid=023eb3ff 5a8c43fd
2022-07-08 21:45:39 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
2022-07-08 21:45:39 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA7
2022-07-08 21:45:39 VERIFY KU OK
2022-07-08 21:45:39 Validating certificate extended key usage
2022-07-08 21:45:39 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2022-07-08 21:45:39 VERIFY EKU OK
2022-07-08 21:45:39 VERIFY OK: depth=0, CN=us8957.nordvpn.com
2022-07-08 21:45:39 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1633', remote='link-mtu 1634'
2022-07-08 21:45:39 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'
2022-07-08 21:45:39 WARNING: 'auth' is used inconsistently, local='auth SHA2-512', remote='auth SHA512'
2022-07-08 21:45:39 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
2022-07-08 21:45:39 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
2022-07-08 21:45:39 [us8957.nordvpn.com] Peer Connection Initiated with [AF_INET]23.82.193.66:1194
2022-07-08 21:45:40 MANAGEMENT: >STATE:1657316740,GET_CONFIG,,,,,,
2022-07-08 21:45:40 SENT CONTROL [us8957.nordvpn.com]: 'PUSH_REQUEST' (status=1)
2022-07-08 21:45:40 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.8.3.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.3.6 255.255.255.0,peer-id 3,cipher AES-256-GCM'
2022-07-08 21:45:40 OPTIONS IMPORT: timers and/or timeouts modified
2022-07-08 21:45:40 OPTIONS IMPORT: explicit notify parm(s) modified
2022-07-08 21:45:40 OPTIONS IMPORT: compression parms modified
2022-07-08 21:45:40 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
2022-07-08 21:45:40 Socket Buffers: R=[112640->262142] S=[112640->262142]
2022-07-08 21:45:40 OPTIONS IMPORT: --ifconfig/up options modified
2022-07-08 21:45:40 OPTIONS IMPORT: route options modified
2022-07-08 21:45:40 OPTIONS IMPORT: route-related options modified
2022-07-08 21:45:40 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2022-07-08 21:45:40 OPTIONS IMPORT: peer-id set
2022-07-08 21:45:40 OPTIONS IMPORT: data channel crypto options modified
2022-07-08 21:45:40 Data Channel: using negotiated cipher 'AES-256-GCM'
2022-07-08 21:45:40 Data Channel MTU parms [ mss_fix:1367 max_frag:0 tun_mtu:1500 headroom:136 payload:1768 tailroom:562 ET:32 ]
2022-07-08 21:45:40 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-07-08 21:45:40 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-07-08 21:45:40 ROUTE_GATEWAY 127.100.103.119 IFACE=android-gw
2022-07-08 21:45:40 do_ifconfig, ipv4=1, ipv6=0
2022-07-08 21:45:40 MANAGEMENT: >STATE:1657316740,ASSIGN_IP,,10.8.3.6,,,,
2022-07-08 21:45:40 MANAGEMENT: CMD 'needok 'IFCONFIG' ok'
2022-07-08 21:45:40 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2022-07-08 21:45:40 MANAGEMENT: CMD 'needok 'DNSSERVER' ok'
2022-07-08 21:45:40 MANAGEMENT: CMD 'needok 'DNSSERVER' ok'
2022-07-08 21:45:40 MANAGEMENT: CMD 'needok 'PERSIST_TUN_ACTION' OPEN_BEFORE_CLOSE'
2022-07-08 21:45:40 Opening tun interface:
2022-07-08 21:45:40 Local IPv4: 10.8.3.6/24 IPv6: (not set) MTU: 1500
2022-07-08 21:45:40 DNS Server: 103.86.96.100, 103.86.99.100, Domain: null
2022-07-08 21:45:40 Routes: 0.0.0.0/0, 10.8.3.0/24 
2022-07-08 21:45:40 Routes excluded: 192.168.0.1/24 0123:4567:89ab:cdef:323:45ff:fe67:89ab/64, fe80:0:0:0:323:45ff:fe67:89ab/64
2022-07-08 21:45:40 VpnService routes installed: 0.0.0.0/1, 128.0.0.0/2, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.168.1.0/24, 192.168.2.0/23, 192.168.4.0/22, 192.168.8.0/21, 192.168.16.0/20, 192.168.32.0/19, 192.168.64.0/18, 192.168.128.0/17, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, 224.0.0.0/3
2022-07-08 21:45:40 Disallowed VPN apps: 
2022-07-08 21:45:40 MANAGEMENT: CMD 'needok 'OPENTUN' ok'
2022-07-08 21:45:40 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2022-07-08 21:45:40 Initialization Sequence Completed
2022-07-08 21:45:40 MANAGEMENT: >STATE:1657316740,CONNECTED,SUCCESS,10.8.3.6,23.82.193.66,1194,,
2022-07-08 21:45:41 Debug state info: CONNECTED  to WIFI "ssid", pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED

(Generated) configuration file:

# Config for OpenVPN 2.x
# Enables connection to GUI
management /data/user/0/de.blinkt.openvpn/cache/mgmtsocket unix
management-client
management-query-passwords
management-hold
setenv IV_GUI_VER "de.blinkt.openvpn 0.7.37" 
setenv IV_SSO openurl,webauth,crtext
setenv IV_PLAT_VER "23 6.0.1 armeabi-v7a Android piranha Galaxy Tab 2"
setenv IV_HWADDR 01:23:45:67:89:ab:cd
tls-cert-profile legacy
machine-readable-output
allow-recursive-routing
ifconfig-nowarn
client
verb 4
connect-retry 2 300
resolv-retry 60
dev tun
remote 23.82.193.66 1194 udp
tun-mtu-extra 32 
auth-user-pass
key-direction 1
mssfix
nobind
remote-cert-tls server
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
cipher AES-256-CBC
auth SHA512
persist-tun
# persist-tun also enables pre resolving to avoid DNS resolve problem
preresolve
# Use system proxy setting
management-query-proxy
# Custom configuration options
# You are on your on own here :)
# These options found in the config file do not map to config settings:
ping 15 
fast-io 
ping-restart 0 
reneg-sec 0 
resolv-retry infinite 
ping-timer-rem

Suggestions for improvements in the configuration file gladly accepted. :)

schwabe commented 2 years ago

The function to block the other protocol if not used by the VPN is an Android OS function. Considering that you have a Samsung device, I am not really surprised that they broke that feature. Your only way is to route IPv6 over the VPN and then block/icmp reject it on the VPN server side or use the block-ipv6 configuration option.
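
Added example (not part of the thread and not the project's code): a small check that reads the tunnel-setup lines of a log like the one in this report and tells whether any IPv6 address or route was handed to the VPN interface, or whether IPv6 is left entirely to the OS-level block described in the reply above. The function names, the verdict strings and the second sample log are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: tunnel-setup lines in the format of the log in this
# report (route list shortened).
SAMPLE_LOG = """\
2022-07-08 21:45:40 do_ifconfig, ipv4=1, ipv6=0
2022-07-08 21:45:40 Local IPv4: 10.8.3.6/24 IPv6: (not set) MTU: 1500
2022-07-08 21:45:40 Routes: 0.0.0.0/0, 10.8.3.0/24
2022-07-08 21:45:40 VpnService routes installed: 0.0.0.0/1, 128.0.0.0/2, 192.0.0.0/9, 224.0.0.0/3
"""

# Constructed counter-example (assumed format): IPv6 address and default
# route both handed to the tunnel.
SAMPLE_LOG_V6 = """\
2022-07-08 21:45:40 Local IPv4: 10.8.3.6/24 IPv6: fd00::2/64 MTU: 1500
2022-07-08 21:45:40 VpnService routes installed: 0.0.0.0/1, 128.0.0.0/1 ::/0
"""

ROUTES_RE = re.compile(r"VpnService routes installed:\s*(.*)")
LOCAL_RE = re.compile(r"Local IPv4: \S+ IPv6: (.+?) MTU:")


def installed_routes(log):
    """Networks listed on the 'VpnService routes installed' line(s)."""
    nets = []
    for match in ROUTES_RE.finditer(log):
        for token in re.split(r"[,\s]+", match.group(1).strip()):
            if token:
                nets.append(ipaddress.ip_network(token, strict=False))
    return nets


def ipv6_tunnel_state(log):
    """Classify IPv6 handling: 'os-block-only', 'partial' or 'tunnelled'."""
    local = LOCAL_RE.search(log)
    v6_addr = local.group(1) if local else "(not set)"
    v6_routes = [n for n in installed_routes(log) if n.version == 6]
    if v6_addr == "(not set)" and not v6_routes:
        # No IPv6 address or route reaches the tun device, so nothing in the
        # VPN client touches IPv6; only the OS-level block stands in the way.
        return "os-block-only"
    covered = sum(n.num_addresses
                  for n in ipaddress.collapse_addresses(v6_routes))
    # Full coverage means every IPv6 destination is routed into the tunnel,
    # where the client or the server can then drop or reject it.
    return "tunnelled" if covered == 2 ** 128 else "partial"


if __name__ == "__main__":
    print(ipv6_tunnel_state(SAMPLE_LOG))
    print(ipv6_tunnel_state(SAMPLE_LOG_V6))
```

A verdict of `os-block-only` corresponds to the log in this report, where the tunnel is IPv4-only and the IPv6 block depends on the platform honouring it.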