I'm setting up a VPN tunnel for some services. I created a vpntunnel/vpntunnel user/group that is routed to the tun0 interface based on the group ID. That works quite fine. Commands below run as regular user:

curl -4 ifconfig.io <= returns my public IPv4 ip
curl -6 ifconfig.io <= returns my public IPv6 ip

Because my VPN provider doesn't support IPv6 yet, my IP could be exposed. So I added an ip6tables rule:

ip6tables -A OUTPUT -o tun0 -m owner --gid-owner vpntunnel -j REJECT

Now the same commands run as the vpntunnel user:

sudo -u vpntunnel -i -- curl -4 ifconfig.io <= returns my VPN ip
sudo -u vpntunnel -i -- curl -6 ifconfig.io <= connection refused

The refused connection is normal as I blocked IPv6 OUTPUT on tun0. So I thought everything was fine but I did a last check: I went on https://torguard.net/checkmytorrentipaddress.php, copied the magnet link and waited for the results. I was very surprised to see my IPv6 appear. My IPv4 is the VPN IP though so my routing is not completely broken, Transmission uses the VPN tunnel.

I tried to add more rules:

ip6tables -A INPUT -i tun0 -j DROP
ip6tables -I FORWARD -i tun0 -o enp3s0 -j REJECT

But nothing did the trick.

I don't want to disable IPv6 on the machine, I need it.

Any idea? Thanks!

Axel
  • You won't talk IPv6 over an interface without IPv6. What you need to do is to block the user from talking IPv6 on the interfaces that have it. – vidarlo Nov 14 '21 at 09:18
  • just disable ipv6? – djdomi Nov 14 '21 at 10:01
  • @djdomi no, I use IPv6, can't disable it. – Axel Nov 14 '21 at 12:54
  • @djdomi you gave me an idea, and it worked. I added a net.ipv6.conf.tun0.disable_ipv6 = 1 into sysctl. Just fine now. Thanks – Axel Nov 14 '21 at 13:02
  • If you have an answer, you should post the answer and accept it. – Ron Maupin Nov 14 '21 at 14:53
  • @axel if you agree I will add this tomorrow as an answer. – djdomi Nov 14 '21 at 16:16
  • @djdomi, sure, sorry I didn't find how to accept as a solution. – Axel Nov 14 '21 at 17:28
  • It's weird, a reject should NOT give you a timeout. You may have problems with your ICMP in IPv6. A DROP gives a timeout, but not a REJECT. – dominix Nov 15 '21 at 06:03
  • @dominix I said "timeout" but that wasn't right. It's a connection refused – Axel Nov 16 '21 at 09:03
  • Well, I get back to you because it is actually not fixed! When I disabled IPv6 for tun0, I checked again on Torguard.net: it shows my IPv4 but not my IPv6. I thought I won. But a couple of hours (days) later, I checked again and unfortunately my IPv6 is back (?????). I rebooted my server, checked again on Torguard, no IPv6. Two days later, my IPv6 is back. I really don't get it. Any idea? Thanks – Axel Nov 18 '21 at 20:07
  • When connecting to torguard.net, are you sure that your connection goes through your VPN? Your browser may, but not your torrent client. (Check with tcpdump.) – dominix Nov 23 '21 at 23:39
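A small audit of the rule from the question, added here and not posted by anyone in the thread: it parses text in the format of `ip6tables -S OUTPUT` and reports which IPv6-carrying interfaces a `--gid-owner` REJECT/DROP rule leaves open. With the question's `-o tun0` rule it reports enp3s0 (tun0 carries no IPv6, so that rule never matches, which is vidarlo's point); with the same rule written as `! -o lo` it reports nothing. It assumes enp3s0 is the interface that carries the host's IPv6, and that the output may show either the group name or its numeric gid.

```python
"""Audit `ip6tables -S OUTPUT` text: does a --gid-owner block rule cover the IPv6-capable interfaces?"""
import shlex

BLOCKING = {"REJECT", "DROP"}

def parse_rule(line):
    """Pick chain, -o interface (with `!` negation), --gid-owner and -j target out of one rule line."""
    toks = shlex.split(line)
    rule = {"chain": None, "out_if": None, "negate_out": False, "gid": None, "target": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-A":
            rule["chain"] = toks[i + 1]; i += 2
        elif t == "!" and i + 2 < len(toks) and toks[i + 1] == "-o":
            rule["negate_out"], rule["out_if"] = True, toks[i + 2]; i += 3
        elif t == "-o":
            rule["out_if"] = toks[i + 1]; i += 2
        elif t == "--gid-owner":
            rule["gid"] = toks[i + 1]; i += 2
        elif t == "-j":
            rule["target"] = toks[i + 1]; i += 2
        else:
            i += 1  # anything else (-m owner, --reject-with ...) is irrelevant here
    return rule

def uncovered_ifaces(rules_text, group_ids, ipv6_ifaces):
    """Return the interfaces in ipv6_ifaces on which the group's IPv6 packets can still
    leave: no OUTPUT REJECT/DROP rule for that group applies there. group_ids holds the
    group name and/or numeric gid, because `-S` may print the number, not the name."""
    remaining = set(ipv6_ifaces)
    for line in rules_text.splitlines():
        if not line.startswith("-A "):
            continue  # skip -P policy lines
        r = parse_rule(line)
        if r["chain"] != "OUTPUT" or r["gid"] not in group_ids or r["target"] not in BLOCKING:
            continue
        if r["out_if"] is None:
            remaining.clear()  # no -o: the rule fires on every interface
        elif r["negate_out"]:
            remaining &= {r["out_if"]}  # `! -o X`: only X stays open
        else:
            remaining.discard(r["out_if"])  # `-o X`: only X is closed (tun0 alone here)
    return remaining

# Constructed samples: the question's tun0-only rule, and one that covers everything but lo.
# Assumption: enp3s0 (named in the question) is the interface that carries the host's IPv6.
QUESTION_RULES = "-P OUTPUT ACCEPT\n-A OUTPUT -o tun0 -m owner --gid-owner vpntunnel -j REJECT\n"
FIXED_RULES = "-P OUTPUT ACCEPT\n-A OUTPUT ! -o lo -m owner --gid-owner vpntunnel -j REJECT\n"
IPV6_IFACES = {"enp3s0"}
print(uncovered_ifaces(QUESTION_RULES, {"vpntunnel"}, IPV6_IFACES))  # {'enp3s0'}
```

Run it against real output by piping `ip6tables -S OUTPUT` into the `rules_text` argument; the owner match only exists in OUTPUT (and POSTROUTING), which is why the INPUT and FORWARD rules tried in the question cannot cover this case.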
