
I have an OpenVPN server which has IPv4 only. I have an OpenVPN client which has IPv6 and IPv4.

While connected to the VPN the client is exposed to an "IPv6 leak". When the client visits IPv6-enabled web sites, the Internet traffic does not go through the VPN tunnel and his real IP address is exposed to the IPv6 web site in question.

How can I push parameters via the OpenVPN server that will either shut down/block IPv6 traffic, or will route it to nowhere so that his Internet will fail over to IPv4, with the goal of stopping the IPv6 leak while connected to an IPv4-only VPN server?

Note: I know how to block IPv6 traffic manually in Windows and Mac; there are many articles about that. I want to achieve that via the OpenVPN server config, or via the OpenVPN client config if the first is not possible.

(You can test whether you have an IPv6 leak at ipv6leak dot com)

Thank you

user2489483

2 Answers

2

Whilst the most correct answer is Michael Hampton's comment that you should get IPv6 to your OpenVPN server, you could instead cause the OpenVPN server to push a route for 2000::/3, and then reject any IPv6 traffic that arrives. You may need to twiddle what sort of rejection you send back to cause the client to fall back to IPv4 rather than just saying "lolidunno" and giving up, but it'll give a better user experience than just dropping all the IPv6 traffic on the floor (unless your clients all implement Happy Eyeballs, in which case, reach for the DROP).

womble
0

I had the same issue and it looks like OpenVPN now has a way to fix this. Here is a snippet from the OpenVPN docs.

--block-ipv6
On the client, instead of sending IPv6 packets over the VPN tunnel, all IPv6 packets are
answered with an ICMPv6 no route to host message. On the server, all IPv6 packets from
clients are answered with an ICMPv6 no route to host message. This option is intended for
cases when IPv6 should be blocked and other options are not available. --block-ipv6 will
use the remote IPv6 as source address of the ICMPv6 packets if set, otherwise it will use
fe80::7 as source address.

For this option to make sense you actually have to route traffic to the tun interface. The
following example config block would send all IPv6 traffic to OpenVPN and answer all requests
with no route to host, effectively blocking IPv6 (to avoid IPv6 connections from
dual-stacked clients leaking around IPv4-only VPN services).

Client config

--ifconfig-ipv6 fd15:53b6:dead::2/64 fd15:53b6:dead::1
--redirect-gateway ipv6
--block-ipv6

Server config

Push a "valid" IPv6 config to the client and block on the server:

--push "ifconfig-ipv6 fd15:53b6:dead::2/64 fd15:53b6:dead::1"
--push "redirect-gateway ipv6"
--block-ipv6
j7skov