Menu
What's new
By:
Filters Better Search

IPv6 leak through VPN

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

J

Jimbo

Occasional Visitor
Hi all,


I managed to get my AC56U to run both OpenVPN client and Server.
For the client, I have setup the firewall rules to drop any connection outside in case the VPN drops. All working well until I enabled IPV6.

The router is doing DHCP6 (IPV6 enabled), since my I receive IPV6 from my ISP. (!)

The surprise comes because now my IPV6 is visible, instead of being obscured by the VPN tunnel just like my IPV4. -> Leak!

I'm wondering if this is already a bug from the firmware that should not be there. But in any other case, does anyone have a clue on how to prevent this?.
IPV6 are bound to interfaces, which is shared with my IPV4 of course, so not sure how to block/drop the connection via ipv6tables for example, while keeping the VPN alive via IPV4 of course.

Appreciated if any input is available. As well as I'd like to hear a piece of mind message from @RMerlin, in case this is an unintended leak and users might not be aware, or only a false alarm. FW I'm running is 378.54_alpha3, which was so far so good till now.
 
OpenVPN only supports IPv4.
 
That's not really right, you can run the proto tcp6-server, etc rules, can't you?.

At least I anabled listening to IPv6 port via the IPv4 VPN connection with proto tcp6.

But what I'm asking has nothing to do with IPv6 support on OpenVPN. How would the router allow to publish my IPv6, when there is an OpenVPN tunnel running, for which I have policy rules (IPv4 of course). This should not happen in my opinion.

Could you tell me how to prevent this leak?....IPv6 address & DNS6 being exposed outside the tunnel?. Otherwise this looks like a serious vulnerability from the firmware, in my opinion as I mentioned.
 
Jimbo said:
That's not really right, you can run the proto tcp6-server, etc rules, can't you?.
Click to expand...

I meant the OpenVPN implementation in Asuswrt.

Jimbo said:
But what I'm asking has nothing to do with IPv6 support on OpenVPN. How would the router allow to publish my IPv6, when there is an OpenVPN tunnel running, for which I have policy rules (IPv4 of course). This should not happen in my opinion.
Click to expand...

IPv6 and IPv4 run on separate stacks, each with its own routing tables. There's no simple solution there beside disabling IPv6 support (that includes Teredo on Windows clients).

To reroute IPv6 traffic, you'd need a tunnel that is also connected through IPv6. https://community.openvpn.net/openvpn/wiki/IPv6

Note that the problem will also affect people running the tunnel provider's own client in many cases.

https://www.bestvpn.com/blog/21935/report-raps-vpns-for-ipv6-dns-leakage/
 
You must log in or register to reply here.

Similar threads

zquestz
Dual WAN IPv6
Replies
2
Views
313
zquestz
zquestz
M
DNS Leak due to Wireguard DNS and PiHole Upstream DNS
Replies
8
Views
1K
mehravishay
M
I
Router have connectivity but client doesn't
Replies
1
Views
475
iTheMask
I
Groot
WireGuard VPN leaking DNS with DNS Director / RT-AX88U
Replies
5
Views
973
Groot
Groot
B
IPv6 and NextDNS Configuration Assistance Request
Replies
19
Views
926
easyriider
easyriider
Similar threads
Thread starter Title Forum Replies Date
zquestz Dual WAN IPv6 Asuswrt-Merlin 2
N IPv6 6RD tunnel block/allow by mac/IP Asuswrt-Merlin 3
S How to obtain and change the IPv6 prefix Asuswrt-Merlin 3
J IPv6 WAN Prefix Length Setting in WebGUI (3004.388.8_2)? Asuswrt-Merlin 14
L Adaptive QoS support ipv6? Asuswrt-Merlin 0
L IPV6 and PPPoE Asuswrt-Merlin 9
Zigster IPV6 and OpenVPN on Asus Merlin on Asus GT-AXE11000 Asuswrt-Merlin 0
C VPN doing a lot of unrecognized options without them even being in the config IPV6 issue Asuswrt-Merlin 3
U DDNS and ipv6: eth0 not getting WAN ipv6 address. Asuswrt-Merlin 0
jorhett IPv6 Traceroute broken in 388.6 ? Asuswrt-Merlin 11

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 659 (members: 23, guests: 636)
Top