Quickly kill IPv6 leaks on your OpenVPN server

You might be running an OpenVPN server and found that your IPv6 clients get their IP leaked. I have a quick fix!

The problem

If your client machine has IPv4 only, you won’t notice any problems. But if your client machine has IPv6 and your OpenVPN server is IPv4 only, the client’s IPv6 traffic bypasses the tunnel and goes to the internet directly. This effectively “leaks” the client’s real IPv6 address and allows the person behind the VPN to be identified.

The solution

We can quickly solve this by giving our OpenVPN server a local IPv6 address, and push an IPv6 route to all clients.

Editing our current OpenVPN config

You will simply have to add two lines to your OpenVPN server config, which is usually found at /etc/openvpn/server.conf or /etc/openvpn/server/server.conf or similar. Simply edit using nano or vim or your favorite editor:

nano /etc/openvpn/server/server.conf

And add the following two lines:

server-ipv6 2001:db8:0:123::/64
push "route-ipv6 2000::/3"

This assigns the prefix 2001:db8:0:123::/64 to your OpenVPN server’s tunnel interface, and then pushes a route so that all traffic for the IPv6 internet (2000::/3 is the global unicast range) is sent through the VPN server instead of the client’s native IPv6 connection.

Killing off IPv6

You might have IPv6 internet on the OpenVPN server but don’t want to support it. Now comes the part where we kill it off!

First, make sure IPv6 forwarding is disabled. Edit /etc/sysctl.conf and uncomment net.ipv6.conf.all.forwarding=1 and change the 1 to a 0 to make sure IPv6 forwarding is not allowed.

Before:

#net.ipv6.conf.all.forwarding=1

After:

net.ipv6.conf.all.forwarding=0

To apply the changes, execute sysctl --system, which will display all variables that were loaded and applied.
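The two config lines above and the sysctl setting are easy to get subtly wrong (a stray leading #, a typo in the prefix), so here is a small audit script that checks both files for exactly the settings this post describes. It is an added example, not part of the original post or of OpenVPN itself; the file paths, the function name audit_ipv6_leak and the sample config files are all constructed here so the check runs offline.

```shell
#!/bin/sh
# Added audit helper (not from the original post): verifies that an OpenVPN
# server config carries server-ipv6 and the pushed route-ipv6 2000::/3, and
# that sysctl.conf explicitly disables IPv6 forwarding.
#
# $1 = path to OpenVPN server config, $2 = path to sysctl.conf
# Prints "OK" and returns 0 when all three settings are present; otherwise
# prints one "missing:" line per finding and returns 1.
audit_ipv6_leak() {
    ovpn_conf="$1"
    sysctl_conf="$2"
    problems=0

    # Without a server-ipv6 prefix, clients get no IPv6 address inside the
    # tunnel and keep using their native IPv6 path (the leak).
    if ! grep -Eq '^[[:space:]]*server-ipv6[[:space:]]+[0-9a-fA-F:]+/[0-9]+' "$ovpn_conf"; then
        echo "missing: server-ipv6 <prefix>/64 in $ovpn_conf"
        problems=$((problems + 1))
    fi

    # The pushed route must cover 2000::/3, the whole global unicast range.
    if ! grep -Eq '^[[:space:]]*push[[:space:]]+"route-ipv6[[:space:]]+2000::/3"' "$ovpn_conf"; then
        echo "missing: push \"route-ipv6 2000::/3\" in $ovpn_conf"
        problems=$((problems + 1))
    fi

    # The post sets forwarding off explicitly; a commented-out line does not
    # match because the pattern is anchored at the start of the line.
    if ! grep -Eq '^[[:space:]]*net\.ipv6\.conf\.all\.forwarding[[:space:]]*=[[:space:]]*0' "$sysctl_conf"; then
        echo "missing: net.ipv6.conf.all.forwarding=0 in $sysctl_conf"
        problems=$((problems + 1))
    fi

    if [ "$problems" -eq 0 ]; then
        echo "OK"
        return 0
    fi
    return 1
}

# Constructed sample files (not real system files) so the demo runs offline.
WORKDIR="$(mktemp -d)"
GOOD_OVPN="$WORKDIR/server-fixed.conf"
BAD_OVPN="$WORKDIR/server-leaky.conf"
GOOD_SYSCTL="$WORKDIR/sysctl-fixed.conf"
BAD_SYSCTL="$WORKDIR/sysctl-default.conf"

cat > "$GOOD_OVPN" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
server-ipv6 2001:db8:0:123::/64
push "route-ipv6 2000::/3"
EOF

cat > "$BAD_OVPN" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
EOF

printf 'net.ipv6.conf.all.forwarding=0\n' > "$GOOD_SYSCTL"
printf '#net.ipv6.conf.all.forwarding=1\n' > "$BAD_SYSCTL"

# Stand-alone run: the fixed pair prints OK, the default pair lists three findings.
audit_ipv6_leak "$GOOD_OVPN" "$GOOD_SYSCTL"
audit_ipv6_leak "$BAD_OVPN" "$BAD_SYSCTL" || true
```

To audit a real server, call audit_ipv6_leak with your actual paths, for example /etc/openvpn/server/server.conf and /etc/sysctl.conf, and remove the temporary directory afterwards. The script only inspects files; it does not tell you what the running kernel currently has, so still run sysctl --system after editing.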

Rejecting IPv6 on the firewall to mitigate timeouts

Now, while we could leave it at that, you might notice that some sites load slowly and some things time out. This is because the client now routes its IPv6 traffic into the tunnel, but the server, with forwarding disabled, silently discards it, so every IPv6 connection attempt has to wait for a timeout. To prevent this, we have to explicitly reject (not silently drop) all IPv6 connections from the OpenVPN clients, so the client gets an immediate error and falls back to IPv4 right away.

On a firewall manager like ufw, you will want to execute:

ufw reject from 2001:db8:0:123::/64 to any

Restarting and reconnecting

Now, to apply these changes you will want to restart your OpenVPN server. One of the following should do:

systemctl restart openvpn
systemctl restart openvpn@server.service
systemctl restart openvpn-server
systemctl restart openvpn-server@server.service

If none of those worked, just restart your machine altogether with systemctl reboot and then try to reconnect.

Testing that IPv6 is now gone on the client side

After your server restarted and you reconnected, it’s time to test things out!

I recommend simply going on a site like https://ipv6-test.com/ to see if IPv6 will still show up. If not, all is good! You can check further sites or look online for specific “IPv6 leak test” sites like http://ipv6leak.com/ and test some more to be sure.

Conclusion

Yet another effortless way to boost security and privacy. Go ahead and fix up your IPv6 leaks right now!
