Re: VPN, IPv4 and leak over IPv6





On Mon, Jun 5, 2017 at 11:46 AM, Paul Menzel <paulepanter@users.sourceforge.net> wrote:
> Dear NetworkManager folks,
>
> With NetworkManager 1.6.2 and the NetworkManager Applet 1.4.6 from
> Debian Sid/unstable, I set up a VPN connection with the OpenVPN plugin
> to the VPN server SoftEther [1].
>
> The VPN server is configured in a way that it only assigns an IPv4
> address and no IPv6. But from the router the system gets an IPv4 *and*
> IPv6 address.
>
> Now it looks like the browser prefers using the IPv6 connection,
> and therefore I browse *outside* the VPN on Web sites supporting IPv6.


This is not (really) a NM issue. Address selection and ordering is done by getaddrinfo(3), as configured by gai.conf(5).

I'm pretty certain that Chrome, at least, does not obey that and will always prefer a v6 address if available. 

> Is that the expected behavior, or can NetworkManager do something about
> it, that it deactivates the IPv6 connection, when the VPN connection
> only “supports” IPv4?

At the very least, you can run scripts whenever NM brings a "connection" up or down. Look at the docs for what goes into /etc/NetworkManager/dispatch.d/. The pre-up script for your VPN connection could save and remove all IPv6 routes, and the pre-down could restore them.

/ji
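
The pre-up/pre-down approach suggested in this reply, sketched as an added example (not from the thread or from the NetworkManager project). It narrows "all IPv6 routes" to the IPv6 default routes, and assumes the script is symlinked into `/etc/NetworkManager/dispatcher.d/pre-up.d/` and `pre-down.d/`; `STATE_DIR` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): NetworkManager dispatcher script.
# Assumed install: root-owned, mode 0755, symlinked into both
#   /etc/NetworkManager/dispatcher.d/pre-up.d/ and .../pre-down.d/
# NetworkManager runs it with $1 = interface and $2 = action.

STATE_DIR="${STATE_DIR:-/run/vpn-v6-guard}"   # hypothetical state location

# Record each IPv6 default route, then delete it from the main table.
save_v6_defaults() {
    mkdir -p "$STATE_DIR" || return 1
    # Drop the "expires Nsec" countdown ip prints for kernel-learned RA
    # routes, so each saved line can be replayed as arguments later.
    ip -6 route show default | sed 's/ expires [0-9]*sec//' \
        > "$STATE_DIR/new" || return 1
    while IFS= read -r route; do
        if [ -n "$route" ]; then
            # Append: a second VPN activation must not lose earlier saves.
            printf '%s\n' "$route" >> "$STATE_DIR/routes"
            # $route is unquoted on purpose: it splits into ip arguments.
            ip -6 route del $route || true
        fi
    done < "$STATE_DIR/new"
    rm -f "$STATE_DIR/new"
}

# Put the recorded routes back; "replace" tolerates one that already exists.
restore_v6_defaults() {
    [ -f "$STATE_DIR/routes" ] || return 0
    while IFS= read -r route; do
        if [ -n "$route" ]; then
            ip -6 route replace $route || true
        fi
    done < "$STATE_DIR/routes"
    rm -f "$STATE_DIR/routes"
}

case "${2:-}" in
    vpn-pre-up)   save_v6_defaults ;;
    vpn-pre-down) restore_v6_defaults ;;
esac
```

NetworkManager may reinstall the default route when it processes a later router advertisement, so check `ip -6 route show default` while the VPN is up rather than assuming the removal held.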