Dear John,

On Monday, 05.06.2017 at 13:20 -0400, John Ioannidis wrote:
> On Mon, Jun 5, 2017 at 11:46 AM, Paul Menzel wrote:
>> With NetworkManager 1.6.2 and the NetworkManager Applet 1.4.6 from Debian Sid/unstable, I set up a VPN connection with the OpenVPN plugin to the VPN server SoftEther [1]. The VPN server is configured in a way that it only assigns an IPv4 address and no IPv6. But from the router the system gets an IPv4 *and* IPv6 address. Now it looks like the browser prefers using the IPv6 connection, and therefore I browse *outside* the VPN on Web sites supporting IPv6.
>
> This is not (really) a NM issue. Address selection and ordering is done by getaddrinfo(3), as configured by gai.conf(5). I'm pretty certain that Chrome, at least, does not obey that and will always prefer a v6 address if available.
>
>> Is that the expected behavior, or can NetworkManager do something about it, that it deactivates the IPv6 connection, when the VPN connection only “supports” IPv4?
>
> At the very least, you can run scripts whenever NM brings a "connection" up or down. Look at the docs for what goes into /etc/NetworkManager/dispatch.d/. The pre-up script for your vpn connection could save and remove all ipv6 routes, and the pre-down could restore them.

The “normal” doesn’t understand this, and it depends on a lot of variables, so in my opinion the applet needs to show a big fat warning, if by default traffic could be sent not over the VPN due to a missing IPv6 address for example.

The next solution could be, that NetworkManager, for example, removes the IPv6 by default, if the system only gets an IPv4 address over the VPN. That could be deactivated by the user, but that is a “safer” default, isn’t it?

Thanks,

Paul
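
The save-and-restore approach suggested in the quoted reply, sketched as a dispatcher script; this is an added example, not code from either poster or from NetworkManager. It assumes the script is installed root-owned in NetworkManager's dispatcher directory (`/etc/NetworkManager/dispatcher.d/`, linked from its `pre-up.d/` and `pre-down.d/` subdirectories); the `STATE` path and the `IP` override are hypothetical names chosen for the example.

```shell
#!/bin/sh
# Added example (not from the thread). NetworkManager runs dispatcher scripts as
#   <script> <interface> <action>
# STATE and IP are hypothetical knobs so the logic can be exercised without root.
STATE="${STATE:-/run/nm-vpn-v6-default.routes}"
IP="${IP:-ip}"

# $1 = dispatcher action, $2 = IPv6 address count the VPN supplied
# (exported by NetworkManager as VPN_IP6_NUM_ADDRESSES; unset is treated as 0).
plan() {
    case "$1" in
        vpn-pre-up)
            if [ "${2:-0}" -eq 0 ]; then echo drop; else echo none; fi ;;
        vpn-pre-down|vpn-down)   # vpn-down also covers a tunnel that died
            if [ -s "$STATE" ]; then echo restore; else echo none; fi ;;
        *) echo none ;;
    esac
}

drop_v6() {
    # Keep the first saved copy if we are called twice for one session.
    if [ -s "$STATE" ]; then return 0; fi
    ( umask 077; "$IP" -6 route save default > "$STATE" ) || return 1
    i=0   # bounded loop: there may be several default routes
    while [ "$i" -lt 8 ] && "$IP" -6 route del default 2>/dev/null; do
        i=$((i + 1))
    done
}

restore_v6() {
    # A route the router re-announced meanwhile makes restore report
    # "File exists"; that is harmless, so the error is ignored.
    "$IP" -6 route restore < "$STATE" 2>/dev/null || true
    rm -f "$STATE"
}

main() {
    case "$(plan "${2:-}" "${VPN_IP6_NUM_ADDRESSES:-0}")" in
        drop)    drop_v6 ;;
        restore) restore_v6 ;;
    esac
}

main "$@"
```

Only the IPv6 default route is removed, so on-link IPv6 destinations are still reached directly, and a later router advertisement can re-install the default route while the VPN is up. Checking `ip -6 route show default` during a session shows whether that has happened.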