VPNs and IPv6, part 2

As I've written before, VPNs can lead to insecure situations when used with IPv6 enabled networks.

The easiest way to mitigate that problem is actually just to enable IPv6 tunneling over the VPN itself, provided your VPN gateway has IPv6 connectivity and you have a spare /64 subnet you can dedicate to the VPN clients. (Unfortunately, this is the smallest subnet size OpenVpn is willing to accept). My provider has agreed to make an appropriate subnet available to my server, but I haven't been able to try it so far.

If that's not possible for you, e.g. due to IPv6 being unavailable at your VPN gateway, there is a simple workaround that breaks IPv6 connectivity for all connected clients: Just hand out bogus IPv6 addresses and routes to all clients, and drop all IPv6 traffic on the server. This is of course not as nice as an option to cleanly disable IPv6 connectivity, but at least for the Android client, I'm not aware of any other solution so far.

The following two lines in the OpenVPN server.conf should do the trick:

server-ipv6 ::1/64

Make sure to disable IPv6 forwarding on the VPN server to avoid any surprises (e.g. link-local IPv6 connectivity to other servers on the same subnet):

sysctl net.ipv6.conf.all.forwarding=0

Try the setup by connecting to the VPN and accessing one of the innumerable "what-is-my-IPv6"–services from your client to make sure it works as expected.

Comments !