How can I keep ipv6 disabled?

Hi,

I want to use a VPN and I added it according to this tutorial: [how-to] ProtonVPN on Sailfish OS - together.jolla.com

It worked fine, but as soon as I reboot the phone or switch to cellular data my IPv6 is leaked again. The settings don’t seem to change. If I repeat Step 7 everything is fine again. Can someone help me, because typing in these commands (Step 7) every time is pretty much impossible.

Looking forward to an answer!
Thanks in advance!!!

Why would anyone want to disable IPv6 for this? It’ll be dysfunctional after disabling it …
Did you think about sending IPv6 the same route as IPv4, through a VPN? If configured properly, an OpenVPN service will tunnel IPv4 and IPv6 at the same time, being accessible via IPv4 and IPv6 at the same time, with the very same client configuration. I don’t know whether Proton supports this, but I manage some VPN endpoints and they worked like this for years …

Hi Maus,

thank you for your answer! According to this article: How to prevent IPv6 leaks on your device - ProtonVPN Support, ProtonVPN doesn’t support IPv6, or did I understand it wrong? I’m honestly not an expert on VPNs, but right now I leak my IPv6, so how can I fix this if I got it wrong?

They’re not very precise at ProtonVPN, reading up from the link you gave:

ProtonVPN applications block all IPv6 traffic by default. To be precise, IPv6 traffic gets rerouted to the VPN server and never leaves it, only IPv4 traffic does in order to ensure that your real IP address is not leaked.

If they indeed re-route all IPv6 traffic to the VPN server and drop it there, you’d be “safe”, wouldn’t you? But the rest of the text tells a different tale, it’s not coherent …

Anyway, you can check your routes after enabling your VPN. If IPv6 gets routed to your VPN service provider, all is OK. On the other hand, if they really silently discard that traffic, you’d have to wait for connection timeouts – only on second attempt, traffic would be re-tried as IPv4, because IPv6 is being tried first.

Yes, ProtonVPN isn’t too precise, but when I check ipleak.com or myip.is my IPv6 is leaked… so I don’t think I’m “safe”. Maybe the ProtonVPN applications solve this problem, but they don’t have a Sailfish app. And over OpenVPN my IPv6 seems to leak… I’m pretty sure it’s leaked, so how could I solve this? I know disabling IPv6 isn’t the best way, but I don’t see a different solution as long as I stick with ProtonVPN. Again, thanks for your answer!

I’d try to experiment with your client configuration, e.g. by adding redirect-gateway ipv6 to it. Anyway, you should check your routes, for example by using ip -6 r.

I checked my routes now and this is the output:

Command: /sbin/route -A inet
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default * 0.0.0.0 U 0 0 0 vpn0
10.21.0.0 * 255.255.0.0 U 0 0 0 vpn0
~VPN IP~ 192.168.178.1 255.255.255.255 UGH 0 0 0 wlan0
192.168.178.0 * 255.255.255.0 U 0 0 0 wlan0
192.168.178.1 * 255.255.255.255 UH 0 0 0 wlan0

Command: /sbin/route -A inet6
Kernel IPv6 routing table
Destination Next Hop Flags Metric Ref Use Iface
200116b822b3bb000000000000000000.dip.versatel-1u1.de/64 * UA 256 8 0 wlan0
fe80::/64 * U 256 7 0 wlan0
*/0 fe80::cece:1eff:fe7a:dcd2 UGDA 1024 134 7 wlan0
200116b822b3bb003a7862fffe5aebb3.dip.versatel-1u1.de/128 * U 0 24 2 lo
fe80::3a78:62ff:fe5a:ebb3/128 * U 0 4 2 lo
ff00::/8 * U 256 7 2 wlan0

For me this looks like the first one (IPv4) is fine (it’s the right IP), but the second one routes to my provider. I really don’t know much about this topic, so please warn me before I publish private information. And where do I find the configuration file? Sorry, I’m pretty new to VPNs.

What about abusing the firewall?

Add a file 01-block-ipv6-firewall.conf to /etc/connman/firewall.d with content:

    [General]
    IPv6.OUTPUT.RULES = -o lo -j ACCEPT

and 02-block-ipv6-firewall.conf with content:

    [General]
    IPv6.OUTPUT.RULES = -j REJECT

After restarting connman (# systemctl restart connman), locally initiated outgoing IPv6 traffic should be blocked.

# ip6tables -nvL
...
Chain connman-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all      *      lo      ::/0                 ::/0                
   15  1064 REJECT     all      *      *       ::/0                 ::/0                 reject-with icmp6-port-unreachable
...

Edit: Fix order of rules.
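
A scripted version of the two checks done by hand in this thread (the IPv6 default route and the order of the connman-OUTPUT rules), useful after a reboot or a switch to cellular data. This is an added example, not part of any post above; it assumes the VPN interface is vpn0 and reads the rules with `ip6tables -S` instead of `-nvL`, and the sample inputs are constructed from the output posted in the thread.

```shell
#!/bin/sh
# Added example: check the two conditions discussed in this thread.
# Live use (as root):  ip6tables -S connman-OUTPUT | check_output_chain
#                      ip -6 route show | leaking_default_ifaces vpn0

# Reads `ip6tables -S <chain>` text on stdin and prints one verdict:
#   ok                - loopback ACCEPT precedes the catch-all REJECT/DROP
#   loopback-blocked  - catch-all comes first, so traffic on lo is rejected too
#   no-catch-all      - nothing blocks outgoing IPv6 (rules not loaded)
check_output_chain() {
    awk '
        $1 != "-A" { next }
        $3 == "-o" && $4 == "lo" && $5 == "-j" && $6 == "ACCEPT" {
            if (!verdict) lo = 1
            next
        }
        $3 == "-j" && ($4 == "REJECT" || $4 == "DROP") {
            if (!verdict) verdict = lo ? "ok" : "loopback-blocked"
        }
        END { print (verdict ? verdict : "no-catch-all") }
    '
}

# Reads `ip -6 route show` text on stdin; prints each interface that carries
# an IPv6 default route and is not the VPN interface named in $1.
leaking_default_ifaces() {
    awk -v vpn="$1" '
        $1 == "default" {
            for (i = 2; i < NF; i++)
                if ($i == "dev" && $(i + 1) != vpn) print $(i + 1)
        }
    ' | sort -u
}

# Constructed samples, modelled on the output posted in this thread.
RULES_OK='-N connman-OUTPUT
-A connman-OUTPUT -o lo -j ACCEPT
-A connman-OUTPUT -j REJECT --reject-with icmp6-port-unreachable'
RULES_SWAPPED='-N connman-OUTPUT
-A connman-OUTPUT -j REJECT --reject-with icmp6-port-unreachable
-A connman-OUTPUT -o lo -j ACCEPT'
ROUTES='fe80::/64 dev wlan0 proto kernel metric 256
default via fe80::cece:1eff:fe7a:dcd2 dev wlan0 proto ra metric 1024'

echo "firewall (correct order): $(printf '%s\n' "$RULES_OK" | check_output_chain)"
echo "firewall (swapped order): $(printf '%s\n' "$RULES_SWAPPED" | check_output_chain)"
echo "default route outside VPN: $(printf '%s\n' "$ROUTES" | leaking_default_ifaces vpn0)"
```

A verdict of `no-catch-all` after a reboot means the firewall.d files were not loaded, and any interface printed by the route check still has an IPv6 default route that bypasses the VPN.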

This seems to work for me. Thanks for your answers! I hope now the VPN works properly. Have a nice day and thanks again for your effort!