Mobile VPN usage, ipv6 not routed and DNS leaks

I was trying out the VPN feature of SailfishOS (4.1.0.23). The used VPN is enabled for ipv4 and ipv6. However when checking via ipleak.net I see that only the ipv4-IP goes through the VPN but not the ipv6-IP. Here the one from my mobile provider is detected. Also the DNS is leaking. My mobile provider is Vodafone Germany which switched to ipv6 a year ago. But the same also happens if I use Sailfish VPN in a Wifi.
If I change the mobile network protocol in Sailfish settings from “dual” to “IP”, the ipv6 seems to get blocked by the phone and consequently ipleak.net doesn’t detect an ipv6-IP anymore. The DNS leak persists however. Checked on Brave browser (chromium based) and the native browser.
Using the same VPN on my PC everything is fine and works as expected, so I kinda blame the phone here.

I am no expert on all this, so maybe some of you can help out. Does Sailfish not facilitate ipv6 VPN usage? How can I avoid the DNS leaks? Do I choose the wrong settings?


Asking again, sorry for spam. I guess this is serious if the Sailfish VPN is leaking information.

So ipv6 works through the VPN on other platforms, or do they just block it when connected?
There is a big stack of commits that seems to deal with blocking ipv6 for this reason on Aug 27 and before…

@jlaakkonen is this one of the fixed problems?
4.2 is already branched out, so I guess that means it is slated for 4.3…

Um. Ipleak is not really a reliable way to determine, well, anything. What is the question?

I, for my part, only use static ipv4, and tunnel ipv6 on a dedicated link. So, my ipv4 (from the telecom), I use to connect to a proxy server (that I control), which, in turn, has multiple vpn providers connected to give my ip ‘from coast to coast’. Sadly, I no longer have a server parked at mae west.

In any case, my phone, when connected using 4g, will never be anonymous. Except when using wlan at home. Using a vpn feature on a telephone that is NOT using wifi, is not anonymous.

vpn on a phone is silly.

I don’t understand your point. If Sailfish offers a VPN functionality it should work as expected. Ipleak seems to see my IP despite having a VPN connection activated, which indicates that the Sailfish VPN is erroneous. Happens in 4G connection as well as in Wifi connection. The arising questions were clearly stated at the end of the opening post.

Sorry. It was ‘too many questions’. I don’t know of a vpn provider that does ‘dual stack’, in a way that I would trust. But I’m probably ignorant.

So, is the question… ‘Under what circumstances can one securely use ‘A’ vpn service on Sailfish’?

There are also a number of VPN types listed in SFOS:
L2TP
OpenConnect
OpenVPN
PPTP
VPNC

all of which have different characteristics. Could you please specify:

  1. Which type?
  2. Which provider?

EDIT, just looking on the old Jolla Forum there was a mention of disabling ipv6 to get rid of DNS query leaks. VPN client [closed] - together.jolla.com

EDIT 2: I just did https://jolla.zendesk.com/hc/en-us/articles/360017612820-A-basic-example-on-using-VPN and followed it exactly. Visited ipleak.net. I get:

  • both IPs (connected via o2 mobile since my cable from vodafone is ipv4 only)
  • both transparent,
  • no leaks via webrtc and
  • the dns servers are both in france.

So, openVPN works as advertised. Please supply some details of your setup.

But it could be that my tests won’t help you if you are using SFOS 4.1? I’m still on 3.4. Maybe someone with 4.1 can chime in.


Why???


Well, since it is well known that even Tor traffic is being de-anonymized by Chinese DPI and that ‘at least’ the US and probably also the UK have similar levels of intrusion AND the area where law enforcement is getting ever more traction (it is legal in the UK and Germany to install trojans, as just one example) … I don’t see the point of ‘hiding’ my IP. I see a dire need for political action. And I fear it is too late, when we see the EU, in lock step with Apple, going in the direction of MANDATING spyware/back doors.

In the main, I’m very distrustful of the ‘appearance’ of security. And I see a lot of people are liable to fall for ‘snake oil’ salesmen.

I do use vpns, just not on clients. I rent servers (also have some donated gear/bandwidth in the states) and use those to proxy where I feel it’s necessary. Even though I have more control here than you do with a vpn ‘service’, there are lots of weak links.

I don’t use Tor anymore because I’M the weak link.

So, that’s why I would say that using VPNs is silly. If I were advising a dissident in Belarus, I would not say, oh, use a vpn client on your device XXX. I would advise them to not use any device of their own for anything critical at all.

EDIT: Although it’s secondary, I’m also just not so sure about the protocols. I’ve been doing X forwarding over SSH since the 1990s to get around geo blocks, so I’m also just a bit otherwise qualified.

EDIT2: Do you think that my demonstration that Jolla’s how-to ‘just works’ and the believable demonstration that it ‘appears’ safe to an external website make SFOS vpn usage ‘safe’? For what purpose?


I fully agree, VPN is not a safe data communication. I use it only for simple purposes:

  1. better data & download speed when downloading big files, e.g. a Linux installation image,
  2. On webpages, (commercials) edit: advertising from my home country and in my language and not from country xy in language xy, when on travel,
  3. less interruptions when listening to Internet radio.

Hi!

Yes there are a lot of commits regarding that case to allow disabling of IPv6 when VPN is connected. Most of the VPN plugins in ConnMan do support only IPv4 (OpenConnect supports both whereas the most used OpenVPN does only IPv4 networking). This is not a system forced feature but comes from an option in the advanced settings of VPNs.

Unfortunately the options in the UI come in 4.3.0 whereas the implementation to ConnMan comes in 4.2.0. Each VPN has a type specific setting as most of the VPNs do support disabling of IPv6 (OpenVPN in 2.5.x, which is coming also in 4.3.0). Therefore the feature is implemented to support these options to inform ConnMan about IPv6 use properly.

The actual cause here was that when an IPv4-only VPN was enabled over an IPv6-supporting transport and, being how the networks and ConnMan operate, the DNS query was also sent to the DNS of the transport medium, which in this case can respond back with an IPv6 address for a hostname. If there is an IPv6 address available for the hostname it will get preferred over IPv4, thus data is leaked bypassing the VPN connection. There was an attempt to fix this by filtering DNS queries (there is a WIP branch in git) but this was deemed to be the more feasible approach as of now. If you have an IPv4-only VPN then the traffic should not be allowed to traverse to other networks if the VPN is set as a default route in the settings.

This is a difficult issue as people may have different needs and quite personal setups so we decided to have that option as a user-selectable one. Maybe it could be considered as enabled for all VPNs by default when it has been given some more testing with 4.3.0 and changed to utilize undefined routes to IPv6 when the feature is enabled instead of relying on disabling IPv6 (disable_ipv6 = 1 and autoconf = 0 in /proc/sys/net/ipv6/conf) for the connected networking interfaces.

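As an added illustration of the leak mechanism described in the post above (this is not code from the thread or from ConnMan), here is a small Python model of address and route selection: the transport's resolver returns an AAAA record, the stack prefers IPv6, and the connection leaves via the mobile interface instead of the IPv4-only tunnel. Interface names (tun0, rmnet0), the route table and the resolver answers are constructed for the example; disabling IPv6 on the transport is modelled as `ipv6_enabled=False`.

```python
import ipaddress

# Constructed route table: (destination prefix, interface). tun0 carries only
# an IPv4 default route, as the OpenVPN plugin in ConnMan provides.
ROUTES = [
    ("0.0.0.0/0", "tun0"),             # IPv4 default route -> VPN
    ("10.8.0.0/24", "tun0"),           # VPN's own subnet
    ("2001:db8:abcd::/48", "rmnet0"),  # on-link IPv6 prefix from the carrier
    ("::/0", "rmnet0"),                # IPv6 default route -> mobile transport
]

# Constructed resolver answers, as the transport's DNS would hand them back.
ANSWERS = {"example.com": ["2001:db8:1::10", "198.51.100.10"]}

def egress_interface(addr, routes=ROUTES):
    """Longest-prefix match over the route table; None if unroutable."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, dev)
    return best[1] if best else None

def connect_path(host, ipv6_enabled, answers=ANSWERS, routes=ROUTES):
    """Return (address, egress interface) for the first connection attempt.
    IPv6 is preferred when the host may use it (RFC 6724 default policy);
    with disable_ipv6=1 on the transport the AAAA answer is unusable."""
    usable = [a for a in answers[host]
              if ipv6_enabled or ipaddress.ip_address(a).version == 4]
    usable.sort(key=lambda a: ipaddress.ip_address(a).version, reverse=True)
    for a in usable:
        dev = egress_interface(a, routes)
        if dev:
            return a, dev
    return None, None

def leaks_past_vpn(host, ipv6_enabled, vpn_dev="tun0"):
    """True if the first connection attempt would bypass the VPN interface."""
    _, dev = connect_path(host, ipv6_enabled)
    return dev is not None and dev != vpn_dev

if __name__ == "__main__":
    print(connect_path("example.com", True))   # ('2001:db8:1::10', 'rmnet0')
    print(connect_path("example.com", False))  # ('198.51.100.10', 'tun0')
```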

I just wanted to note that the IPv4 and IPv6 dual stack worked with version 3.4 of SFOS using openVPN … I wasn’t expecting it to, but it did.

So, maybe a regression thing? Or am I missing something?

Can you please elaborate? I can’t seem to find the place I need to disable ipv6 to stop it from leaking DNS on the Android layer.

disabling IPv6 for all interfaces and setting the autoconf to 0 did not work.
After two months of struggling with the DNS leak I finally came close to a solution: installing DNSCrypt.

Kudos to the real heroes here @wickedsp1d3r and @kan_ibal who figured out and shared how to make DNSCrypt work on Sailfish OS.

I followed the instructions on Dnscrypt on Sailfish - together.jolla.com and after that I successfully removed any DNS leaks on a WIFI network.

I downloaded the latest linux-arm release (for my Sony Xperia XA2) from: https://github.com/DNSCrypt/dnscrypt-proxy/releases

tar -xzvf ./dnscrypt-proxy-linux_arm-{FILL_IN_YOUR_VERSION_NR}.tar.gz -C /tmp

set the executable attribute

chmod +x /tmp/linux-arm/dnscrypt-proxy

then install dnscrypt-proxy service

/tmp/linux-arm/dnscrypt-proxy -service install

move the example-dnscrypt-proxy conf file

mkdir -p /etc/dnscrypt-proxy
cp /tmp/linux-arm/example-dnscrypt-proxy.toml /etc/dnscrypt-proxy/dnscrypt-proxy.toml

edit the file by adding the DNS Crypt info. (I use decloudus.com)

vi /etc/dnscrypt-proxy/dnscrypt-proxy.toml

I disabled ConnMan’s DNS proxy and override its systemd service:

  1. create a folder named “connman.service.d”

mkdir /etc/systemd/system/connman.service.d

  2. Put a file named “override.conf” in the folder with the following content using vi

[Service]
ExecStart=
ExecStart=/usr/sbin/connmand -n -W nl80211 --nobacktrace --systemd --noplugin=wifi --nodnsproxy $SYSCONF_ARGS $CONNMAN_ARGS

make /etc/resolv.conf immutable by issuing

chattr +i /etc/resolv.conf

from the terminal on the phone (not ssh) after a reboot (in case it does not work directly, see: Permission denied for chattr +i command - #2 by Levone1). Also applies to:

/var/run/connman/resolv.conf

and force connman to use the local dnscrypt-proxy DNS address for network connections. I prefer to set it globally, for example for all wifi connections edit

vi /home/.system/var/lib/connman/settings

and in [WiFi] section add

Nameservers=127.0.0.1;

Then I rebooted the device. And finally I got rid of the DNS leaks. It also works in combination with OpenVPN.

But when I turn off the wifi it leaked the DNS and with some trial and error now the VPN no longer connects. It tries to resolve the vpn domain name to connect and it times out.

Two months in and so far I could not really circumvent this security issue. Glad though I learned about DNSCrypt and its advantages. Something I would not have looked into otherwise.

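As an added check for the DNSCrypt setup described in the post above (not code from the thread or from the together.jolla.com guide), this Python script audits the three artifacts the procedure changes: the connmand systemd drop-in, resolv.conf, and the [WiFi] Nameservers entry in ConnMan's settings. The file contents below are constructed samples standing in for the real files on the phone; on a device you would read them from the paths the post uses.

```python
import configparser
import shlex

# Constructed file contents standing in for the real files on the phone.
OVERRIDE_CONF = """[Service]
ExecStart=
ExecStart=/usr/sbin/connmand -n -W nl80211 --nobacktrace --systemd --noplugin=wifi --nodnsproxy $SYSCONF_ARGS $CONNMAN_ARGS
"""
RESOLV_CONF = "nameserver 127.0.0.1\n"
LEAKY_RESOLV_CONF = "nameserver 127.0.0.1\nnameserver 2001:db8::53\n"
CONNMAN_SETTINGS = "[global]\nOfflineMode=false\n\n[WiFi]\nEnable=true\nNameservers=127.0.0.1;\n"

def connmand_has_nodnsproxy(override_text):
    """A systemd drop-in must first clear ExecStart and then relaunch
    connmand with --nodnsproxy, otherwise ConnMan keeps forwarding queries
    to the resolvers learned from each transport."""
    lines = [l.strip() for l in override_text.splitlines()]
    if "ExecStart=" not in lines:
        return False
    cmds = [l[len("ExecStart="):] for l in lines if l.startswith("ExecStart=")]
    return any("--nodnsproxy" in shlex.split(c) for c in cmds if c)

def resolv_conf_local_only(resolv_text):
    """Every nameserver line must point at the local dnscrypt-proxy listener;
    any other address is a resolver the phone can fall back to in clear."""
    servers = [l.split()[1] for l in resolv_text.splitlines()
               if l.split()[:1] == ["nameserver"] and len(l.split()) > 1]
    return bool(servers) and all(s in ("127.0.0.1", "::1") for s in servers)

def connman_nameservers(settings_text, section="WiFi"):
    """Parse ConnMan's ini-style settings; list values are ';'-separated."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(settings_text)
    raw = cp.get(section, "Nameservers", fallback="")
    return [s for s in raw.split(";") if s]

def audit(override_text, resolv_text, settings_text):
    """Return the failed checks; an empty list means the setup matches the post."""
    failed = []
    if not connmand_has_nodnsproxy(override_text):
        failed.append("connmand still runs its DNS proxy")
    if not resolv_conf_local_only(resolv_text):
        failed.append("resolv.conf lists a non-local nameserver")
    if connman_nameservers(settings_text) != ["127.0.0.1"]:
        failed.append("[WiFi] Nameservers is not 127.0.0.1")
    return failed
```

The same checks apply to /var/run/connman/resolv.conf, which the post also makes immutable.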

Thanks a lot for your effort! It seems Jolla tried to fix the issue with the just announced 4.3.0. Let’s see.

DNS leaks haven’t been resolved on the Sailfish OS Suomenlinna 4.3 release :sob: :sob:

Sorry about the long delay in answering to this. I apologize.

There is a VPN provider specific option on each VPN type on Sailfish OS 4.3.0 ->. This was a bit problematic to implement similarly for each VPN type as they do tend to have different requirements each.

If you disable IPv6 support / enable IPv6 leak protection on the advanced settings pages the feature to prevent DNS leaks to IPv6 networks is enabled for the duration the VPN is connected. Unfortunately this has to be done for each VPN you are using.

And as of now, only OpenConnect does support both IPv4 and IPv6, all others support IPv4 only. This restriction comes from the ConnMan plugins.

But please try the feature and let us know how it works. All information regarding this is valuable.

I experience issues with DNS leaks using Sailfish 4.4 on Xperia 10 III. I hope for a fix in a future update.

Hi, that is unfortunate. In which scenario are you experiencing this? If the IPv6 leak protection is enabled in the settings no IPv6 traffic should be allowed to pass. But if you, for example, have VPN over WLAN and mobile data is still connected and uses IPv6 then there is a slight possibility that Android apps may still do IPv6 DNS queries. It has been long since this was done so it might merit some further testing on the newer devices.

The issue seems to be fixed in Sailfish OS 4.5 with updated AppSupport.
