Score:1

Block IPv6 on Tun0

ru flag

I'm setting up a VPN tunnel for some services. I created a vpntunnel/vpntunnel user/group that is routed to the tun0 interface based on the group ID. That works quite well. The commands below run as a regular user:

curl -4 ifconfig.io <= returns my public IPv4 ip
curl -6 ifconfig.io <= returns my public IPv6 ip

Because my VPN provider doesn't support IPv6 yet, my IP could be exposed. So I added an ip6tables rule:

ip6tables -A OUTPUT -o tun0 -m owner --gid-owner vpntunnel -j REJECT

Now the same commands run as the vpntunnel user:

sudo -u vpntunnel -i -- curl -4 ifconfig.io <= returns my VPN ip
sudo -u vpntunnel -i -- curl -6 ifconfig.io <= connection refused

The refused connection is normal as I blocked IPv6 OUTPUT on tun0. So I thought everything was fine, but I did a last check: I went to https://torguard.net/checkmytorrentipaddress.php, copied the magnet link and waited for the results. I was very surprised to see my IPv6 appear. My IPv4 is the VPN IP though, so my routing is not completely broken: Transmission uses the VPN tunnel.

I tried to add more rules:

ip6tables -A INPUT -i tun0 -j DROP
ip6tables -I FORWARD -i tun0 -o enp3s0 -j REJECT

But nothing did the trick.

I don't want to disable IPv6 on the machine, I need it.

Any idea? Thanks!
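As an added example that is not part of the question or of any comment: a small shell helper that prints the ip6tables commands needed to block the vpntunnel group on every interface rather than only on tun0, next to the tun0-scoped rule from the question, with a check that tells the two apart. The group name vpntunnel and the interface names tun0/enp3s0 come from the question; the loopback exception, the ICMPv6 reject reason and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not from the question or the comments. Hypothetical helper
# functions; the group name "vpntunnel" is from the question, the loopback
# exception and "icmp6-adm-prohibited" are assumptions.

VPN_GROUP="${VPN_GROUP:-vpntunnel}"

# The rule from the question. "-o tun0" only matches packets the kernel has
# already routed to tun0. The tunnel carries no IPv6, so the group's IPv6
# packets are routed to enp3s0 instead, never hit this rule, and leak.
leaky_rule() {
    printf '%s\n' "ip6tables -A OUTPUT -o tun0 -m owner --gid-owner $VPN_GROUP -j REJECT"
}

# Corrected rules: match on the owning group alone, whatever the output
# interface. Loopback stays open so local IPv6 services (e.g. an RPC socket
# on ::1) keep working; everything else is rejected with an ICMPv6
# "administratively prohibited" so clients fail fast instead of timing out.
# Positions 1 and 2 put both rules ahead of any existing ACCEPT.
# Note: the owner match only exists for locally generated traffic, i.e. in
# OUTPUT (and nat POSTROUTING); INPUT/FORWARD rules cannot stop this leak.
gen_ip6_rules() {
    cat <<EOF
ip6tables -I OUTPUT 1 -o lo -m owner --gid-owner $VPN_GROUP -j ACCEPT
ip6tables -I OUTPUT 2 -m owner --gid-owner $VPN_GROUP -j REJECT --reject-with icmp6-adm-prohibited
EOF
}

# Check for the mistake in the question: an owner-match rule that is also
# scoped to tun0. Returns 0 (true) if the rule is scoped that way, 1 if not.
is_interface_scoped() {
    case "$1" in
        *"-o tun0"*"--gid-owner"*|*"--gid-owner"*"-o tun0"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: review with "sh this_script.sh", apply as root with
# "sudo sh this_script.sh apply". Verify afterwards with
# "sudo -u vpntunnel -i -- curl -6 ifconfig.io", which must now be refused.
if [ "${1:-}" = "apply" ]; then
    gen_ip6_rules | sh -e
else
    echo "# leaky rule (from the question):"; leaky_rule
    echo "# corrected rules:"; gen_ip6_rules
fi
```

Matching on the owner alone also does not depend on any interface existing: a per-interface key such as net.ipv6.conf.tun0.disable_ipv6 is only present while tun0 exists, and a freshly created tun0 takes its settings from net.ipv6.conf.default, so the ip6tables rule keeps working across VPN reconnects where a tun0-specific sysctl has to be re-applied.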

vidarlo avatar
ar flag
You won't talk IPv6 over an interface without IPv6. What you need to do is block the user from talking IPv6 on the interfaces that have it.
djdomi avatar
za flag
Just disable IPv6?
Axel avatar
ru flag
@djdomi no, I use IPv6, can't disable it.
Axel avatar
ru flag
@djdomi you gave me an idea, and it worked. I added net.ipv6.conf.tun0.disable_ipv6 = 1 into sysctl. Just fine now. Thanks
Ron Maupin avatar
us flag
If you have an answer, you should post the answer and accept it.
djdomi avatar
za flag
@axel if you agree I will add this as an answer tomorrow.
Axel avatar
ru flag
@djdomi, sure, sorry I didn't find how to accept as a solution.
dominix avatar
gf flag
It's weird, a REJECT should NOT give you a timeout. You may have problems with your ICMP in IPv6. A DROP gives a timeout, but not a REJECT.
Axel avatar
ru flag
@dominix I said "timeout" but that wasn't right. It's a connection refused.
Axel avatar
ru flag
Well, I'm getting back to you because it is actually not fixed! When I disabled IPv6 for tun0, I checked again on torguard.net: it shows my IPv4 but not my IPv6. I thought I won. But a couple of hours (days) later, I checked again and unfortunately my IPv6 is back (?????). I rebooted my server, checked again on Torguard, no IPv6. Two days later, my IPv6 is back. I really don't get it. Any idea? Thanks
dominix avatar
gf flag
When connecting to torguard.net, are you sure that your connection goes through your VPN? Your browser may, but not your torrent client. (Check with tcpdump.)