34

I'm using the OpenVPN client through the OpenVPN Network Manager plugin on a dual stack (meaning configured both for IPv4 and IPv6 connectivity) Ubuntu 13.10 to redirect all traffic through the VPN (redirect-gateway). It generally works fine.

However, due to the fact that IPv6 is preferred by the system, the VPN "leaks" and when connecting to sites that are also available over IPv6 (like Google, or Wikipedia), the browser connects directly.

One solution would be to configure the OpenVPN server to provide IPv6 connectivity. While possible with OpenVPN, the plugin for Network Manager currently doesn't support it.

Since IPv6 connectivity over the VPN is not strictly necessary, I'd like to simply disable IPv6 on the client when connecting to the OpenVPN server. Is it possible? If so, how can I do it?

8 Answers

23

Add this to your kernel line in your boot loader to disable IPv6 altogether:

    ipv6.disable=1

If you're using Grub (if you haven't installed your own boot-loader, then you are using Grub), your kernel line should look something like this:

    linux /boot/vmlinuz-linux root=UUID=978e3e81-8048-4ae1-8a06-aa727458e8ff ipv6.disable=1

The recommended approach, for adding something to the kernel line, is to add the desired kernel parameter to the GRUB_CMDLINE_LINUX_DEFAULT variable in the /etc/default/grub file:

    GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1"

Once you've added that to /etc/default/grub, run the following command to regenerate your grub.cfg:

    sudo grub-mkconfig -o /boot/grub/grub.cfg

Alternatively, adding ipv6.disable_ipv6=1 instead will keep the IPv6 stack functional but will not assign IPv6 addresses to any of your network devices.

OR

To disable IPv6 via sysctl, place the following into your /etc/sysctl.conf file:

    net.ipv6.conf.all.disable_ipv6 = 1

Don't forget to comment out any IPv6 hosts in your /etc/hosts file:

    #::1        localhost.localdomain   localhost

NOTE: A reboot may be required for the sysctl method, and a reboot is definitely required for the kernel line approach.

OR

To temporarily disable ipv6:

    sysctl -w net.ipv6.conf.all.disable_ipv6=1

To temporarily enable it:

    sysctl -w net.ipv6.conf.all.disable_ipv6=0

So if you need to disable ipv6 on a given condition, then write a bash script somewhere along these lines:

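    #!/bin/bash
    # Placeholder check (an assumption, not part of the original answer):
    # an existing tun0 device counts as "connected". Replace with your own test.
    connected_to_vpn() { ip link show tun0; }

    # Current state: 1 if IPv6 is disabled, 0 if it is enabled
    ipv6_disabled="$(sysctl net.ipv6.conf.all.disable_ipv6 | awk '{print $NF}')"
    if (connected_to_vpn &> /dev/null); then
      # On the VPN: disable IPv6 unless it is already disabled
      ((ipv6_disabled)) || sysctl -w net.ipv6.conf.all.disable_ipv6=1
    else
      # Off the VPN: re-enable IPv6 if it is currently disabled
      ((ipv6_disabled)) && sysctl -w net.ipv6.conf.all.disable_ipv6=0
    fi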

NOTE: You might need to disable any ipv6 hosts in your /etc/hosts file for this method too, just as I recommended in the previous method.

Alexej Magura
8

You can disable ipv6 at the client level for a specific Network Manager connection by setting the IPv6 option ipv6.method to "ignore".

    # SOP: Recreate my LAN connection using FIXED IP 192.168.0.95 to Ethernet.

    nmcli connection delete lan-ethernet
    nmcli connection add con-name lan-ethernet \
        ifname enp0s31f6 \
        type ethernet \
        ip4 192.168.0.95/24 gw4 192.168.0.1

    nmcli connection modify lan-ethernet ipv6.method "ignore"
    nmcli connection modify lan-ethernet ipv4.dns "8.8.8.8 8.8.4.4"
    nmcli connection up lan-ethernet
    sleep 1
    nmcli device status
    nmcli connection show
    ifconfig enp0s31f6

Alexis Wilke
Rolf
7

I think it is less intrusive to disable IPv6 in the client file (edit client_conf_file.ovpn) than to modify the kernel TCP stack.

Open your conf_file.ovpn and add the following lines:

    # disable ipv6
    # https://community.openvpn.net/openvpn/ticket/849
    pull-filter ignore "ifconfig-ipv6 "
    pull-filter ignore "route-ipv6 "

I tried it and after this the ipv6 disappears.

Before: I ran `ip a | grep global` and the result was:

    inet 192.168.43.39/24 brd 192.168.43.255 scope global dynamic noprefixroute wlan0
    inet 10.8.0.6/24 brd 10.8.0.255 scope global tun0
    inet6 2a00:1630:66:16::1004/64 scope global

After: I ran `ip a | grep global` and the result was:

    inet 192.168.1.14/24 brd 192.168.1.255 scope global dynamic noprefixroute wlan0
    inet 10.8.0.7/24 brd 10.8.0.255 scope global tun0
Em50L
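
A leak check to go with the answers above, as an added example (not code from any of the posts): it parses `ip` output and reports global IPv6 addresses and default routes that sit outside the tunnel. The device name tun0 is an assumption taken from the page, and the sample output is constructed using the documentation prefix 2001:db8::/32.

```shell
#!/bin/sh
# Added example: report IPv6 paths that bypass the VPN tunnel.
# TUN_IF is an assumption (tun0, the device name used on this page).
TUN_IF="${TUN_IF:-tun0}"

# stdin: output of `ip -o -6 addr show scope global`
# prints "<iface> <addr/len>" for each global address not on the tunnel
leaky_addrs() {
    awk -v tun="$TUN_IF" '$3 == "inet6" && $2 != tun { print $2, $4 }'
}

# stdin: output of `ip -6 route show`
# prints every default route whose outgoing device is not the tunnel
leaky_routes() {
    awk -v tun="$TUN_IF" '
        $1 == "default" {
            dev = ""
            for (i = 2; i < NF; i++) if ($i == "dev") dev = $(i + 1)
            if (dev != tun) print
        }'
}

# $1 = address listing, $2 = route listing; returns 0 only if both are clean
check_leak() {
    leak_a="$(printf '%s\n' "$1" | leaky_addrs)"
    leak_r="$(printf '%s\n' "$2" | leaky_routes)"
    [ -z "$leak_a" ] || printf 'global IPv6 address outside %s: %s\n' "$TUN_IF" "$leak_a"
    [ -z "$leak_r" ] || printf 'IPv6 default route outside %s: %s\n' "$TUN_IF" "$leak_r"
    [ -z "$leak_a" ] && [ -z "$leak_r" ]
}

# Constructed sample output (documentation prefix 2001:db8::/32)
SAMPLE_ADDR='2: wlan0    inet6 2001:db8:66:16::1004/64 scope global dynamic noprefixroute \       valid_lft 86000sec preferred_lft 14000sec
7: tun0    inet6 2001:db8:1::1000/64 scope global \       valid_lft forever preferred_lft forever'
SAMPLE_ROUTE='2001:db8:66:16::/64 dev wlan0 proto ra metric 600 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 pref medium'

# Live use: check_leak "$(ip -o -6 addr show scope global)" "$(ip -6 route show)"
```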
6

Edit the OpenVPN profile in NetworkManager, open the IPv6 tab and manually add a route:

Address: 2000 Prefix: 3 Gateway: 0100::1

2000::/3 captures all publicly routable IPv6 addresses. The 0100::/64 prefix is a special prefix designated for discarding traffic. Essentially you'll be sending all IPv6 traffic to a gateway that doesn't exist.

Upside: easy and completely automatic.

Downside: some apps, namely command-line tools, may not fall back to IPv4 as quickly as one would like when this method is used.

Niels
5

I'm on Ubuntu 16.04.03 LTS, connecting to a Pi-Hole server through PiVPN.

This is what I did to switch IPv6 automatically on and off when connecting to a VPN through the Network Manager:

  1. Create a script in /etc/NetworkManager/dispatcher.d:

    $ sudo vi /etc/NetworkManager/dispatcher.d/99vpn-ipv6-switch
    
  2. Add the following content into the file (modify the contents for your requirements):

    #!/bin/sh
    # Network Manager Dispatcher Hook:
    # enables/disables ipv6 on vpn-down/vpn-up respectively
    #
    # Copyright (c) 2017 ooknosi
    # Apache License 2.0
    
    # Args
    INTERFACE="$1"
    ACTION="$2"
    
    case $ACTION in
        vpn-up)
        # vpn connected; disable ipv6
        sysctl -w net.ipv6.conf.all.disable_ipv6=1
        ### UNCOMMENT AND EDIT BELOW IF NECESSARY
        ## add pi-hole nameserver
        #echo -n "nameserver 192.168.1.1" | /sbin/resolvconf -a "tun0.openvpn"
        ### UNCOMMENT AND EDIT ABOVE IF NECESSARY
        ;;
    
        vpn-down)
        # vpn disconnected; enable ipv6
        sysctl -w net.ipv6.conf.all.disable_ipv6=0
        ### UNCOMMENT AND EDIT BELOW IF NECESSARY
        ## remove pi-hole nameserver
        #/sbin/resolvconf -d "tun0.openvpn"
        ### UNCOMMENT AND EDIT ABOVE IF NECESSARY
        ;;
    esac
    
    exit 0
    
  3. Make the script executable:

    $ sudo chmod 755 /etc/NetworkManager/dispatcher.d/99vpn-ipv6-switch
    

That's it. I had to manually add my Pi-Hole DNS because of a dnsmasq bug that prevents resolv.conf from being updated correctly, so modify the lines indicated if you find your DNS leaking.

ooknosi
1

If you are using this solution (Address: 2000:: Prefix: 3 Gateway: 0100::1)

You can set DNS to :: to prevent DNS leaks.

0

I'd like to simply disable IPv6 on the client when connecting to the OpenVPN server. Is it possible?

Try this straightforward script I just made. It will:

  • Deal with all interfaces.
  • Disable ipv6 when OpenVPN is started.
  • Enable ipv6 when OpenVPN is ended.
  • Better compatibility with NetworkManager arguments.

If there is still an ipv6 address on certain interfaces, the client still tries ipv6 routing, but as DNS uses UDP, there is a chance of a DNS leak that TCPwrapper can't manage to disable.

This script also works well with other interfaces because it doesn't rely on NetworkManager's arguments, such as vpn-up and vpn-down, anymore.

Create an executable file in /etc/NetworkManager/dispatcher.d/:

    sudo vim /etc/NetworkManager/dispatcher.d/v6d

Paste the code below:

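    #!/bin/bash
    # NetworkManager dispatcher hook: $1 is the interface, $2 the action.
    IF=$1
    STATUS=$2
    if [ "$IF" = "tun0" ]; then
        case "$STATUS" in
            up)
                # Tunnel up: set every disable_ipv6 key that is 0 to 1.
                # Matching disable_ipv6 (not just "disable") leaves
                # unrelated keys such as disable_policy alone.
                for v6 in $(sysctl -a 2>/dev/null | grep 'ipv6.*disable_ipv6 = 0' | sed 's/ = 0/=1/'); do
                    sysctl -w "$v6"
                done
                ;;
            down)
                # Tunnel down: set every disable_ipv6 key that is 1 back to 0.
                for v6 in $(sysctl -a 2>/dev/null | grep 'ipv6.*disable_ipv6 = 1' | sed 's/ = 1/=0/'); do
                    sysctl -w "$v6"
                done
                ;;
        esac
    fi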

Then make it executable:

    sudo chmod +x /etc/NetworkManager/dispatcher.d/v6d

P.S. OpenVPN with Network Manager loses a lot of the beneficial OpenVPN options of the command-line version.

Seandex
0

If anyone still needs this info and none of the other options work: I've solved this issue by going into OpenVPN's server config file.

First type in `sudo chmod a+w /etc/openvpn/server.conf`, since server.conf doesn't let you edit it without making it writable.

Then type in `vim /etc/openvpn/server.conf`; you can substitute any other text editor for vim, just note we're going to edit this file.

Then comment out these lines by adding a # to the beginning of each:

    server-ipv6 fd[ip info]
    tun-ipv6
    push tun-ipv6
    push route-ipv6 [ip info]
    push redirect-gateway ipv6

After saving the file, we're going to restart OpenVPN by using the following command: `sudo systemctl restart openvpn`

At this point, the issue at hand should be fixed. When I execute my ovpn file, it shows no info about ipv6 being in use. Hope this works for you.