Disable IPv6 when connected to VPN

pmcarrion

Occasional Visitor
My ISP provides a native IPv6 connection.
I also use Asuswrt-Merlin's VPN client with VPN Director.
However, when enabling the VPN client, only the IPv4 address is changed and the IPv6 address is leaked. This is expected as the Asuswrt-Merlin VPN client doesn't support IPv6.
I would like the router to block the device's IPv6 connection when the VPN client is enabled.
Is there a way to do that without disabling IPv6 completely?
 

Frank Monroe

Regular Contributor
I agree. This is a problem for me too. It was discussed earlier this year in this thread: https://www.snbforums.com/threads/i...rtain-lan-ips-using-vpn-director-rules.77809/. According to the thread, the issue is fixed for routers that support IPv6 with VPN connections. However, those of us with older models that do not have IPv6 support with VPN connections still have the issue. With the older routers, VPN Director rules are bypassed or ignored because the clients may sometimes use or prefer to use IPv6.
 

eibgrad

Part of the Furniture
I don't see why you couldn't create an openvpn-event script that used ip6tables to block access to the WAN by specific IPv6 addresses (or MAC addresses). When the VPN comes up, you insert the rule(s), when it comes down, you remove them.

In effect, create your own IPv6 kill switch.

But if you're looking for something that's going to magically make it happen, iow some sort of switch to turn ON/OFF this feature, I don't see it coming. The only way to know if a given device on IPv4 is the same one on IPv6 is if they happen to resolve to the same MAC address. But the routing doesn't work at the ethernet level (layer 2), only IP level (layer 3).
 

pmcarrion

Occasional Visitor
I don't see why you couldn't create an openvpn-event script that used ip6tables to block access to the WAN by specific IPv6 addresses (or MAC addresses). When the VPN comes up, you insert the rule(s), when it comes down, you remove them.

In effect, create your own IPv6 kill switch.

But if you're looking for something that's going to magically make it happen, iow some sort of switch to turn ON/OFF this feature, I don't see it coming. The only way to know if a given device on IPv4 is the same one on IPv6 is if they happen to resolve to the same MAC address. But the routing doesn't work at the ethernet level (layer 2), only IP level (layer 3).
Do you have a script sample I can use?
Thanks.
 

pmcarrion

Occasional Visitor
I agree. This is a problem for me too. It was discussed earlier this year in this thread: https://www.snbforums.com/threads/i...rtain-lan-ips-using-vpn-director-rules.77809/. According to the thread, the issue is fixed for routers that support IPv6 with VPN connections. However, those of us with older models that do not have IPv6 support with VPN connections still have the issue. With the older routers, VPN Director rules are bypassed or ignored because the clients may sometimes use or prefer to use IPv6.
IPv6 is only supported by the router's VPN server, not the client. :confused:
 

Tech9

Part of the Furniture
IPv6 is only supported by the router's VPN server, not the client.

I remember it was supported in Asuswrt-Merlin 386.5_2, but I loaded 386.7_2 yesterday on my AX86U to check something and this is what I see in the OpenVPN server configuration page (IPv6 VPN subnet option gone?):

[screenshot attached]
 

Tech9

Part of the Furniture
The same configuration page in Asuswrt-Merlin 386.5_2 (with VPN IPv6 prefix option):

[screenshot attached]


I'm not familiar with the IPv6 OpenVPN server; perhaps @RMerlin can share some details on how it works in 386.7_2.
 

Tech9

Part of the Furniture
Not sure what's going on. 386.7_2 VPN server is super slow. 386.5_2 works well with the same settings. May need to hit Reset again and investigate.
 

RMerlin

Asuswrt-Merlin dev
The OpenVPN server IPv6 settings will only appear if you have IPv6 enabled on your WAN connection.
 

Tech9

Part of the Furniture
Got it, thank you. I guess that's valid for the 386.7_2 release. I see IPv6 settings in 386.5_2 with IPv6 disabled.

By the way, OpenVPN performance in 386.7_2 was back to normal only after a factory reset. Not measured, but visually normal speed.
 

pmcarrion

Occasional Visitor
The OpenVPN server IPv6 settings will only appear if you have IPv6 enabled on your WAN connection.
Thanks for chiming in.

I would like the router to block the device's IPv6 connection when the VPN client is enabled.
Is there a way to do that without disabling IPv6 completely?
Thanks.
 

SomeWhereOverTheRainBow

Part of the Furniture
Thanks for chiming in.

I would like the router to block the device's IPv6 connection when the VPN client is enabled.
Is there a way to do that without disabling IPv6 completely?
Thanks.
You should be able to add a client override to your client config file.
e.g.

Code:
push-remove ifconfig-ipv6
push-remove route-ipv6
 

pmcarrion

Occasional Visitor
You should be able to add a client override to your client config file.
e.g.

Code:
push-remove ifconfig-ipv6
push-remove route-ipv6
Thanks, but it didn't work.

Here's the log:
Aug 21 20:50:18 rc_service: httpds 1565:notify_rc restart_vpnclient1
Aug 21 20:50:18 ovpn-client1[2613]: event_wait : Interrupted system call (code=4)
Aug 21 20:50:18 ovpn-client1[2613]: ovpn-route-pre-down tun11 1500 1624 10.117.250.25 255.255.254.0 init
Aug 21 20:50:18 ovpn-client1[2613]: Closing TUN/TAP interface
Aug 21 20:50:18 ovpn-client1[2613]: /usr/sbin/ip addr del dev tun11 10.117.250.25/23
Aug 21 20:50:18 ovpn-client1[2613]: ovpn-down 1 client tun11 1500 1624 10.117.250.25 255.255.254.0 init
Aug 21 20:50:18 openvpn-routing: Configured killswitch on VPN client 1
Aug 21 20:50:18 ovpn-client1[2613]: SIGTERM[hard,] received, process exiting
Aug 21 20:50:18 openvpn-routing: Clearing routing table for VPN client 1
Aug 21 20:50:18 ovpn-client1[32446]: Options error: option 'push-remove' cannot be used in this context (config.ovpn)
Aug 21 20:50:18 ovpn-client1[32446]: Use --help for more information.
Aug 21 20:50:18 openvpn: Starting OpenVPN client 1 failed!
Aug 21 20:50:18 openvpn-routing: Clearing routing table for VPN client 1
Aug 21 20:50:50 rc_service: httpds 1565:notify_rc start_vpnclient1
Aug 21 20:50:50 ovpn-client1[32654]: Options error: option 'push-remove' cannot be used in this context (config.ovpn)
Aug 21 20:50:50 ovpn-client1[32654]: Use --help for more information.
Aug 21 20:50:50 openvpn: Starting OpenVPN client 1 failed!
Aug 21 20:50:50 openvpn-routing: Clearing routing table for VPN client 1
 

SomeWhereOverTheRainBow

Part of the Furniture
Thanks, but it didn't work.

Here's the log:
Aug 21 20:50:18 rc_service: httpds 1565:notify_rc restart_vpnclient1
Aug 21 20:50:18 ovpn-client1[2613]: event_wait : Interrupted system call (code=4)
Aug 21 20:50:18 ovpn-client1[2613]: ovpn-route-pre-down tun11 1500 1624 10.117.250.25 255.255.254.0 init
Aug 21 20:50:18 ovpn-client1[2613]: Closing TUN/TAP interface
Aug 21 20:50:18 ovpn-client1[2613]: /usr/sbin/ip addr del dev tun11 10.117.250.25/23
Aug 21 20:50:18 ovpn-client1[2613]: ovpn-down 1 client tun11 1500 1624 10.117.250.25 255.255.254.0 init
Aug 21 20:50:18 openvpn-routing: Configured killswitch on VPN client 1
Aug 21 20:50:18 ovpn-client1[2613]: SIGTERM[hard,] received, process exiting
Aug 21 20:50:18 openvpn-routing: Clearing routing table for VPN client 1
Aug 21 20:50:18 ovpn-client1[32446]: Options error: option 'push-remove' cannot be used in this context (config.ovpn)
Aug 21 20:50:18 ovpn-client1[32446]: Use --help for more information.
Aug 21 20:50:18 openvpn: Starting OpenVPN client 1 failed!
Aug 21 20:50:18 openvpn-routing: Clearing routing table for VPN client 1
Aug 21 20:50:50 rc_service: httpds 1565:notify_rc start_vpnclient1
Aug 21 20:50:50 ovpn-client1[32654]: Options error: option 'push-remove' cannot be used in this context (config.ovpn)
Aug 21 20:50:50 ovpn-client1[32654]: Use --help for more information.
Aug 21 20:50:50 openvpn: Starting OpenVPN client 1 failed!
Aug 21 20:50:50 openvpn-routing: Clearing routing table for VPN client 1
Okay, ditch those lines and try block-ipv6 in the same config, but place it at the bottom of the .ovpn or .conf file.
 

RMerlin

Asuswrt-Merlin dev
I would like the router to block the device's IPv6 connection when the VPN client is enabled.
Is there a way to do that without disabling IPv6 completely?
You'd probably need to implement it through an openvpn-event script, adding firewall rules to drop outbound IPv6 traffic. This might cause a problem, however, for your network clients that may be attempting to use IPv6 if they already had an IPv6 allocated to them.
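The openvpn-event approach that eibgrad and RMerlin describe, written out as an added example (this is not code from the thread or from Asuswrt-Merlin). It assumes the hook lives at /jffs/scripts/openvpn-event and receives OpenVPN's script arguments, with $1 as the tunnel device (tun11 for client 1, as in the log above) and $script_type set to up or down; the host list, the chain name and br0 are placeholders to adapt.

```shell
#!/bin/sh
# /jffs/scripts/openvpn-event (assumed Asuswrt-Merlin hook path; chmod +x).
# IPv6 kill switch for selected LAN hosts while OpenVPN client 1 is up.
# Assumed: the hook gets OpenVPN's script args ($1 = tunnel device, tun11
# for client 1 as in the log above) and $script_type = up|down; LAN is br0.
CHAIN="VPN6KILL"            # own chain so the rules are added/flushed as a unit
LAN_IF="br0"
VPN_DEV="tun11"             # client 2 would be tun12
IP6T="${IP6T:-ip6tables}"   # overridable so a test can stub the binary
# Hosts to cut off from IPv6 beyond the LAN while the tunnel is up:
# "mac:<addr>" matches by MAC (survives SLAAC privacy-address changes),
# "ip6:<addr|prefix>" by source address. Constructed sample values.
HOSTS="mac:aa:bb:cc:dd:ee:01 ip6:2001:db8:1::/64"

# Translate one HOSTS entry into ip6tables match arguments.
match_args() {
    case "$1" in
        mac:*) printf '%s' "-m mac --mac-source ${1#mac:}" ;;
        ip6:*) printf '%s' "-s ${1#ip6:}" ;;
        *)     return 1 ;;
    esac
}

# Install the jump from FORWARD and populate the chain (idempotent).
killswitch_up() {
    $IP6T -N "$CHAIN" 2>/dev/null || true
    $IP6T -F "$CHAIN"
    $IP6T -D FORWARD -i "$LAN_IF" ! -o "$LAN_IF" -j "$CHAIN" 2>/dev/null || true
    $IP6T -I FORWARD -i "$LAN_IF" ! -o "$LAN_IF" -j "$CHAIN"
    for h in $HOSTS; do
        m=$(match_args "$h") || continue
        $IP6T -A "$CHAIN" $m -j DROP    # $m unquoted on purpose
    done
}

# Tear it all down again so the hosts get native IPv6 back.
killswitch_down() {
    $IP6T -D FORWARD -i "$LAN_IF" ! -o "$LAN_IF" -j "$CHAIN" 2>/dev/null || true
    $IP6T -F "$CHAIN" 2>/dev/null || true
    $IP6T -X "$CHAIN" 2>/dev/null || true
}

main() {
    [ "$1" = "$VPN_DEV" ] || return 0   # other OpenVPN instances share this hook
    case "$script_type" in
        up)   killswitch_up ;;
        down) killswitch_down ;;
    esac
}
if [ -n "$script_type" ]; then main "$@"; fi
```

Matching by MAC sidesteps the address churn of IPv6 privacy extensions, and swapping DROP for REJECT lets clients that already hold an IPv6 address (RMerlin's caveat) fall back to IPv4 faster instead of waiting on timeouts. Verify on the router with ip6tables -L VPN6KILL -n -v while the tunnel is up.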
 
