How to disable IPv6 when connecting to an OpenVPN server using Network Manager on a dual-stack system?

networking network-manager vpn openvpn ipv6

64,114

Solution 1

Add this to your kernel line in your boot loader to disable IPv6 altogether:

ipv6.disable=1

If you're using Grub (if you haven't installed your own boot-loader, then you are using Grub), your kernel line should look something like this:

linux /boot/vmlinuz-linux root=UUID=978e3e81-8048-4ae1-8a06-aa727458e8ff ipv6.disable=1

The recommended approach, for adding something to the kernel line, is to add the desired kernel parameter to the GRUB_CMDLINE_LINUX_DEFAULT variable in the /etc/default/grub file:

GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1"

Once you've added that to /etc/default/grub, run the following command to regenerate your grub.cfg:

sudo grub-mkconfig -o /boot/grub/grub.cfg

Alternatively, adding ipv6.disable_ipv6=1 instead will keep the IPv6 stack functional but will not assign IPv6 addresses to any of your network devices.

OR

To disable IPv6 via sysctl, place the following into your /etc/sysctl.conf file:

net.ipv6.conf.all.disable_ipv6 = 1

Don't forget to comment out any IPv6 hosts in your /etc/hosts file:

#::1        localhost.localdomain   localhost

NOTE

a reboot may be required for the sysctl method, and a reboot is definitely required for the kernel line approach.

OR

To temporarily disable ipv6:

sysctl -w net.ipv6.conf.all.disable_ipv6=1

To temporarily enable it:

sysctl -w net.ipv6.conf.all.disable_ipv6=0

So if you need to disable ipv6 on a given condition, then write a bash script somewhere along these lines:

#!/bin/bash
ipv6_disabled="$(sysctl net.ipv6.conf.all.disable_ipv6 | awk '{print $NF}')"
if (connected_to_vpn &> /dev/null); then
  (($ipv6_disabled)) || sysctl -w net.ipv6.conf.all.disable_ipv6=1
else
  (($ipv6_disabled)) && sysctl -w net.ipv6.conf.all.disable_ipv6=0
fi

NOTE

You might need to disable any ipv6 hosts in your /etc/hosts file for this method too, just as I recommended in the previous method.

Solution 2

You can disable ipv6 at the client level for a specific Network Manager connection by setting the IPv6 option ipv6.method to "ignore"

// SOP: Recreate my LAN connection using FIXED IP 192.168.0.95 to Ethernet. ````

nmcli connection delete lan-ethernet
nmcli connection add con-name lan-ethernet \
    ifname enp0s31f6 \
    type ethernet \
    ip4 192.168.0.95/24  gw4 192.168.0.1

nmcli connection modify lan-ethernet  ipv6.method "ignore"
nmcli connection modify lan-ethernet  ipv4.dns "8.8.8.8 8.8.4.4"
nmcli connection up lan-ethernet
sleep 1
nmcli device status
nmcli connection show
ifconfig enp0s31f6

````

Solution 3

I think it is less intrusive to disable ip6 in the client file (edit client_conf_file.ovpn) that modify the kernel tcp stack.

Open your conf_file.ovpn and add follow lines:

#disable ipv6
#https://community.openvpn.net/openvpn/ticket/849
pull-filter ignore "ifconfig-ipv6 "
pull-filter ignore "route-ipv6 "

I tried it and after this the ipv6 disappears.

Before. I run ip a |grep global and result is:

    inet 192.168.43.39/24 brd 192.168.43.255 scope global dynamic noprefixroute wlan0
    inet 10.8.0.6/24 brd 10.8.0.255 scope global tun0
    inet6 2a00:1630:66:16::1004/64 scope global

After. I run ip a |grep global and result is:

    inet 192.168.1.14/24 brd 192.168.1.255 scope global dynamic noprefixroute wlan0
    inet 10.8.0.7/24 brd 10.8.0.255 scope global tun0

Solution 4

Edit the OpenVPN profile in NetworkManager, open the IPv6 tab and manually add a route:

Address: 2000 Prefix: 3 Gateway: 0100::1

2000::/3 captures all publicly routable IPv6 addresses. 0100::/64 prefix is a special prefix designated to discarding traffic. Essentially you'll be sending all IPv6 traffic to a gateway that doesn't exist.

Upside: easy and completely automatic.

Downside: some apps, namely command-line tools, may not fall-back to IPv4 as quickly as one would like when this method is used.

Solution 5

I'm on Ubuntu 16.04.03 LTS, connecting to a Pi-Hole server through PiVPN.

This is what I did to switch IPv6 automatically on and off when connecting to a VPN through the Network Manager:

Create a script in /etc/NetworkManager/dispatcher.d:

$ sudo vi /etc/NetworkManager/dispatcher.d/99vpn-ipv6-switch

Add the following content into the file (modify the contents for your requirements):

#!/bin/sh
# Network Manager Dispatcher Hook:
# enables/disables ipv6 on vpn-down/vpn-up respectively
#
# Copyright (c) 2017 ooknosi
# Apache License 2.0

# Args
INTERFACE="$1"
ACTION="$2"

case $ACTION in
    vpn-up)
    # vpn connected; disable ipv6
    sysctl -w net.ipv6.conf.all.disable_ipv6=1
    ### UNCOMMENT AND EDIT BELOW IF NECESSARY
    ## add pi-hole nameserver
    #echo -n "nameserver 192.168.1.1" | /sbin/resolvconf -a "tun0.openvpn"
    ### UNCOMMENT AND EDIT ABOVE IF NECESSARY
    ;;

    vpn-down)
    # vpn disconnected; enable ipv6
    sysctl -w net.ipv6.conf.all.disable_ipv6=0
    ### UNCOMMENT AND EDIT BELOW IF NECESSARY
    ## remove pi-hole nameserver
    #/sbin/resolvconf -d "tun0.openvpn"
    ### UNCOMMENT AND EDIT ABOVE IF NECESSARY
    ;;
esac

exit 0

Make the script executable:

$ sudo chmod 755 /etc/NetworkManager/dispatcher.d/99vpn-ipv6-switch

That's it. I had to manually add my Pi-Hole DNS because of a dnsmasq bug that prevents resolv.conf from being updated correctly, so modify the lines indicated if you find your DNS leaking.

View more solutions

64,114

Damn Terminal

Updated on September 18, 2022

Comments

Damn Terminal over 1 year

I'm using the OpenVPN client through the OpenVPN Network Manager plugin on a dual stack (meaning configured both for IPv4 and IPv6 connectivity) Ubuntu 13.10 to redirect all traffic through the VPN (redirect-gateway). It generally works fine.

However, due to the fact that IPv6 is preferred by the system, the VPN "leaks" and when connecting to sites that are also available over IPv6 (like Google, or Wikipedia), the browser connects directly.

One solution would be to configure the OpenVPN server to provide IPv6 connectivity. While possible with OpenVPN, the plugin for Network Manager currently doesn't support it.

Since IPv6 connectivity over the VPN is not strictly necessary, I'd like to simply disable IPv6 on the client when connecting to the OpenVPN server. Is it possible? If so, how can I do it?
- Admin about 10 years
  
  Your VPN isn't carrying IPv6 traffic also?
- Admin about 10 years
  
  Related: How do I run a script after OpenVPN has connected successfully?
- Admin about 10 years
  
  My VPN could well be carrying IPv6 traffic but Network Manager doesn't support IPv6 configuration currently for OpenVPN as far as I can tell.
- Admin over 7 years
  
  Just for the record, if your VPN provider is leaking like this, you need a new provider. There are plenty of them who get this right. IPv6 isn't going away, and disabling it is only going to cut you off from parts of the Internet.
- Admin over 7 years
  
  @MichaelHampton Sadly, it's my server. I am the provider in this case. It does support IPv6 but only comes with one /64 so I would need to splice it first which is a bit of a pain. More importantly (at the time, I haven't checked since) network manager had some troubles handling IPv6-enabled OpenVPN connections (IPv6 over VPN does however work with tap and bridged network setup which is what I use now).
- Admin over 7 years
  
  Aha. Mostly my comment was meant as a warning to others, who will buy OpenVPN service from public providers, and not realize the danger they are in until perhaps it's too late.
Damn Terminal about 10 years

Yeah, OK. But I want to disable IPv6 when connecting to the VPN using Network Manager, not kill it entirely on my system. Maybe I should have made it clearer.
Alexej Magura about 10 years

@DamnTerminal, so you only want to disable it when you're connected to your VPN, as in disabling it system-wide is fine, as long as it only happens while you're connected to your VPN?
Alexej Magura about 10 years

@DamnTerminal I updated my answer to include an example of how to disable ipv6 using a bash script that would check a condition. You probably could use NetworkManager's command-line interface: nmcli to check if your connected to your VPN; if that doesn't work then I'm sure there's a command-line net utility out there that will give access to that info.
Alexej Magura almost 7 years

Why the downvote?
Igor Mikushkin over 5 years

Unfortunately this solution does not re-enable IPv6 for WiFi properly. You need to reconnect to access point to enable it.
Igor Mikushkin over 5 years

Unfortunately it has no effect for VPN connections.
Igor Mikushkin over 5 years

Unfortunately this solution (sysctl) does not re-enable IPv6 for WiFi properly. You need to reconnect to access point to enable it.
Ian Petts about 4 years

This seems the best solution to me. Simply add two lines to your VPN config.
seanlano over 3 years

I've just done a similar thing with 20.04, it does the job (i.e. definitely no IPv6 "leaks"), but as mentioned in the comment above it does require reconnecting to the network (Wi-Fi or Ethernet) to re-enable IPv6 after disconnecting from the VPN. I suppose it might be possible to have the script bring down and restart the connection, but manually is enough for me for now.
John almost 3 years

So "ignore" did not work for me. I still got IPv6 addresses. However, using "link-local" worked for me, since the address I got was quite useless. After that connections to domain names have been established through IPv4 and hence through the IPv4-only VPN (vpnc). BTW: The setting can also be done in the Network Manager GUI.
Admin almost 2 years

@John: I tried link-local and that did not work for me. IPv6 connections still bypassed the VPN.