this post was submitted on 05 Oct 2024

51 points (100.0% liked)

Linux

48186 readers

1970 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
No misinformation
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago

MODERATORS

nooter692@lemmy.ml

AgreeableLandscape@lemmy.ml

MarcellusDrum@lemmy.ml

cypherpunks@lemmy.ml

cyclohexane@lemmy.ml

d3Xt3r@lemmy.nz

Need help with NetworkManager, VPN and IPv6 (lemm.ee)

submitted 1 month ago by axzxc1236@lemm.ee to c/linux@lemmy.ml

18 comments fedilink hide all child comments

I was setting up my laptop for traveling and adding Wireguard VPN configuration.

The Wireguard config generated by router only contains IPv4 address (10.0.5.x), and while testing the VPN to my surprise "what is my ip" websites can find my IPv6 address (I USB tethered mobile connection to my laptop).

It looks like NetworkManager does nothing about IPv6 connection if VPN doesn't have IPv6 settings, which is bad for road warrior type of VPN configuration.

Is there an easy toggle to turn of IPv6 if VPN is connected and otherwise? Or is only option to disable all IPv6 no matter what?

all 20 comments

sorted by: hot top controversial new old

[–] axzxc1236@lemm.ee 3 points 1 month ago (1 children)

I tried the same setup with Ubuntu 24.04.1 desktop live system and I can replicate this IP leak issue, I guess I will have to disable IPv6.

[–] sunzu2@thebrainbin.org 2 points 1 month ago (1 children)

Disable in network manager?

[–] axzxc1236@lemm.ee 2 points 1 month ago

That is what I was thinking, yes.

[–] Supermariofan67@programming.dev 3 points 1 month ago

Best to set a firewall rule with nftables to block non-vpn traffic from leaving (you should also do the save for IPv4 traffic to prevent leaks in case the tunnel disconnects)

[–] cypherpunks@lemmy.ml 2 points 1 month ago* (last edited 1 month ago) (1 children)

You could edit your configuration to change the wireguard connection's AllowedIPs from 0.0.0.0/0 to 0.0.0.0/0,::/0 so that IPv6 traffic is routed over it. Regardless of if your wireguard endpoint actually supports it, this will at least stop IPv6 traffic from leaking.

[–] axzxc1236@lemm.ee 2 points 1 month ago (1 children)

Wireguard config already includes "::/0"

[–] cypherpunks@lemmy.ml 1 points 1 month ago

If you have ::/0 in your AllowedIPs and v6 connections are bypassing your VPN, that is strange.

What does ip route get 2a00:1450:400f:801::200e (an IPv6 address for google) say?

I haven't used wireguard with NetworkManager, but using wg-quick it certainly adds a default v6 route when you have ::/0 in AllowedIPs.

[+] LainTrain@lemmy.dbzer0.com -6 points 1 month ago* (last edited 1 month ago) (3 children)

I'd also like to know, is there a way to just turn off this ipv6 trashfire? Preferably in a universal, cross-distro way?

Seems like the most universal way is: GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 quiet splash"

[–] Supermariofan67@programming.dev 9 points 1 month ago (3 children)

Or you could just... learn to use the modern internet that 60% of internet traffic uses? Not everyone has a dedicated IPv4 anymore, we are in the days of mobile networks and CGNAT. IPv4 exhaustion is here today.

[–] cypherpunks@lemmy.ml 2 points 1 month ago (1 children)

Or you could just… learn to use the modern internet that 60% of internet traffic uses? Not everyone has a dedicated IPv4 anymore, we are in the days of mobile networks and CGNAT. IPv4 exhaustion is here today.

Where are you getting 60%? Google's IPv6 Adoption page has it under 50% still:

Screenshot of Google saying "IPv6 Adoption / We are continuously measuring the availability of IPv6 connectivity among Google users. The graph shows the percentage of users that access Google over IPv6." with a graph climbing from near 0% in 2008 to 45% in September 2024

(while other stats pages from big CDNs show even less)

[–] Supermariofan67@programming.dev 1 points 1 month ago (2 children)

Huh, I misremembered then. I stand corrected.

Notable though that there are specific countries (such as India) where adoption is far higher at 72%

[–] LainTrain@lemmy.dbzer0.com 1 points 1 month ago

Dunno why my comment was removed but I remarked that it's either fed to them as scraps or it's in use by scammers and bots.

[–] LainTrain@lemmy.dbzer0.com 2 points 1 month ago (1 children)

Idk why my comment was removed. I just said most internet traffic is chinese bots which are not sentient so they're okay with using IPv6 instead of IPv4 like people do.

IPv4 exhaustion is ofc a problem. But IPv6 discarding NAT is like throwing the baby out with the bathwater.

[–] Supermariofan67@programming.dev 1 points 1 month ago

Huh weird that it would be removed, that's a fair comment.

For Web scraping and other activities by so-called "legitimate" companies to varying degrees, this may be the case. But for general bots, they are generally attempting to scan and probe the entire IPv4 range, since it can be exhaustively checked in a reasonable amount of time and the majority of IPs have hosts on them. Enumerating the entire IPv6 space is quite literally impossible without some external list of hosts known to exist, due to the number of hosts. This happens, but it's a much higher hanging fruit for an attacker so far fewer will bother. So you generally see few to no continuous probes on things like sshd over IPv6 unless you have a domain name. I'm guessing a lot of bots (in botnets) are dumb old technology that doesn't even have IPv6.

NAT was always a hacky workaround. And although it effectively ends up functioning as a firewall under normal usage when combined with a typical "drop invalid incoming packets" rule, it was not designed to be a firewall and shouldn't be assumed to always function as one. A simple accept established, default drop firewall rule should do the trick and should be used on both v4 and v6 regardless of NAT (and probably is on your router already).

If your goal is privacy in the sense of blending in, you can still use NATv6 and this is a good use case for it. This is what VPNs like Mullvad use. If your goal is privacy in the sense of being more difficult to track across sessions, you can enable IPv6 privacy extensions which essentially generates a new IPv6 address for every connection your device makes. So in this sense it's more private than IPv4

[–] axzxc1236@lemm.ee 0 points 1 month ago* (last edited 1 month ago)

In my case just disable IPv6 in WiFi is enough.

sysctl looks like the most universal way.

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

[–] corsicanguppy@lemmy.ca 0 points 1 month ago (2 children)

I keep hoping someone will come up with a half-measure that looks like ipv4 with an extra octet and writable in hex.

Let people stew a bit on their 00c0a8011f IP which is like a 192.168.1.31 IP.
increment the big number. Oh shit, we've got lots.
repeat
start adding the cool parts of ipv6
moar
add a 00 to the end that old shit just skips
somewhere in there, switch the engine

We can either take yeeeears to do it well, or we can take more decades to try and big-bang it. This ain't 1983.

[–] cypherpunks@lemmy.ml 3 points 1 month ago

ipv4 with an extra octet

that was proposed as "IPv4.1" on April 1, 2011: https://web.archive.org/web/20110404094446/http://packetlife.net/blog/2011/apr/1/alternative-ipv6-works/

[–] LainTrain@lemmy.dbzer0.com 2 points 1 month ago

Hmm, how about we have public facing IPv6 to gateway and then NAT to IPv4 internally. I wouldn't have a problem with it then. In general I wouldn't even have a problem with IPv6 or v8 or whatever even internally as long as we'll always have NAT.