How To Pretect Against IPv6 Leakage in an IPv4 VPN Environment – Part 3 (Raspi VPN Gateway)

In the previous two parts on IPv6 leakage in IPv4-only VPN environments I’ve taken a look at how things can be fixed on the client side (part 1) and on the network side (part 2). While being at conferences and in hotels I often use a Raspberry Pi Wi-Fi VPN client gateway to connect all my Wi-Fi devices to the local network with a single sign-in. Once connected the Raspberry Pi then establishes a secure VPN connection that is then used by all my devices. In other words, the VPN tunnel is not established from my PC but from the gateway. The big question is, does IPv6 leakage occur here as well?

A gave it a quick try and everything is o.k. Per default, Raspian does not activate IPv6 at all. When activated manually (sudo modprobe ipv6) the Raspi will request an IPv6 address on the backhaul interface. If it gets one it doesn’t share it with the local Wi-Fi link to which all my devices are connected. In other words, no bridge is created, no IPv6 leakage can occur and any traffic to and from all local Wi-Fi devices pass through the VPN tunnel.

Good, one thing less to deal with…