IPv6 Is Nice But It Circumvents My VPN Tunnel

I like IPv6 and I think it is going to be a big help in overcoming the problems NAT (Network Address Translation) causes for self-hosted services at home for the average user. But on the way to full IPv6 support there are a couple of pitfalls one needs to be aware of. When I am not at home I use an IPv4-based VPN tunnel back to my home network and from there to the Internet, to make sure Deep Packet Inspection and eavesdroppers on the Wi-Fi link are thoroughly frustrated. But if the local network supports IPv6, packets to and from IPv6-capable web sites do not go through the IPv4 VPN tunnel at all. They are exchanged directly between my computer and the web site, as I recently had to experience: the VPN only takes over the IPv4 default route, the IPv6 default route learned from the hotspot's router advertisements stays in place, and the operating system prefers native IPv6 whenever a site offers both. The clean fix is a VPN that tunnels both IPv4 and IPv6. Unfortunately, neither my VPN gateway at home nor my DSL line supports IPv6 yet, so the workaround for now is to switch IPv6 off on the Wi-Fi interface while the VPN is up (or to use a VPN client that blocks IPv6 on the physical interface for the duration of the session). Definitely a chink in the armor one has to be aware of.
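A quick way to check for exactly this leak on a Linux laptop is to look at the IPv6 default routes while the VPN is up: if any of them leaves via an interface other than the tunnel, IPv6 traffic bypasses the VPN. The following is an added example and not code from the original post. It parses the output of "ip -6 route show default"; the sample route line is constructed for illustration, and the interface names tun0 (VPN) and wlan0 (Wi-Fi) are assumptions.

```python
import re
import subprocess

# Constructed sample of `ip -6 route show default` on a laptop where an
# IPv4-only VPN is up on tun0 and the Wi-Fi interface (wlan0) has accepted a
# router advertisement from the hotspot. Not taken from any real machine.
SAMPLE_ROUTES = "default via fe80::1 dev wlan0 proto ra metric 600 pref medium\n"

DEV_RE = re.compile(r"\bdev\s+(\S+)")


def v6_leak_check(routes_text, vpn_if):
    """Classify the IPv6 default routes relative to the VPN interface.

    Returns a dict with
      status:  'none'     - no IPv6 default route, nothing can bypass the tunnel
               'tunneled' - every IPv6 default route leaves via vpn_if
               'leak'     - at least one IPv6 default route leaves elsewhere
      leaking: interfaces that carry a non-VPN IPv6 default route
    """
    devs = []
    for line in routes_text.splitlines():
        if not line.strip().startswith("default"):
            continue
        m = DEV_RE.search(line)
        if m:
            devs.append(m.group(1))
    leaking = sorted({d for d in devs if d != vpn_if})
    if not devs:
        status = "none"
    elif leaking:
        status = "leak"
    else:
        status = "tunneled"
    return {"status": status, "leaking": leaking}


def remedy_commands(leaking):
    """sysctl commands that switch IPv6 off on the leaking interfaces for the
    duration of the VPN session (addresses and routes on the interface are
    removed; set the knob back to 0 when the VPN goes down)."""
    return [f"sysctl -w net.ipv6.conf.{ifname}.disable_ipv6=1" for ifname in leaking]


def live_check(vpn_if="tun0"):
    """Run the check against the real routing table; None if `ip` is unavailable."""
    try:
        out = subprocess.run(["ip", "-6", "route", "show", "default"],
                             capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return v6_leak_check(out, vpn_if)


if __name__ == "__main__":
    result = v6_leak_check(SAMPLE_ROUTES, "tun0")
    print(result["status"], result["leaking"])   # leak ['wlan0']
    for cmd in remedy_commands(result["leaking"]):
        print(cmd)
```

Run it right after the VPN comes up; a status of "leak" means an IPv6-capable site will be reached around the tunnel, and the printed sysctl lines close that path until the tunnel is torn down again.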

IPv6, 6to4, Ubuntu and Windows 7

Last week I got a software update for my VDSL router at home which included IPv6 functionality. Very nice, so finally I could get some hands-on IPv6 experience. Here are some of my findings from this exercise:

6to4 Tunnel Setup on the VDSL Router

As my network provider does not yet offer IPv6 natively, I decided to activate the 6to4 tunnel option on the VDSL router. With 6to4 the router derives the prefix 2002:V4ADDR::/48 from its public IPv4 address (the 32 bits of the IPv4 address are embedded right behind the 2002: prefix) and advertises a /64 out of that space into the local network via Router Advertisements. Each IPv6-capable device in my home network then assigns itself a public IPv6 address out of that prefix with stateless autoconfiguration. Very easy to set up: nothing to do but configure the router and let my Windows 7 and Ubuntu machines grab IPv6 addresses automatically. Two caveats: 6to4 only works if the router's WAN address is a real public IPv4 address (not an RFC 1918 or carrier-grade NAT address), and traffic to native IPv6 hosts is carried over public 6to4 relays that nobody guarantees, which is why the anycast relay mechanism was later deprecated (RFC 7526).
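The prefix arithmetic is simple enough to do by hand, but it is also worth seeing the reverse direction: every 6to4 address hands the router's public IPv4 address to whoever sees it. The following is an added example, not code from the original post; 203.0.113.5 is an RFC 5737 documentation address standing in for a real WAN address, and the subnet id the router picks for the LAN is an assumption.

```python
import ipaddress

# Address ranges that cannot be the WAN address of a 6to4 router: behind
# RFC 1918 NAT or carrier-grade NAT the 2002: prefix would embed a
# non-routable address and nothing could send packets back to the endpoint.
NOT_USABLE_FOR_6TO4 = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                   # carrier-grade NAT
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")


def six_to_four_prefix(public_ipv4):
    """Return the 2002:V4ADDR::/48 prefix a 6to4 router derives from its
    public IPv4 address (RFC 3056 section 2)."""
    v4 = ipaddress.IPv4Address(public_ipv4)
    if any(v4 in net for net in NOT_USABLE_FOR_6TO4):
        raise ValueError(f"{v4} is not a public address, 6to4 cannot work behind NAT")
    hi, lo = int(v4) >> 16, int(v4) & 0xFFFF
    return ipaddress.IPv6Network(f"2002:{hi:x}:{lo:x}::/48")


def lan_prefix(public_ipv4, subnet_id=1):
    """The /64 the router advertises on a LAN: one of the 65536 subnets of the
    /48, chosen by a 16-bit subnet id (the router's choice; 1 is assumed here)."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet id must fit in 16 bits")
    prefix = six_to_four_prefix(public_ipv4)
    return ipaddress.IPv6Network((int(prefix.network_address) | (subnet_id << 64), 64))


def embedded_ipv4(addr):
    """The IPv4 address embedded in a 6to4 address, or None for any other
    address. This is what every peer learns from a 6to4 address: the public
    IPv4 address of your router, and with it your whole /48."""
    a6 = ipaddress.IPv6Address(addr)
    if a6 not in SIX_TO_FOUR:
        return None
    # 16 bits of 2002: prefix, then 32 bits of IPv4, then 80 bits of subnet + host
    return ipaddress.IPv4Address((int(a6) >> 80) & 0xFFFFFFFF)


if __name__ == "__main__":
    print(six_to_four_prefix("203.0.113.5"))                        # 2002:cb00:7105::/48
    print(lan_prefix("203.0.113.5"))                                 # 2002:cb00:7105:1::/64
    print(embedded_ipv4("2002:cb00:7105:1:211:22ff:fe33:4455"))     # 203.0.113.5
```

Two things follow for the home network: the /48 changes whenever the DSL line gets a new IPv4 address (so do not hard-code 6to4 addresses anywhere), and a host's 6to4 address reveals the router's public IPv4 address to every server it talks to, which is something a plain NATed IPv4 client never hides either, but is easy to forget once the address looks like "just IPv6".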

IPv6 Firewalling

As the local machines now have public IPv6 addresses they can be reached by any node on the Internet. Since this is a security risk for hosts that were previously shielded by NAT, the VDSL router also has a built-in IPv6 firewall: unsolicited incoming IPv6 packets are discarded unless a rule in a configuration table allows them, while replies to connections opened from the inside are let through. In effect this is a similar scheme to the individual incoming port forwarding of traditional IPv4 NAT (Network Address Translation) but with fewer potential application issues, as IP addresses and TCP/UDP ports don't have to be mapped; a rule simply names the internal host's IPv6 address and port. One thing such a firewall must not do is drop ICMPv6 wholesale: Neighbor Discovery, Router Advertisements and Packet Too Big messages (path MTU discovery, since IPv6 routers do not fragment) are needed for IPv6 to work at all.

Allow IPv6 use in Firefox again

You might remember that some time ago I wrote a post on how to disable IPv6 DNS lookups in Firefox (the network.dns.disableIPv6 setting in about:config) to speed up web page loading times. For details see here. Obviously this setting has to be reverted (set back to false) once you have real IPv6 connectivity and want to make use of it, otherwise Firefox never asks for AAAA records and keeps using IPv4.

Ubuntu – Activate IPv6 Privacy Extensions

Strangely enough, unlike Windows 7, Ubuntu does not have the IPv6 privacy extensions (RFC 4941) enabled by default. Without them, the host part of a stateless autoconfigured address is a modified EUI-64 derived from the interface's MAC address, so a device carries the same identifier wherever it goes and can be tracked across networks and over days. With the feature, the host regularly generates an additional temporary address with a random host part and uses it as the source address for outgoing connections; the value 2 below means "generate temporary addresses and prefer them", 1 would only generate them. The stable EUI-64 address stays configured and remains reachable, which is fine for a server but is the reason the temporary one has to be preferred for client use. To enable the feature, the following two lines need to be added to /etc/sysctl.conf to activate it for the Wi-Fi (wlan0) interface (the "default" line covers interfaces that appear later; apply with "sudo sysctl -p" or reboot). On newer Ubuntu releases NetworkManager sets use_tempaddr itself for the connections it manages (ipv6.ip6-privacy in the connection profile) and can override the sysctl value:

net.ipv6.conf.default.use_tempaddr=2
net.ipv6.conf.wlan0.use_tempaddr=2

To see the privacy extensions in action, i.e. to verify that the interface now has several global IPv6 addresses, the "ip -6 addr" command is quite helpful: the temporary addresses are flagged "temporary", while the EUI-64 one has ff:fe in the middle of its host part.
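To make the tracking problem concrete, the following added example (not code from the original post) reads "ip -6 addr" output, tells temporary addresses from EUI-64 ones, and recovers the MAC address from an EUI-64 host part, which is exactly what any web server could do with your address if privacy extensions were off. The sample output, prefix and MAC address are constructed for the example.

```python
import re
import ipaddress

# Constructed sample of `ip -6 addr show dev wlan0` after use_tempaddr=2 took
# effect: one temporary address, one stable SLAAC (EUI-64) address and the
# link-local address. The prefix and the MAC are made up for this example.
SAMPLE_IP6_ADDR = """\
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2002:cb00:7105:1:9d4a:1c7b:2e33:a0f1/64 scope global temporary dynamic
       valid_lft 604442sec preferred_lft 85442sec
    inet6 2002:cb00:7105:1:211:22ff:fe33:4455/64 scope global dynamic mngtmpaddr
       valid_lft 2591942sec preferred_lft 604742sec
    inet6 fe80::211:22ff:fe33:4455/64 scope link
       valid_lft forever preferred_lft forever
"""

INET6_RE = re.compile(r"^\s*inet6\s+([0-9a-fA-F:]+)/\d+\s+scope\s+(\S+)(.*)$")


def mac_from_eui64(addr):
    """Return the MAC address a modified EUI-64 interface identifier was derived
    from (RFC 4291 appendix A), or None if the host part is not EUI-64 shaped.
    (A random host part matches the 0xfffe marker with probability 1/65536.)"""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    if (iid >> 24) & 0xFFFF != 0xFFFE:   # 0xfffe sits between the two MAC halves
        return None
    b = iid.to_bytes(8, "big")
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]   # undo the flipped universal/local bit
    return ":".join(f"{x:02x}" for x in mac)


def audit_addresses(ip6_addr_text):
    """Classify every global address in `ip -6 addr` output as 'temporary'
    (privacy extension), 'eui64' (exposes the MAC) or 'stable' (anything else,
    e.g. a manually configured address)."""
    result = []
    for line in ip6_addr_text.splitlines():
        m = INET6_RE.match(line)
        if not m or m.group(2) != "global":
            continue
        addr, flags = m.group(1), m.group(3).split()
        if "temporary" in flags:
            kind = "temporary"
        elif mac_from_eui64(addr):
            kind = "eui64"
        else:
            kind = "stable"
        result.append((addr, kind))
    return result


def privacy_active(ip6_addr_text):
    """True when at least one global temporary address exists, i.e. use_tempaddr
    is in effect on that interface (with 2 it is also the preferred source)."""
    return any(kind == "temporary" for _, kind in audit_addresses(ip6_addr_text))


if __name__ == "__main__":
    for addr, kind in audit_addresses(SAMPLE_IP6_ADDR):
        mac = mac_from_eui64(addr)
        print(f"{addr:42} {kind:9} {'MAC ' + mac if mac else ''}")
    print("privacy extensions active:", privacy_active(SAMPLE_IP6_ADDR))
```

Feed it the real output with something like audit_addresses(subprocess.check_output(["ip", "-6", "addr"], text=True)) after the sysctl change; if the only global address on wlan0 is still reported as eui64, the setting has not taken effect (or NetworkManager has overridden it).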

Ubuntu – Prefer an IPv6 address of a 6to4 tunnel over IPv4

Another thing that stands in the way of using IPv6 is that addresses out of 6to4 tunnels are recognizable by their 2002::/16 prefix, and the default address selection policy (RFC 3484) treats them specially. Which destination a host tries first is decided by a policy table, and rule 5 ("prefer matching label") is evaluated before rule 6 ("prefer higher precedence"): an IPv4 destination and an IPv4 source share label 4, but a native IPv6 destination has label 1 while a 6to4 source address has label 2. So in case a website offers both IPv4 and IPv6 connectivity, IPv4 is preferred by the operating system. This makes sense as the IPv6 packet is tunneled and hence the performance of IPv4, which is not tunneled, is likely to be better. However, there is a way to change this preference and make IPv6 addresses of 6to4 tunnels preferable to IPv4 addresses: give 6to4 addresses the same label as native IPv6. In glibc this is done by uncommenting the following lines in /etc/gai.conf (as soon as one label line is active, the uncommented lines replace the built-in label table completely, which is why every line except the 2002::/16 one has to be uncommented):

label ::1/128       0
label ::/0          1
#label 2002::/16    2
label ::/96         3
label ::ffff:0:0/96 4
label fec0::/10     5
label fc00::/7      6
label 2001:0::/32   7

Ensure that the label line for 2002::/16 remains commented; that is what makes 6to4 addresses fall under ::/0 and get label 1 like native IPv6. Afterwards the applications have to be restarted, since glibc reads gai.conf when a process first resolves a name; a reboot does the job for everything at once. For details see RFC 3484 section 2.1 (Policy Table). Note that RFC 6724, which has since replaced RFC 3484, deliberately raises the precedence of IPv4 (::ffff:0:0/96) above 6to4 and Teredo, so on newer systems the same edit is still needed if you want 6to4 to win.

Windows – Prefer an IPv6 address of a 6to4 tunnel over IPv4

The same preference of IPv4 over 6to4 IPv6 applies to Windows 7 as well. Here is how to change it from an administrator command prompt (the prefix policy table is the Windows counterpart of gai.conf; a netsh change takes effect immediately and survives reboots):

1. Start -> Run -> "cmd" (run as administrator) -> "netsh" -> "interface" -> "ipv6"
2. To set IPv6 (6to4) as the preferred protocol on Microsoft Windows:

set prefix 2002::/16 30 1

--> Only the 2002::/16 entry of the prefix policy table is changed: its precedence stays at 30 and its label becomes 1, the label of native IPv6, so rule 5 of RFC 3484 no longer favours IPv4. "show prefixpolicies" in the same netsh context displays the current table.

3. To go back to the original behaviour (IPv4 preference):

set prefix 2002::/16 30 2
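To see why both the gai.conf edit and the netsh command change the outcome, here is an added example (not code from the original post) that replays RFC 3484 destination selection rules 5 and 6 over three label tables: the default one, the one that results from the gai.conf edit above, and the one the netsh command produces. The site and client addresses are constructed documentation addresses; the source selection is simplified to "same address family, then matching label", and the other RFC 3484 rules are left out.

```python
import ipaddress

# Label table glibc uses when /etc/gai.conf has no active label line
# (RFC 3484 section 2.1 plus glibc's site-local, ULA and Teredo entries).
DEFAULT_LABELS = [
    ("::1/128", 0), ("::/0", 1), ("2002::/16", 2), ("::/96", 3),
    ("::ffff:0:0/96", 4), ("fec0::/10", 5), ("fc00::/7", 6), ("2001:0::/32", 7),
]
# Default precedence table. The gai.conf edit does not touch it: label
# lines only replace the label table.
DEFAULT_PRECEDENCE = [
    ("::1/128", 50), ("::/0", 40), ("2002::/16", 30), ("::/96", 20), ("::ffff:0:0/96", 10),
]
# Exactly the label lines left uncommented in gai.conf: no 2002::/16 entry,
# so 6to4 addresses fall under ::/0 and get label 1 like native IPv6.
GAI_CONF_LABELS = [entry for entry in DEFAULT_LABELS if entry[0] != "2002::/16"]
# What "set prefix 2002::/16 30 1" does on Windows: the entry stays,
# precedence 30, but now with label 1.
NETSH_LABELS = [(p, 1 if p == "2002::/16" else l) for p, l in DEFAULT_LABELS]


def lookup(addr, table):
    """Longest-prefix match of addr in a (prefix, value) policy table."""
    best_len, best_val = -1, None
    for prefix, value in table:
        net = ipaddress.IPv6Network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_val = net.prefixlen, value
    return best_val


def choose_source(dest, sources, labels):
    """Simplified source selection: same family as the destination (IPv4-mapped
    vs. native IPv6), then prefer a source whose label matches the destination."""
    candidates = [s for s in sources if (s.ipv4_mapped is None) == (dest.ipv4_mapped is None)]
    if not candidates:
        return None
    for s in candidates:
        if lookup(s, labels) == lookup(dest, labels):
            return s
    return candidates[0]


def order_destinations(dests, sources, labels, precedence):
    """Sort destinations the way RFC 3484 section 6 rules 5 and 6 do: a
    destination whose label matches its source's label wins (rule 5), ties are
    broken by higher precedence (rule 6). IPv4 addresses are given as
    IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) and printed back as IPv4."""
    def rank(dest):
        src = choose_source(dest, sources, labels)
        label_match = src is not None and lookup(src, labels) == lookup(dest, labels)
        return (label_match, lookup(dest, precedence))
    return [str(d.ipv4_mapped or d) for d in sorted(dests, key=rank, reverse=True)]


# Constructed scenario: a dual-stack web site at 2001:db8::1 / 198.51.100.1
# (documentation addresses) seen from a host that has a 6to4 address and a
# private IPv4 address. None of these are the author's real addresses.
SITE = [ipaddress.IPv6Address("2001:db8::1"),
        ipaddress.IPv6Address("::ffff:198.51.100.1")]
MY_ADDRESSES = [ipaddress.IPv6Address("2002:cb00:7105:1::10"),
                ipaddress.IPv6Address("::ffff:192.168.1.2")]

if __name__ == "__main__":
    for name, labels in (("default", DEFAULT_LABELS), ("gai.conf", GAI_CONF_LABELS),
                         ("netsh", NETSH_LABELS)):
        print(f"{name:9}", order_destinations(SITE, MY_ADDRESSES, labels, DEFAULT_PRECEDENCE))
```

With the default table the IPv4 destination comes first because it is the only one whose label (4) matches its source; with either modified table both destinations have matching labels and rule 6 picks the native IPv6 address (precedence 40 over 10). Replacing DEFAULT_PRECEDENCE with RFC 6724's values (IPv4 at 35) gives the same result, which is why the edit still matters on newer systems.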

Firefox Add-On to Show IPv6 in Action

The best way to monitor IPv6 in action is of course to use Wireshark. But in case it is not running all the time while you experiment and you just want to know when IPv6 is used while web browsing, the “ShowIP” add-on for Firefox is most helpful as it shows the IPv4 or IPv6 address from which the current web page was delivered.

There you go, I hope you'll find this helpful. And for a general introduction to IPv6, I wrote a four-part intro some time ago. For details see here, here, here and here.