Prevent leaking of IPv6 and DNS



  • I'm using pfSense as an OpenVPN client for strongVPN. Everything works fine with two exceptions:

    1.  While connected to StrongVPN, if I do a check of my IP via one of the many sites to verify my external IP, my IPv4 IP shows the StrongVPN IP, but my real IPv6 IP leaks through.  I've tried checking the box to disable IPv6 in the OpenVPN client configuration screen, but that seems to have no impact.

    How can I prevent my IPv6 IP from leaking through my VPN connection to StrongVPN?

    2.  My DNS is also leaking through my StrongVPN connection. What can I do to prevent this?

    In terms of my configuration:

    I have my StrongVPN connection set up as a gateway.

    I have an alias set up for specific hosts that I want to connect through my StrongVPN connection and then have a LAN firewall rule that sets the gateway for those hosts to the StrongVPN connection.

    I'm using the pfSense DNS Resolver with no specific DNS servers configured.

    I'm glad to post additional configuration details to assist but would need some guidance as to what details would be relevant.


  • LAYER 8 Global Moderator

    So you don't want to use IPv6?  Both Linux and Windows, if they have an IPv6 address, will prefer that.  And guessing your policy-based routing is not sending all your IPv6 traffic down the tunnel..

    If you're not wanting/using IPv6, why don't you just disable it completely?  Make sure pfSense doesn't get any IPv6 from your ISP, and disable it on the machines on your network.  If you don't want Windows to do IPv6, just put in the reg key; this will get rid of all the Teredo and 6to4 crap as well

    elevated prompt
    reg add hklm\system\currentcontrolset\services\tcpip6\parameters /v DisabledComponents /t REG_DWORD /d 255
    reboot

    put it back to how it was

    elevated prompt
    reg delete hklm\system\currentcontrolset\services\tcpip6\parameters /v DisabledComponents /f
    reboot

    Linux can be a bit more tricky to actually disable, but it doesn't do all the nonsense Windows does with 3 different types of tunneling IPv6 over IPv4

    As to your DNS leakage..  I really really don't see how using a resolver is an issue; you're not sending your DNS to your ISP, you're not sending it to Google DNS, etc..  So are you worried your ISP is sniffing your DNS queries to the root servers and authoritative servers for what you're looking up?  Seems like a pretty tight tinfoil hat..



  • Thanks for the fast reply.

    I want to use IPv6, but I don't want that to compromise the privacy of the hosts that use the VPN connection as their gateway.  Is that possible?

    As for the DNS, I see what you're saying and it makes sense. The concern I have is that when using those DNS leak tests, it's able to resolve my WAN IP. So, for the hosts using the VPN connection, shouldn't they use the VPN's DNS servers?


  • LAYER 8 Global Moderator

    But your hosts are not using DNS through the tunnel; they are using pfSense.  pfSense is not sending the resolver traffic through the tunnel; it's just sending it out your WAN.

    As to sending your IPv6 traffic through a tunnel.. Yeah, how are you going to do that?  Your clients, or pfSense, would have to have an IPv6 address from the tunnel connection, and then you would have to route IPv6 through the tunnel.. That gets tricky because your client doesn't have an IP from the IPv6 tunnel; it has whatever IPv6 address you're getting from your ISP, and to send it down the tunnel you would have to NAT your ISP IPv6 to the tunnel IPv6.

    If you're worried about this sort of thing, then you're going to have to have your clients connect directly to the VPN, and let them use the IPv6 they get from the VPN for IPv6 connectivity, not your ISP IPv6.

    I really don't understand the privacy concerns of a place you're going knowing what IP you're coming from..  So what if they know you're in the US and using ISP XYZ..  Most likely you're logged into their site anyway - did you just make up shit for the account that you log in with?

    VPNs provide a couple of things.  Yes, they can hide your traffic from the local network, say a wifi network you're on where it's possible there are hostiles.  You could hide the traffic from your ISP.  It makes for an easy way to circumvent geographic restrictions, since you can make it look like you're coming from country X while you're really in country Y.

    But what exactly are your privacy concerns with?  Your ISP, the websites you're hitting knowing what about you??  Why are you worried that your ISP knows you looked up www.pfsense.org?  I don't really get all the concern over DNS leaks..  What do you think someone is doing with this info exactly?  So you don't trust your ISP, but you trust this VPN service that is selling you a lifetime subscription, or 2 years for $5, etc.  How do you know they are not selling their users' habits to the highest bidder?

    Most of the internet is encrypted these days anyway.  I am sitting here on pfSense via HTTPS.. My ISP doesn't know that I am typing here, for example..

    To be honest, imho all the VPN services for "privacy" reasons are just a bunch of hype to get users to pay for VPN services that serve no real purpose other than to slow down your connectivity and maybe let you watch the Netflix US library vs their CA one, etc..

    Explain what you're wanting to hide and from whom, and we can figure out if it's possible and how best to do it.  But off the cuff, maybe you should just adjust the fit of the tinfoil hat ;)



    But your hosts are not using DNS through the tunnel; they are using pfSense.  pfSense is not sending the resolver traffic through the tunnel; it's just sending it out your WAN.

    Yes, I know, and this is what I want to change. I want the VPN clients (and only the VPN clients) to send their DNS queries down the tunnel to the VPN provider.

    As for IPv6, I only want to prevent VPN clients, as defined by their alias, from getting or using IPv6.
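One way to express the two requirements from this last post in pf rule syntax (the packet filter underneath pfSense), added here as an illustration that is not from this thread, from Netgate, or from StrongVPN: the interface names, the tunnel gateway and resolver addresses, and the alias members are all assumed placeholders, and the alias is assumed to list both the IPv4 and IPv6 addresses of the VPN hosts.

```pf
# Constructed example; every interface name and address below is a placeholder.
lan_if  = "igb1"        # assumed LAN interface
vpn_if  = "ovpnc1"      # assumed OpenVPN client interface
vpn_gw  = "10.8.0.1"    # assumed far end of the tunnel (the VPN gateway)
vpn_dns = "10.8.0.1"    # assumed VPN provider resolver, reachable only through the tunnel

# The alias from the question: the hosts that must use the VPN. It has to carry each
# host's IPv6 address as well, otherwise the inet6 block below cannot match them.
table <vpn_hosts> { 192.168.1.50, 192.168.1.51, 2001:db8:1::50, 2001:db8:1::51 }

# IPv6 requirement: VPN hosts get no IPv6 at all. Dropped on the LAN side, before any
# routing decision, so nothing from them can leave over the ISP's IPv6 path.
# "return" rejects instead of silently dropping, so clients fall back to IPv4 quickly.
block return in quick on $lan_if inet6 from <vpn_hosts> to any

# DNS requirement: port 53 from VPN hosts is rewritten to the provider's resolver, so it
# never reaches the pfSense DNS Resolver (whose own queries go out the WAN). This also
# catches queries addressed to pfSense's LAN IP, the address DHCP normally hands out.
rdr on $lan_if proto { tcp, udp } from <vpn_hosts> to any port 53 -> $vpn_dns port 53

# Everything the VPN hosts send, the redirected DNS included, is policy-routed into the
# tunnel. Because rdr runs before filtering, this rule sees the rewritten destination.
pass in quick on $lan_if inet route-to ( $vpn_if $vpn_gw ) from <vpn_hosts> to any keep state

# Fail closed: if the rule above is ever absent (for example skipped because the tunnel
# gateway is down), VPN-host traffic is rejected rather than falling back to the WAN.
block return in quick on $lan_if from <vpn_hosts> to any
```

The remaining caveat from the moderator's reply still applies: the resolver address must be one the provider serves through the tunnel, and the hosts' IPv6 addresses change if the ISP prefix does, so an alias of static entries needs maintaining.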

