Netgate Discussion Forum

    V2.4.2 - IPv6 Leak using OpenVPN - PIA (Private Internet Access)

    General pfSense Questions
      securedspace

      Hello,

      First post - I bought a new Protectli box to install pfSense on for the first time. I installed the newest version, 2.4.2, and am setting it up. I wasn't able to get PIA's instructions to work properly since it seems that their screenshots were from an older version of pfSense.

      Specifically of concern is that their version of pfSense has an option to disable IPv6 from the OpenVPN configuration. That doesn't appear in v2.4.2, or if it does, the wording has changed and I don't see it.

      I was able to connect to the VPN over pfSense; however, when I went to an IPv6 site, whatismyip dot com, it was able to see my true home IP address. However, IPv4-based sites did show my PIA VPN IP.

      PIA discusses IPv6 leakage as a problem and claims that IPv6 is too expensive and too new to bother supporting. PIA is the first and only VPN I have used for the last few years, and I don't know if any other VPN providers are offering IPv6 or if PIA is being cheap. PIA does offer IPv6 leak protection if using their proprietary application; however, my goal with buying the Protectli box was to set up pfSense to be my VPN for all outbound traffic.

      Please advise if there is a setting to block IPv6 - my search results of the forum here just showed several very old posts that were not helpful. Or is the recommendation that I either change VPN providers, downgrade pfSense software, or return the Protectli box if it's just not possible to protect against IPv6 leaks?

      Thanks so much in advance for any help.

        jamesonp

        Why not just disable IPv6 on your WAN and LAN interface?

          Derelict LAYER 8 Netgate

          If you don't want IPv6, disable it or block it.

          If you don't want it on a specific host that gets routed to PIA or something, disable IPv6 on that host.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

            securedspace

            @jamesonp:

            Why not just disable IPv6 on your WAN and LAN interface?

            That sounds like a great idea! Can you walk me through where that option exists?

              Derelict LAYER 8 Netgate

              Interfaces > WAN

              Interfaces > LAN

              IPv6 Configuration Type: None

                securedspace

                @Derelict:

                Interfaces > WAN

                Interfaces > LAN

                IPv6 Configuration Type: None

                That seems to have worked! At least with respect to making that one IPv6 website display my PIA VPN. I assume that the website preferentially loads with IPv6 but if that's not available, it will force IPv4. I only have a basic understanding of networking though.

                I did have to disable the IPv6 DHCP service that was running before it let me disable the LAN IPv6, but that only took me a second to figure out where it was.

                Anything else I should try to ensure IPv6 isn't leaking my real IP?

                  Derelict LAYER 8 Netgate

                  It is up to the client whether it uses IPv4 or IPv6 when it thinks it has IPv6 connectivity and both AAAA and A records to choose from.

                  With IPv6 disabled on WAN I can't see anything else helping more.

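
A follow-up check for the question asked in this thread, as an added example that is not part of any poster's reply: it parses ifconfig-style output from a LAN client and reports interfaces that still hold a global unicast IPv6 address, the condition under which a dual-stack client can pick an AAAA destination outside an IPv4-only tunnel. The interface names and addresses are constructed, with the documentation prefix 2001:db8::/32 standing in for an ISP-assigned prefix.

```python
import ipaddress
import re

# Global unicast space; link-local (fe80::/10), ULA (fc00::/7) and ::1 fall outside it.
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")
IFACE_RE = re.compile(r"^([A-Za-z0-9_.]+):\s")          # "em0: flags=..."
INET6_RE = re.compile(r"^\s+inet6\s+([0-9A-Fa-f:.]+)")  # stops at %zone or /len


def global_v6_addresses(ifconfig_text):
    """Return {interface: [global IPv6 addresses]} from ifconfig-style output."""
    found, iface = {}, None
    for line in ifconfig_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = INET6_RE.match(line)
        if not m or iface is None:
            continue
        try:
            addr = ipaddress.IPv6Address(m.group(1))
        except ValueError:
            continue  # unparsable token, ignore rather than guess
        if addr in GLOBAL_UNICAST:
            found.setdefault(iface, []).append(str(addr))
    return found


# Constructed sample: a LAN client while the router still hands out IPv6.
BEFORE = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 192.168.1.50 netmask 0xffffff00 broadcast 192.168.1.255
\tinet6 fe80::a00:27ff:fe4e:66a1%em0 prefixlen 64 scopeid 0x1
\tinet6 2001:db8:10:1:a00:27ff:fe4e:66a1 prefixlen 64 autoconf
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
\tinet6 ::1 prefixlen 128
"""
# Constructed sample: the same client once only link-local and loopback remain.
AFTER = "\n".join(l for l in BEFORE.splitlines() if "2001:db8" not in l)

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        hits = global_v6_addresses(text)
        print(label, "->", hits or "no global IPv6 address")
```

A link-local address remaining on the interface is expected and is not reported, since it is not routable beyond the local segment.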