PIA OpenVPN IPV6 selective block?



  • Hey, so I got my PIA and everything working just fine so far. I have a small range on my subnet 10.10.10.90-10.10.10.99 that are routed through the VPN. It seems to work just fine but as you might be able to tell, IPV6 is still being sent around the VPN for those clients. I know, normally you would just disable IPV6 entirely and certainly would do so but for one issue. My wife works from home so stability is KEY here. Unbeknownst to me, my wife's work systems and their own software connect to their VOIP and intranet services through IPV6. If she could be on her own port on a managed switch, I would just give her her own VLAN and block IPV6 traffic altogether on the other ports. What would be awesome is if I could somehow only block IPV6 on clients that are currently passing traffic through the VPN. I know this is a long shot in general here but this would be ideal. It also seems I can't use anything but IPs as aliases so it's not like I can just make some rule somewhere to not block IPV6 when it comes from a specific MAC address as a blacklist, which would be fine if I could. Or even block all IPV6 unless it is specifically her machine.

    I am a little stumped here. I would consider my skills with pfSense to be below average due to nothing but a sheer lack of knowledge but I am learning. If there is a way to do what I would like to do or if any of you people smarter than I have any suggestions, please, fill me in.



  • Why would you want to block IPv6?  It's the way the Internet is going.  If it's available, why not just use it?



  • @JKnott:

    Why would you want to block IPv6?  It's the way the Internet is going.  If it's available, why not just use it?

    Because I don't like the idea of presenting my vital bits to my ISP is one reason, especially after Ajit Pai got ahold of things. I find it morally wrong for ISPs to inject ads, log or otherwise alter my traffic in ANY way, changing the content I consume. If they can use it, they will abuse it and have proven they are more than happy to. Lots and lots of reasons actually and VPN providers just don't support IPV6 right now. Since it routes right around the VPN, that's pretty unacceptable for any kind of general internet use. Now, the second there is a good VPN service that both supports IPV6 and also has the feature set I require, this would then become a non-issue.



  • Because I don't like the idea of presenting my vital bits to my ISP is one reason, especially after Ajit Pai got ahold of things. I find it morally wrong for ISPs to inject ads, log or otherwise alter my traffic in ANY way, changing the content I consume. If they can use it, they will abuse it and have proven they are more than happy to.

    What does any of that have to do with IPv6?  What vital bits?  With IPv6, you use a firewall, just as with IPv4.  Also, normal practice on IPv6 is to use privacy addresses for outgoing connections.  These are addresses that change daily and have no identifiers that tie them to specific hardware.

    The world is moving to IPv6 and it's long overdue.  Hiding from it won't solve anything, but will make the address shortage on IPv4 worse.



  • I don't think you read my OP very thoroughly. I pretty specifically laid it all out as to why I want this. It's not a matter of hating on IPV6 or not wanting to ever use it, only that in its current form my privacy and security cannot be protected with IPV6 like it can with IPV4. The second that changes I will be the first to jump on using it but not until then. IPV6 isn't the problem, VPN providers not supporting it is. I think it's pretty self-explanatory.