Orbi OpenVPN server leaks IPv6

Question

Hi folks.Again a bit more special topic from my side. I've been struggling with the OpenVPN setup of Orbi for quite some time and now finally got fed up with the IPv6 traffic leaking, which makes me temporarily disable IPv6 on the client side as I've been unable to figure out another way around the problem.Anyway. Server side problem description and solution is explained fairly well here:https://www.sindastra.de/p/807/quickly-kill-ipv6-leaks-on-your-openvpn-server/Now. I'm not sure if there is any free of charge way to sugges this configuration change to Netgear, if there is, feel free to instruct how to do it?Otherwise I'm also open for any other workaround suggestions than disabling IPv6 completely on the client side?Anyway, as IPv6 is actually very common nowadays, this is really a pain.Thanks.

CrimpOn · Answer

Surffa&nbsp;wrote:Anyway. Server side problem description and solution is explained fairly well here:https://www.sindastra.de/p/807/quickly-kill-ipv6-leaks-on-your-openvpn-server/Now. I'm not sure if there is any free of charge way to sugges this configuration change to Netgear, if there is, feel free to instruct how to do it?Otherwise I'm also open for any other workaround suggestions than disabling IPv6 completely on the client side?What about BugBounty?https://bugcrowd.com/netgear&nbsp;Or, send a private message to one of the forum moderators, who could forward it to Netgear engineering?&nbsp;Although this may be "obvious", I am confused about which client addresses are being leaked.OpenVPN on the Orbi is a "server", so the clients are computers that tunnel through the VPN to reach the Orbi.How does anything about such devices reach the internet?

Surffa · Answer

Thanks for your reply. Let's see if I could work from there.

Anyway, yes, I was also puzzled how that leaking happens. It's not exactly what I expected. But it appears that the at least in this specific case Orbi that I use is connected to network where there is no IPv6 available, although I'm not sure if Orbi woul utilize IPv6 for OpenVPN anyway. Client then is in IPv4/v6 dual stack network and Orbi server config is configured to take all the client traffic.

How the problem is then visible, is easy. All the connections to hosts that do have an IPv6 address get contacted through IPv6 directly and not through the OpenVPN tunnel that would be obviously IPv4 only connection. I haven't studied if this affects servers that are IPv6 only or if it's enough that an AAAA entry exists for a domain name in parallel. One can reproduce this by accessing one of those "What's my IP address"-sites that is IPv6 capable or like in my case some IPv6 video streaming site that applies stricts regional restrictions.

Surffa · Answer

Btw. For the completeness, it appears to happen with Win10 client, but right now it seems that Android is not affected. Anyway, problematic enough either way.

CrimpOn · Answer

Surffa&nbsp;wrote:Thanks for your reply. Let's see if I could work from there.Anyway, yes, I was also puzzled how that leaking happens. It's not exactly what I expected. But it appears that the at least in this specific case Orbi that I use is connected to network where there is no IPv6 available, although I'm not sure if Orbi woul utilize IPv6 for OpenVPN anyway. Client then is in IPv4/v6 dual stack network and Orbi server config is configured to take all the client traffic.How the problem is then visible, is easy. All the connections to hosts that do have an IPv6 address get contacted through IPv6 directly and not through the OpenVPN tunnel that would be obviously IPv4 only connection. I haven't studied if this affects servers that are IPv6 only or if it's enough that an AAAA entry exists for a domain name in parallel. One can reproduce this by accessing one of those "What's my IP address"-sites that is IPv6 capable or like in my case some IPv6 video streaming site that applies stricts regional restrictions.(IPv6 is turning out to be SO complicated!)...&nbsp; So, I am sitting in an airport with my Windows PC. Connect to their WiFi and create an OpenVPN connection to my Orbi.&nbsp; My Orbi OpenVPN is set to "LAN Plus Internet".&nbsp; I open a web browser and open "whatsmyip.com"Sure enough, there is one of the eight IPv6 addresses that ipconfig /all says are related to my PC. (Two "preferred" and six "deprecated".)&nbsp; This also happens with OpenVPN on Linux Mint.&nbsp;I am so ignorant about IPv6 that I don't even know if this IPv6 address is related to (a) the airport WiFi, (b) my Orbi LAN (or WAN?), or (c) what?

Surffa · Answer

Oh well, IPv6 is not that complicated. It's just different and people tend to think IPv6 as they do IPv4 and that's when things start going wrong, simply as most of the basic mechanisms are different. :) But it's not really complicated. In fact IPv4 by all the NATs and workarounds for technologies that are built in IPv6 make it much more complex as a whole, plus the privacy and safety matters that are in better shape for the modern world. But all right, enough of that. I'm probably not the regular guy with my direct IPv6 stack development history anyway.&nbsp;From your description it's a bit hard to tell where those v6 addresses are coming from. Are they bound to tunneling interface or just regular eth? If eth, then they are likely from the airport WiFi, if the tunneling IF, then it's assigned by Orbi VPN server, which get's them from your Orbi ISP (or simply local addresses, depending on the Orbi VPN server what it passes on).Educatively:Deprecated address is just an address derived from a prefix that has passed it's lifetime.Preferred ones are most likely active addresses,one fixed address derived from your interface address and another one a "random" privacy address that changes according to OS configuration and where all the outgoing traffic in principal originates.

Forum Discussion

Orbi OpenVPN server leaks IPv6

5 Replies