PSA: DUAL-STACK CONNECTIVITY AND VPNS

I remember a time when all you had at home was IPv4. It was a simpler time, of private local addresses and a spot of NAT behind a public IP coming from your ISP.

But if you're lucky and your ISP decided IPv6 is not something you just ignore and hope it goes away, then perhaps you have dual-stack Internet access at home. And while that changes nothing for your IPv4 connectivity (NAT is still going to happen, be it on your router or on a CGNAT device at the ISP edge), overall it changes everything because of the public IPv6 address you get.

Oh and there's this other minor fact: whenever both v4 and v6 are available, v6 will be preferred.

Which means that when you resolve a hostname, if the DNS query returns both an AAAA record (IPv6) and an A record (IPv4), then your browser/application/whatever will try to connect to the IPv6 address first of all.

Now let's say you start up your trusty VPN over IPv4 and that normally it would not be a split tunnel (all traffic goes through the VPN).

Unless your VPN is dual-stacked as well, you'll find that for any destination that is IPv6 enabled your traffic will go unencrypted, bypassing the tunnel.

So what can you do?

  1. The good: get your VPN to provide dual-stack connectivity and/or prevent split-tunneling
  2. The bad: temporarily disable IPv6 connectivity
    • (Linux) sudo sysctl -w net.ipv6.conf.wlan0.disable_ipv6=1
    • (Linux/Windows) remove IPv6 on the network adapter profile
  3. The weird: use your firewall to block outgoing IPv6 (can introduce significant delays, depending on how the application stack deals with timeouts over v6)
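Here is an added example (my own, not from the original post) of how to check for the leak described above on a Linux box: it classifies the output of `ip -6 route show default` against the VPN tunnel interface name, which is assumed to be tun0. The sample route lines are constructed for illustration.

```shell
#!/bin/sh
# classify_v6_route ROUTES VPN_IFACE
#   ROUTES:    text as printed by `ip -6 route show default`
#   VPN_IFACE: the tunnel interface (assumed to be tun0 here)
# Prints one of: no-ipv6 | tunneled | leak
# Any default IPv6 route that does not egress via the tunnel is counted
# as a leak risk: it is either used right now or becomes active as soon
# as the tunnel route disappears.
classify_v6_route() {
  routes="$1"
  vpn_if="$2"
  # No default IPv6 route at all: nothing can bypass the tunnel over v6.
  if [ -z "$routes" ]; then
    printf 'no-ipv6\n'
    return 0
  fi
  leak=0
  # One route per line; the word after "dev" is the egress interface.
  while IFS= read -r line; do
    [ -z "$line" ] && continue
    dev=$(printf '%s\n' "$line" | sed -n 's/.* dev \([^ ]*\).*/\1/p')
    [ "$dev" = "$vpn_if" ] || leak=1
  done <<EOF
$routes
EOF
  if [ "$leak" -eq 1 ]; then printf 'leak\n'; else printf 'tunneled\n'; fi
}

# Constructed samples (not captured from a real host):
# IPv6 default route learned from the Wi-Fi router's RA -> traffic bypasses the VPN.
SAMPLE_LEAK='default via fe80::1 dev wlan0 proto ra metric 600 pref medium'
# IPv6 default route pushed by a dual-stack VPN -> traffic stays in the tunnel.
SAMPLE_TUNNEL='default dev tun0 proto static metric 50 pref medium'

# Live check on a real Linux host would be:
#   classify_v6_route "$(ip -6 route show default 2>/dev/null)" tun0
# If that prints "leak", option 3 from the post can be done with REJECT rather
# than DROP so applications fail fast instead of waiting on v6 timeouts, e.g.:
#   ip6tables -A OUTPUT -o lo -j ACCEPT
#   ip6tables -A OUTPUT ! -o tun0 -j REJECT --reject-with icmp6-adm-prohibited
```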

I think it's OK to use option number 2 a few times, as long as you are looking into changing your VPN to support both IPv4 and IPv6 (or changing to a provider that offers it already).

And, as always, thanks for reading.
