linux-cli-community
Fix #118: fix IPv6 leaks by disabling IPv6 altogether
I noticed that the current iptables-based solution doesn't address IPv6 leaks correctly on my Arch Linux system. After reading issue #118, I think it might be beneficial to just disable IPv6 altogether using sysctl net.ipv6.conf.all.disable_ipv6=0 when connecting to ProtonVPN, as it'll provide a guaranteed way to prevent IPv6 leaks. When the user disconnects from ProtonVPN, IPv6 will be re-enabled (net.ipv6.conf.all.disable_ipv6=0).
I know this approach will cause users to lose previously-assigned IPv6 addresses, but I don't think this is a major issue. This could be easily addressed by reconnecting to the network, and the network will reassign IPv6 addresses.
After some more testing, I noticed that Proton's iptables rules have no effect when another firewall (like UFW) is in use. I think it might still be better to just disable IPv6 altogether after VPN connection, as this would always work (prevent IPv6 leaks) without breaking other firewall software.
Current limitation: right now the program doesn't track if IPv6 is already disabled before connection, and will always enable IPv6 after disconnection.
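One way to close the limitation described above is to record the pre-connection value of the sysctl and restore that value on disconnect, instead of always re-enabling IPv6. This is an added example, not code from this pull request or from the project; the function names, the state-file location and the `proc_sys` parameter are assumptions made for illustration, and writing to the real `/proc/sys` requires root.

```python
import os
import tempfile
# Assumed layout: the sysctl is exposed as a file under /proc/sys.
SYSCTL_KEY = "net/ipv6/conf/all/disable_ipv6"


def _key_path(proc_sys):
    return os.path.join(proc_sys, SYSCTL_KEY)


def disable_ipv6(state_file, proc_sys="/proc/sys"):
    """On connect: remember the current value once, then set disable_ipv6=1."""
    with open(_key_path(proc_sys)) as f:
        previous = f.read().strip()
    # Keep an existing saved value: a reconnect would otherwise record "1".
    if not os.path.exists(state_file):
        with open(state_file, "w") as f:
            f.write(previous)
    with open(_key_path(proc_sys), "w") as f:
        f.write("1")
    return previous


def restore_ipv6(state_file, proc_sys="/proc/sys"):
    """On disconnect: put back the saved value; do nothing if none was saved."""
    if not os.path.exists(state_file):
        return None
    with open(state_file) as f:
        previous = f.read().strip()
    with open(_key_path(proc_sys), "w") as f:
        f.write(previous)
    os.remove(state_file)
    return previous


def demo(initial):
    """Run connect, reconnect, disconnect against a constructed fake /proc/sys."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.dirname(_key_path(root)))
        with open(_key_path(root), "w") as f:
            f.write(initial + "\n")
        state = os.path.join(root, "ipv6_state")
        disable_ipv6(state, root)
        disable_ipv6(state, root)  # reconnect must not clobber saved state
        with open(_key_path(root)) as f:
            during = f.read().strip()
        restore_ipv6(state, root)
        with open(_key_path(root)) as f:
            return during, f.read().strip()
```

With this approach a host that already had IPv6 disabled before connecting stays that way after disconnecting.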
@chrisx8 I have read some pros and cons about fully disabling the ip6 as you have done. Starting back in 2.2.4 I used the #118 suggestion by changing the ip6 commands in the connection.py:
ip6tables -F
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
I thought 2.2.6 was ok but I recently set some new rules using ufw and noticed I was leaking again. I have added the above rules and my ip6 is no longer leaking and I have not had any issues with ufw.