Bug 768296 - Native IPv6 is not encrypted or disabled after establishing a IPv4-only VPN
Status: RESOLVED OBSOLETE
Product: NetworkManager
Classification: Platform
Component: VPN (general)
Version: unspecified
Hardware: Other Linux
Importance: Normal critical
Target Milestone: ---
Assigned To: NetworkManager maintainer(s)
Depends on:
Blocks: 748442 749376
 
 
Reported: 2016-07-01 18:22 UTC by Stefano Pettini
Modified: 2020-11-12 14:33 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description Stefano Pettini 2016-07-01 18:22:30 UTC
This can be considered a security issue.

I have a dual-stack IPv4/v6 connection (wlan1). After configuring and enabling an IPv4-only VPN (vpnc, via the UI provided by KDE, Ubuntu 14.04), the IPv4 traffic is correctly routed through the VPN (tun0), but the IPv6 routing stays unchanged.

This leaves the IPv6 traffic flowing unencrypted through wlan1.

NM should warn the user of this situation and/or support disabling routing via IPv6 when an IPv4-only VPN is activated.

ifconfig:

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:192.168.178.201  P-t-P:192.168.178.201  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1412  Metric:1
          RX packets:3908 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4762 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:1822100 (1.8 MB)  TX bytes:1487619 (1.4 MB)

wlan1     Link encap:Ethernet  HWaddr a0:88:b5:98:a5:f0  
          inet addr:192.168.0.106  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::a288:b4ff:fe98:a5f0/64 Scope:Link
          inet6 addr: 2a02:8109:b1c0:39d8:2058:8b75:bcd5:f5f6/64 Scope:Global
          inet6 addr: 2a02:8109:b1c0:39d8:a288:b5ff:fe98:a5f0/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:435993 errors:0 dropped:4 overruns:0 frame:0
          TX packets:279478 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:369023970 (369.0 MB)  TX bytes:56164508 (56.1 MB)

route -4:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         *               0.0.0.0         U     0      0        0 tun0
2.236.54.99     192.168.0.1     255.255.255.255 UGH   0      0        0 wlan1
192.168.0.0     *               255.255.255.0   U     9      0        0 wlan1
192.168.178.0   *               255.255.255.0   U     0      0        0 tun0

route -6:

Kernel IPv6 routing table
Destination                    Next Hop                   Flag Met Ref Use If
2a02:8109:b1c0:39d8::/64       ::                         UAe  256 0     0 wlan1
fe80::/64                      ::                         U    256 0     0 wlan1
::/0                           fe80::5667:51ff:fe45:c21a  UG   1   3     0 wlan1
::/0                           fe80::5667:51ff:fe45:c21a  UGDAe 1024 0     0 wlan1
::/0                           ::                         !n   -1  1 35383 lo
::1/128                        ::                         Un   0   3    71 lo
2a02:8109:b1c0:39d8:2058:8b75:bcd5:f5f6/128 ::                         Un   0   3 13858 lo
2a02:8109:b1c0:39d8:a288:b5ff:fe98:a5f0/128 ::                         Un   0   1     0 lo
fe80::a288:b5ff:fe98:a5f0/128  ::                         Un   0   1  2587 lo
ff00::/8                       ::                         U    256 0     0 wlan1
::/0                           ::                         !n   -1  1 35383 lo
Comment 1 Thomas Haller 2016-07-01 18:51:47 UTC
Activating a VPN does not mean that routes from other interfaces are blocked/removed and that traffic goes exclusively along the VPN.

If your VPN has no IPv6 (default) route, but another device has one, the IPv6 traffic goes along that other device.

This is related to bug 748442 and bug 749376.
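
A check for the condition discussed in this report, as an added example that is not part of the original report or its comments: it parses `route -4` / `route -6` output in the format quoted above and lists the address families whose default route leaves via a non-tunnel interface while a tunnel holds a default route. The function names and the tunnel-name pattern are assumptions made for this example.

```python
import re

# Constructed sample input: net-tools `route -4` / `route -6` tables,
# trimmed from the output quoted in the report above.
ROUTE4 = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         *               0.0.0.0         U     0      0        0 tun0
2.236.54.99     192.168.0.1     255.255.255.255 UGH   0      0        0 wlan1
"""
ROUTE6 = """\
Kernel IPv6 routing table
Destination                    Next Hop                   Flag Met Ref Use If
2a02:8109:b1c0:39d8::/64       ::                         UAe  256 0     0 wlan1
::/0                           fe80::5667:51ff:fe45:c21a  UG   1   3     0 wlan1
::/0                           ::                         !n   -1  1 35383 lo
"""

# Assumption: VPN devices follow the usual tun/tap/ppp/wg naming.
TUNNEL_RE = re.compile(r"^(tun|tap|ppp|wg)\d+$")


def default_ifaces(table, family):
    """Interfaces that carry a usable default route in `route` output."""
    found = []
    for line in table.splitlines():
        cols = line.split()
        if len(cols) < 7:
            continue  # banner line or malformed row
        if family == 4:
            is_default = cols[2] == "0.0.0.0"      # Genmask column
            flags = cols[3]
        else:
            is_default = cols[0] == "::/0"
            flags = cols[2]
        # "!" marks a reject route; only "U" (up) routes forward traffic.
        if is_default and "U" in flags and "!" not in flags:
            if cols[-1] not in found:
                found.append(cols[-1])
    return found


def leaking_families(route4, route6):
    """Map address family -> non-tunnel default-route interfaces, if a VPN is up."""
    defaults = {4: default_ifaces(route4, 4), 6: default_ifaces(route6, 6)}
    if not any(TUNNEL_RE.match(i) for ifs in defaults.values() for i in ifs):
        return {}  # no tunnel holds a default route, nothing to compare against
    leaks = {f: [i for i in ifs if not TUNNEL_RE.match(i)] for f, ifs in defaults.items()}
    return {f: ifs for f, ifs in leaks.items() if ifs}
```

On the tables from this report, `leaking_families(ROUTE4, ROUTE6)` reports IPv6 leaving via wlan1; the reject (`!n`) default on `lo` is ignored because it forwards nothing.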
Comment 2 André Klapper 2020-11-12 14:33:55 UTC
bugzilla.gnome.org is being shut down in favor of a GitLab instance.
We are closing all old bug reports and feature requests in GNOME Bugzilla which have not seen updates for a long time.

If you still use NetworkManager and if you still see this bug / want this feature in a recent and supported version of NetworkManager, then please feel free to report it at https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/

Thank you for creating this report and we are sorry it could not be implemented (workforce and time are unfortunately limited).