How to block local IPv6 leak when connected to an IPv4-only OpenVPN connection on GNU/Linux?

There are times when you do not want to disable your ISP’s IPv6 network, yet still want to use an IPv4-only VPN connection privately without leaking traffic over your local IPv6 network.

We can configure it using two easy methods in any GNU/Linux distribution of your choice, which are as follows:

  1. New option --block-ipv6 built into OpenVPN version 2.5.x
  2. Adding --up/--down scripts to OpenVPN, which works for all versions including OpenVPN 2.4.x, 2.3.x or older.

Method 1 – New option --block-ipv6 built into OpenVPN version 2.5.x (Recommended)

This method should work fine for all OpenVPN version 2.5.x clients on all major operating systems, including our favorite GNU/Linux. OpenVPN for Android, a free/open client, has already included this new option by default in the client software for Android.

Step 1 – Make sure you are on OpenVPN 2.5.x or upgrade

OpenVPN 2.5.0 was released on 28th of Oct 2020. The most recent version, OpenVPN 2.5.2, was released on 21st of April 2021. It is the current stable release for production.

If for some reason your distribution has not updated to OpenVPN 2.5.x yet, you can always upgrade to OpenVPN 2.5.x from the official repo on the OpenVPN website. It is available for distributions as old as Debian Stretch 9.x or Ubuntu Xenial 16.04. There is absolutely no reason not to upgrade if you love and use OpenVPN software with a provider of your choice.

Open the Terminal application and execute the following command to confirm the OpenVPN version on your distribution:

$ openvpn --version

It should give you an output as seen below:

OpenVPN 2.5.1 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 24 2021
library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.10

So, I have OpenVPN version 2.5.1 installed on my Debian based distribution.

Step 2 – Navigate to .ovpn/.conf OpenVPN file and edit with your favorite text editor

For the purpose of this guide, I will be editing the OpenVPN configuration file for the US – Los Angeles server location of PrivateVPN, a pro-privacy and streaming-friendly provider registered in Sweden.

Unfortunately, it is still an IPv4-only provider in 2021. So, if you have access to an IPv6 network from your ISP, you have to block IPv6 access to prevent leaks and enjoy uninterrupted Hulu, Netflix or Amazon from the States.

Navigate to the OpenVPN configuration file location and open the file with a text editor as seen below (for the purpose of this guide, nano is used as the text editor; you can use a GUI editor like gedit):

$ nano us-los-pvpn.ovpn

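Once you have it open, navigate to the bottom and add the following lines. ifconfig-ipv6 gives the tunnel interface an IPv6 address, redirect-gateway ipv6 routes IPv6 traffic into the tunnel, and block-ipv6 makes the client reject those packets instead of sending them to the server: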

ifconfig-ipv6 fd15:53b6:dead::2/64 fd15:53b6:dead::1
redirect-gateway ipv6
block-ipv6

Add the following lines to the bottom as well so that DNS resolves properly with the resolvconf package installed (script-security 2 is what allows OpenVPN to run the up/down scripts):

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Save it and exit the text editor.

Step 3 – Initiate the OpenVPN connection as sudo or root

Navigate to the folder or directory with the newly edited .ovpn or .conf file and execute the following command in a terminal as sudo or root:

$ sudo openvpn us-los-pvpn.ovpn

If you see the following line at the end of the on-screen log or log file, your connection has been successfully established:

2021-04-28 02:35:30 Initialization Sequence Completed

Step 4 – Navigate to some IPv6-only websites when connected to the VPN to confirm an IPv4-only VPN with no local IPv6 leak

Navigate to https://ipv6.google.com or http://ping6.online.net/, preferably in the Incognito mode of your web browser. Neither website should open or connect any more.

Method 2 – Adding --up/--down scripts to OpenVPN (works for all versions, including OpenVPN 2.4.x, 2.3.x or older)

Some people are stubborn or might not want to upgrade OpenVPN packages from outside their distribution’s official repo. For example, both the oldstable and stable Debian distributions are on 2.4.x. There are ways to upgrade from within the distribution’s own repos, such as Debian backports, but if you would rather stick to a good old stable version of OpenVPN older than 2.5.x, we have devised some cool tricks to still make it work for you.

Step 1 – Navigate to .ovpn/.conf OpenVPN file and edit with your favorite text editor

Navigate to the OpenVPN configuration file location and open the file with a text editor as seen below (for the purpose of this guide, nano is used as the text editor; you can use a GUI editor like gedit):

$ nano us-los-pvpn.ovpn

Once you have it open, navigate to the bottom and add the following lines:

script-security 2
up /etc/openvpn/ipv6OFF.sh
down /etc/openvpn/ipv6ON.sh

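OpenVPN keeps only one up and one down script per configuration: if the directive is repeated, the last one overrides the earlier one, so a second up/down pair for update-resolv-conf here would stop ipv6OFF.sh and ipv6ON.sh from running. To resolve DNS properly with the resolvconf package installed, add the following line at the end of both ipv6OFF.sh and ipv6ON.sh (created in Step 2) instead:

/etc/openvpn/update-resolv-conf "$@"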

Save it and exit the text editor.
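
As an added example (not part of the original guide or of OpenVPN), the following script lints a client configuration for the directives used in Methods 1 and 2. It flags block-ipv6 without the lines that route IPv6 into the tunnel, repeated up/down lines, and an up script without script-security 2; the function names and the sample config are made up for illustration.

```shell
#!/bin/bash
# Added example: lint an OpenVPN client config for the IPv6-blocking setup.

# Count lines in file $1 whose first word is directive $2 (comments never match).
count_directive() {
    awk -v d="$2" '$1 == d { n++ } END { print n + 0 }' "$1"
}

# Succeed if file $1 has a redirect-gateway line carrying the ipv6 flag.
has_redirect_ipv6() {
    awk '$1 == "redirect-gateway" { for (i = 2; i <= NF; i++) if ($i == "ipv6") f = 1 }
         END { exit !f }' "$1"
}

# Print one finding per line; return 1 if there is any finding.
lint_ovpn() {
    local cfg="$1" rc=0 d
    if [ "$(count_directive "$cfg" block-ipv6)" -gt 0 ]; then
        # block-ipv6 only rejects packets that are routed into the tunnel.
        [ "$(count_directive "$cfg" ifconfig-ipv6)" -gt 0 ] ||
            { echo "block-ipv6 without ifconfig-ipv6"; rc=1; }
        has_redirect_ipv6 "$cfg" ||
            { echo "block-ipv6 without redirect-gateway ipv6"; rc=1; }
    fi
    for d in up down; do
        # OpenVPN keeps a single script per hook; a repeated directive overrides.
        [ "$(count_directive "$cfg" "$d")" -le 1 ] ||
            { echo "multiple $d lines: only the last one runs"; rc=1; }
    done
    if [ "$(count_directive "$cfg" up)" -gt 0 ] &&
       ! awk '$1 == "script-security" && $2 >= 2 { f = 1 } END { exit !f }' "$cfg"; then
        echo "up script set but script-security is below 2"; rc=1
    fi
    return "$rc"
}

# Constructed sample: a Method 2 style config with two up and two down lines.
sample=$(mktemp)
printf '%s\n' 'script-security 2' 'up /etc/openvpn/ipv6OFF.sh' \
    'down /etc/openvpn/ipv6ON.sh' 'up /etc/openvpn/update-resolv-conf' \
    'down /etc/openvpn/update-resolv-conf' > "$sample"
lint_ovpn "$sample" || true
rm -f "$sample"
```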

Step 2 – Navigate to the /etc/openvpn directory to create/edit the ipv6OFF and ipv6ON bash scripts with your favorite text editor

Open the Terminal application and navigate to /etc/openvpn as follows:

$ cd /etc/openvpn/

Create the ipv6OFF bash script as root or with sudo as follows:

$ sudo nano ipv6OFF.sh

In your favorite text editor copy the following lines verbatim:

#!/bin/bash
# Disable IPv6 on all existing interfaces and on any interface created later
sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1

Save and exit your text editor.

Create the ipv6ON bash script as root or with sudo as follows:

$ sudo nano ipv6ON.sh

In your favorite text editor copy the following lines verbatim:

#!/bin/bash
# Re-enable IPv6 on all existing interfaces and on any interface created later
sysctl -w net.ipv6.conf.all.disable_ipv6=0
sysctl -w net.ipv6.conf.default.disable_ipv6=0
# Restart networking so the interfaces come back up with IPv6
nmcli networking off
nmcli networking on

Use of nmcli assumes that you have NetworkManager installed. In case you do not, you can use ip link set <dev> <up/down> instead.

You can figure out your interface name using the ip route command in a terminal without the VPN connected. The first line of its output on my laptop is as follows:

$ ip route
default via 192.168.0.1 dev wlp6s0 proto dhcp metric 600

My dev, or interface, is wlp6s0. Yours could be wlan0 or enp7s0.

So, replace the last two nmcli lines with the following two lines to use ip link in case you do not use NetworkManager:

ip link set wlp6s0 down
ip link set wlp6s0 up

Save and exit your text editor. You have successfully created ipv6OFF and ipv6ON bash scripts.

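Make the bash scripts executable as root or with sudo as follows. OpenVPN runs these scripts as root, so keep them owned by root and not writable by other users:

$ sudo chmod +x ipv6OFF.sh
$ sudo chmod +x ipv6ON.sh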

Step 3 – Initiate the OpenVPN connection as sudo or root

Navigate to the folder or directory with the newly edited .ovpn or .conf file and execute the following command in a terminal as sudo or root:

$ sudo openvpn us-los-pvpn.ovpn

If you see the following line at the end of the on-screen log or log file, your connection has been successfully established:

2021-04-28 02:35:30 Initialization Sequence Completed

Step 4 – Navigate to some IPv6-only websites when connected to the VPN to confirm an IPv4-only VPN with no local IPv6 leak

Navigate to https://ipv6.google.com or http://ping6.online.net/, preferably in the Incognito mode of your web browser. Neither website should open or connect any more.
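
The browser check in Step 4 of both methods can also be done from the terminal. This added example (not from the original guide) classifies the output of ip -6 route get: with Method 1 the route should point into the tunnel, with Method 2 there should be no IPv6 route at all. It assumes the tunnel interface is named tun* or tap* and uses the documentation address 2001:db8::1 purely as a routing-table lookup target.

```shell
#!/bin/bash
# Added example: command-line version of the Step 4 leak check.

# Classify one line of `ip -6 route get <addr>` output passed as $1.
#   tunnel    -> IPv6 is routed into the VPN interface (Method 1 with block-ipv6)
#   no-ipv6   -> no usable IPv6 route (Method 2 with disable_ipv6=1)
#   leak:DEV  -> IPv6 leaves through a local interface
classify_route() {
    local dev
    dev=$(printf '%s\n' "$1" | awk '
        $1 ~ /^(unreachable|prohibit|blackhole)$/ { exit }
        { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }')
    case "$dev" in
        "")        echo "no-ipv6" ;;
        tun*|tap*) echo "tunnel" ;;   # assumed tunnel device naming
        *)         echo "leak:$dev" ;;
    esac
}

# Live check; returns 1 on a leak. 2001:db8::1 is a documentation address
# used only for the routing-table lookup, so no packets are sent to it.
check_ipv6_leak() {
    local verdict
    verdict=$(classify_route "$(ip -6 route get "${1:-2001:db8::1}" 2>/dev/null)")
    echo "$verdict"
    case "$verdict" in leak:*) return 1 ;; esac
}

# Constructed sample lines (not captured from a real host).
while IFS= read -r sample; do
    classify_route "$sample"
done <<'EOF'
2001:db8::1 from :: via fd15:53b6:dead::1 dev tun0 proto static metric 50 pref medium
2001:db8::1 from :: via fe80::1 dev wlp6s0 proto ra metric 600 pref medium
EOF
```

On a connected machine, run check_ipv6_leak after "Initialization Sequence Completed" appears; a leak:DEV result means IPv6 still leaves through that local interface.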

Enjoy! Thanks for reading.
