OpenVPN Support Forum

Hi,

I am encountering an issue when using the openvpn client for Android (on a 4.4.x device). The Android client is on a network that supports both ipv4 and ipv6, while the server only supports ipv4. VPN connection works fine over ipv4, but all ipv6 from the android client traffic leaks out of the tunnel, which is a problem.

I cannot disable ipv6 on the android device or it's network (I wouldn't mind disabling ipv6 for the whole network, but I am using an ISP-provided router and ipv6 is always enabled from the firmware). So what I am trying to do now is to push a custom route from the vpn server, to direct all ipv6 outgoing traffic from the android client to a black hole (when connected to the vpn, obviously). I am not even convinced this is possible, but my understanding of ipv6 routing is extremely limited, so I would appreciate any advice on this matter (my extensive internet searches led me to believe this is possible, but I do not understand exactly what needs to be done).

Any support will be kindly appreciated.

There is some information here:
https://community.openvpn.net/openvpn/wiki/IPv6

There is some bad news at the bottom of that page ..

I've read that, but it only says that a vpn connection does not work over ipv6. that's fine, my problem is that the connection works outside the tunnel when connected to the vpn what I need is to make it NOT work both through and out of the vpn tunnel.

born2lose wrote:what I am trying to do now is to push a custom route from the vpn server, to direct all ipv6 outgoing traffic from the android client to a black hole

If you control the server then use that previous link to redirect all the client IPv6 (and IPv4) then discard the IPv6 at the server ..

that makes sense, but I cannot redirect ipv6 traffic to the server, because the server does not have an ipv6 address. that's how I ended up asking this question - the only thing I can do now on the server side is to push custom routes via the config file. I just don't know what routes to push

p.s. I've loaded the exact same profile on an ios device - and it works perfectly. if I check my ip on various ipv6 lookup sites - without being connected to the vpn - both my ipad and my android will return similar ipv6 addresses. repeating the same test after connecting to the vpn, the ipad will show the ipv4 external ip address of my server, while android will return the same ipv6 address as in the previous test. so there must be some differences in the clients...

The server does not need an IPv6 address, so long as openvpn can assign it one for inside the tunnel.

Sorry to bump an old thread, but I'm in the same predicament as you are. Found a way to make it work? Mind sharing the configs?

To re-iterate this problem (and a likely solution for you abc...).

TinCanTech wrote: ↑

Fri Jul 08, 2016 6:17 pm

There is some information here:
https://community.openvpn.net/openvpn/wiki/IPv6

There is some bad news at the bottom of that page ..

TinCanTech wrote: ↑

Fri Jul 08, 2016 7:03 pm

born2lose wrote:what I am trying to do now is to push a custom route from the vpn server, to direct all ipv6 outgoing traffic from the android client to a black hole

If you control the server then use that previous link to redirect all the client IPv6 (and IPv4) then discard the IPv6 at the server ..

TinCanTech wrote: ↑

Fri Jul 08, 2016 9:44 pm

The server does not need an IPv6 address, so long as openvpn can assign it one for inside the tunnel.

abcdefghijklmnopqryz wrote: ↑

Thu Nov 30, 2017 9:17 am

Sorry to bump an old thread, but I'm in the same predicament as you are. Found a way to make it work? Mind sharing the configs?

The OP here never reported back but never posted again so I presume it worked .. try it for yourself and let us know.

TinCanTech wrote: ↑

Thu Nov 30, 2017 1:20 pm

If you control the server then use that previous link to redirect all the client IPv6 (and IPv4) then discard the IPv6 at the server ..

I did do that - I end up closing the IPv6 Leak - but then end up being able to only send small packets...

Update: Ended up solving my own problem, as always, thanks but no thanks Reddit, Github, Forums!
For future readers wanting to disable IPv6 - I solved my problem by realizing that as soon as I covered the leak (routing ipv6 in client ovpn), I ran into another issue with the MTU, as small packets were being delivered, larger ones dropped (in retrospect, makes sense since IPv6 = larger packets).
Ended up comparing my config with a VPN service (account holder)'s ovpn file to try and pinpoint what could be changed in the config. Turns out mssfix was what I was looking for.

Update TL;DR: route ipv6 & add mssfix to the client ovpn file - many guides online to finding that value.