I was setting up my laptop for traveling and adding a Wireguard VPN configuration.

The Wireguard config generated by the router only contains an IPv4 address (10.0.5.x), and while testing the VPN, to my surprise, “what is my ip” websites can find my IPv6 address (I USB-tethered a mobile connection to my laptop).

It looks like NetworkManager does nothing about the IPv6 connection if the VPN doesn’t have IPv6 settings, which is bad for a road-warrior type of VPN configuration.

Is there an easy toggle to turn off IPv6 if the VPN is connected and otherwise? Or is the only option to disable all IPv6 no matter what?

  • Supermariofan67@programming.dev
    11 hours ago

    Best to set a firewall rule with nftables to block non-VPN traffic from leaving (you should also do the same for IPv4 traffic to prevent leaks in case the tunnel disconnects).
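
The nftables approach suggested in the comment above, as an added example that is not part of the original thread: an output-hook kill switch in the `inet` family, so one ruleset covers both IPv4 and IPv6. The interface name `wg0`, the table name and the endpoint `203.0.113.10` UDP/51820 are assumed placeholders, not values from the thread.

```nft
#!/usr/sbin/nft -f
# Added example: kill switch for a road-warrior WireGuard client.
# Assumed values (not from the thread): tunnel interface wg0, endpoint
# 203.0.113.10 on UDP/51820 (documentation address; replace with yours).

# Create-then-delete makes the file safe to reload without duplicating rules.
table inet vpn_killswitch
delete table inet vpn_killswitch

table inet vpn_killswitch {
    chain output {
        # Default-deny everything this host originates, IPv4 and IPv6 alike.
        type filter hook output priority 0; policy drop;

        # Loopback, and anything the routing table sends into the tunnel.
        oifname "lo" accept
        oifname "wg0" accept

        # The encrypted WireGuard packets themselves, to the one endpoint only.
        ip daddr 203.0.113.10 udp dport 51820 accept

        # DHCPv4, so the tethered or WiFi underlay can still obtain a lease.
        udp sport 68 udp dport 67 accept

        # Everything else (including native IPv6 on the underlay, or any
        # traffic sent while the tunnel is down) is counted and dropped.
        counter drop comment "blocked non-VPN traffic"
    }
}
```

Load it with `nft -f <file>` and check the drop counter with `nft list table inet vpn_killswitch` while visiting an IP-check site; `nft delete table inet vpn_killswitch` removes it. The endpoint is matched by address, so a hostname endpoint has to be resolved before the ruleset is loaded.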

  • axzxc1236OP
    15 hours ago

    I tried the same setup with an Ubuntu 24.04.1 desktop live system and I can replicate this IP leak issue. I guess I will have to disable IPv6.

  • tychosmoose
    16 hours ago

    Do you have ::/0 as an Allowed IPs entry in the Wireguard peer configuration on the laptop? It’s the v6 equivalent of 0.0.0.0/0. That should prevent IPv6 leakage.

    • axzxc1236OP
      16 hours ago

      Do you have ::/0 as an Allowed IPs entry in the Wireguard peer configuration on the laptop?

      Yes, it’s in the config. The line is AllowedIPs = 0.0.0.0/0, ::/0, but it looks like it doesn’t prevent the IP leak.

  • LainTrain@lemmy.dbzer0.com
    14 hours ago

    I’d also like to know, is there a way to just turn off this ipv6 trashfire? Preferably in a universal, cross-distro way?

    Seems like the most universal way is: GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1"

    • Supermariofan67@programming.dev
      11 hours ago

      Or you could just… learn to use the modern internet that 60% of internet traffic uses? Not everyone has a dedicated IPv4 anymore, we are in the days of mobile networks and CGNAT. IPv4 exhaustion is here today.

    • axzxc1236OP
      13 hours ago

      In my case, just disabling IPv6 in WiFi is enough.

      sysctl looks like the most universal way.

      net.ipv6.conf.all.disable_ipv6 = 1
      net.ipv6.conf.default.disable_ipv6 = 1