{"id":17964,"date":"2014-08-05T22:08:26","date_gmt":"2014-08-06T02:08:26","guid":{"rendered":"https:\/\/nuxx.net\/blog\/?p=17964"},"modified":"2014-08-12T21:12:55","modified_gmt":"2014-08-13T01:12:55","slug":"breaking-ipv6-on-android-openvpn-via-t-mobile","status":"publish","type":"post","link":"https:\/\/nuxx.net\/blog\/2014\/08\/05\/breaking-ipv6-on-android-openvpn-via-t-mobile\/","title":{"rendered":"Breaking IPv6 on Android OpenVPN via T-Mobile"},"content":{"rendered":"

\"\"<\/a><\/p>\n

While getting ready for a trip to DEF CON 22<\/a> I wanted to have a VPN set up from my phone and tablet to connect back home. After a little while I had both IPsec<\/a> and OpenVPN<\/a>\u00a0connecting back to the house’s\u00a0pfSense box<\/a> and passing IPv4 traffic through the tunnel without issue. But, there was a problem when\u00a0connecting over the\u00a0T-Mobile mobile network: the VPN would handle IPv4, but IPv6 was left alone to leak through the carrier.<\/p>\n

This can be seen in the screenshot above (link<\/a>) where IPv4 is passing through my home’s Wide Open West connection, but IPv6 goes through T-Mobile. Such leakage has also been written about here by lxgr<\/a>, in much greater detail.<\/p>\n

By pushing an IPv6 route to the client from OpenVPN I was able to black hole IPv6 on the client and close this leakage. This is done by adding the following to the\u00a0Advanced configuration<\/em> section of the OpenVPN server config in pfSense:<\/p>\n

push \"route-ipv6 ::\/128 ::1\"<\/pre>\n
While IPv6 still is configured, all traffic goes to loopback and\u00a0won’t pass over the mobile network. Connections will then fall back to IPv4, which’ll go via the VPN.<\/p>\n
EDIT: I was also reminded that I can turn off IPv6 in the APN settings. This works, but I really do like keeping this at the provider defaults… I like having IPv6 when it is available, I just want data\u00a0to go via only the connection I prefer.<\/p>\n","protected":false},"excerpt":{"rendered":"
While getting ready for a trip to DEF CON 22 I wanted to have a VPN set up from my phone and tablet to connect…<\/p>\n
Continue readingBreaking IPv6 on Android OpenVPN via T-Mobile<\/span><\/a><\/div>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13],"tags":[],"class_list":["post-17964","post","type-post","status-publish","format-standard","hentry","category-computers","entry"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/17964","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/comments?post=17964"}],"version-history":[{"count":5,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/17964\/revisions"}],"predecessor-version":[{"id":17969,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/17964\/revisions\/17969"}],"wp:attachment":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/media?parent=17964"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/categories?post=17964"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/tags?post=17964"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}