VPN traffic leaks in IPv6/IPv4 dual-stack networks/hosts

Seth Mos seth.mos at dds.nl
Tue Nov 27 14:35:10 UTC 2012


On 27-11-2012 14:58, Fernando Gont wrote:
> Folks,
> 
> FYI. This might affect FreeBSD users employing e.g. OpenVPN:
> <http://tools.ietf.org/html/draft-gont-opsec-vpn-leakages>.
> 
> For a project such as OpenVPN, a (portable) fix might be non-trivial.
> However, I guess FreeBSD might hook some PF rules when establishing the
> VPN tunnel, such that e.g. all v6 traffic is filtered (yes, this is
> certainly not the most desirable fix, but still probably better than
> having your supposedly-secured traffic being sent in the clear).

No need for filtering. Just forward the traffic over the tunnel.

The newer OpenVPN already supports IPv6 and both servers and clients are
actively out in the wild. Even the Android OpenVPN client supports both
stacks.

Our OpenVPN server for road warriors sends an IPv6 prefix to be used on
OpenVPN as well as an IPv4 address. It works well.

Regards,

Seth
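
A way to check a host for the leak discussed in this thread, added here as an example and not taken from either poster or from OpenVPN: do a longest-prefix match per address family and flag any family whose traffic would leave on an interface other than the tunnel. The interface names (em0, tun0), the prefixes and the probe addresses are constructed assumptions.

```python
import ipaddress

# Constructed routing tables: (destination prefix, egress interface).
# Interface names and prefixes are assumptions for illustration only.
# IPv4-only tunnel: v4 is covered by two /1 routes, v6 still uses em0.
IPV4_ONLY_TUNNEL = [
    ("0.0.0.0/0", "em0"),
    ("0.0.0.0/1", "tun0"),
    ("128.0.0.0/1", "tun0"),
    ("10.8.0.0/24", "tun0"),
    ("::/0", "em0"),
    ("fe80::/10", "em0"),
]
# Dual-stack tunnel: the server also hands out an IPv6 prefix and the
# global unicast range is routed into the tunnel.
DUAL_STACK_TUNNEL = IPV4_ONLY_TUNNEL + [
    ("2000::/3", "tun0"),
    ("fd00:8::/64", "tun0"),
]

# One off-link probe destination per family (documentation ranges).
PROBES = {"IPv4": "192.0.2.1", "IPv6": "2001:db8::1"}


def egress_iface(routes, dest):
    """Return the interface chosen by longest-prefix match, or None."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    return best[1] if best else None


def leaking_families(routes, tunnel_iface):
    """List address families whose off-link traffic bypasses the tunnel."""
    leaks = []
    for family, probe in PROBES.items():
        iface = egress_iface(routes, probe)
        # No route at all means the traffic is dropped, not leaked.
        if iface is not None and iface != tunnel_iface:
            leaks.append(family)
    return leaks


if __name__ == "__main__":
    print("IPv4-only tunnel leaks:", leaking_families(IPV4_ONLY_TUNNEL, "tun0"))
    print("Dual-stack tunnel leaks:", leaking_families(DUAL_STACK_TUNNEL, "tun0"))
```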

