Block IPV6 - OpenVPN

spindoctor · November 11, 2019, 6:50am

Hi Community,

Can someone tell me the OpenWRT OpenVPN equivalent for these?
Can't figure it out.

pull-filter ignore "route-ipv6"
pull-filter ignore "ifconfig-ipv6"

lleachii · November 12, 2019, 12:52pm

In order to suggest "equivalents," can you explain:

If it's OpenVPN (which I'm certain it is), wouldn't it be the same?

Also, if I understand correctly, these rules work differently anyway - configured on a router, compared to a client machine.

Otherwise, only following your title, block IPv6 in the firewall and/or do not configure and/or disable IPv6 addressing.

spindoctor · November 12, 2019, 3:45pm

I'd like to know what I'd put in /etc/config/openvpn.
eg: option pull_filter ?????????????

The rules formatting is different to what I posted which is used in an *.ovpn file.

These rules filter out ipv6 routes pushed from the vpn server.

Regards.

lleachii · November 12, 2019, 3:52pm

Correct, and I wasn't aware this was done on a router.

Is your OpenWrt router auto-creating routes and/or firewall rules upon connection?
If you don't want to use the IPv6 assigned to the tunnel interface, just block it.

You would put the same thing.

Please show what you're referring to; or where the different formatting (or syntax) instructions are located.

vgaetera · November 12, 2019, 6:30pm

Could you share your use case?
It's not clear why you want to block it.
Do you have access to the server?

spindoctor · November 12, 2019, 11:32pm

The vpn service is commercial and pushes IPv6 routes on connection.

Under dd-wrt this vpn service will not work unless IPv6 is enabled.
Adding these rules below allows you to connect to the service without enabling IPv6:

pull-filter ignore "route-ipv6"
pull-filter ignore "ifconfig-ipv6"

For educational purposes, I'd like to know but can't figure out what to enter in '/etc/config/openvpn'.

Using an *.ovpn file on OpenWRT I use:

client
fast-io
mute-replay-warnings
nobind
persist-key
persist-tun
auth-user-pass /etc/openvpn/vpn_service/auth.usr
ca /etc/openvpn/vpn_service/ca.crt
cipher AES-256-CBC
dev tun
keepalive 10 120
log /tmp/openvpn.log
port 1194
proto udp
pull-filter ignore "route-ipv6"
pull-filter ignore "ifconfig-ipv6"
remote au-xxx.xxxxxxx.net
remote-cert-tls server
resolv-retry infinite
status /tmp/openvpn-status.log
verb 3

Result in working openvpn.log

Wed Nov 13 10:14:51 2019 Pushed option removed by filter: 'route-ipv6 0000::/2'
Wed Nov 13 10:14:51 2019 Pushed option removed by filter: 'route-ipv6 4000::/2'
Wed Nov 13 10:14:51 2019 Pushed option removed by filter: 'route-ipv6 8000::/2'
Wed Nov 13 10:14:51 2019 Pushed option removed by filter: 'route-ipv6 C000::/2'
Wed Nov 13 10:14:51 2019 Pushed option removed by filter: 'ifconfig-ipv6 fdda:d0d0:cafe:1194::1007/64 fdda:d0d0:cafe:1194::'

If I use this syntax below in '/etc/config/openvpn'

option pull_filter ignore 'route-ipv6'
option pull_filter ignore 'ifconfig-ipv6'

Result in openvpn.log

Options error: Unrecognized option or missing or extra parameter(s) in openvpn-xxxxxxx.conf:16: pull-filter (2.4.5)

Does anyone know the right syntax or point me to some instructions?

vgaetera · November 13, 2019, 12:31am

It should be like this:

list pull_filter 'ignore ifconfig-ipv6'

Although it is still not clear why you want to disable it.

spindoctor · November 13, 2019, 4:58am

That did the trick. Thanks.

Also added:

list pull_filter 'ignore route-ipv6'

As mentioned in an earlier post for educational purposes.

system · November 23, 2019, 4:58am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.