IPv6 address leak

Post your questions about SoftEther VPN software here. Please answer questions if you can afford.
Post Reply
AStrangeForum
Posts: 4
Joined: Mon May 24, 2021 11:03 am

IPv6 address leak

Post by AStrangeForum » Mon May 24, 2021 11:19 am

Hello!

I looked though the forum and out of the couple topics I found, none provided any solutions.

Here is what happens:
My VPN server is on Linux, available through IPv4 and IPv6 both. (Ver 4.34, Build 9745, rtm)
My home VPN client is on Windows 10, supporting IPv4 and IPv6 both.
I can successfully connect to the server using Softether VPN Client.
By enabling SecureNAT, my IPv4 is masked and shows like server's IPv4 when I browse the internet.

The problem is, IPv6 is still my client's IP. Even if I connect to the server through IPv6 it is not masked (IPv4 works fine even then).

What sould I do to fix this problem? How do I mask my IPv6 address while connected to the server via VPN, to the server's IPv6?

eddiewu
Posts: 69
Joined: Wed Nov 25, 2020 9:10 am

Re: IPv6 address leak

Post by eddiewu » Mon May 24, 2021 11:42 am

Secure nat is ipv4 only. You need to use local bridge.

AStrangeForum
Posts: 4
Joined: Mon May 24, 2021 11:03 am

Re: IPv6 address leak

Post by AStrangeForum » Mon May 24, 2021 11:56 am

eddiewu wrote:
Mon May 24, 2021 11:42 am
Secure nat is ipv4 only. You need to use local bridge.
Can you elaborate on that? How would I re-create this setup using local bridge? Is there a FAQ?

eddiewu
Posts: 69
Joined: Wed Nov 25, 2020 9:10 am

Re: IPv6 address leak

Post by eddiewu » Mon May 24, 2021 12:22 pm

What's your server environment and how many NIC does it have? How does it connect to Internet?

AStrangeForum
Posts: 4
Joined: Mon May 24, 2021 11:03 am

Re: IPv6 address leak

Post by AStrangeForum » Mon May 24, 2021 1:35 pm

Thank you for the advice, I managed to fix this issue.

It took the following steps:
1) Disable SecureNAT.
2) Create a local bridge, tap interface tap_soft
3) Install dnsmasq to act as a DHCP server.
4) Configure /etc/dnsmasq with the following:

Code: Select all

interface=tap_soft
dhcp-range=192.168.30.10,192.168.30.255,12h
dhcp-option=3,192.168.30.1
dhcp-no-override
bogus-priv
enable-ra
dhcp-range=::100,::1ff,constructor:tap_soft, 64, 12h
server=2606:4700:4700::1111
server=2606:4700:4700::1001
dhcp-option=option6:dns-server,[fc00:0000:2ac:7af1::1],[2606:4700:4700::1111]
I am not sure which DNS resolvers are being used, since I still have my systemd-resolve enabled and dnsmasq is running with port=0, disabling it's DNS server.
5) Then, configure init script of the vpnserver to the following: (dont forget to change ipv4 and ipv6)

Code: Select all

#!/bin/sh
### BEGIN INIT INFO
# Provides:          vpnserver
# Required-Start:    $network $remote_fs
# Required-Stop:     $network $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: SoftEther VPN Server
### END INIT INFO

DAEMON=/usr/libexec/softether/vpnserver/vpnserver
LOCK=/var/lock/subsys/vpnserver
TAP_ADDR=192.168.30.1
TAP_INTERFACE=tap_soft
IPV6_ADDR=fc00:0000:2ac:7af1::1
IPV6_SUBNET=fc00:0000:2ac:7af1::/64
PUBLIC_IPV4= your server public ip
PUBLIC_IPV6= your server public ipv6

test -x $DAEMON || exit 0
case "$1" in
start)
$DAEMON start
touch $LOCK
sleep 3

/sbin/ifconfig $TAP_INTERFACE $TAP_ADDR
/sbin/ifconfig $TAP_INTERFACE inet6 add $IPV6_ADDR
/sbin/ifconfig $TAP_INTERFACE inet6 add $IPV6_SUBNET
iptables -t nat -F
iptables -t nat -A POSTROUTING -s 192.168.30.0/24 -j SNAT --to-source $PUBLIC_IPV4
ip6tables -t nat -F
ip6tables -t nat -A POSTROUTING -s fc00:0000:2ac:7af1::/64 -j SNAT --to-source $PUBLIC_IPV6

sleep 3
service dnsmasq start
;;
stop)
$DAEMON stop
rm $LOCK
;;
restart)
$DAEMON stop
sleep 3
$DAEMON start
sleep 3

/sbin/ifconfig $TAP_INTERFACE $TAP_ADDR
/sbin/ifconfig $TAP_INTERFACE inet6 add $IPV6_ADDR
/sbin/ifconfig $TAP_INTERFACE inet6 add $IPV6_SUBNET
iptables -t nat -F
iptables -t nat -A POSTROUTING -s 192.168.30.0/24 -j SNAT --to-source $PUBLIC_IPV4
ip6tables -t nat -F
ip6tables -t nat -A POSTROUTING -s fc00:0000:2ac:7af1::/64 -j SNAT --to-source $PUBLIC_IPV6
sleep 3
service dnsmasq restart
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
esac
exit 0
6) You have to ensure your net.ipv4.ip_forward and net.ipv6.conf.all.forwarding are set to 1. After this, use the script from step 5 to start/restart your VPN Server. It should already work fine.

AStrangeForum
Posts: 4
Joined: Mon May 24, 2021 11:03 am

Re: IPv6 address leak

Post by AStrangeForum » Mon May 24, 2021 1:51 pm

Thank you, I resolved this problem. For some reason post with detailed explaination about how to fix this is pending moderation. Let's hope it appears here later.

Post Reply