Skip to content
Kill switch routing with IPv6: how?
Got a problem with Viscosity or need help? Ask here!
With IPv4 it's easy to configure a kill switch within Viscosity:
(1) Preferences > Advanced: untick "Reset network interfaces on disconnect"
(2) Preferences > Connections > [any connection]
(2a) Advanced: add "remap-usr1 SIGTERM" (without the quotation marks of course)
(2b) Networking > routing table: new entry with Route: 0.0.0.0 / Mask: 0.0.0.0 / IP Version: IPv4 / Gateway: VPN Gateway (vpn_gateway)
That way anytime the VPN connection is interrupted, the whole network is torn down (because 0.0.0.0 is sent into the VPN, which doesn't exist anymore), until your disable & reenable your network interface (e.g. Wi-Fi), which you can automate with a user-interactive AppleScript
Now with IPv6 this doesn't seem to work, a friend of mine told me. In Preferences > Advanced "Block IPv6 traffic while connected to IPv4-only VPN connections" is ticked (obviously) to avoid true-IP leaks via IPv6.
The VPN connection presets are sending all traffic via VPN, and when the VPN is interrupted, the network is torn down, but you can still connect normally.
When trying to create an IPv6 entry in the routing table for a second kill switch, none of it works:
(a) the option "VPN Gateway" is greyed out, when trying IPv6, so you need to choose "Custom" for the Gateway, and enter "vpn_gateway" manually;
(b) but that doesn't work either, because after saving and reopening the preset, Viscosity has deleted the entry.
We tried combining IPv6 with route/mask 0.0.0.0, which doesn't work, and combining IPv6 with :: (the IPv6 equivalent to 0.0.0.0), which doesn't work either.
Anyone who knows how to configure a kill switch for IPv6 on a connection that's Dual Stack (DS or DSLite) in addition to the IPv4 kill switch mentioned above?
(1) Preferences > Advanced: untick "Reset network interfaces on disconnect"
(2) Preferences > Connections > [any connection]
(2a) Advanced: add "remap-usr1 SIGTERM" (without the quotation marks of course)
(2b) Networking > routing table: new entry with Route: 0.0.0.0 / Mask: 0.0.0.0 / IP Version: IPv4 / Gateway: VPN Gateway (vpn_gateway)
That way anytime the VPN connection is interrupted, the whole network is torn down (because 0.0.0.0 is sent into the VPN, which doesn't exist anymore), until your disable & reenable your network interface (e.g. Wi-Fi), which you can automate with a user-interactive AppleScript
Now with IPv6 this doesn't seem to work, a friend of mine told me. In Preferences > Advanced "Block IPv6 traffic while connected to IPv4-only VPN connections" is ticked (obviously) to avoid true-IP leaks via IPv6.
The VPN connection presets are sending all traffic via VPN, and when the VPN is interrupted, the network is torn down, but you can still connect normally.
When trying to create an IPv6 entry in the routing table for a second kill switch, none of it works:
(a) the option "VPN Gateway" is greyed out, when trying IPv6, so you need to choose "Custom" for the Gateway, and enter "vpn_gateway" manually;
(b) but that doesn't work either, because after saving and reopening the preset, Viscosity has deleted the entry.
We tried combining IPv6 with route/mask 0.0.0.0, which doesn't work, and combining IPv6 with :: (the IPv6 equivalent to 0.0.0.0), which doesn't work either.
Anyone who knows how to configure a kill switch for IPv6 on a connection that's Dual Stack (DS or DSLite) in addition to the IPv4 kill switch mentioned above?
Hi Joss,
The technique listed in the following support article will work for both IPv4 and IPv6 traffic:
https://www.sparklabs.com/support/kb/ar ... fic-leaks/
Cheers,
James
The technique listed in the following support article will work for both IPv4 and IPv6 traffic:
https://www.sparklabs.com/support/kb/ar ... fic-leaks/
Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
Hi Joss,
You could try adding adding a IPv6 route with a Destination of "::", a Mask of "0", and the Gateway as Default. However I'm afraid it's not something we've ever tested and so we can't say for sure whether it'll work (IPv6 routes are treated quite differently from IPv4 routes).
Cheers,
James
You could try adding adding a IPv6 route with a Destination of "::", a Mask of "0", and the Gateway as Default. However I'm afraid it's not something we've ever tested and so we can't say for sure whether it'll work (IPv6 routes are treated quite differently from IPv4 routes).
Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
4 posts
Page 1 of 1