Kill switch routing with IPv6: how?

Posted: Fri Apr 06, 2018 2:49 am
by Joss
With IPv4 it's easy to configure a kill switch within Viscosity:

(1) Preferences > Advanced: untick "Reset network interfaces on disconnect"
(2) Preferences > Connections > [any connection]
(2a) Advanced: add "remap-usr1 SIGTERM" (without the quotation marks of course)
(2b) Networking > routing table: new entry with Route: 0.0.0.0 / Mask: 0.0.0.0 / IP Version: IPv4 / Gateway: VPN Gateway (vpn_gateway)

That way anytime the VPN connection is interrupted, the whole network is torn down (because 0.0.0.0 is sent into the VPN, which doesn't exist anymore), until you disable & reenable your network interface (e.g. Wi-Fi), which you can automate with a user-interactive AppleScript.

Now with IPv6 this doesn't seem to work, a friend of mine told me. In Preferences > Advanced "Block IPv6 traffic while connected to IPv4-only VPN connections" is ticked (obviously) to avoid true-IP leaks via IPv6.

The VPN connection presets are sending all traffic via VPN, and when the VPN is interrupted, the network is torn down, but you can still connect normally.

When trying to create an IPv6 entry in the routing table for a second kill switch, none of it works:

(a) the option "VPN Gateway" is greyed out, when trying IPv6, so you need to choose "Custom" for the Gateway, and enter "vpn_gateway" manually;

(b) but that doesn't work either, because after saving and reopening the preset, Viscosity has deleted the entry.

We tried combining IPv6 with route/mask 0.0.0.0, which doesn't work, and combining IPv6 with :: (the IPv6 equivalent to 0.0.0.0), which doesn't work either.

Anyone who knows how to configure a kill switch for IPv6 on a connection that's Dual Stack (DS or DSLite) in addition to the IPv4 kill switch mentioned above?

Re: Kill switch routing with IPv6: how?

Posted: Mon Apr 09, 2018 9:59 am
by James
Hi Joss,

The technique listed in the following support article will work for both IPv4 and IPv6 traffic:
https://www.sparklabs.com/support/kb/ar ... fic-leaks/

Cheers,
James

Re: Kill switch routing with IPv6: how?

Posted: Tue Apr 10, 2018 2:35 am
by Joss
Yes, thank you. I vaguely remember the route pre-down script.

But how do you do it in the routing table in Preferences > [Connection] > Network? It works perfectly for IPv4, no script needed, but how do we configure it for IPv6? (That was the question.)

Re: Kill switch routing with IPv6: how?

Posted: Tue Apr 10, 2018 9:40 am
by James
Hi Joss,

You could try adding an IPv6 route with a Destination of "::", a Mask of "0", and the Gateway as Default. However, I'm afraid it's not something we've ever tested and so we can't say for sure whether it'll work (IPv6 routes are treated quite differently from IPv4 routes).

Cheers,
James