Kill switch routing with IPv6: how?
Posted: Fri Apr 06, 2018 2:49 am
With IPv4 it's easy to configure a kill switch within Viscosity:
(1) Preferences > Advanced: untick "Reset network interfaces on disconnect"
(2) Preferences > Connections > [any connection]
(2a) Advanced: add "remap-usr1 SIGTERM" (without the quotation marks of course)
(2b) Networking > routing table: new entry with Route: 0.0.0.0 / Mask: 0.0.0.0 / IP Version: IPv4 / Gateway: VPN Gateway (vpn_gateway)
That way anytime the VPN connection is interrupted, the whole network is torn down (because 0.0.0.0 is sent into the VPN, which doesn't exist anymore), until you disable & re-enable your network interface (e.g. Wi-Fi), which you can automate with a user-interactive AppleScript.
Now with IPv6 this doesn't seem to work, a friend of mine told me. In Preferences > Advanced "Block IPv6 traffic while connected to IPv4-only VPN connections" is ticked (obviously) to avoid true-IP leaks via IPv6.
The VPN connection presets are sending all traffic via VPN, and when the VPN is interrupted, the network is torn down, but you can still connect normally.
When trying to create an IPv6 entry in the routing table for a second kill switch, none of it works:
(a) the option "VPN Gateway" is greyed out, when trying IPv6, so you need to choose "Custom" for the Gateway, and enter "vpn_gateway" manually;
(b) but that doesn't work either, because after saving and reopening the preset, Viscosity has deleted the entry.
We tried combining IPv6 with route/mask 0.0.0.0, which doesn't work, and combining IPv6 with :: (the IPv6 equivalent to 0.0.0.0), which doesn't work either.
Anyone who knows how to configure a kill switch for IPv6 on a connection that's Dual Stack (DS or DSLite) in addition to the IPv4 kill switch mentioned above?
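A way to verify whether the kill switch described in the post covers both address families, as an added example that is not part of the original post: it parses routing-table text and reports each family whose default route leaves through a non-tunnel interface. The sample text is constructed in the style of macOS `netstat -rn`, and the `utun` tunnel-interface prefix and the function name are assumptions; only default routes are checked, matching the 0.0.0.0 / 0.0.0.0 entry above.

```python
# Added example: flag address families whose default route bypasses the tunnel.
# SAMPLE is constructed text in the style of macOS `netstat -rn`; the "utun"
# prefix for the VPN interface is an assumption.
SAMPLE = """\
Routing tables

Internet:
Destination        Gateway            Flags        Netif Expire
default            10.8.0.1           UGSc         utun1
default            192.168.1.1        UGScI          en0
10.8.0.1/32        10.8.0.5           UGSc         utun1

Internet6:
Destination                  Gateway               Flags         Netif Expire
default                      fe80::1%en0           UGc             en0
fe80::%en0/64                link#4                UCI             en0
"""

def leaking_families(netstat_text, tunnel_prefix="utun"):
    """Map each family to the non-tunnel interfaces carrying its default route."""
    leaks, family, netif_col = {}, None, None
    for line in netstat_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] in ("Internet:", "Internet6:"):
            family, netif_col = fields[0].rstrip(":"), None
        elif fields[0] == "Destination" and "Netif" in fields:
            netif_col = fields.index("Netif")  # column layout differs by OS version
        elif family and netif_col is not None and fields[0] == "default":
            if len(fields) <= netif_col:
                continue                       # truncated line, nothing to judge
            flags, netif = fields[2], fields[netif_col]
            if "I" in flags:                   # interface-scoped, not the global default
                continue
            if not netif.startswith(tunnel_prefix):
                leaks.setdefault(family, []).append(netif)
    return leaks

if __name__ == "__main__":
    for fam, ifs in leaking_families(SAMPLE).items():
        print(f"{fam}: default route leaves via {', '.join(ifs)}")
```

An empty result means every family either routes its default through the tunnel or has no default route at all.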