Privacy and DDoS attacks with the arrival of IPv6: is a VPN the solution?

Discussion in 'privacy technology' started by Born23, Apr 12, 2016.

  1. Born23

    Born23 Registered Member

    Joined:
    Apr 12, 2016
    Posts:
    12
    Hello to all,
    Following my Internet provider's transition to IPv6, I lost my dynamic IP (the migration is performed this way: static IPv4 and dynamic IPv6).
    That is why I am turning to a VPN ... (to avoid a static IP, DDoS attacks, spoofing...)
    I contacted a VPN provider for information, who said it has "leak protection"; however, it does not support IPv6 on its network, so I will browse with IPv4 on its network.
    Will browsing through the VPN remain safe despite this new move to IPv6, which unfortunately I do not understand at all? (In fact, whether I leave the IPv6 option on my box enabled or disable it, I'm always on IPv4 when I visit sites like mon-ip.com.)
    I'm not talking about peer-to-peer protocol security breaches, because I did not download, but other vulnerabilities are also present, allowing people connected to the same VPN as you to easily find your MAC address and computer name (source: Korben).
    Or do I have to, before subscribing to a VPN, disable everything that refers to IPv6 on my computer:
    - NetBIOS over TCP/IP
    - Internet Protocol version 6
    - All firewall rules concerning IPv6
    And obviously the IPv6 option on the box.
    Thank you very much for the answers you can give me.
    Best regards
    Born23
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    Although OpenVPN can route IPv6, I know of no VPN service that does so. But even that would fail to provide IPv6 privacy. Because there's no NAT with IPv6. Even if your devices generate "privacy-friendly" IPv6 addresses, the first part of all routable IPv6 addresses reveals the ISP that issued the address block. And the addresses don't change very often. Also, some Linux distros (Fedora, for example) don't implement the "privacy-friendly" IPv6 address feature. There's just one static routable IPv6 address.

    Anyway, your best bet for now is to disable IPv6 in your devices' network adapters. Also add rules in local and router firewalls to block IPv6 traffic. And just to be sure, pick a VPN service that doesn't route IPv6. That should be easy, because I haven't found one that does.

    Several VPN services claim to block IPv6. I've tested a few, and IVPN is the only one that works. I'm using a test network with full, native IPv6 connectivity, however. Some of the other VPN services may in fact block IPv6 connectivity that's provided by IPv6-via-IPv4 tunnel brokers. Once I test enough of them, I'll post the results somewhere.

    Ultimately, IPv6 connectivity that's truly "privacy-friendly" must be provided by a VPN service that acts as an ISP. Now we have VPN services that use NAT to provide third-party public IPv4 addresses (mostly shared by many users). But there is no NAT for IPv6. You have link-local and public aka routable IPv6 addresses, but the routable ones are all linked to your local ISP. The only way to get third-party public IPv6 addresses is to actually get them from the third party. To protect your privacy, VPN services will need to do that for you, and not share any personal data that they may have, in the process. That is doable. It's how I have IPv6 connectivity. And it's all through a nested chain of IPv4 VPNs. But it wasn't easy.

    Also, even with all that, it would take just one IPv6 leak to hose it all. I'm pretty confident, because I have multiple layers of pfSense routers, all blocking IPv6. But it's still freaky. And for people with simpler setups, it will be crucial for VPN providers cum ISPs to adequately protect their customers.
     
  3. Born23

    Born23 Registered Member

    Joined:
    Apr 12, 2016
    Posts:
    12
    Hi Mirimir

    Thank you for your answer.
    You gave me an example of one VPN (IVPN) that blocked IPv6, which is why I am giving you a link where you can find a few of them; it is a good study made by a private individual (no commercial view...):
    https://docs.google.com/spreadsheet...uQPU4BVzbOigT0xebxTOw/edit?pref=2&pli=1#gid=0
    You'll be able to verify if they really block IPv6... and it is a great study for seeing different parameters such as Five Eyes countries, canaries etc...

    But did you check that IVPN does the following:
    1/ Have multiple IP addresses, allow incoming connections to ip1, exit connections through ip2-ipx, have port forwardings on ip2-ipx
    2/ On client connect, set a server-side firewall rule to block access from the client's real IP to port forwardings that are not his own
    I really would like to know if you have the answer.

    Following what you said, "Anyway the best way for now is disable IPv6 in your devices' network adapters", I did this:
    - NetBIOS over TCP/IP
    - Internet Protocol version 6
    And I disabled all rules concerning IPv6 in the computer's firewall and the IPv6 option in the modem/router.
    For the firewall rules, do we have to create rules in both firewalls, meaning the modem/router's firewall and the computer's firewall?
    I am not familiar with creating rules in the firewall; can you help me with this?

    Stupid question: even if I disabled IPv6, Windows tends to prioritize IPv6 whenever possible; do you think it can still do so?

    Ultimate question: would a proactive approach of checking the operating status of the DNS at least once per minute be, in your view, a good test, and can we do it as a VPN client?

    Thanks a lot for your time and help.
    Have a great day, Mirimir
    Born23
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    You're welcome :) I've been working on this, so hey ...
    Yes, I'm working from that spreadsheet. But I'm pretty sure that it's based on what VPN providers have said, and not on actual testing. I'm testing the overall most highly rated ones, plus all that claim to block IPv6. For DNS leaks and response to uplink interruption, as well. As I said, IVPN is the only one that I've found that entirely blocks IPv6. But that's only in their Windows and OSX clients. They don't have a Linux client. In Linux, you need to disable IPv6 on eth0. You also need to block IPv6 in ip6tables. And in iptables, you need to block all traffic on eth0, except for the VPN server, and allow only output on tun0.

    I'm not going to say here which VPN services leak IPv6, because I plan to inform them first, and will give them a month. Then I'll retest, and publish what I find. But I will post to this thread when I find others that do block IPv6.
    Yes, IVPN does that. There is no forwarded-port leak. I set up a client in Linux, with port foo forwarded, connecting to VPN server a.b.c.d, with exit IP a.b.c.e. Then I ran a simple webserver on port foo. I could hit http://a.b.c.e:foo from a Whonix VM, but not from Windows or OSX VMs using IVPN clients, connecting to the same VPN server a.b.c.d, with exit IP a.b.c.e. I could also hit http://a.b.c.e:foo from the Windows and OSX VMs when they weren't connected to IVPN servers.
    Yes, that should do it.
    It's not that you want to disable all IPv6 rules. You want to block IPv6. I know how to do that in Linux, but not (as I sit here) in Windows or OSX. Maybe someone else can help with that.
    What sort of firewall?
    It can try, but that won't matter if IPv6 isn't working :) And maybe there's a way to change that preference.
    That's not such a good approach. Stuff happens too fast. You want firewall rules that allow only what you want, and block everything else. Proper routing is necessary, but it's not a security feature, because it can be changed by ISPs. NAT is a great privacy feature in IPv4. And it plays a major role in most firewalls. But it's totally irrelevant for IPv6. Firewall rules are the way to go.
    You too :)
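
The Linux lockdown described in the post above (disable IPv6 on eth0, drop everything in ip6tables, allow IPv4 only to the VPN server and out through tun0), written out as an added example that is not part of the thread or mirimir's own rule set. The interface names, the server address 198.51.100.7 and port 1194 are constructed placeholders; the commands are printed for review rather than applied, and the hypothetical helper `global_ipv6_addrs` checks `ip -6 -o addr show` output for routable addresses.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: eth0 (uplink), tun0 (tunnel).

# True only for a dotted-quad IPv4 literal. A hostname is rejected because
# resolving it would need a DNS lookup outside the tunnel.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Print (do not apply) the lockdown commands. Args: server_ip port [udp|tcp]
vpn_lockdown_rules() {
    ip=$1 port=$2 proto=${3:-udp} wan=eth0 tun=tun0
    is_ipv4 "$ip" || { echo "server must be an IPv4 literal" >&2; return 2; }
    case $proto in udp|tcp) ;; *) echo "proto must be udp or tcp" >&2; return 2 ;; esac
    cat <<EOF
sysctl -w net.ipv6.conf.$wan.disable_ipv6=1
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
ip6tables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o $wan -d $ip -p $proto --dport $port -j ACCEPT
iptables -A INPUT -i $wan -s $ip -p $proto --sport $port -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $tun -j ACCEPT
iptables -A INPUT -i $tun -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Reads `ip -6 -o addr show` output on stdin and prints "iface address" for
# each routable (scope global) address; empty output means none is configured.
global_ipv6_addrs() {
    awk '$3 == "inet6" && $6 == "global" { print $2, $4 }'
}

# Constructed sample of `ip -6 -o addr show` output (documentation prefix).
SAMPLE='1: lo    inet6 ::1/128 scope host \       valid_lft forever preferred_lft forever
2: eth0    inet6 2001:db8:1:2::10/64 scope global dynamic \       valid_lft 86000sec preferred_lft 14000sec
2: eth0    inet6 fe80::a00:27ff:fe4e:66a1/64 scope link \       valid_lft forever preferred_lft forever'

# Usage: sh lockdown.sh 198.51.100.7 1194 udp   (constructed address)
if [ "$#" -ge 2 ]; then vpn_lockdown_rules "$@"; fi
```

The conntrack rules for return traffic are an addition to the post's "allow only output on tun0", since replies must be accepted for the tunnel to work. If eth0 gets its address by DHCP, lease renewal needs its own allow rule, which is omitted here.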
     
  5. Born23

    Born23 Registered Member

    Joined:
    Apr 12, 2016
    Posts:
    12
    Hello Mirimir,
    Many thanks for your help and your responsiveness.
    This is great to get answer so quickly.
    You already work with that spreadsheet so I am sure you know this link:
    https://torrentfreak.com/how-to-make-vpns-even-more-secure-120419/
    I leave it for information in case of people reading that post...
    I feel much more comfortable now with your answer.
    I used to have different firewalls, but I found them too complicated and I was afraid to leave something or avoid something that could get me in trouble.... so I came back to the Windows firewall; it is much simpler.
    It would be great if someone could help me configure both my modem/router's firewall and my computer's; do you think that I have to make a new post for that?
    Another thing: do you know VPNCheck (http://www.guavi.com/vpncheck_free.html) and VPNETMON? If yes, which one would you advise?
    I am very eager to read your study.
    Thanks again, and all the best.
    Born23
    Good luck.
     
  6. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    I'm curious about this list. It says that airVPN does not have a kill switch. But they now have a network lock that when enabled will not allow anything on your computer to connect to the internet outside of airVPN.

    I use Shadow Defender so I normally don't disable the network lock when I shut down because it doesn't matter. Everything returns to the way it was before I connected. But one day I was installing a VM and I enabled the network lock and connected to air outside of shadow mode. When I was through I shut down like I normally do without deactivating the network lock. The next morning I could not connect to the internet. I thought something was wrong with my ISP so I called tech support. After doing some tests he asked me to connect through my phone and I did with no problem. So I knew that it was on my end.

    So I remembered the network lock without shadow mode and decided to try and connect airVPN. I connected to a server and I had an internet connection. But when I disconnected from the server I could not get a bare connection through my local ISP. It took me a few minutes to figure it out. First I went into the adapters and told them to "obtain DNS server automatically". But I still could not connect without air. I reactivated the network lock and then deactivated it. Still no go. So I went into Windows firewall settings and reset the firewall to default. That did it. I was finally able to connect through my bare ISP connection. So I don't know if this would technically qualify as a "kill switch", but in my mind it sure does. Better than any I can think of.
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    I'll be testing AirVPN soon.

    Edit: AirVPN clients in Windows and OSX do not leak IPv6, as long as "Network Lock" is enabled. Even though "Network Lock" is not enabled by default, it's the fair way to test. I'll be doing the same for other providers, enabling blocking stuff that's not on by default. In Windows, the AirVPN client without "Network Lock" enabled does leak IPv6. One can't reach IPv6 URLs, because the AirVPN DNS server doesn't handle IPv6. But one can ping IPv6 addresses, and http://whatismyipaddress.com/ reports the VM's global IPv6 address. There are no IPv6 leaks in OSX, however.
     
    Last edited: Apr 15, 2016