
Bug: IPv6 might leak with PIA and docker configured to enable IPv6 #425

Closed
kubax opened this issue Apr 17, 2021 · 6 comments

Comments

kubax commented Apr 17, 2021

Is this urgent?: it might be...

Host OS (approximate answer is fine too): Arch Linux

CPU arch or device name: amd64

What VPN provider are you using: PIA

What are you using to run your container?: Docker Compose (Portainer)

What is the version of the program:

gluetun:latest

What's the problem 🤔

If Docker is configured to use IPv6, "network_mode: bridge" leads to the container being able to use the host's IPv6 address and bypass OpenVPN (in the case of PIA at least).

Changed my docker-compose like so, to have only IPv4 in this container:

version: "3.7"
services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    ports:
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
      - 8000:8000/tcp # Built-in HTTP control server
    # command:
    volumes:
      - /yourpath:/gluetun
    secrets:
      - openvpn_user
      - openvpn_password
    environment:
      # More variables are available, see the readme table
      - VPNSP=private internet access
      # Timezone for accurate log times
      - TZ=
    restart: always
    # Attach only to the IPv4-only user-defined network declared below.
    # network_mode and networks cannot be combined in one service, so the
    # earlier "network_mode: bridge" line is dropped.
    networks:
      - gluetun
    # Belt and braces: also turn off the IPv6 stack inside the container's namespace
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=1

secrets:
  openvpn_user:
    file: ./openvpn_user
  openvpn_password:
    file: ./openvpn_password

networks:
  gluetun:
    enable_ipv6: false

I might also be missing something... I recently enabled IPv6 on my Docker host, and just started switching from a combined VPN + service container to gluetun, hoping to simplify my setup (which seems promising so far).

qdm12 (Owner) commented Apr 17, 2021

Duplicate of #422

It seems very few users use IPv6 (not me either), since most OpenVPN providers don't support IPv6 (except Mullvad, I believe), but yeah, it's something I need to dig into soon.

kubax (Author) commented Apr 17, 2021

Thanks for addressing this; sorry that I did not hook up with the other issue. I thought it would be slightly off topic there.

Also thanks for the work with this container!

I did test it with a container, and it works like a charm!

qdm12 (Owner) commented Apr 18, 2021

Hey @kubax, I have a Docker image qmcgaw/gluetun:ipv6 for you to test on your setup (out of integration test laziness, sorry 😄). It should now block all IPv6 traffic BUT should allow specific traffic to come in, for example with VPN server side port forwarding or if your local subnet is an IPv6 subnet. List of things to do (which I'll edit here in the future):

  • Minimal requirements:

    • Add ip6tables
    • Block all IPv6 traffic
  • Additional steps:

    • Adapt existing code to handle IPv4 and IPv6, depending on user inputs and environment
    • Allow IPv6 traffic to the IPv6 VPN server address (mullvad only for now, which is still not in use elsewhere in the code)
    • Add tun-ipv6 to the openvpn instruction (to test on non-IPv6 providers AND on machines without IPv6): doesn't work, keep it as is.
    • Simplify errors in code for the firewall (OOS but still)

Note 1: you can now set your own ip6tables rules if you want to try things out, see this Wiki page

Note 2: #422 got closed to reduce duplication of issues.
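The to-do list above describes the firewall shape gluetun moves to (default-deny on IPv6, then narrow allowances for a local IPv6 subnet or the VPN server), and the compose file earlier in the thread relies on the disable_ipv6 sysctl instead. The script below is an added example, not gluetun's own code or kubax's config: it emits the ip6tables commands for that policy so they can be reviewed before being applied with CAP_NET_ADMIN, and checks the sysctl value. The subnet, server address, port and protocol used in the usage line are constructed placeholders (2001:db8::/32 is the documentation prefix), not values from the issue.

```shell
#!/bin/sh
# Added example: default-deny ip6tables policy for a VPN container plus a
# sysctl check. Not gluetun's own firewall code; addresses are constructed.

# ipv6_disabled FILE
# Exit 0 when the disable_ipv6 sysctl read from FILE is 1. FILE is normally
# /proc/sys/net/ipv6/conf/all/disable_ipv6 (made a parameter so it can be
# checked against any file).
ipv6_disabled() {
  [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# gen_ip6tables_rules [LOCAL_SUBNET] [VPN_SERVER_IP6] [VPN_PORT] [PROTO]
# Print one ip6tables command per line. Order matters: flush, set DROP
# policies, allow loopback and already-established flows, then the narrow
# allowances. With no arguments the result is "block all IPv6", which is
# the minimal requirement in the list above.
gen_ip6tables_rules() {
  local_subnet=$1
  vpn_server=$2
  vpn_port=${3:-1194}
  proto=${4:-udp}

  echo "ip6tables -F"
  echo "ip6tables -P INPUT DROP"
  echo "ip6tables -P FORWARD DROP"
  echo "ip6tables -P OUTPUT DROP"
  echo "ip6tables -A INPUT -i lo -j ACCEPT"
  echo "ip6tables -A OUTPUT -o lo -j ACCEPT"
  echo "ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "ip6tables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

  # Optional: let an IPv6 LAN reach the proxies the container publishes.
  if [ -n "$local_subnet" ]; then
    echo "ip6tables -A INPUT -s $local_subnet -j ACCEPT"
    echo "ip6tables -A OUTPUT -d $local_subnet -j ACCEPT"
  fi
  # Optional: allow the VPN handshake itself to an IPv6 VPN server address.
  if [ -n "$vpn_server" ]; then
    echo "ip6tables -A OUTPUT -d $vpn_server -p $proto --dport $vpn_port -j ACCEPT"
  fi
}

# apply_rules [same args as gen_ip6tables_rules]
# Execute the generated commands; needs CAP_NET_ADMIN in the container.
# Stops at the first failing command so a half-applied policy is visible.
apply_rules() {
  gen_ip6tables_rules "$@" | while IFS= read -r cmd; do
    $cmd || { echo "failed: $cmd" >&2; exit 1; }
  done
}

# Usage (constructed values): review the rules, then apply them.
#   gen_ip6tables_rules fd00:1234::/64 2001:db8::1 1198 udp
#   apply_rules fd00:1234::/64 2001:db8::1 1198 udp
# Afterwards, from inside the container, `curl -6 --max-time 5 https://example.com`
# should fail to connect if the policy holds.
```

Leak-testing this from inside the container is the part that matters: after applying the rules (or the sysctl), an IPv6-only request should fail, and `ip6tables -S` should show the DROP policies with only the expected ACCEPT lines.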

kubax (Author) commented Apr 18, 2021

Thanks for putting work into fixing this so fast!

I will check if it fixes the problem tomorrow and report back (hopefully I don't forget it 🙈).

kubax (Author) commented Apr 19, 2021

Ok, it seems like it works!

I did try really hard to reproduce the IPv6 leaking with my current setup, but could not get it to leak my IPv6... even without switching to the ipv6 tag.

Took me some time to figure out why... seems like pushing the ipv6 branch also updated the latest tag, and I already had the fix in my container.

That said, I did make a sanity check with 3.15.0 and I can reproduce the "problem" there. So it seems like your fix works :)

Great job!!!

qdm12 (Owner) commented Apr 19, 2021

Cool! Closed in 7ba98af

qdm12 closed this as completed Apr 19, 2021