[warn] last whonix-gw update, ipv6 and possible VPN leak!

Evastar

Feb 15, 2019, 4:14:58 PM
to qubes...@googlegroups.com
Hello,

It seems that after the last Whonix update my old VPN VM began leaking traffic. After investigation I found that it's because of the IPv6 primary connection to whonix-gw. I guess that whonix-gw now supports IPv6. It leaks traffic through the IPv6 connection to Whonix and ignores my default old IPv4 setup. "qvm-features VM ipv6 0" fixed this issue! But I'm not sure about all my other VPNs and leaking with IPv6. How must I fix this in the VPN setup (on load) to be 100% sure that it never happens again?


P.S. Thanks for Qubes!!!!



Chris Laprise

Feb 15, 2019, 4:39:42 PM
to Evastar, qubes...@googlegroups.com
The Qubes-vpn-support / qubes-tunnel firewalls have had ipv6 anti-leak
for some time now. Also, the scripted section of the Qubes vpn doc has
had it as well when I added it last July. But it looks like the Network
Manager section should be updated to also include it, since that section
now suggests firewall settings.

FWIW, I'm not sure when Qubes started enabling ipv6 by default. I
thought R4.0 was going to support ipv6 but leave it disabled by default?

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

Evastar

Feb 15, 2019, 5:59:42 PM
to qubes...@googlegroups.com
> FWIW, I'm not sure when Qubes started enabling ipv6 by default. I
> thought R4.0 was going to support ipv6 but leave it disabled by default?

Thanks for the fix. I found it! BTW, I have the same question! I never enabled IPv6 and it's my old VPN VM! Maybe I'm compromised? Everything worked like a charm until today when I found that leak. Must I disable IPv6 for each VM manually now? How do I do this in one batch? Thank you!

David Hobach

Feb 16, 2019, 4:28:23 AM
to Evastar, qubes...@googlegroups.com
On 2/15/19 10:14 PM, 'Evastar' via qubes-users wrote:
> It seems that after the last Whonix update my old VPN VM began leaking traffic. After investigation I found that it's because of the IPv6 primary connection to whonix-gw. I guess that whonix-gw now supports IPv6. It leaks traffic through the IPv6 connection to Whonix and ignores my default old IPv4 setup. "qvm-features VM ipv6 0" fixed this issue! But I'm not sure about all my other VPNs and leaking with IPv6. How must I fix this in the VPN setup (on load) to be 100% sure that it never happens again?

For Debian templates, you can also set in /etc/sysctl.conf:
net.ipv6.conf.all.disable_ipv6 = 1
I guess Debian updates might mess with it though.

In particular I didn't notice `man qvm-features` to explain the setting
you mentioned.

But thanks for the notice!

It is somewhat odd to observe this change, yes.

Chris Laprise

Feb 20, 2019, 5:36:29 PM
to Evastar, qubes...@googlegroups.com
On 2/15/19 4:39 PM, Chris Laprise wrote:
> On 2/15/19 4:14 PM, 'Evastar' via qubes-users wrote:
>> Hello,
>>
>> It seems that after the last Whonix update my old VPN VM began leaking
>> traffic. After investigation I found that it's because of the IPv6
>> primary connection to whonix-gw. I guess that whonix-gw now supports
>> IPv6. It leaks traffic through the IPv6 connection to Whonix and
>> ignores my default old IPv4 setup. "qvm-features VM ipv6 0" fixed this
>> issue! But I'm not sure about all my other VPNs and leaking with IPv6.
>> How must I fix this in the VPN setup (on load) to be 100% sure that it
>> never happens again?
>
> The Qubes-vpn-support / qubes-tunnel firewalls have had ipv6 anti-leak
> for some time now. Also, the scripted section of the Qubes vpn doc has
> had it as well when I added it last July. But it looks like the Network
> Manager section should be updated to also include it, since that section
> now suggests firewall settings.
>
> FWIW, I'm not sure when Qubes started enabling ipv6 by default. I
> thought R4.0 was going to support ipv6 but leave it disabled by default?

I took the initiative to create the pull request to address this issue
with the NM instructions. The link is here:

https://github.com/QubesOS/qubes-doc/pull/795

Marek Marczykowski-Górecki

Feb 23, 2019, 7:27:37 PM
to Evastar, qubes...@googlegroups.com
On Fri, Feb 15, 2019 at 09:14:51PM +0000, 'Evastar' via qubes-users wrote:
> Hello,
>
> It seems that after the last Whonix update my old VPN VM began leaking traffic. After investigation I found that it's because of the IPv6 primary connection to whonix-gw. I guess that whonix-gw now supports IPv6. It leaks traffic through the IPv6 connection to Whonix and ignores my default old IPv4 setup.
> "qvm-features VM ipv6 0" fixed this issue!

"0" in the command above is _not_ the correct way to disable it. It
should be an empty string:

qvm-features VM ipv6 ''

Details: https://www.qubes-os.org/doc/networking/#ipv6

Anyway, Whonix comes with firewall rules blocking native IPv6, regardless of
the above setting. If you reach some IPv6, it must be tunneled over Tor
- which does support IPv6.

> But I'm not sure about all my other VPNs and leaking with IPv6. How must I fix this in the VPN setup (on load) to be 100% sure that it never happens again?

As Chris already mentioned, one way is to add extra firewall rules:
https://github.com/QubesOS/qubes-doc/pull/795

qubes-vpn-support / qubes-tunnel also comes with relevant firewall
rules.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
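
Added example, not part of the thread and not Qubes project code: dom0 shell functions for the "one batch" question above, using the empty-string value from the last reply rather than "0". It assumes the R4.x `qvm-ls --raw-list` and `qvm-features` tools; the function names and the `QVM_LS` / `QVM_FEATURES` override variables are hypothetical, added so the logic can be dry-run with stand-ins.

```shell
#!/bin/sh
# Added example: run in dom0. Assumes Qubes R4.x qvm-ls and qvm-features.
# QVM_LS / QVM_FEATURES are hypothetical overrides for dry runs with stand-ins.
QVM_LS=${QVM_LS:-qvm-ls}
QVM_FEATURES=${QVM_FEATURES:-qvm-features}

# List qubes whose own "ipv6" feature holds any non-empty value, as
# "name<TAB>value". A value of "0" is listed as well: per the reply above,
# only the empty string is the correct way to disable the feature.
ipv6_enabled_qubes() {
    "$QVM_LS" --raw-list | while read -r vm; do
        # If the lookup fails (for example, feature not set), treat it as empty.
        val=$("$QVM_FEATURES" "$vm" ipv6 2>/dev/null) || val=
        if [ -n "$val" ]; then
            printf '%s\t%s\n' "$vm" "$val"
        fi
    done
}

# Set ipv6 to '' on the named qubes, or on every qube except dom0 when
# called without arguments.
disable_ipv6() {
    if [ "$#" -eq 0 ]; then
        # Qube names contain no whitespace, so word splitting is safe here.
        set -- $("$QVM_LS" --raw-list | grep -v '^dom0$')
    fi
    for vm in "$@"; do
        "$QVM_FEATURES" "$vm" ipv6 '' || return 1
    done
}
```

Run `ipv6_enabled_qubes` first to see which qubes carry a value, then `disable_ipv6 NAME...` for the VPN qubes or `disable_ipv6` with no arguments for all of them.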