Kill switch routing with IPv6: how?


Joss

Posts: 4
Joined: Fri Jun 06, 2014 7:11 pm

Post by Joss » Fri Apr 06, 2018 2:49 am
With IPv4 it's easy to configure a kill switch within Viscosity:

(1) Preferences > Advanced: untick "Reset network interfaces on disconnect"
(2) Preferences > Connections > [any connection]
(2a) Advanced: add "remap-usr1 SIGTERM" (without the quotation marks of course)
(2b) Networking > routing table: new entry with Route: 0.0.0.0 / Mask: 0.0.0.0 / IP Version: IPv4 / Gateway: VPN Gateway (vpn_gateway)

That way anytime the VPN connection is interrupted, the whole network is torn down (because 0.0.0.0 is sent into the VPN, which doesn't exist anymore), until you disable & reenable your network interface (e.g. Wi-Fi), which you can automate with a user-interactive AppleScript.

Now with IPv6 this doesn't seem to work, a friend of mine told me. In Preferences > Advanced "Block IPv6 traffic while connected to IPv4-only VPN connections" is ticked (obviously) to avoid true-IP leaks via IPv6.

The VPN connection presets are sending all traffic via VPN, and when the VPN is interrupted, the network is torn down, but you can still connect normally.

When trying to create an IPv6 entry in the routing table for a second kill switch, none of it works:

(a) the option "VPN Gateway" is greyed out, when trying IPv6, so you need to choose "Custom" for the Gateway, and enter "vpn_gateway" manually;

(b) but that doesn't work either, because after saving and reopening the preset, Viscosity has deleted the entry.

We tried combining IPv6 with route/mask 0.0.0.0, which doesn't work, and combining IPv6 with :: (the IPv6 equivalent to 0.0.0.0), which doesn't work either.

Anyone who knows how to configure a kill switch for IPv6 on a connection that's Dual Stack (DS or DSLite) in addition to the IPv4 kill switch mentioned above?

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Mon Apr 09, 2018 9:59 am
Hi Joss,

The technique listed in the following support article will work for both IPv4 and IPv6 traffic:
https://www.sparklabs.com/support/kb/ar ... fic-leaks/

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs


Post by Joss » Tue Apr 10, 2018 2:35 am
Yes, thank you. I vaguely remember the route pre-down script.

But how do you do it in the routing table in Preferences > [Connection] > Network? It works perfectly for IPv4, no script needed, but how do we configure it for IPv6? (That was the question.)


Post by James » Tue Apr 10, 2018 9:40 am
Hi Joss,

You could try adding an IPv6 route with a Destination of "::", a Mask of "0", and the Gateway as Default. However I'm afraid it's not something we've ever tested and so we can't say for sure whether it'll work (IPv6 routes are treated quite differently from IPv4 routes).

Cheers,
James
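Whichever route entry is tried, the result can be verified from the routing table itself. The following check is an added example, not part of the thread and not SparkLabs code: it reads macOS `netstat -rn` output and reports each address family whose unscoped default route is not on the tunnel interface. The function name, the `utun` interface prefix and the sample table are assumptions made for illustration, and split routes that cover the address space without replacing `default` are not considered.

```sh
#!/bin/sh
# Constructed sample in the layout of macOS `netstat -rn`:
# the IPv4 default is on the tunnel, the IPv6 default is still on en0.
SAMPLE_ROUTES=$(cat <<'EOF'
Internet:
Destination        Gateway            Flags        Netif Expire
default            10.8.0.1           UGSc         utun1
default            192.168.1.1        UGScI          en0
10.8.0.1           10.8.0.5           UH           utun1

Internet6:
Destination        Gateway            Flags        Netif Expire
default            fe80::1%en0        UGc            en0
fe80::%utun1/64    fe80::1%utun1      UcI          utun1
EOF
)

# leaky_families [tunnel-prefix]   (hypothetical helper name)
# Reads routing-table text on stdin. For each family it takes the first
# default route that is not interface-scoped (no "I" in the Flags column)
# and prints the family if that route's Netif is not a tunnel interface.
leaky_families() {
  awk -v tun="${1:-utun}" '
    /^Internet:/  { fam = "inet";  done[fam] = 0; next }
    /^Internet6:/ { fam = "inet6"; done[fam] = 0; next }
    fam != "" && $1 == "default" && $3 !~ /I/ && !done[fam] {
      done[fam] = 1
      if (index($4, tun) != 1) print fam
    }
  ' | sort
}

# Demo on the constructed sample; on a Mac, use: netstat -rn | leaky_families
printf '%s\n' "$SAMPLE_ROUTES" | leaky_families
```

An empty result means every family that has a default route sends it through the tunnel; a family with no default route at all is not reported, since it has no off-link path.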