Enable block IPv6 traffic in the GlobalSettings.xml

Rieder

Posts: 2
Joined: Thu Jan 14, 2021 10:24 pm

Post by Rieder » Thu Jan 14, 2021 10:34 pm
Hi

Is it possible to set the check mark for "Block IPv6 traffic" in the GlobalSettings.xml file? We push this out to all clients and would like to enable the block IPv6 option.

Eric

Posts: 1146
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Fri Jan 15, 2021 12:22 pm
Hi Rieder,

Yes it is. Simply set the option and copy it out of Settings.xml in %appdata%\Viscosity like any other setting. The setting is called "BlockIPv6" in the xml.

Regards,
Eric
Eric Thorpe
Viscosity Developer

Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs

asdffdsa6131

Posts: 30
Joined: Sat Feb 23, 2019 12:15 pm

Post by asdffdsa6131 » Fri Jan 29, 2021 11:42 am
hello,

i have this in the Settings.xml

<key>BlockIPv6</key>
<string>YES</string>

and for the tap adapter, i have disabled "Internet protocol version 6 (tcp/ipv6)"

yet, each time i connect the vpn, viscosity keeps re-enabling "Internet protocol version 6 (tcp/ipv6)"

i absolutely, positively do not want to have any ipv6 settings enabled.

how do i prevent this?

thanks,
david

Eric

Posts: 1146
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Mon Feb 01, 2021 9:18 am
Hi David,

If the server is pushing IPv6 information to setup, the IPv6 stack will be re-enabled when connecting. While TAP connections can have IPv6 disabled via Viscosity, I'm afraid TUN cannot, we also do not recommend it. Please post a copy of your log after connecting and we can see if there's anything we can recommend.

The BlockIPv6 command will only function if you have IPv6 connectivity on your local network connection.

Regards,
Eric

asdffdsa6131

Posts: 30
Joined: Sat Feb 23, 2019 12:15 pm

Post by asdffdsa6131 » Tue Feb 02, 2021 2:47 am
i have ipv6 disabled via
reg add HKLM\sYSTEM\currentControlSet\Services\Tcpip6\Parameters /v DisabledComponents /t REG_DWORD /d 0xFF /f

the network card for my lan has ipv6 disabled.

if i do an ipconfig, no ipv6 addresses are listed.
----------------------------
Ethernet adapter BUILTIN.WIRED:

Connection-specific DNS Suffix . : localdomain
IPv4 Address. . . . . . . . . . . : 192.168.62.234
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.62.1

Unknown adapter VPN.V.MV.US.ALL.HOME:

Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.10.0.7
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.10.0.1

--------------------------------

here is the log output
---------------
Feb 01 10:42:02 AM: State changed to Connecting
Feb 01 10:42:02 AM: Viscosity Windows 1.9 (1695)
Feb 01 10:42:02 AM: Running on Windows 10 2009 (19042) 64 bit
Feb 01 10:42:02 AM: Running on .NET Framework Version 4.8.04084.528372
Feb 01 10:42:02 AM: WARNING: The block-outside-dns option has been ignored as it is not required under Viscosity's DNS management system. For more information please see the following article: https://www.sparklabs.com/support/kb/ar ... n-ignored/
Feb 01 10:42:02 AM: Checking reachability status of connection...
Feb 01 10:42:02 AM: Connection is reachable. Starting connection attempt.
Feb 01 10:42:02 AM: Bringing up interface...
Feb 01 10:42:02 AM: OpenVPN 2.4.9 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [AEAD] built on Oct 6 2020
Feb 01 10:42:02 AM: library versions: OpenSSL 1.1.1h 22 Sep 2020, LZO 2.10
Feb 01 10:42:05 AM: Valid endpoint found: 86.106.121.15:1196:udp
Feb 01 10:42:05 AM: TCP/UDP: Preserving recently used remote address: [AF_INET]86.106.121.15:1196
Feb 01 10:42:05 AM: Socket Buffers: R=[65536->524288] S=[65536->524288]
Feb 01 10:42:05 AM: UDP link local: (not bound)
Feb 01 10:42:05 AM: UDP link remote: [AF_INET]86.106.121.15:1196
Feb 01 10:42:05 AM: State changed to Authenticating
Feb 01 10:42:05 AM: TLS: Initial packet from [AF_INET]86.106.121.15:1196, sid=706bb1e0 1a1fc480
Feb 01 10:42:05 AM: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Feb 01 10:42:05 AM: VERIFY OK: depth=1, C=SE, ST=Gotaland, O=Amagicom AB, OU=Mullvad, CN=Mullvad Intermediate CA v3, emailAddress=[email protected]
Feb 01 10:42:05 AM: VERIFY KU OK
Feb 01 10:42:05 AM: Validating certificate extended key usage
Feb 01 10:42:05 AM: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Feb 01 10:42:05 AM: VERIFY EKU OK
Feb 01 10:42:05 AM: VERIFY OK: depth=0, C=SE, ST=Gotaland, O=Amagicom AB, OU=Mullvad, CN=us-nyc-211.mullvad.net, emailAddress=[email protected]
Feb 01 10:42:05 AM: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558'
Feb 01 10:42:05 AM: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Feb 01 10:42:05 AM: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 4096 bit RSA
Feb 01 10:42:05 AM: [us-nyc-211.mullvad.net] Peer Connection Initiated with [AF_INET]86.106.121.15:1196
Feb 01 10:42:05 AM: State changed to Connecting
Feb 01 10:42:05 AM: SENT CONTROL [us-nyc-211.mullvad.net]: 'PUSH_REQUEST' (status=1)
Feb 01 10:42:06 AM: SENT CONTROL [us-nyc-211.mullvad.net]: 'PUSH_REQUEST' (status=1)
Feb 01 10:42:07 AM: SENT CONTROL [us-nyc-211.mullvad.net]: 'PUSH_REQUEST' (status=1)
Feb 01 10:42:07 AM: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.10.0.1,redirect-gateway def1 bypass-dhcp,route-ipv6 0000::/2,route-ipv6 4000::/2,route-ipv6 8000::/2,route-ipv6 C000::/2,comp-lzo no,route-gateway 10.10.0.1,topology subnet,socket-flags TCP_NODELAY,ifconfig-ipv6 fdda:d0d0:cafe:1196::1005/64 fdda:d0d0:cafe:1196::,ifconfig 10.10.0.7 255.255.0.0,peer-id 5,cipher AES-256-GCM'
Feb 01 10:42:07 AM: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Feb 01 10:42:07 AM: Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Feb 01 10:42:07 AM: Options error: option 'route-ipv6' cannot be used in this context ([PUSH-OPTIONS])
Feb 01 10:42:07 AM: Options error: option 'route-ipv6' cannot be used in this context ([PUSH-OPTIONS])
Feb 01 10:42:07 AM: Options error: option 'route-ipv6' cannot be used in this context ([PUSH-OPTIONS])
Feb 01 10:42:07 AM: Options error: option 'route-ipv6' cannot be used in this context ([PUSH-OPTIONS])
Feb 01 10:42:07 AM: OPTIONS IMPORT: compression parms modified
Feb 01 10:42:07 AM: OPTIONS IMPORT: --socket-flags option modified
Feb 01 10:42:07 AM: NOTE: setsockopt TCP_NODELAY=1 failed
Feb 01 10:42:07 AM: OPTIONS IMPORT: --ifconfig/up options modified
Feb 01 10:42:07 AM: OPTIONS IMPORT: route-related options modified
Feb 01 10:42:07 AM: OPTIONS IMPORT: peer-id set
Feb 01 10:42:07 AM: OPTIONS IMPORT: adjusting link_mtu to 1624
Feb 01 10:42:07 AM: OPTIONS IMPORT: data channel crypto options modified
Feb 01 10:42:07 AM: Data Channel: using negotiated cipher 'AES-256-GCM'
Feb 01 10:42:07 AM: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Feb 01 10:42:07 AM: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Feb 01 10:42:07 AM: interactive service msg_channel=0
Feb 01 10:42:07 AM: ROUTE_GATEWAY 192.168.62.1/255.255.255.0 I=13 HWADDR=48:2a:e3:2e:f6:d1
Feb 01 10:42:07 AM: Awaiting adapter to come up...
Feb 01 10:42:07 AM: WARNING: Failed to get IPv6 interface information for MTU. This warning can be ignored if this stack is disabled. Element not found
Feb 01 10:42:08 AM: TAP-WIN32 device [VPN.V.MV.US.ALL.HOME] opened: \\?\root#net#0001#{adda4c48-c32e-4ef6-9602-b3252f082583}, index: 17
Feb 01 10:42:08 AM: Waiting for DNS Setup to complete...
Feb 01 10:42:09 AM: Successful ARP Flush on interface [17] {8374414A-4AA0-4FFF-A967-D1AC5BE02432}
Feb 01 10:42:09 AM: add_route_ipv6(fdda:d0d0:cafe:1196::/64 -> fdda:d0d0:cafe:1196::1005 metric 0) dev VPN.V.MV.US.ALL.HOME
Feb 01 10:42:09 AM: Route addition via IPAPI failed. Fallback to netsh.exe
Feb 01 10:42:09 AM: ROUTE: IPv6 route addition failed using management: Element not found. [status=1168 if_index=17]
Feb 01 10:42:09 AM: TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
Feb 01 10:42:09 AM: C:\WINDOWS\system32\route.exe ADD 10.8.0.0 MASK 255.255.0.0 10.10.0.1
Feb 01 10:42:09 AM: IPv4 Route addition via management succeeded
Feb 01 10:42:09 AM: Initialization Sequence Completed
Feb 01 10:42:09 AM: WARNING: Split DNS is being used however no DNS domains are present. The DNS server/s for this connection may not be used. For more information please see: https://www.sparklabs.com/support/kb/ar ... e-present/
Server - 192.168.62.1:53; Lookup Type - Any; Domains - localdomain.

Feb 01 10:42:09 AM: State changed to Connected
-----------------------------------------------

Eric

Posts: 1146
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Tue Feb 02, 2021 9:04 am
Hi asdffdsa6131,

This server is indeed pushing ipv6 configuration options. You will need to contact your VPN provider for a configuration that does not support IPv6, or you will need to filter out the IPv6 options with the pull-filter command to disable IPv6 - https://sparklabs.com/support/kb/articl ... ull-filter

Regards,
Eric

asdffdsa6131

Posts: 30
Joined: Sat Feb 23, 2019 12:15 pm

Post by asdffdsa6131 » Tue Feb 02, 2021 10:47 am
ok. thanks much

asdffdsa6131

Posts: 30
Joined: Sat Feb 23, 2019 12:15 pm

Post by asdffdsa6131 » Wed Mar 10, 2021 9:52 am
hello and thanks,

i added the following
Code:
pull-filter ignore route-ipv6
pull-filter ignore ifconfig-ipv6
in the viscosity gui, i set dns mode to off.
from the log, seems like viscosity does remove them but when i do a ipconfig, ipv6 addresses and ipv6 dns are in use?
Code:
Unknown adapter VPN.V.MV.US.ALL.DEFAULT:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Viscosity Virtual TUN Adapter
   Physical Address. . . . . . . . . : C4-1F-03-05-57-FD
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::543a:611f:f391:f345%41(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.0.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.10.0.1
   DHCPv6 IAID . . . . . . . . . . . : 695131758
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-27-D5-BB-CD-48-2A-E3-2E-F6-D1
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled
and here is the log
Code:
Viscosity Windows 1.9.1 (1707)
Running on Windows 10 2009 (19042) 64 bit
Running on .NET Framework Version 4.8.04084.528372
WARNING: The block-outside-dns option has been ignored as it is not required under Viscosity's DNS management system. For more information please see the following article: https://www.sparklabs.com/support/kb/article/warning-the-block-outside-dns-option-has-been-ignored/
Checking reachability status of connection...
Connection is reachable. Starting connection attempt.
Bringing up interface...
OpenVPN 2.4.10 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [AEAD] built on Feb  2 2021
library versions: OpenSSL 1.1.1i  8 Dec 2020, LZO 2.10
Valid endpoint found: 198.54.133.66:1196:udp
TCP/UDP: Preserving recently used remote address: [AF_INET]198.54.133.66:1196
Socket Buffers: R=[65536->524288] S=[65536->524288]
UDP link local: (not bound)
UDP link remote: [AF_INET]198.54.133.66:1196
State changed to Authenticating
TLS: Initial packet from [AF_INET]198.54.133.66:1196, sid=db40afd8 1fa9dfdb
VERIFY OK: depth=2, C=SE, ST=Gotaland, L=Gothenburg, O=Amagicom AB, OU=Mullvad, CN=Mullvad Root CA v2, [email protected]
VERIFY OK: depth=1, C=SE, ST=Gotaland, O=Amagicom AB, OU=Mullvad, CN=Mullvad Intermediate CA v3, [email protected]
VERIFY KU OK
Validating certificate extended key usage
++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
VERIFY EKU OK
VERIFY OK: depth=0, C=SE, ST=Gotaland, O=Amagicom AB, OU=Mullvad, CN=us-phx-103.mullvad.net, [email protected]
WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558'
WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 4096 bit RSA
[us-phx-103.mullvad.net] Peer Connection Initiated with [AF_INET]198.54.133.66:1196
State changed to Connecting
SENT CONTROL [us-phx-103.mullvad.net]: 'PUSH_REQUEST' (status=1)
SENT CONTROL [us-phx-103.mullvad.net]: 'PUSH_REQUEST' (status=1)
SENT CONTROL [us-phx-103.mullvad.net]: 'PUSH_REQUEST' (status=1)
PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.10.0.1,redirect-gateway def1 bypass-dhcp,route-ipv6 0000::/2,route-ipv6 4000::/2,route-ipv6 8000::/2,route-ipv6 C000::/2,comp-lzo no,route-gateway 10.10.0.1,topology subnet,socket-flags TCP_NODELAY,ifconfig-ipv6 fdda:d0d0:cafe:1196::1001/64 fdda:d0d0:cafe:1196::,ifconfig 10.10.0.3 255.255.0.0,peer-id 1,cipher AES-256-GCM'
Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Pushed option removed by filter: 'route-ipv6 0000::/2'
Pushed option removed by filter: 'route-ipv6 4000::/2'
Pushed option removed by filter: 'route-ipv6 8000::/2'
Pushed option removed by filter: 'route-ipv6 C000::/2'
Pushed option removed by filter: 'ifconfig-ipv6 fdda:d0d0:cafe:1196::1001/64 fdda:d0d0:cafe:1196::'
OPTIONS IMPORT: compression parms modified
OPTIONS IMPORT: --socket-flags option modified
NOTE: setsockopt TCP_NODELAY=1 failed
OPTIONS IMPORT: --ifconfig/up options modified
OPTIONS IMPORT: route-related options modified
OPTIONS IMPORT: peer-id set
OPTIONS IMPORT: adjusting link_mtu to 1624
OPTIONS IMPORT: data channel crypto options modified
Data Channel: using negotiated cipher 'AES-256-GCM'
Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
interactive service msg_channel=0
ROUTE_GATEWAY 192.168.62.1/255.255.255.0 I=13 HWADDR=48:2a:e3:2e:f6:d1
Awaiting adapter to come up...
TAP-WIN32 device [VPN.V.MV.US.ALL.DEFAULT] opened: \\?\root#net#0000#{adda4c48-c32e-4ef6-9602-b3252f082583}, index: 41
Waiting for DNS Setup to complete...
Successful ARP Flush on interface [41] {8AF97873-CA0E-4E90-86F0-04289CCB66F9}
TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
C:\Windows\system32\route.exe ADD 10.8.0.0 MASK 255.255.0.0 10.10.0.1
IPv4 Route addition via management succeeded
WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Initialization Sequence Completed
DNS set to Disabled on Viscosity Adapter.

State changed to Connected
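
The filtering visible in the log above, as an added example that is not part of the original posts or of Viscosity's own code: a small Python model of OpenVPN's pull-filter matching (prefix match, first matching filter wins, unmatched options accepted), run over the PUSH_REPLY and the two filter lines from this post. The function names are hypothetical.

```python
# Added example: model of OpenVPN pull-filter applied to a pushed option list.
# PUSH_REPLY and CONFIG are copied from the post above; function names are hypothetical.
PUSH_REPLY = (
    "PUSH_REPLY,dhcp-option DNS 10.10.0.1,redirect-gateway def1 bypass-dhcp,"
    "route-ipv6 0000::/2,route-ipv6 4000::/2,route-ipv6 8000::/2,route-ipv6 C000::/2,"
    "comp-lzo no,route-gateway 10.10.0.1,topology subnet,socket-flags TCP_NODELAY,"
    "ifconfig-ipv6 fdda:d0d0:cafe:1196::1001/64 fdda:d0d0:cafe:1196::,"
    "ifconfig 10.10.0.3 255.255.0.0,peer-id 1,cipher AES-256-GCM")

CONFIG = """\
pull-filter ignore route-ipv6
pull-filter ignore ifconfig-ipv6
"""

def parse_filters(config_text):
    """Return [(action, text)] for each pull-filter line, in config order."""
    filters = []
    for line in config_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == "pull-filter":
            action, text = parts[1], parts[2].strip().strip('"')
            if action not in ("accept", "ignore", "reject"):
                raise ValueError(f"unknown pull-filter action: {action}")
            filters.append((action, text))
    return filters

def apply_filters(push_reply, filters):
    """Split pushed options into (kept, ignored); the first matching filter wins."""
    kept, ignored = [], []
    for option in push_reply.split(",")[1:]:  # element 0 is the PUSH_REPLY tag
        # A filter matches when the pushed option starts with the filter text.
        action = next((a for a, t in filters if option.startswith(t)), "accept")
        if action == "reject":
            # OpenVPN treats this as an error and restarts; modelled as an exception.
            raise RuntimeError(f"server pushed a rejected option: {option}")
        (ignored if action == "ignore" else kept).append(option)
    return kept, ignored

def ipv6_leftovers(kept):
    """Accepted options whose name still refers to IPv6."""
    return [o for o in kept if "ipv6" in o.split()[0]]

if __name__ == "__main__":
    kept, ignored = apply_filters(PUSH_REPLY, parse_filters(CONFIG))
    print("ignored:", *ignored, sep="\n  ")
    print("IPv6 options still accepted:", ipv6_leftovers(kept) or "none")
```

The five ignored options correspond to the five "Pushed option removed by filter" lines in the log. Because matching is by prefix, a filter text of `ifconfig` alone would also drop the IPv4 `ifconfig` line.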

Eric

Posts: 1146
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Thu Mar 11, 2021 10:58 am
Hi asdffdsa6131,

These are all addresses configured automatically by Windows when IPv6 is enabled however no configuration is present. They are the equivalent of 169.x.x.x addresses for IPv4 when DHCP fails. They will not be used to transmit any traffic across the VPN.

Regards,
Eric