Jump to content
Not connected, Your IP: 52.14.252.16
M-Z

ANSWERED IPv6 and Eddie + stunnel question

Recommended Posts

I have two questions:

Why are you insisting on using IPv6 when connecting with Eddie? It makes this application not working in my configuration, probably because I disable IPv6 wherever I can.
Config generator allows to create IPv4-only configs and they work. Is there a similar option in Eddie?

Another question I have is whether stunnel (portable or Eddie's) SSL certificates are valid certificates in terms of (I think) Server Name Indication?
I want to "punch a hole" in firewall guarding my work's guest WiFi, but it is very picky. One provider of SSTP VPN seems to be working there; my guess is that it is because SSTP use proper certificates (although SSTP gives very little in terms of logging, so I am not sure).

Share this post


Link to post
17 hours ago, M-Z said:

Why are you insisting on using IPv6 when connecting with Eddie? It makes this application not working in my configuration, probably because I disable IPv6 wherever I can.
Config generator allows to create IPv4-only configs and they work. Is there a similar option in Eddie?


Nothing is insisting. The default is v4 and v6 inside tunnel unless v6 is not supported, then v6 is blocked. Preferred connection protocol by default is v4, then v6. The settings of both can be found in the Networking preference tab.
You should probably make your post a request for support and upload a support file (Logs > lifebelt icon) rather than a rant.

Personally, not sure about your second question, so let's wait for someone else to tell more.

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post

I suspected IPv6 because I was getting netsh error when setting ipv6 route or dns and now I get sth like this:

Quote

 E 2020.07.30 17:49:42 - Fatal error occured, please contact Eddie support: The requested protocol has not been configured into the system, or no implementation for it exists -    at System.Net.NetworkInformation.SystemIPInterfaceProperties.GetIPv6Properties()
E 2020.07.30 17:49:42 -     at Eddie.Platform.Windows.Platform.OnInterfaceRestore()
E 2020.07.30 17:49:42 -     at Eddie.Core.Threads.Session.OnRun()


Second question was about certificate for Stunnel. In the past I tried to set up my own Stunnel installation, but it didn't work because (I assume) it was a self-signed certificate and firewall/proxy in my workplace didn't like that.

Today I checked Eddie at work and surprisingly it worked!
Which makes my problems at home even more mysterious. At home nothing is blocked, but Eddie refuse to connect.
Only reason I can come up with is deep "un-updateiness" of my Windows 7 installation (since it is a VM).

Nonetheless most important reason why I "purchased" AirVPN for seems to be realized.

Share this post


Link to post

In Preferences > Networking, set Layer IPv6 to Block and Protocol used to connect to IPv4 only.#

Though I am unsure why you want v6 to be disabled. It's not a hazard.


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post
15 hours ago, giganerd said:

In Preferences > Networking, set Layer IPv6 to Block and Protocol used to connect to IPv4 only.#

Though I am unsure why you want v6 to be disabled. It's not a hazard.

I'm not sure it's not a hazard. For now it perhaps isn't (especially in VPN), but when it takes over and IPv4 is gone (I hope I'll be dead by then), the fact that MAC address is put in IPv6 address is mind boggling and since more and more manufacturers blocks changing of MAC address, I don't want to go that path.
Not to mention NAT is prohibited in IPv6 (at least OpenWRT site states that) it looks like it'll be a security nightmare.

Share this post


Link to post
5 hours ago, M-Z said:

the fact that MAC address is put in IPv6 address is mind boggling


It's not from a server's perspective, but we'll keep to the client's side.
What you're referring to is SLAAC EUI-64 addressing, and I must stress this here, it is not the default on practically all OSes, not even Windows. The default is usage of Privacy Extensions where the OS generates itself several v6 addresses randomly the moment it gets a Router Advertisement from, well, a router, using these addresses interchangeably. See, the router sends info about v6 subnets clients can use (among other things), and a client appends its random host part to this subnet part, creating a Unique Global v6 Address, or UGA. While it is really unique and represents one more thing to use in tracking, the host part regularly changes completely, or in the worst case on reconnecting to a network (Linux for example).
To some extent, it can even help against VPN provider logging, that is, if the provider does not assign v6 addresses via DHCPv6. With v4 it must do so, because v4 heavily relies on DHCP, and DHCP is a stateful protocol (as in, it saves the state of IP assignments). With v6 you get more control over your own addresses because your OS does the assignment. So I understand the panic about Unique Global Addresses, but I don't see how one can ignore all the other benefits of IPv6. Almost feels like paranoia at this point.
So, yeah, MAC addresses don't need to be changed anywhere.
 
6 hours ago, M-Z said:

Not to mention NAT is prohibited in IPv6 (at least OpenWRT site states that) it looks like it'll be a security nightmare.


I don't think it's prohibited per se, but I can imagine it's frowned upon. See, NAT was created to tackle the growing v4 address exhaustion, so it's something specifically done for IPv4. It was cheap to implement and is used very extensively, of course, what with all the households and their growing number of devices over the years, especially in the wake of smart devices emerging and gaining popularity fast. With v6 and its vast address pool there is really no need for NAT anymore, because every host has got the ability to get a unique address by itself. So I like calling NAT a very good example of managers being greedy, because if they weren't, we would've been using v6 for decades now.
All NAT ever did was complicating routing and breaking protocols like IPsec. It also got us port forwarding and all the problems it brings.

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post
6 hours ago, M-Z said:
...
Not to mention NAT is prohibited in IPv6 (at least OpenWRT site states that) it looks like it'll be a security nightmare.

 

19 minutes ago, giganerd said:

...
I don't think it's prohibited per se, ...
 

Linux supports NAT for IPv6. I am sure that AirVPN is using it on their servers.

It is quite easy to set up if you want to have a Linux VPS as your own VPN exit.

I believe the BSDs also support NAT for IPv6.
 

Share this post


Link to post

It's clear I have to read more about IPv6... Although the fact that addresses are un-remember-able makes me biassed against this protocol.
Do they plan for every cell of every human being to have an IP address?! ;)

Share this post


Link to post
1 hour ago, M-Z said:

Do they plan for every cell of every human being to have an IP address?! ;)


While, in theory, technically possible, even for every atom, the thinking was to have enough reserves for decades, maybe even a century.

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...