rohko

Eddie's network lock prevents all IPv6 traffic


Eddie seems to be missing one crucial rule in its IPv6 network lock. In the OUTPUT chain, there should be the same entry as in the INPUT chain:

icmpv6 type nd-router-advert ip6 hoplimit 255 counter packets 0 bytes 0 accept
icmpv6 type nd-neighbor-solicit ip6 hoplimit 255 counter packets 0 bytes 0 accept
icmpv6 type nd-neighbor-advert ip6 hoplimit 255 counter packets 0 bytes 0 accept
icmpv6 type nd-redirect ip6 hoplimit 255 counter packets 0 bytes 0 accept

This is needed because some router vendors and Linux distros use global unicast addresses in NDP instead of link-local addresses. Somebody else has observed and documented the same issue: https://blog.apnic.net/2023/01/30/interesting-ipv6-ndp-observation/  

If the rule is missing, all the IPv6 traffic drops after a while because the router does not get a reply from the computer to its NDP packets. If the router/OS used only link-local addresses for NDP, there would not be an issue. But this is not the case for many people. I hope AirVPN staff will fix this in the Eddie network lock rules.

1 hour ago, rohko said:

Eddie seems to be missing one crucial rule in its IPv6 network lock. In the OUTPUT chain, there should be the same entry as in the INPUT chain: 


Hello!

Thank you. Eddie adds the 4 rules you mention only on the INPUT chain when you disable the Allow ping option. But, if Preferences > NetLock > Allow Ping is enabled (default setting), Eddie adds more general accept rules:
add rule ip6 filter INPUT meta l4proto ipv6-icmp counter accept
add rule ip6 filter OUTPUT meta l4proto ipv6-icmp counter accept

So, it ought to work by default.
Of course any feedback about best rules is welcome.

In general, we need rules applied always, and rules applied only if users want ICMP and ICMPv6 enabled (option above, checked by default).

Can you please enable (tick) "Allow ping" (which will actually allow ICMP and ICMPv6) on Eddie's Preferences > Network Lock window and test again?

Kind regards
 


Hi,

Allowing ping seems to work and allow the NDP traffic. According to my tests, the entries I suggested including in the OUTPUT chain also seem to work. But I feel there are still 1-2 rules that could be included in the ruleset for seamless IPv6 operation instead of allowing full ICMPv6 traffic. It could be good to be unable to accidentally ping certain IPs behind the firewall and beyond the VPN, just in case.

Unplugging and replugging the Ethernet cable from the router halts the traffic unless the ICMPv6 traffic is allowed in the firewall. But currently, I do not know which rules in the firewall will allow this without enabling full ICMPv6 traffic.


Ok, it seems these important packets are also dropped by the firewall if full ICMPv6 traffic is not enabled:

SRC=0000:0000:0000:0000:0000:0000:0000:0000 DST=ff02:0000:0000:0000:0000:0000:0000:0016 
SRC=0000:0000:0000:0000:0000:0000:0000:0000 DST=ff02:0000:0000:0000:0000:0000:0000:0016 
SRC=0000:0000:0000:0000:0000:0000:0000:0000 DST=ff02:0000:0000:0000:0000:0000:0000:0016 
SRC=0000:0000:0000:0000:0000:0000:0000:0000 DST=ff02:0000:0000:0000:0000:0000:0000:0016 
SRC=0000:0000:0000:0000:0000:0000:0000:0000 DST=ff02:0000:0000:0000:0000:0000:0000:0016 
SRC=fe80:0000:0000:0000:dead:beef:dead:beef DST=ff02:0000:0000:0000:0000:0000:0000:0016 
SRC=fe80:0000:0000:0000:dead:beef:dead:beef DST=ff02:0000:0000:0000:0000:0000:0000:0016 
SRC=fe80:0000:0000:0000:dead:beef:dead:beef DST=ff02:0000:0000:0000:0000:0000:0000:0002 
SRC=fe80:0000:0000:0000:dead:beef:dead:beef DST=ff02:0000:0000:0000:0000:0000:0000:00fb 
SRC=fe80:0000:0000:0000:dead:beef:dead:beef DST=ff02:0000:0000:0000:0000:0000:0001:0003 
SRC=fe80:0000:0000:0000:dead:beef:dead:beef DST=ff02:0000:0000:0000:0000:0000:0000:0016 
SRC=fe80:0000:0000:0000:dead:beef:dead:beef DST=ff02:0000:0000:0000:0000:0000:0000:00fb 
SRC=fe80:0000:0000:0000:dead:beef:dead:beef DST=ff02:0000:0000:0000:0000:0000:0000:0016 
SRC=fe80:0000:0000:0000:dead:beef:dead:beef DST=ff02:0000:0000:0000:0000:0000:0000:00fb 
SRC=fe80:0000:0000:0000:dead:beef:dead:beef DST=ff02:0000:0000:0000:0000:0000:0000:0002 
SRC=fe80:0000:0000:0000:dead:beef:dead:beef DST=ff02:0000:0000:0000:0000:0000:0000:0002 

Eddie has these entries in the OUTPUT chain, but they seem not sufficient for proper IPv6 operation:
ip6 daddr ff02::1:2 
ip6 daddr ff05::1:3 
ip6 saddr 64:ff9b::/96 ip6 daddr 64:ff9b::/96 
ip6 saddr 64:ff9b:1::/48 ip6 daddr 64:ff9b:1::/48 
ip6 saddr fe80::/10 ip6 daddr fe80::/10 
ip6 saddr ff00::/8 ip6 daddr ff00::/8 
ip6 saddr fc00::/7 ip6 daddr fc00::/7 


I highly recommend that AirVPN should include these entries in the OUTPUT IPv6 chain (maybe when the local and/or DHCP tick is enabled):

ip6 saddr fe80::/10 ip6 daddr ff00::/8 counter packets 0 bytes 0 accept
ip6 saddr ::/128 ip6 daddr ff00::/8 counter packets 0 bytes 0 accept
icmpv6 type nd-router-advert ip6 hoplimit 255 counter packets 0 bytes 0 accept
icmpv6 type nd-neighbor-solicit ip6 hoplimit 255 counter packets 0 bytes 0 accept
icmpv6 type nd-neighbor-advert ip6 hoplimit 255 counter packets 0 bytes 0 accept
icmpv6 type nd-redirect ip6 hoplimit 255 counter packets 0 bytes 0 accept
The first two entries could preferably, in my opinion, also be
ip6 daddr ff00::/8 counter packets 0 bytes 0 accept
This would allow traffic from link-local and unique local addresses as well, and it would be analogous to the IPv4 multicast address entry of
ip daddr 255.255.255.255 counter packets 0 bytes 0 accept
These additions seem to work perfectly for me (the computer gets an SLAAC address from the router without any issues), and I do not need to open the firewall for the full ICMPv6 traffic, which would potentially leak outside of the VPN tunnel.

Could AirVPN consider including these rules in Eddie?

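An added check, not code from the thread or from Eddie, that replays the dropped-packet log lines quoted above against the OUTPUT rules quoted from Eddie and against rohko's two proposed address rules, using Python's ipaddress module. The sample log is constructed from the thread's lines; the type-based NDP rules are left out because the log shows no ICMPv6 type or hop limit.

```python
import ipaddress

# Constructed sample of the dropped-packet log lines quoted in the thread (SRC=/DST= fields only).
SAMPLE_LOG = """\
SRC=0000:0000:0000:0000:0000:0000:0000:0000 DST=ff02:0000:0000:0000:0000:0000:0000:0016
SRC=fe80:0000:0000:0000:dead:beef:dead:beef DST=ff02:0000:0000:0000:0000:0000:0000:0016
SRC=fe80:0000:0000:0000:dead:beef:dead:beef DST=ff02:0000:0000:0000:0000:0000:0000:0002
SRC=fe80:0000:0000:0000:dead:beef:dead:beef DST=ff02:0000:0000:0000:0000:0000:0000:00fb
"""

# Address-based accept rules as (saddr prefix or None, daddr prefix), in nft match order.
# EDDIE_OUTPUT is the OUTPUT-chain list quoted from Eddie; PROPOSED_EXTRA is rohko's addition.
EDDIE_OUTPUT = [
    (None, "ff02::1:2/128"),
    (None, "ff05::1:3/128"),
    ("64:ff9b::/96", "64:ff9b::/96"),
    ("64:ff9b:1::/48", "64:ff9b:1::/48"),
    ("fe80::/10", "fe80::/10"),
    ("ff00::/8", "ff00::/8"),
    ("fc00::/7", "fc00::/7"),
]
PROPOSED_EXTRA = [
    ("fe80::/10", "ff00::/8"),  # link-local source to any multicast group
    ("::/128", "ff00::/8"),     # unspecified source (DAD / early MLD) to any multicast group
]

def parse_log(text):
    """Yield (src, dst) address strings from SRC=... DST=... log lines."""
    for line in text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split())
        yield fields["SRC"], fields["DST"]

def matching_rule(src, dst, rules):
    """Return the first rule that accepts the packet, or None if it would hit the drop policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for saddr, daddr in rules:
        if saddr is not None and s not in ipaddress.ip_network(saddr):
            continue
        if d in ipaddress.ip_network(daddr):
            return saddr, daddr
    return None

def uncovered(text, rules):
    """Distinct (src, dst) pairs from the log, in compressed form, that no rule accepts."""
    seen = {}
    for src, dst in parse_log(text):
        key = (str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst)))
        seen.setdefault(key, matching_rule(src, dst, rules))
    return sorted(k for k, v in seen.items() if v is None)
```

Running `uncovered(SAMPLE_LOG, EDDIE_OUTPUT)` lists all four packets, because Eddie's pairs require source and destination in the same prefix; adding only the `fe80::/10` rule still leaves the unspecified-source `::` packet dropped, which is why rohko's second rule is needed.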
@Staff Please also take a look at Mullvad's rules regarding outgoing IPv6 traffic: https://github.com/mullvad/mullvadvpn-app/blob/main/docs/security.md
They have similar rules to AirVPN's (I guess ticks for local and DHCP traffic). The local option enables traffic from and to the local unroutable IPv6 addresses. Eddie does not implement these crucial rules, in my opinion.

Not everybody wants to allow all ICMPv6 traffic (ping and others) just to get the IPv6 working in VPN.

Share this post


Link to post
On 3/11/2025 at 9:04 PM, rohko said:

Could AirVPN consider including these rules in Eddie? Not everybody wants to allow all ICMPv6 traffic (ping and others) just to get the IPv6 working in VPN.


Hello!

Of course, you're right. New rules with additional flexibility are being tested and will be available soon on the next beta version of the Linux AirVPN Suite 2.0.0, which is imminent. You will be able to decide whether to allow only ping (in, out, in/out), only IPv6 NDP, none of them, or both of them. The same new rules are also being implemented in Eddie for all Desktop platforms, so you will see them in the future Eddie version.

Kind regards
 

