rohko 17 Posted ... Eddie seems to be missing one crucial rule in its IPv6 network lock. In the OUTPUT chain, there should be the same entry as in the INPUT chain: icmpv6 type nd-router-advert ip6 hoplimit 255 counter packets 0 bytes 0 accept icmpv6 type nd-neighbor-solicit ip6 hoplimit 255 counter packets 0 bytes 0 accept icmpv6 type nd-neighbor-advert ip6 hoplimit 255 counter packets 0 bytes 0 accept icmpv6 type nd-redirect ip6 hoplimit 255 counter packets 0 bytes 0 accept This is needed because some router vendors and Linux distros use global unicast addresses in NDP instead of link-local addresses. Somebody else has observed and documented the same issue: https://blog.apnic.net/2023/01/30/interesting-ipv6-ndp-observation/ If the rule is missing, all the IPv6 traffic drops after a while because the router does not get a reply from the computer to its NDP packets. If the router/OS used only link-local addresses for NDP, there would not be an issue. But this is not the case for many people. I hope AirVPN staff will fix this in the Eddie network lock rules. Quote Share this post Link to post
Staff 10123 Posted ... 1 hour ago, rohko said: Eddie seems to be missing one crucial rule in its IPv6 network lock. In the OUTPUT chain, there should be the same entry as in the INPUT chain: Hello! Thank you. Eddie adds the 4 rules you mention only on INPUT chain when you disable Allow ping option. But, if Preferences > NetLock > Allow Ping is enabled (default setting), Eddie adds more general accept rules: add rule ip6 filter INPUT meta l4proto ipv6-icmp counter accept add rule ip6 filter OUTPUT meta l4proto ipv6-icmp counter accept So, it ought to work by default. Of course any feedback about best rules is welcome. In general, we need rules applied always, and rules applied only if users want ICMP and ICMPv6 enabled (option above, checked by default) Can you please enable (tick) "Allow ping" (which will actually allow ICMP and ICMPv6) on Eddie's Preferences > Network Lock window and test again? Kind regards Quote Share this post Link to post
rohko 17 Posted ... Hi, Allowing ping seems to work and allow the NDP traffic. According to my tests, the entries I suggested including in the OUTPUT chain also seem to work. But I feel there are still 1-2 rules that could be included in the ruleset for seamless IPv6 operation instead of allowing full ICMPv6 traffic. It could be good to be unable to ping accidentally certain IPs behind the firewall and beyond the VPN, just in case. Deplugging and replugging the ethernet from the router halts the traffic unless the ICMPv6 traffic is allowed in the firewall. But currently, I do not know which rules in the firewall will allow this without enabling full ICMPv6 traffic. Quote Share this post Link to post
rohko 17 Posted ... Ok, it seems these important packets are also dropped by the firewall if the full ICMPv6 is not enabled: SRC=0000:0000:0000:0000:0000:0000:0000:0000 DST=ff02:0000:0000:0000:0000:0000:0000:0016 SRC=0000:0000:0000:0000:0000:0000:0000:0000 DST=ff02:0000:0000:0000:0000:0000:0000:0016 SRC=0000:0000:0000:0000:0000:0000:0000:0000 DST=ff02:0000:0000:0000:0000:0000:0000:0016 SRC=0000:0000:0000:0000:0000:0000:0000:0000 DST=ff02:0000:0000:0000:0000:0000:0000:0016 SRC=0000:0000:0000:0000:0000:0000:0000:0000 DST=ff02:0000:0000:0000:0000:0000:0000:0016 SRC=fe80:0000:0000:0000:dead:beef:dead:beef DST=ff02:0000:0000:0000:0000:0000:0000:0016 SRC=fe80:0000:0000:0000:dead:beef:dead:beef DST=ff02:0000:0000:0000:0000:0000:0000:0016 SRC=fe80:0000:0000:0000:dead:beef:dead:beef DST=ff02:0000:0000:0000:0000:0000:0000:0002 SRC=fe80:0000:0000:0000:dead:beef:dead:beef DST=ff02:0000:0000:0000:0000:0000:0000:00fb SRC=fe80:0000:0000:0000:dead:beef:dead:beef DST=ff02:0000:0000:0000:0000:0000:0001:0003 SRC=fe80:0000:0000:0000:dead:beef:dead:beef DST=ff02:0000:0000:0000:0000:0000:0000:0016 SRC=fe80:0000:0000:0000:dead:beef:dead:beef DST=ff02:0000:0000:0000:0000:0000:0000:00fb SRC=fe80:0000:0000:0000:dead:beef:dead:beef DST=ff02:0000:0000:0000:0000:0000:0000:0016 SRC=fe80:0000:0000:0000:dead:beef:dead:beef DST=ff02:0000:0000:0000:0000:0000:0000:00fb SRC=fe80:0000:0000:0000:dead:beef:dead:beef DST=ff02:0000:0000:0000:0000:0000:0000:0002 SRC=fe80:0000:0000:0000:dead:beef:dead:beef DST=ff02:0000:0000:0000:0000:0000:0000:0002 Eddie has these entries in the OUTPUT chain, but they seem not sufficient for proper IPv6 operation: ip6 daddr ff02::1:2 ip6 daddr ff05::1:3 ip6 saddr 64:ff9b::/96 ip6 daddr 64:ff9b::/96 ip6 saddr 64:ff9b:1::/48 ip6 daddr 64:ff9b:1::/48 ip6 saddr fe80::/10 ip6 daddr fe80::/10 ip6 saddr ff00::/8 ip6 daddr ff00::/8 ip6 saddr fc00::/7 ip6 daddr fc00::/7 Quote Share this post Link to post
rohko 17 Posted ... I highly recommend that AirVPN should include these entries into the OUTPUT IPv6 chain (maybe when local and/or DHCP tick is enabled): ip6 saddr fe80::/10 ip6 daddr ff00::/8 counter packets 0 bytes 0 accept ip6 saddr ::/128 ip6 daddr ff00::/8 counter packets 0 bytes 0 accept icmpv6 type nd-router-advert ip6 hoplimit 255 counter packets 0 bytes 0 accept icmpv6 type nd-neighbor-solicit ip6 hoplimit 255 counter packets 0 bytes 0 accept icmpv6 type nd-neighbor-advert ip6 hoplimit 255 counter packets 0 bytes 0 accept icmpv6 type nd-redirect ip6 hoplimit 255 counter packets 0 bytes 0 accept The first two entries could be preferably, in my opinion, also ip6 daddr ff00::/8 counter packets 0 bytes 0 accept This would allow traffic from a link-local and unique local addresses as well, and it would be analogous with the IPv4 multicast address entry of ip daddr 255.255.255.255 counter packets 0 bytes 0 accept These additions seem to work perfectly for me (the computer gets an SLAAC address from the router without any issues), and I do not need to open the firewall for the full ICMPv6 traffic, which would potentially leak outside of the VPN tunnel. Could AirVPN consider including these rules in Eddie? Quote Share this post Link to post
rohko 17 Posted ... @Staff Please also take a look at Mullvad's rules regarding outgoing IPv6 traffic: https://github.com/mullvad/mullvadvpn-app/blob/main/docs/security.md They have similar rules as AirVPN (I guess ticks for local and DHCP traffic). The local option enables traffic from and to the local unroutable IPv6 addresses. Eddie does not implement these crucial rules, in my opinion. Not everybody wants to allow all ICMPv6 traffic (ping and others) just to get the IPv6 working in VPN. Quote Share this post Link to post
Staff 10123 Posted ... On 3/11/2025 at 9:04 PM, rohko said: Could AirVPN consider including these rules in Eddie? Not everybody wants to allow all ICMPv6 traffic (ping and others) just to get the IPv6 working in VPN. Hello! Of course, you're right. New rules with additional flexibility are being tested and will be available soon on the Linux AirVPN Suite 2.0.0 next beta version which is imminent. You will be able to decide whether allowing only ping (in, out, in/out), only IPv6 NDP, none of them or both of them. The same new rules are also being implemented in Eddie for all Desktop platforms so you will see them in the future Eddie version. Kind regards Quote Share this post Link to post
Staff 10123 Posted ... On 3/12/2025 at 9:55 AM, rohko said: Not everybody wants to allow all ICMPv6 traffic (ping and others) just to get the IPv6 working in VPN. Hello! AirVPN Suite 2.0.0 beta 5 implements the required features: https://airvpn.org/forums/topic/66706-linux-airvpn-suite-200-preview-available/?do=findComment&comment=247401 Kind regards Quote Share this post Link to post
Not connected, Your IP: 160.79.108.195
Online: 28490 users - 364708 Mbit/s total BW