Ubuntu – How to disable IPv6 when connecting to an OpenVPN server using Network Manager on a dual-stack system

ipv6network-managernetworkingopenvpnvpn

I'm using the OpenVPN client through the OpenVPN Network Manager plugin on a dual stack (meaning configured both for IPv4 and IPv6 connectivity) Ubuntu 13.10 to redirect all traffic through the VPN (redirect-gateway). It generally works fine.

However, due to the fact that IPv6 is preferred by the system, the VPN "leaks" and when connecting to sites that are also available over IPv6 (like Google, or Wikipedia), the browser connects directly.

One solution would be to configure the OpenVPN server to provide IPv6 connectivity. While possible with OpenVPN, the plugin for Network Manager currently doesn't support it.

Since IPv6 connectivity over the VPN is not strictly necessary, I'd like to simply disable IPv6 on the client when connecting to the OpenVPN server. Is it possible? If so, how can I do it?

Best Answer

Add this to your kernel line in your boot loader to disable IPv6 altogether:

ipv6.disable=1

If you're using Grub (if you haven't installed your own boot-loader, then you are using Grub), your kernel line should look something like this:

linux /boot/vmlinuz-linux root=UUID=978e3e81-8048-4ae1-8a06-aa727458e8ff ipv6.disable=1

The recommended approach, for adding something to the kernel line, is to add the desired kernel parameter to the GRUB_CMDLINE_LINUX_DEFAULT variable in the /etc/default/grub file:

GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1"

Once you've added that to /etc/default/grub, run the following command to regenerate your grub.cfg:

sudo grub-mkconfig -o /boot/grub/grub.cfg

Alternatively, adding ipv6.disable_ipv6=1 instead will keep the IPv6 stack functional but will not assign IPv6 addresses to any of your network devices.

OR

To disable IPv6 via sysctl, place the following into your /etc/sysctl.conf file:

net.ipv6.conf.all.disable_ipv6 = 1

Don't forget to comment out any IPv6 hosts in your /etc/hosts file:

#::1        localhost.localdomain   localhost

NOTE

a reboot may be required for the sysctl method, and a reboot is definitely required for the kernel line approach.

OR

To temporarily disable ipv6: 

sysctl -w net.ipv6.conf.all.disable_ipv6=1

To temporarily enable it:

sysctl -w net.ipv6.conf.all.disable_ipv6=0

So if you need to disable ipv6 on a given condition, then write a bash script somewhere along these lines:

#!/bin/bash
ipv6_disabled="$(sysctl net.ipv6.conf.all.disable_ipv6 | awk '{print $NF}')"
if (connected_to_vpn &> /dev/null); then
  (($ipv6_disabled)) || sysctl -w net.ipv6.conf.all.disable_ipv6=1
else
  (($ipv6_disabled)) && sysctl -w net.ipv6.conf.all.disable_ipv6=0
fi

NOTE

You might need to disable any ipv6 hosts in your /etc/hosts file for this method too, just as I recommended in the previous method.

Related Question