Add this to your kernel line in your boot loader to disable IPv6 altogether:
ipv6.disable=1
If you're using Grub (if you haven't installed your own boot-loader, then you are using Grub), your kernel line should look something like this:
linux /boot/vmlinuz-linux root=UUID=978e3e81-8048-4ae1-8a06-aa727458e8ff ipv6.disable=1
The recommended approach for adding something to the kernel line is to add the desired kernel parameter to the GRUB_CMDLINE_LINUX_DEFAULT variable in the /etc/default/grub file:
GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1"
Once you've added that to /etc/default/grub, run the following command to regenerate your grub.cfg:
sudo grub-mkconfig -o /boot/grub/grub.cfg
Alternatively, adding ipv6.disable_ipv6=1 instead will keep the IPv6 stack functional but will not assign IPv6 addresses to any of your network devices.
OR
To disable IPv6 via sysctl, place the following into your /etc/sysctl.conf file:
net.ipv6.conf.all.disable_ipv6 = 1
Don't forget to comment out any IPv6 hosts in your /etc/hosts file:
#::1 localhost.localdomain localhost
NOTE
a reboot may be required for the sysctl method, and a reboot is definitely required for the kernel line approach.
OR
To temporarily disable ipv6:
sysctl -w net.ipv6.conf.all.disable_ipv6=1
To temporarily enable it:
sysctl -w net.ipv6.conf.all.disable_ipv6=0
So if you need to disable ipv6 on a given condition, then write a bash script somewhere along these lines:
#!/bin/bash
# connected_to_vpn is a placeholder: replace it with whatever command or
# function reports, via its exit status, that the VPN is currently up.
# Needs root, since sysctl -w writes to /proc/sys.
# Current value of the sysctl: "1" means IPv6 is disabled.
ipv6_disabled="$(sysctl net.ipv6.conf.all.disable_ipv6 | awk '{print $NF}')"
if (connected_to_vpn &> /dev/null); then
    # On the VPN: disable IPv6 unless it already is.
    (($ipv6_disabled)) || sysctl -w net.ipv6.conf.all.disable_ipv6=1
else
    # Off the VPN: re-enable IPv6 if it was disabled.
    (($ipv6_disabled)) && sysctl -w net.ipv6.conf.all.disable_ipv6=0
fi
NOTE
You might need to disable any ipv6 hosts in your /etc/hosts file for this method too, just as I recommended in the previous method.
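A fuller version of that conditional script, added here as an example that is not part of the answer above. It derives the VPN state from the output of ip -o link (treating any tun*/tap* interface as "on the VPN", which is an assumption), sets the sysctl to match, and then verifies that no interface still holds a global-scope IPv6 address, since a surviving global address is exactly the leak path the toggle is meant to close. The helpers take the command output as an argument, so they can be run on the constructed sample output embedded in the script (the demo subcommand) without root; apply and check need a real host and, for apply, root.

```sh
#!/bin/sh
# Added example (not from the original answer). Usage:
#   ipv6-vpn-sync.sh apply   # set disable_ipv6 to match VPN state, then check for leaks
#   ipv6-vpn-sync.sh check   # only report interfaces that still have a global IPv6 address
#   ipv6-vpn-sync.sh demo    # run the helpers on the constructed sample output below
# Assumption: a tun*/tap* interface in "ip -o link" means the VPN is up.

SYSCTL_KEY=net.ipv6.conf.all.disable_ipv6

# Extract the value from "sysctl <key>" output,
# e.g. "net.ipv6.conf.all.disable_ipv6 = 1" -> 1
sysctl_value() {
    printf '%s\n' "$1" | awk '{ print $NF }'
}

# Exit 0 when the given "ip -o link" output lists a tun*/tap* interface.
vpn_iface_present() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+: (tun|tap)[^:]*:'
}

# The disable_ipv6 value we want for the given "ip -o link" output: 1 on VPN, else 0.
desired_state() {
    if vpn_iface_present "$1"; then printf '1\n'; else printf '0\n'; fi
}

# Interfaces that still carry a global-scope IPv6 address, from "ip -o -6 addr"
# output (link-local fe80:: addresses are ignored). Anything printed here after
# disabling IPv6 is a leak path.
global_v6_ifaces() {
    printf '%s\n' "$1" | awk '$3 == "inet6" && /scope global/ { print $2 }' | sort -u
}

# Exit 1 and list the offending interfaces if any global IPv6 address remains.
check_leaks() {
    leaks=$(global_v6_ifaces "$(ip -o -6 addr)")
    if [ -n "$leaks" ]; then
        echo "global IPv6 still present on: $leaks" >&2
        return 1
    fi
    return 0
}

# Make the sysctl match the VPN state; after disabling, verify nothing leaked.
sync_state() {
    current=$(sysctl_value "$(sysctl "$SYSCTL_KEY")")
    desired=$(desired_state "$(ip -o link)")
    [ "$current" = "$desired" ] || sysctl -w "$SYSCTL_KEY=$desired" || return 1
    if [ "$desired" = 1 ]; then check_leaks; fi
}

# Constructed sample command output (not captured from a real host).
SAMPLE_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000'
SAMPLE_LINK_VPN="$SAMPLE_LINK
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 500"
SAMPLE_ADDR_LEAK='1: lo    inet6 ::1/128 scope host \       valid_lft forever preferred_lft forever
2: eth0    inet6 2001:db8:1::10/64 scope global dynamic mngtmpaddr \       valid_lft 86000sec preferred_lft 14000sec
2: eth0    inet6 fe80::5054:ff:fe12:3456/64 scope link \       valid_lft forever preferred_lft forever'
SAMPLE_ADDR_CLEAN='1: lo    inet6 ::1/128 scope host \       valid_lft forever preferred_lft forever
2: eth0    inet6 fe80::5054:ff:fe12:3456/64 scope link \       valid_lft forever preferred_lft forever'

case "${1:-}" in
    apply) sync_state ;;
    check) check_leaks ;;
    demo)
        echo "desired state without VPN:      $(desired_state "$SAMPLE_LINK")"
        echo "desired state with tun0 present: $(desired_state "$SAMPLE_LINK_VPN")"
        echo "leaking interfaces in sample:    $(global_v6_ifaces "$SAMPLE_ADDR_LEAK")"
        ;;
    *) echo "usage: $0 apply|check|demo" >&2 ;;
esac
```

Run it from whatever hook fires when the VPN comes up or goes down (an OpenVPN up/down script, a NetworkManager dispatcher script) rather than from cron, so the window in which IPv6 is enabled while the tunnel is up stays as short as possible.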
I got it working with OpenVPN (using TAP) after a lot of work. No luck with TUN, I believe it cannot work with TUN since there is no UDP broadcast possible with it (which apparently Steam In-home Streaming uses to detect peers).
I run the OpenVPN server on my router, an Archer C7 V2 running OpenWRT (Barrier Breaker).
Below is the server config file I use. Modifications are necessary where it should be clear:
# clients must be able to reach each other for peer discovery to work
client-to-client
persist-key
persist-tun
# "server" below already implies mode server and tls-server; these two
# lines are redundant but harmless
tls-server
ca /etc/openvpn/ca.crt
cert /etc/openvpn/erb-router-c7.crt
# the tap device name must match the member listed in the lan bridge
# in /etc/config/network
dev tap_myvpn
dh /etc/openvpn/dh2048.pem
keepalive 10 120
key /etc/openvpn/erb-router-c7.key
log /tmp/openvpn.log
mode server
port 1194
proto udp
route-gateway dhcp
server 10.8.0.0 255.255.255.0
status /var/log/openvpn_status.log
topology subnet
verb 3
# pushed options that take parameters must be enclosed in double quotes
push "topology subnet"
push "route-gateway dhcp"
push "persist-key"
push "persist-tun"
Here is my client config (this is the host machine, which runs Windows; a similar config is used on the client machine running Ubuntu):
client
float
dev tap
proto udp
remote YOUR_HOSTNAME_OR_IP_HERE 1194
log "C:/Program Files/OpenVPN/config/log.txt"
verb 3
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
ca "C:/Program Files/OpenVPN/config/ca.crt"
cert "C:/Program Files/OpenVPN/config/erb-main-7.crt"
key "C:/Program Files/OpenVPN/config/erb-main-7.key"
I've done so much with the OpenWRT config that I'm not sure if this is all that is required for someone to replicate my success. But the short version is: use TAP and not TUN, and make sure your VPN clients can talk to each other by specifying the client-to-client parameter in the server config. In OpenWRT I've also set up the network interface and the firewall as specified in the OpenWRT wiki for OpenVPN.
If you have any questions, I'll do my best to answer them.
Edit, on request:
/etc/config/network
config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd0f:252f:ed29::/48'

config interface 'lan'
    option force_link '1'
    option type 'bridge'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option _orig_ifname 'eth1 wlan0 wlan1'
    option _orig_bridge 'true'
    option ifname 'eth1 tap_myvpn'

config interface 'wan'
    option ifname 'eth0'
    option proto 'dhcp'

config interface 'wan6'
    option ifname '@wan'
    option proto 'dhcpv6'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '0 2 3 4 5'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '1 6'

config interface 'vpn0'
    option ifname 'tun0'
    option proto 'none'
    option auto '1'
Selected part from /etc/config/firewall; it may not provide the entire context, but I don't want my entire firewall file to be known. Please inform me of any redundancy or mistakes:
config rule
    option name 'Allow-OpenVPN-Inbound'
    option target 'ACCEPT'
    option src '*'
    option proto 'udp'
    option dest_port '1194'

config zone
    option name 'vpn'
    option masq '1'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option output 'ACCEPT'
    option network 'vpn0'

config forwarding
    option dest 'lan'
    option src 'vpn'

config forwarding
    option dest 'wan'
    option src 'vpn'

config forwarding
    option dest 'vpn'
    option src 'lan'
Best Answer
Discuss it with the people who set up VPN for you.
This is commonly known as split routing, where the VPN tunnel is used for resources that are inside the corporate network, whilst the default gateway is used for the rest. This is usually easier than filtering by service. Commonly, the corporation will have some kind of internal plan for the network that makes it easy to provide split routing.
You should check whether it's permitted in your organization. Not all organizations allow split routing, because, for instance, they want to do data loss prevention on your traffic.