Hello. I have been using PureOS for the past six weeks as this is my first attempt at a GNU/Linux distro. I have enjoyed my time switching to Linux from Windows. However, I have been having problems with the Librem One Tunnel.
When I first started using the Tunnel VPN I noticed it would leak my IPv6 address. In order to stop this I changed my Network Settings in the GUI for my own Personal Wifi IPv6 by going to System Settings>>>Connections>>>Personal Wifi>>>IPv6 (Method: set on “Automatic”)>>>Routes and checking “Use Only for resources on this connection”. I then changed my Network Settings for Tunnel VPN by going to System Settings>>>Connections>>>Librem One US-California>>>IPv6 and set Method to “Disabled”. Once I did this Tunnel VPN would work just fine and my IPv6 address would not leak for six weeks. However, now when I do this my Tunnel VPN connects but the internet won’t work.
I have been researching for a couple of days now and I keep reading that it is important to disable IPv6 for my own Personal Wifi. However, when I disable IPv6 on my own Wifi by going to System Settings>>>Connections>>>Personal Wifi>>>IPv6 (Method: set on “Disabled”), Tunnel VPN connects but then the internet won’t work. Do you have any advice or resources I can use so that my Tunnel VPN will work and not leak my IPv6 address??? I have already tried contacting support two different times but they won’t reply back to me. I am using OpenVPN version 2.5.1 and using PureOS KDE Plasma Live.
When I was using openvpn, I would run it from the terminal in order to avoid leaking ipv6. At the time (and I haven’t looked into it since) it was known that the network manager would leak the ipv6 address. Try putting your settings back the way they were and running openvpn from the command line.
Also if it helps, ipleak.net is a good site to test for leaks.
Thanks for responding Gavaudan. I have started to research into running openvpn from the command line. I got a response back from Purism. It appears for now Librem Tunnel only supports IPv4. I have disabled IPv6 from the terminal by entering sudo nano /etc/sysctl.conf and inserting:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.tun0.disable_ipv6 = 1
and then activating the changes with sudo sysctl -p. (Source: https://protonvpn.com/support/disable-ipv6-protocol-linux/)
However just like when I would disable IPv6 in the GUI it will disable my IPv6 but then when I connect to the VPN the internet won’t work. It probably has something to do with the DNS not resolved properly. I’ll keep doing research in the meantime to see if I can find a way to resolve this.
Sorry for the late reply. I was able to confirm that the DNS was the issue by pinging an IP address. I want to thank the support team at Purism for assisting me with the issue. It appears the problem might be that my ISP provides only IPv6 DNS. The answer to resolve this was to try another DNS. I have been using https://dns.watch and it works fine. However, I have been researching into https://www.quad9.net/ and I have also heard great things about https://www.opennic.org/ and I might give them a try. I had to modify /etc/resolv.conf and now my internet works great!
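The failure described in the post above (IPv6 disabled with sysctl while the only configured resolvers are IPv6) can be checked for directly. This is an added example, not part of the original thread; the function names and the sample addresses (documentation ranges) are constructed for illustration.

```bash
# Added example: classify the nameservers in a resolv.conf-style file.

# Print "v4=<n> v6=<n>" for the nameserver lines in file $1.
count_nameservers() {
    awk '
        $1 == "nameserver" && $2 != "" {
            # IPv6 literals contain ":", IPv4 ones do not.
            if (index($2, ":")) v6++; else v4++
        }
        END { printf "v4=%d v6=%d\n", v4, v6 }
    ' "$1"
}

# Verdict for a host where IPv6 has been disabled with sysctl:
#   ok         at least one IPv4 resolver is configured
#   ipv6-only  resolvers exist, but none is reachable over IPv4
#   none       no nameserver lines at all
resolver_verdict() {
    local counts v4 v6
    counts=$(count_nameservers "$1")
    v4=${counts#v4=}; v4=${v4%% *}
    v6=${counts##*v6=}
    if [ "$v4" -gt 0 ]; then echo ok
    elif [ "$v6" -gt 0 ]; then echo ipv6-only
    else echo none
    fi
}

# Constructed sample: what an IPv6-only ISP might hand out (2001:db8::/32
# is the documentation prefix, not a real resolver).
sample_resolv=$(mktemp)
printf '%s\n' '# constructed sample' \
    'nameserver 2001:db8::53' 'nameserver 2001:db8::54' > "$sample_resolv"
resolver_verdict "$sample_resolv"
```

On a real system, run `resolver_verdict /etc/resolv.conf` and compare with `cat /proc/sys/net/ipv6/conf/all/disable_ipv6`; a verdict of `ipv6-only` together with a value of `1` matches the symptom of the VPN connecting while name resolution fails.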
Somewhat related to the topic above. I was very surprised about finding that same leak.
I can confirm the Librem 5 Broadmobi WWAN0 modem ipv6 address leaks with Librem One service, and using AweSIM T-Mobile, even when OpenVPN network service is selected as ipv4 only, regardless of DNS setting. This did not change even when OpenVPN network ipv6 was enabled.
This should be configured in the OpenVPN configuration file to route the WWAN0 modem ipv6 traffic if enabled through the OpenVPN service if ipv6 is enabled, and if disabled, block network traffic from WWAN0 on ipv6. The same fix as mentioned above did the trick by opening the network configuration manager and disabling all ipv6 traffic for the WWAN0 (not ideal though).
If I remember correctly I don’t think I have experienced that before; the website I used to figure the leak out is “what is my ip address” https://whatismyipaddress.com/.
Is this something that can be improved in the Purism OpenVPN configuration files for Librem One? Or the simplest solution is to update the generic VPN documentation to state that WWAN0 ipv6 has to be manually disabled when using Librem One VPN when using mobile data.
One additional point, OpenVPN with Librem One does not block traffic when you disable the VPN and it is connected through either 4G, or WIFI (without VPN). This again results in the IPs IPv4, and IPv6 leaking, by allowing data connection to go through. VPN off should mean all data connections are blocked (this may also be something that could be configured in the OpenVPN files?).
I tried the ufw method to block all traffic except allow tun0 traffic on port 1198, however since the IPs dynamically change ufw doesn’t have a way to define those rules and won’t allow outbound traffic when writing ufw default deny outgoing. Any ideas how to set up automatic blocking? If someone has a script to update iptables with the proper data for Librem One OpenVPN I am all ears :)!
One additional side note, even though in the network settings I selected disable OpenVPN ipv6, this is not honored and it is still generating an ipv6 address, so this is probably a bug?
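One way to approach the kill switch asked about in the post above without tracking changing server addresses is to match on the VPN port instead. This is an added example, not part of the original thread and not Purism's configuration; the function names, the placeholder hosts and the `udp` protocol in the sample profile are assumptions, and only port 1198 comes from the post. It prints rules for review and applies nothing.

```bash
# Added example: print (never apply) fail-closed OUTPUT rules derived from
# an OpenVPN client config. Assumes nothing else (ufw etc.) manages OUTPUT.

# Emit unique "proto port" pairs for the `remote` lines in config $1.
# OpenVPN defaults (udp, 1194) apply where a field is omitted.
vpn_endpoints() {
    awk '
        $1 == "proto"  { dproto = $2 }
        $1 == "port"   { dport  = $2 }
        $1 == "remote" { n++; port[n] = $3; proto[n] = $4 }
        END {
            if (dproto == "") dproto = "udp"
            if (dport  == "") dport  = 1194
            for (i = 1; i <= n; i++) {
                p = (proto[i] != "") ? proto[i] : dproto
                q = (port[i]  != "") ? port[i]  : dport
                # iptables -p wants tcp or udp; fold tcp-client, udp4, ...
                p = (p ~ /^tcp/) ? "tcp" : "udp"
                print p, q
            }
        }' "$1" | sort -u
}

# Print the rule set for config $1 and tunnel interface $2 (default tun0).
killswitch_rules() {
    local conf tun proto port
    conf=$1; tun=${2:-tun0}
    echo "iptables -F OUTPUT"
    echo "iptables -P OUTPUT DROP"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A OUTPUT -o $tun -j ACCEPT"
    # Keep the DHCP lease alive on the physical interface.
    echo "iptables -A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT"
    # Match the VPN port, not an address, so changing server IPs are fine.
    vpn_endpoints "$conf" | while read -r proto port; do
        echo "iptables -A OUTPUT -p $proto --dport $port -j ACCEPT"
    done
    # The tunnel carries IPv4 only, so all IPv6 output is dropped.
    echo "ip6tables -F OUTPUT"
    echo "ip6tables -P OUTPUT DROP"
    echo "ip6tables -A OUTPUT -o lo -j ACCEPT"
}

# Constructed sample profile (placeholder hosts; udp is an assumption).
sample_conf=$(mktemp)
printf '%s\n' 'client' 'dev tun' 'proto udp' \
    'remote vpn1.example.invalid 1198' 'remote vpn2.example.invalid 1198' \
    'remote vpn3.example.invalid 443 tcp-client' > "$sample_conf"
killswitch_rules "$sample_conf" tun0
```

With these rules loaded, DNS queries outside the tunnel are dropped as well, so a hostname in a `remote` line must already be resolvable (for example pinned in /etc/hosts) when the VPN reconnects. The port match is broader than an address match: any host on that port stays reachable over the physical interface.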
I know I am to this thread but needed to mention, you shouldn’t be using openvpn because it was released in 2011 in a series of NSA leaked top secret documents, that all three three letter agencies have been able to hijack and intercept those protocols.
The leaking part is actually just a phone configuration issue that Purism could fix. I think a lot of VPNs do not allow ipv6 so if you have to run connections over that (because it is all the service allows) they are obviously not encrypted, regardless of using OpenVPN or any other protocol since it is dependent on whether it covers ipv4, or 6 or both.
A better way to fix these instances is banner notifications, as in you are about to send an unencrypted message etc, or your browsing is about to be unencrypted, instead of just blocking it the user could swipe away the notification and continue on their business of unencrypted communication for that same session.