From: Seth Mos <seth.mos@dds.nl>
To: freebsd-net@freebsd.org
Date: Tue, 27 Nov 2012 15:29:36 +0100
Subject: Re: VPN traffic leaks in IPv6/IPv4 dual-stack networks/hosts
Message-ID: <50B4CE50.4060508@dds.nl>
In-Reply-To: <50B4C714.6080206@gont.com.ar>
List-Id: Networking and TCP/IP with FreeBSD

On 27-11-2012 14:58, Fernando Gont wrote:
> Folks,
>
> FYI. This might affect FreeBSD users employing e.g. OpenVPN:
> .
>
> For a project such as OpenVPN, a (portable) fix might be non-trivial.
> However, I guess FreeBSD might hook some PF rules when establishing the
> VPN tunnel, such that e.g. all v6 traffic is filtered (yes, this is
> certainly not the most desirable fix, but still probably better than
> having your supposedly-secured traffic being sent in the clear).

No need for filtering. Just forward the traffic over the tunnel.

The newer OpenVPN already supports IPv6 and both servers and clients are
actively out in the wild. Even the Android OpenVPN client supports both
stacks.

Our OpenVPN server for road warriors sends an IPv6 prefix to be used on
OpenVPN as well as an IPv4 address. It works well.

Regards,
Seth
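The set-up Seth describes (hand each client an IPv6 address and route all IPv6 into the tunnel, so a dual-stack client has no v6 path around the VPN) as an added example OpenVPN server configuration. This is not Seth's configuration or anything shipped by the OpenVPN project; the prefixes are documentation ranges (RFC 3849 / RFC 5737), and the certificate paths, port and interface names are placeholders.

```conf
# server.conf excerpt for a dual-stack "road warrior" OpenVPN server.
# Added example: addresses are documentation ranges, not a real deployment.
port 1194
proto udp            # outer transport; v4 or v6 transport is independent of what the tunnel carries
dev tun
topology subnet

ca   /usr/local/etc/openvpn/ca.crt
cert /usr/local/etc/openvpn/server.crt
key  /usr/local/etc/openvpn/server.key
dh   /usr/local/etc/openvpn/dh2048.pem

# IPv4: per-client address from this pool, and send all v4 through the tunnel.
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"

# IPv6: per-client address from this /64 (server-ipv6 needs OpenVPN 2.3 or newer).
tun-ipv6                            # required on 2.3; accepted as a no-op on 2.4+ where IPv6 is always on
server-ipv6 2001:db8:ab:cd::/64

# The leak fix: route all global-unicast IPv6 (2000::/3) into the tunnel as well.
# Without this a dual-stack client keeps sending v6 traffic out its LAN/WAN
# interface in the clear while only v4 is tunnelled. Link-local (fe80::/10)
# and ULA (fc00::/7) are deliberately not covered, so the local LAN keeps working.
push "route-ipv6 2000::/3"
# On OpenVPN 2.4+ the equivalent single directive is: push "redirect-gateway ipv6"

keepalive 10 120
persist-key
persist-tun
```

The server side also needs a routed /64 (here 2001:db8:ab:cd::/64) and IPv6 forwarding enabled; on FreeBSD that is `sysctl net.inet6.ip6.forwarding=1`. To confirm the fix on a connected client, look up the route for any global address, e.g. `route -n get -inet6 2001:db8::1` on FreeBSD or `ip -6 route get 2001:db8::1` on Linux, and check that the interface reported is the tun device rather than the physical NIC; if it is not, the `route-ipv6` push was not accepted, typically because the client is older than 2.3.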