TunSafe Forum

Welcome to the TunSafe Community Forum. This is open for discussions related to TunSafe and the WireGuard protocol.

#1 2018-10-22 09:26:51

tas
Member
Registered: 2018-10-22
Posts: 4

Tunsafe ipv6 leak

Windows 10 Pro 1803
IPV6 enabled
Tunsafe TunSafe-1.5-rc1 (also applies to 1.4 stable)

When connecting with a conf file supporting IPV4 only, the system leaks dns from the previous provider with a conf file supporting IPV6.

Example: I connect to Azire with IPV6 support, ip test all good, shows only azire addresses. When I connect to Mullvad and a conf file only supporting IPV4, ipleak test shows dns servers from Azire.

Is this a feature or kind of misbehaviour?
I can support more documentation if desired.


Best regards

Offline

#2 2018-10-22 12:37:23

ludde
Administrator
Registered: 2018-03-09
Posts: 128

Re: Tunsafe ipv6 leak

When I test I see first this line when I connect, which sets up the DNS server.
[13:35:11] Run: netsh interface ipv6 set dns name=13 static fc00::2 validate=no

Then when I disconnect, I see this line, which removes the DNS server:
[13:35:17] Run: netsh interface ipv6 delete dns name=13 all

Do you see those too?

Offline

#3 2018-10-22 16:28:20

tas
Member
Registered: 2018-10-22
Posts: 4

Re: Tunsafe ipv6 leak

No, I do not have the line you have when disconnecting.

Maybe I didn't clarify the issue enough. I have Azirevpn and Mullvad. Azirevpn conf supports IPV6. Mullvad conf supports only IPV4. When I connect to Azirevpn, ip address and dns addresses are normal from Azirevpn. So, when disconnecting Azirevpn and connecting to Mullvad, I have ip address from Mullvad but dns servers from Azirevpn.

Here connect/disconnect log Azirevpn:

[17:08:08] Loading file: C:\Program Files\TunSafe\Config\azirevpn-se1.conf
[17:08:08] Resolved se1.wg.azirevpn.net to 193.180.164.58
[17:08:08] TAP Driver Version 9.21
[17:08:08] Set IPV6 Address to: 2a03:8600:1001:4000::118a/64
[17:08:08] Run: netsh interface ipv6 set dns name=14 static 2001:67c:15ec:1337::2 validate=no
[17:08:08] Blocking standard DNS on all adapters
[17:08:08] Added Route 193.180.164.58/32  =>  10.0.0.138
[17:08:08] Added Route 0.0.0.0/1  =>  10.10.0.1
[17:08:08] Added Route 128.0.0.0/1  =>  10.10.0.1
[17:08:08] Added Route ::/1  =>  2a03:8600:1001:4000::1
[17:08:08] Added Route 8000::/1  =>  2a03:8600:1001:4000::1
[17:08:08] Sending handshake...
[17:08:08] Connection established. IP 10.10.17.137
[17:08:54] Disconnected
[17:08:54] Deleted Route 193.180.164.58/32  =>  10.0.0.138
[17:08:54] Deleted Route 0.0.0.0/1  =>  10.10.0.1
[17:08:54] Deleted Route 128.0.0.0/1  =>  10.10.0.1
[17:08:54] Deleted Route ::/1  =>  2a03:8600:1001:4000::1
[17:08:54] Deleted Route 8000::/1  =>  2a03:8600:1001:4000::1

Here connect/disconnect log Mullvad:
[17:09:53] Loading file: C:\Program Files\TunSafe\Config\mullvad-no1.conf
[17:09:53] TAP is not compatible CIDR /31 or /32. Changing to /24
[17:09:53] IPv6 /127 or /128 not supported. Changing to 120
[17:09:53] TAP Driver Version 9.21
[17:09:53] Deleted IPv6 address: 2a03:8600:1001:4000::118a/64
[17:09:53] Set IPV6 Address to: fc00:bbbb:bbbb:bb01::fef/120
[17:09:53] Blocking standard DNS on all adapters
[17:09:53] Added Route 91.90.44.60/32  =>  10.0.0.138
[17:09:53] Added Route 0.0.0.0/1  =>  10.99.15.1
[17:09:53] Added Route 128.0.0.0/1  =>  10.99.15.1
[17:09:53] Added Route ::/1  =>  fc00:bbbb:bbbb:bb01::1
[17:09:53] Added Route 8000::/1  =>  fc00:bbbb:bbbb:bb01::1
[17:09:53] Sending handshake...
[17:09:53] Connection established. IP 10.99.15.239
[17:10:15] Disconnected
[17:10:15] Deleted Route 91.90.44.60/32  =>  10.0.0.138
[17:10:15] Deleted Route 0.0.0.0/1  =>  10.99.15.1
[17:10:15] Deleted Route 128.0.0.0/1  =>  10.99.15.1
[17:10:15] Deleted Route ::/1  =>  fc00:bbbb:bbbb:bb01::1
[17:10:15] Deleted Route 8000::/1  =>  fc00:bbbb:bbbb:bb01::1

Now, if I check ip/dns addresses, it shows Azirevpn dns, even if I'm connected to Mullvad.

In the TAP adapter when displaying properties for IPV6, it shows azirevpn dns servers.

OK, this is not a problem for me, I know how to rectify this. It could be a problem for others not experienced enough with Windows and networking, hence my original question if it's a feature of Tunsafe or misbehavior.

Offline
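The two sessions logged in the post above can be checked mechanically for a resolver that one conf set and the next session inherited. This is an added example, not part of the original thread or of TunSafe; the function name `find_stale_dns` is hypothetical, and it assumes both sessions use the same TAP adapter index (`name=14`).

```python
import re

# Patterns match the log line shapes quoted in this thread.
LOAD = re.compile(r"Loading file: .*?([^\\/]+\.conf)\s*$")
SET = re.compile(r"Run: netsh interface (ipv4|ipv6) set dns name=(\d+) static (\S+)")
DEL = re.compile(r"Run: netsh interface (ipv4|ipv6) delete dns name=(\d+) all")

def find_stale_dns(log_text):
    """Return (session_conf, family, iface, server, set_by_conf) for every
    session that came up with a resolver left behind by a different conf."""
    active = {}      # (family, iface) -> (server, conf that set it)
    conf = None      # conf file of the session currently being read
    findings = []
    for line in log_text.splitlines():
        if m := LOAD.search(line):
            conf = m.group(1)
        elif m := SET.search(line):
            active[(m.group(1), m.group(2))] = (m.group(3), conf)
        elif m := DEL.search(line):
            active.pop((m.group(1), m.group(2)), None)
        elif "Connection established" in line:
            for (family, iface), (server, owner) in active.items():
                if owner != conf:
                    findings.append((conf, family, iface, server, owner))
    return findings

# Abridged from the two sessions quoted in the post above.
THREAD_LOG = r"""
[17:08:08] Loading file: C:\Program Files\TunSafe\Config\azirevpn-se1.conf
[17:08:08] Run: netsh interface ipv6 set dns name=14 static 2001:67c:15ec:1337::2 validate=no
[17:08:08] Connection established. IP 10.10.17.137
[17:08:54] Disconnected
[17:09:53] Loading file: C:\Program Files\TunSafe\Config\mullvad-no1.conf
[17:09:53] Set IPV6 Address to: fc00:bbbb:bbbb:bb01::fef/120
[17:09:53] Connection established. IP 10.99.15.239
"""

# Constructed control: the same log with a delete line (format from post #2) on disconnect.
CLEAN_LOG = THREAD_LOG.replace(
    "[17:08:54] Disconnected",
    "[17:08:54] Disconnected\n[17:08:54] Run: netsh interface ipv6 delete dns name=14 all")

if __name__ == "__main__":
    for conf, family, iface, server, owner in find_stale_dns(THREAD_LOG):
        print(f"{conf}: {family} DNS {server} on interface {iface} set by {owner}, never deleted")
```

The log only records what TunSafe ran; the adapter's live resolver list can be read with `netsh interface ipv6 show dnsservers`.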

#4 2018-10-22 21:00:32

tas
Member
Registered: 2018-10-22
Posts: 4

Re: Tunsafe ipv6 leak

Done some further testing. I disabled IPV6 in Windows. Completely uninstalled Tunsafe and TAP adapter (Revo uninstaller), did a clean reinstall. Imported clean, freshly downloaded conf files from Azire/Mullvad with IPV6 disabled.

So far switching between vpn providers works flawlessly with correct ip and dns from the respective vpn provider.

Issue seems to occur if IPV6 is in use? It looks like dns servers are stuck in the TAP adapter when switching vpn providers.

Offline

#5 2018-10-23 14:56:52

tas
Member
Registered: 2018-10-22
Posts: 4

Re: Tunsafe ipv6 leak

Did the same with IPV6 only. Enabled IPV6 in Windows, clean Tunsafe install, clean newly downloaded conf files with IPV6 support. No more different dns addresses, only from the respective vpn provider.

Seems the problem occurs when mixing conf files with IPV4 and other conf files with IPV6.

Solved?

Last edited by tas (2018-10-23 14:57:23)

Offline

#6 2018-11-07 12:32:08

anaknaga
Member
Registered: 2018-11-07
Posts: 1

Re: Tunsafe ipv6 leak

Thank you for this information. I had the exact same problem and this solved it. Tunsafe was very unreliable with IPV6 leaks until I uninstalled the adapter as well as openVPN client and Mullvad client and reinstalled only Tunsafe. Now it's perfect performance without leaks.

tas wrote:

Done some further testing. I disabled IPV6 in Windows. Completely uninstalled Tunsafe and TAP adapter (Revo uninstaller), did a clean reinstall. Imported clean, freshly downloaded conf files from Azire/Mullvad with IPV6 disabled.

So far switching between vpn providers works flawlessly with correct ip and dns from the respective vpn provider.

Issue seems to occur if IPV6 is in use? It looks like dns servers are stuck in the TAP adapter when switching vpn providers.

Offline

#7 2018-11-10 00:19:28

wiggo
Administrator
Registered: 2018-03-09
Posts: 88

Re: Tunsafe ipv6 leak

As you're using the TUN / TAP based Windows version, IPv6 will leak (and also IPv4 DNS queries) if you're on a dual stack network with an IPv4-only file and don't have the kill switch with firewall rules enabled.

"Options -> Internet Kill Switch -> Yes, Both methods."

This will add firewall rules so that no traffic can bypass TunSafe, and IPv6 packets will be dropped instead of leaving the default interface, or routed via TunSafe if the conf file is configured to route IPv6 traffic. (However, another software running as admin can delete or modify these rules, for example another VPN software.)

Did you have the kill switch with firewall rules enabled when the problem occurred?

Offline
