Package: network-manager-openvpn Version: 0.9.4.0-1 Severity: normal Tags: ipv6
I see the following in the log: May 9 14:52:12 spike NetworkManager[1927]: <info> Policy set 'SCC rz-netze-s1' (tap0) as default for IPv4 routing and DNS. May 9 14:52:12 spike NetworkManager[1927]: <info> Policy set 'Pigeon_A' (wlan0) as default for IPv6 routing and DNS. Sadly that's pretty much wrong. The OpenVPN plugin does not support IPv6 configuration at all. As long as "Use this connection only for routes on its network" is unchecked (i.e. the default), IPv6 connectivity should be suppressed if not obtained through the VPN. In principle it's possible to get v6 connectivity through the TAP device without explicit OpenVPN support. If v6 connectivity is still preserved on the other interfaces, then longest prefix match will take effect, which might be right for most addresses, but is wrong for some (like if the organization uses multiple different prefixes). So to allow proper v6 tunneling, the other interfaces should have their IPv6 deactivated. If the tunnel does not provide IPv6 (or when we simply don't know) then the other interfaces should also have their IPv6 deactivated. I think it's fair to leave it on iff one ticks the split tunneling option as mentioned above. Sadly central firewalls are still common and this mismatch causes hosts reachable from the internal network to be reachable via IPv4, but not IPv6. Kind regards Philipp Kern -- System Information: Debian Release: wheezy/sid APT prefers testing APT policy: (500, 'testing'), (300, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-2-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages network-manager-openvpn depends on: ii libc6 2.13-32 ii libdbus-1-3 1.5.12-1 ii libdbus-glib-1-2 0.98-1 ii libglib2.0-0 2.32.0-4 ii libnm-glib-vpn1 0.9.4.0-3 ii libnm-glib4 0.9.4.0-3 ii libnm-util2 0.9.4.0-3 ii openvpn 2.2.1-8 network-manager-openvpn recommends no packages. network-manager-openvpn suggests no packages. -- no debconf information -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]
