Hi Gert

> Sent: Saturday, April 30, 2022 at 2:13 AM
> From: "Gert Doering" <g...@greenie.muc.de>
> To: "Jordan Hayes" <jmha...@j-o-r-d-a-n.com>
> Cc: openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] How do I prevent IPv6 routes from being added to
> my connection?
>
> *I* have spent very much time to implement and improve the IPv6 support
> (*and* to provide the tools to ignore server-pushed options, if someone
> would bother to read the manuals)

Your contributions to the development of OpenVPN cannot be overestimated. I really thank you from the bottom of my heart.

> - and it pains me if people spread the
> lore that "disabling IPv6 is a good way forward".
>

OpenVPN developers are human and they are unable to foresee some unexpected security vulnerabilities. A good case in point is the VORACLE attack (https://www.bleepingcomputer.com/news/security/voracle-attack-can-recover-http-data-from-vpn-connections/)

> Half of the "you need to disable IPv6 to achieve..." is bullshit, and the
> other half is misunderstood lore.
>
> Like, "with IPv6 in my VPN I can be tracked" - no, you can't,

All VPN vendors/providers which are serious about security and privacy will invariably advise their customers to disable IPv6 support in Linux or to configure Microsoft Windows in such a way that IPv4 is preferred to IPv6. These serious VPN vendors/providers have been in the business for more than a decade and they do know what they are saying when they give such advice. You may be surprised that some of them may be contributors to the development of OpenVPN.

> There is reliable measurement data that performance from mobile networks
> to dual-stacked servers is *better* using IPv6 than using IPv4, due to
> the avoidance of CGNAT boxes, leading to better routing and less issues
> due to CGNAT state overflow.

Thanks for this piece of information. What is the source of this "reliable measurement data"? However, in my opinion, performance cannot and should not trump security.

Below is the quote from "VORACLE Attack Can Recover HTTP Data From VPN Connections" (https://www.bleepingcomputer.com/news/security/voracle-attack-can-recover-http-data-from-vpn-connections/)

[quote]
But despite this, the OpenVPN project did not modify its default setting of compressing data before encrypting it as part of the VPN tunnel. This is because compressing data before the TLS encryption has performance benefits and a good reason why most VPN services/clients will continue to use this option.
[end quote]

If the above quote is factually correct, it shows that the folks at OpenVPN prioritize performance over security, which is a big NO for me.

Best regards.
Stella

P.S.: This is off-topic but I hope you can satisfy my curiosity. What do you think of The Tor Project? Would you contribute to the project if you had the time?

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
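The two concrete points in this exchange, filtering server-pushed IPv6 options instead of disabling IPv6 on the host and refusing compression inside the tunnel, map onto a handful of client directives. The fragment below is an added illustration, not a config from the thread or from the OpenVPN project; it assumes OpenVPN 2.5 or later (for `allow-compression`) and a placeholder server name.

```conf
# Added example client fragment (not from the list thread).
# Assumes OpenVPN 2.5+; vpn.example.net is a placeholder.
client
dev tun
proto udp
remote vpn.example.net 1194

# --- Server-pushed options ---------------------------------------------
# pull-filter matches the *prefix* of each pushed option. Ignoring only the
# IPv6-related pushes leaves IPv6 working on the host while keeping the
# tunnel IPv4-only; everything else the server pushes (IPv4 routes, DNS)
# is still accepted. route-nopull would instead drop every pushed route.
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"
# A pushed "redirect-gateway def1 ipv6" starts with "redirect-gateway", so
# filter it by that prefix if the server is known to push the ipv6 flag.
# pull-filter ignore "redirect-gateway"

# --- Compression --------------------------------------------------------
# Weak: compressing plaintext before encryption is the precondition for
# the VORACLE-style recovery discussed above. Do not enable these:
#   comp-lzo
#   compress lz4-v2
# Hardened: refuse compression even if the server pushes it.
allow-compression no
```

Run the client with `--verb 4` once after changing pull-filter rules; the log shows each pushed option and whether it was accepted or ignored.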