From what I’ve read, the primary concern with VPNs that do not support IPv6 is leakage. If a user’s device tries to access an IPv6 resource while connected to a VPN that only routes IPv4 traffic, the IPv6 packets can escape the VPN tunnel. This exposes the user’s real IP address to external servers, undermining the privacy that the VPN is supposed to provide. Some servers have moved to strictly IPv6. Some servers only accept IPv4.
Some of you networking gods set me straight.
If you just want an IPv6 prefix and don’t need the encryption a VPN provides, you can use an IPv6 broker. Hurricane Electric’s broker is a popular one.
Thanks. I need encryption so that I can host anonymously.
Are you looking for a VPN or are you looking for an IPv6 tunnel broker like Hurricane Electric?
You might also try asking on !ipv6@lemmy.world.
Be advised that even if a VPN offers IPv6, they may not necessarily offer it sensibly. For example, some might only give you a single address (aka a routed /128). That might work for basic web fetching but it’s wholly inadequate if you wanted the VPN to also give addresses to any VMs, or if you want each outbound connection to use a unique IP. And that’s a fair ask, because a normal v6 network can usually do that, even though a typical Legacy IP network can’t.
Some VPNs will offer you a /64 subnet, but their software won’t check if your SLAAC-assigned address is leaking your physical MAC address. Your OS should have privacy-extensions enabled to prevent this, but good VPN software should explicitly check for that. Not all software does.
Yeah, you’re stuck with NAT66 with most commercial VPNs that support IPv6. If you’ve got ISP level ipv6 you can still allow inbound connections directly at least.
If you do go the NAT66 route, consider assigning a fake GUA from an unassigned prefix, as if you use standard ULAs, outbound connections will always prefer ipv4.
None of this is in the spirit of proper ipv6 but it “works”.
I’ve seen the suggestion of buying a GUA subnet, purely to use as a routable-but-unique prefix that will never collide, and will always win over ULA or Legacy IP routes. When I last checked, it was something like €1 for a /48 off of someone’s /32 prefix, complete with a letter of authorization and reverse IP delegation. So it could be routable, if one so chooses.
I’m not too familiar with VPNs that offer IPv6 addresses, so I can’t help with that. But I’m curious about why some people want IPv6 addresses. Are there any benefits to having an IPv6 address?
The main benefit is not having to deal with NAT. You get your own address and your traffic is not conflated with other people’s.
You also get privacy extensions. Your device generates a temporary address for making outgoing connections. The address has no listening sockets. This means that you cannot get portscanned by every website you visit.
I’m not an expert, so somebody may be able to give better responses.
It looks like IPv6 addresses have access to all 65,000 ports, whereas IPv4 addresses need to ‘forward’ them. I don’t know about other VPNs, but the one I’m using only allows forwarding 1 port at a time and I don’t get to choose it.
With IPv6, I hope to be able to have multiple ports open to make it easier to host multiple services.
Port forwarding is a function of NAT. It’s only needed because there aren’t enough ipv4 addresses for every device, so in most networks a lot of devices share a single ip and specific ports are forwarded to specific internal hosts.
IPv6 has a large enough address space that this isn’t needed. You can still do it if you want. But mostly you just need a firewall without any NAT.
There’s more to it than this but you should get the idea.
That’s great and all, but how does it help with VPNs only forwarding one port?
You responded to a question with an incorrect answer. I was correcting that.
VPNs shouldn’t need to forward any ports when using ipv6. They can provide an entire ipv6 subnet to you.
One thing I did is connect to the smart home (Home Assistant) and the NAS running at home. Some internet service providers don’t provide proper IPv4 addresses any more so IPv6 is the most convenient way to connect. This doesn’t require a VPN provider, though.
Telstra (Australia’s largest telco) now provides IPv6-only to mobile handsets by default. They’ve deployed 464XLAT.
Vodafone/TPG now implements this too. It’s just shitty old Optus that’s stuck in the past.
Optus is barely an internet connection at this point. I’m using about 10 features on Aussie Broadband that simply don’t exist on the Optus network.
NordVPN I believe. Also AzireVPN owned by Malwarebytes. Some others do for a fee.
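Added example, not part of the thread: a small Python check for the SLAAC concern raised above, flagging addresses whose interface identifier is built from the MAC address (modified EUI-64) and recovering that MAC. The function names are hypothetical and the sample addresses are constructed, with the 2001:db8::/32 documentation prefix standing in for a routable prefix handed out by a VPN.

```python
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")


def _parse(addr):
    # Drop a zone id ("%eth0") or prefix length ("/64") if present.
    return ipaddress.IPv6Address(addr.split("%")[0].split("/")[0])


def eui64_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, else None."""
    iid = _parse(addr).packed[8:]          # low 64 bits = interface identifier
    if iid[3:5] != b"\xff\xfe":            # EUI-64 inserts ff:fe mid-MAC
        return None
    # Undo the universal/local bit flip applied to the first MAC octet.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def scope(addr):
    ip = _parse(addr)
    if ip.is_link_local:
        return "link-local"                # never leaves the local link
    if ip in ULA:
        return "ula"
    return "routable"                      # visible to remote servers


def audit(addresses):
    """List (address, recovered MAC, scope) for every MAC-derived address."""
    return [(a, eui64_mac(a), scope(a)) for a in addresses if eui64_mac(a)]


# Constructed sample: one EUI-64 address, one privacy-extension style
# address, and a link-local EUI-64 address.
SAMPLE = [
    "2001:db8:1:2:211:22ff:fe33:4455",
    "2001:db8:1:2:5c3a:91d2:7be4:a10f",
    "fe80::211:22ff:fe33:4455%eth0",
]

if __name__ == "__main__":
    for address, mac, where in audit(SAMPLE):
        print(f"{address}: embeds MAC {mac} ({where})")
```

A randomly generated interface identifier can contain ff:fe in the same position by chance (about 1 in 65,536), so treat a hit as a strong hint rather than proof.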



