VPNs and IPv6¶
There are some special considerations for VPNs when using them in combination with IPv6. The two main items of concern are:
Whether or not a certain VPN type supports IPv6
Making sure the firewall rules don’t allow unencrypted traffic in that should be coming over a VPN.
IPv6 VPN Support¶
Support for IPv6 varies from type to type and in client support. Be sure to check with the vendor of the other device in order to make sure a non-pfSense firewall or client supports IPv6 VPNs.
IPsec can use IKEv1 over IPv6 with one quirk: If a tunnel uses an IPv6 peer address, the tunnel can only carry IPv6 phase 2 networks, and the same for IPv4. Traffic cannot be mixed between address families with IKEv1. See IPsec and IPv6.
When an IPsec tunnel is set for IKEv2, it can include both IPv4 and IPv6 Phase 2 definitions concurrently.
OpenVPN fully supports IPv6 for site-to-site and mobile clients, and tunnels can carry both IPv4 and IPv6 traffic concurrently. See OpenVPN and IPv6.
WireGuard fully supports IPv6 and tunnels can carry both IPv4 and IPv6 traffic concurrently.
IPv6 VPN and Firewall Rules¶
As mentioned briefly in Firewall and VPN Concerns, special care must be taken when routing IPv6 traffic across a VPN and using publicly routable subnets. The same advice also applies to IPv4 but it’s much less common to have clients on both sides of an IPv4 VPN using publicly routable addresses.
The main issue is that because it’s possible to route all the way from one LAN to the other LAN across the Internet, then traffic could be flowing unencrypted between the two networks if the VPN is down (or not present at all!). This is far from ideal because although connectivity is available, if any traffic were intercepted in between the two networks and that traffic was using an unencrypted protocol like HTTP, then it could compromise the network.
One way to prevent this is to not allow traffic from the remote IPv6 LAN in on the opposing side’s WAN rules. Only allow traffic from the remote side’s subnet on the firewall rules for whichever VPN type is being used to protect the traffic. An explicit block rule could also be added to the top of the WAN rules to ensure that this traffic cannot enter from the WAN directly. A better method is to use a floating rule to reject outbound traffic on WAN destined for VPN hosts/remote local networks. This way the insecure traffic never leaves the premises. With the rule set to log, the “leakage” would be obvious to someone monitoring the logs as it would be shown blocked outbound on WAN.
Another less obvious consequence of having dual stack connectivity between networks is that differences in DNS can cause unintended routing to take place. Suppose IPv4 VPN connectivity exists between two sites, but there is no IPv6 VPN, only standard IPv6 connectivity at both locations. If a local host is set to prefer IPv6 and it receives a AAAA DNS response with the IPv6 IP address for a remote resource, it would attempt to connect over IPv6 first rather than using the VPN. In cases such as this, care would be needed to make sure that DNS does not contain conflicting records or that floating rules are added to prevent this IPv6 traffic from leaking out WAN. A more in-depth article on these kinds of traffic leakage can be found in the IETF draft named draft-gont-opsec-vpn-leakages-00.