Anonymous VPN Tunnels And IPv6: When Two Rights Make A Wrong
Two things that I’ve been quite vocal in advocating recently – both on Geekosaur and in person – are IPv6 and privacy protection through VPN tunnelling. Both of these things are positive influences on the Internet and its users. However, it turns out that when combined, the two clash in a battle of awesomeness. I don’t know – think of it like one’s riding a velociraptor and playing Hangar 18 on a flying-V guitar, while the other flies an X-Wing while punching a shark in the face.
And the shark is also a pirate.
The important part, to paraphrase Alien vs. Predator, is that whoever wins – you lose.
What you need to know is this. I’ve tested Giganews’ VyprVPN and PrivateInternetAccess’ VPN services, and neither supports IPv6 tunnelling. If you don’t have any IPv6 service on your machine, you can chill out and forget about this post because it doesn’t affect you. If, however, you do have IPv6 service, your tunnel is not protecting your privacy for services that support IPv6 – and that includes BitTorrent. Let me reiterate –
If you have IPv6 connectivity, your VPN tunnel is not fully protecting your identity.
Because the tunnels support IPv4 only at the moment, your network stack sends IPv6 data out without using the tunnel. The IPv6 source address that you’re using is directly traceable to you if you have native service, or to your tunnel broker (who will probably not maintain your privacy if challenged) if you’re using a tunnel for IPv6 connectivity.
This is particularly insidious when it comes to BitTorrent or other peer-to-peer networks: your IPv4 traffic will be proxied, but your IPv6 traffic won’t. That makes for an even worse situation, because anyone can use your identifier on the network as a link to associate your anonymised IPv4 address with your traceable IPv6 address, and could then compromise your identity whenever you use the previously anonymous IPv4 address.
It’s pretty ugly. Fortunately, there’s a simple enough solution – disable IPv6 for the duration of your anonymous session, until VPN providers also tunnel IPv6. This is easy enough to do in major operating systems. Here’s a guide to enabling and disabling IPv6 in Windows, here’s one for Mac OS X and here’s one for Ubuntu.
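To check whether a machine is in the affected state described above, the following added example (not part of the original post) parses the output of `ip -6 route show` and `ip -6 -o addr show` on a Linux host with iproute2 and reports global IPv6 addresses whose default route does not go through the VPN interface. The interface names `eth0` and `tun0`, the addresses, and the trimmed sample output are constructed assumptions.

```python
import ipaddress

GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")

# Constructed sample output (interface names and addresses are made up;
# 2001:db8::/32 is the documentation prefix standing in for a real ISP prefix).
SAMPLE_ROUTES = """\
2001:db8:1234:1::/64 dev eth0 proto ra metric 100 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 100 pref medium
"""
SAMPLE_ADDRS = """\
1: lo    inet6 ::1/128 scope host
2: eth0    inet6 2001:db8:1234:1:a00:27ff:fe4e:66a1/64 scope global dynamic
2: eth0    inet6 fe80::a00:27ff:fe4e:66a1/64 scope link
7: tun0    inet6 fe80::3c1f:9d2a:77b0:1e42/64 scope link stable-privacy
"""

def default_route_devs(route_text):
    """Interfaces that carry an IPv6 default route (`ip -6 route show`)."""
    devs = set()
    for line in route_text.splitlines():
        f = line.split()
        if f and f[0] in ("default", "::/0") and "dev" in f[:-1]:
            devs.add(f[f.index("dev") + 1])
    return devs

def global_addrs(addr_text):
    """(interface, address) pairs for global unicast addresses
    (`ip -6 -o addr show`); link-local and loopback are skipped."""
    pairs = []
    for line in addr_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[2] == "inet6":
            ip = ipaddress.ip_interface(f[3]).ip
            if ip in GLOBAL_UNICAST:
                pairs.append((f[1], str(ip)))
    return pairs

def exposed(route_text, addr_text, tunnel_ifaces):
    """Global IPv6 addresses on interfaces whose default route bypasses the VPN."""
    bypass = default_route_devs(route_text) - set(tunnel_ifaces)
    return [(dev, ip) for dev, ip in global_addrs(addr_text) if dev in bypass]

if __name__ == "__main__":
    for dev, ip in exposed(SAMPLE_ROUTES, SAMPLE_ADDRS, {"tun0"}):
        print(f"IPv6 leaves outside the tunnel via {dev} with source {ip}")
```

An empty result means this routing check found no bypass; it does not inspect firewall rules, so a VPN client that blocks IPv6 by filtering would still show a default route here.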