Anonymous VPN tunnels And IPv6: When Two Rights Make A Wrong

Two things that I’ve been quite vocal in advocating recently – both on Geekosaur and in person – are IPv6 and privacy protection through VPN tunnelling. Both of these things are positive influences on the Internet and its users. However, it turns out that when combined, the two clash in a battle of awesomeness. I don’t know – think of it like one’s riding a velociraptor and playing Hangar 18 on a flying-V guitar, while the other flies an X-Wing while punching a shark in the face.

And the shark is also a pirate.

The important part, to paraphrase Alien vs. Predator, is that whoever wins – you lose.

What you need to know is this. I’ve tested Giganews’ VyprVPN and PrivateInternetAccess’ VPN services, and neither support IPv6 tunnelling. If you don’t have any IPv6 service on your machine, you can chill out and forget about this post because it doesn’t affect you. If, however, you do have IPv6 service, your tunnel is not protecting your privacy for services that support IPv6 – and that includes BitTorrent. Let me reiterate –

If you have IPv6 connectivity, your VPN tunnel is not fully protecting your identity.

Because the tunnels support IPv4 only at the moment, your network stack sends IPv6 data out without using the tunnel. The IPv6 source address that you’re using is directly traceable to you if you have native service, or to your tunnel broker (who will probably not maintain your privacy if challenged) if you’re using a tunnel for IPv6 connectivity.

This is particularly insidious when it comes to BitTorrent or other peer-to-peer networks, as while your IPv4 traffic will be proxied, your IPv6 traffic won’t – meaning an even worse situation as anyone will be able to associate your anonymised IPv4 address with your traceable IPv6 address, using your identifier on the network as a link, and could then compromise your identity when you use the previously anonymous IPv4 address.

It’s pretty ugly. Fortunately, there’s a simple enough solution – disable IPv6 for the duration of your anonymous session, until VPN providers also tunnel IPv6. This is easy enough to do in major operating systems. Here’s a guide to enabling and disabling IPv6 in Windows, here’s one for Mac OS X and here’s one for Ubuntu.

Also read...


  1. I have actually been using for a month now, they do tunnel both ipv4 and ipv6 in an encrypted tunnel and has been working very well. I can browse and torrent using ipv6.

  2. Pingback: Manning’s Mistakes: 7 critical privacy pitfalls, and how to avoid them | Dave I/O

  3. Good tips. I discovered the VPN provided no anonymity w/o also disabling IPv6–since using a windows downloadable fix, my IP remains at the website where I want it.

  4. Yea, thanks for this post I was about to start posting this around and am happy to see others noticed this too.

    I asked my VPN provider about it and this is what they said. “Not sure. It’s pretty new stuff. Sounds like you know more about ipv6 then I do.” -BTGuard

    The best way to work around this is to disable IPv6 when you are trying to hide what your doing.

  5. Please update or withdraw this article. OpenVPN now supports tunneling of IPv6 data. Your article was once true, but not anymore.

    • OpenVPN had support for IPv6 at the time of writing. The issue is the provider’s support for IPv6 – the vast majority still will not negotiate an IPv6 tunnel, leaving OS native IPv6 in use.


Leave a Reply