
IPv6 you say? Make sure your VPN provider supports it

(Image credit: Centurylink internet)

With the proliferation of computers, mobile phones, and any other device that connects to the Internet, the original IP address scheme (called IPv4) is quickly running out of addresses. And because these devices all need a numerical IP address in order to communicate with each other, IPv6 is the way forward - in fact it’s the only way forward. Do you use a VPN? You might be surprised to learn that many VPNs available today do not support IPv6 - and that includes some of the most heavily advertised ones. Why have we chosen to support IPv6, and does it really matter if your chosen VPN does not support IPv6? Let’s delve a bit deeper to understand why VPN providers should be embracing IPv6 as a matter of urgency for the sake of users.

Under the current technology landscape, Windows (and other operating systems) prefer IPv6 when it’s available. IPv6 is supposed to be preferred and operating systems will use that protocol when you are performing internet searches, for example. Windows will prefer any kind of IPv6, even if there's an IPv4 tunnel in place. So, any of your Google searches will go over IPv6 if your ISP gave you an IPv6 address - unless the VPN takes care of that too.

In essence, IPv6 is a parallel and preferred network stack, but unrelated to IPv4. Whilst the name is similar, the two work independently. For this reason it is problematic for any VPN provider to support both protocols simultaneously. There are two networking stacks to take care of now, not just one, and a VPN provider needs to make sure everything works correctly. Some protocols (e.g. IKEv1) do not support tunneling IPv6 at all, and some protocols make it really tricky to configure an IPv6 address (SoftEther).

Compromising your customers

The Windows built-in IKEv2 client is especially tricky. It configures routing based on traffic selectors for all remote networks except for the default route. The default route is configured over IPv6 router advertisements in lieu of a local area network. Traffic selectors, which are an integral part of IPsec, should be used for default routes too, but again, Microsoft does its own thing and deviates from the standard.

Our strategy has been to ditch any protocols that do not support IPv6 (IKEv1) or that are unreliable (PPTP/L2TP) and support it with the other protocols. Usually, a VPN provider publishes an app which takes care of blocking IPv6 (more or less successfully). Being robust is the name of the game here. Blocking is fine and does work, but it also incurs a penalty for the customer. IPv6 sites do not work, and dual-stack sites (Google, Facebook et al.) use only IPv4. DNS queries have to be filtered to make sure that no IPv6 addresses get served to a customer (such operations may be logged). Whichever way you look at it, anonymity gets reduced and connectivity suffers - as a user this is exactly what you don’t want, and it goes against what a VPN should offer.

If a VPN provider supports manual configuration (as most VPNs do) then manual configuration of a connection can become dangerous. With no IPv6 blocking or leak protection going on (which is usually handled by the apps) your IPv6 traffic flows through your ISP. Under such conditions, a customer's security can be severely compromised and any claims about protection become redundant. Our solution to this problem (and other similar ones) was to completely embrace IPv6 and to fully support it. Amongst other things, this required a major infrastructure upgrade and removal of some locations. There are still some networks in the colocation/hosting space which do not support IPv6, although that number is becoming increasingly marginal. Our faith in IPv6 means connecting to our servers provides you with both an IPv4 and an IPv6 address - our servers support IPv6 and can tunnel, secure and anonymize all traffic under complete protection. There's no filtering or tampering with the DNS going on and we support any method of connection setup. We have done this because we understand the impact this can have on the experience of users.
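The leak described above can be checked from the routing table: if the best IPv6 route for a public destination does not leave through the tunnel interface, IPv6 traffic is bypassing the VPN. The following is an added example, not code from this article or from hide.me; it assumes Linux iproute2 output (`ip -4 route show`, `ip -6 route show`) with single-path routes, and the interface names `tun0` and `wlan0`, the probe addresses and the sample routes are constructed for illustration.

```python
import ipaddress

BLOCK_TYPES = {"unreachable", "blackhole", "prohibit"}
# Assumed probe destinations (public resolvers); nothing is sent to them.
PROBES = {4: "8.8.8.8", 6: "2001:4860:4860::8888"}

def parse_routes(text, version):
    """Parse `ip -4|-6 route show` lines into (network, device, metric)."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        blocked = bool(tok) and tok[0] in BLOCK_TYPES
        tok = tok[1:] if blocked else tok
        if not tok or not (blocked or "dev" in tok):
            continue
        dest = ("0.0.0.0/0" if version == 4 else "::/0") if tok[0] == "default" else tok[0]
        dev = None if blocked else tok[tok.index("dev") + 1]
        metric = int(tok[tok.index("metric") + 1]) if "metric" in tok else 0
        routes.append((ipaddress.ip_network(dest, strict=False), dev, metric))
    return routes

def egress(text, version):
    """Longest-prefix match, lowest metric on ties, for the probe address."""
    addr = ipaddress.ip_address(PROBES[version])
    hits = [r for r in parse_routes(text, version) if addr in r[0]]
    if not hits:
        return "no-route"
    return max(hits, key=lambda r: (r[0].prefixlen, -r[2]))[1] or "blocked"

def audit(v4_text, v6_text, tunnel_devs):
    """Classify each family: tunneled, blocked, no-route, or leak:<dev>."""
    report = {}
    for name, text, ver in (("ipv4", v4_text, 4), ("ipv6", v6_text, 6)):
        out = egress(text, ver)
        if out in tunnel_devs:
            out = "tunneled"
        elif out not in ("blocked", "no-route"):
            out = "leak:" + out
        report[name] = out
    return report

# Constructed samples: IPv4-only tunnel (two /1 routes override the default).
V4 = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
"""
V6_LEAK = "default via fe80::1 dev wlan0 proto ra metric 600 pref medium\n"
V6_TUNNELED = "2000::/3 dev tun0 metric 1024 pref medium\n" + V6_LEAK
V6_BLOCKED = "unreachable 2000::/3 dev lo metric 50 pref medium\n" + V6_LEAK
```

`audit(V4, V6_LEAK, {"tun0"})` reports IPv4 as tunneled and IPv6 as leaking via `wlan0`, which is the manual-configuration case; the other two samples show a VPN that carries IPv6 and an app that blocks it.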

Future-proofing your browsing

Due to the scarcity of IPv4 addresses, many mobile providers use IPv6 and enable transitional technologies. In other words, your mobile device gets an IPv6 address and uses that one for native IPv6 and tunneled IPv4 traffic (thanks to some clever DNS based trickery going on behind the scenes called NAT64 and DNS64). However, this sort of tunneling incurs a penalty. Google, Facebook et al. are far from pleased with such penalties, or with the DNS response rewrites, and support IPv6 completely to make sure their services work optimally. All the major players can and do run completely over IPv6 when there's no IPv4 configured or when IPv4 is transitionally tunneled.

It is not possible to access IPv6 sites without IPv6 being assigned by your ISP, unless of course you use a VPN that enables IPv6 for you. A few other technologies, namely Teredo, 6in4 and 6rd, can help but these are not widely used by the average VPN customer. ISPs are now slowly ramping up their IPv6 support, with Germany seemingly leading the way. All the major ISPs in Germany (Vodafone, UnityMedia, Kabel Deutschland and Deutsche Telekom) support native IPv6. Also in Germany, only O2, out of all the mobile providers, does not support native IPv6. And over in the UK, for example, the IPv6 adoption rate currently stands at 31%, meaning every third customer or so of a VPN provider needs IPv6 protection of some sort.

With the web transitioning to use the IPv6 protocol, future-proof your browsing by choosing a VPN provider that supports IPv6. This is no longer a case of a ‘nice to have’ - it’s an absolute must-have. When considering a VPN provider, sometimes there’s a tendency to look past the minor details and opt for the provider that makes bold promises with regard to speed, privacy and more. However, my advice is to choose a provider that offers IPv6 support, as the advantages provided are far-reaching.

Tomislav Čohar, co-founder, hide.me VPN