Make block local work in IPv6 as well #509

roop · 2023-02-03T19:51:09Z

Fixes #323.

The actual code changes are in eduvpn/tunnelkit (Commit).

The original code used to do:

Find the default route
Find the broadest route routing into the gateway of the default route
Partition that route into two routes (to make that override the original route), routing into the tunnel

In IPv6, the following things make this not work:

Some default routes route into non-existant "utun" interfaces (maybe not cleaned up by the OS yet)
- Solution: Need filter out these routes
The broadest route can be a link-local address
- Solution: Need to find a link-layer address that routes into the interface of the default route (broadest, if there are many)

To test it:

Connect to a wifi network that allocates a public IPv6 address to our machine (say A)
In another machine (say B), connect to the same wifi network
run ifconfig en0 in Machine B, note down the secured IPv6 address
From Machine A, ping6 to the Machine B's IPv6 address (should work)
In Machine A, connect to a VPN server that sets block-local
From Machine A, ping6 to the Machine B's IPv6 address (should not work while tunnel is on)

roop added 2 commits February 4, 2023 01:00

Update eduvpn/tunnelkit

c267106

Update changelog

d1bdf4b

roop requested review from jeroenleenarts and johankool February 3, 2023 19:51

johankool approved these changes Feb 8, 2023

View reviewed changes

Provide feedback