Disable IPv6 only when a VPN connection is active

My ISP recently activated IPv6 on our service. This is now playing havoc with my IPv4 OpenVPN connections. The problem is that when I make connections, I want them to always go over the IPv4 VPN connection, but my system is prioritizing IPv6, and so the services I connect to think that I’m not on the VPN. In fact, when I’m on certain VPNs, I don’t even want to use the non-VPN IPv6 connection as a fallback—if I can’t connect to a service through the IPv4 VPN, I don’t want to connect at all.

I usually connect to the VPNs using Plasma’s NetworkManager panel applet. Is there any way I can configure it so that all existing IPv6 connections are automatically disabled when I connect to a VPN, and automatically enabled again when I disconnect from the VPN? Failing that, is there any way of configuring NetworkManager (the upstream tool, not the KDE applet) to automatically do this?

Which desktop? The KDE NM connection editor has an option ‘IPv4 is required for this connection’ which can be enabled. There should be something similar if using Gnome.

BTW, it adds the ‘may-fail=false’ entry to the applicable connection file in the /etc/NetworkManager/system-connections/ directory…


…so you could just edit by hand if desired. It should take effect when the connection is next activated.

As I mentioned in my OP, I am using KDE.

The KDE NM connection editor has an option ‘IPv4 is required for this connection’ which can be enabled. There should be something similar if using Gnome.
I think you may have misunderstood my question. I am not asking how to enable IPv4 for my VPN connection; that already works fine. I am asking how to disable IPv6 on my regular ethernet/wireless connection whenever the VPN is active, so that I can force my computer to route all traffic over the IPv4 VPN. The checkbox you refer to has no effect on IPv6.

Then use a dispatcher script to disable IPv6 when VPN connection is active.

IPv6 can be disabled on the on the fly with

sysctl -w net.ipv6.conf.all.disable_ipv6=1

and enabled again when the VPN connection is deactivated.

Thanks. I take it, then, that there is no way of doing this from the Plasma widget? Perhaps a feature request is in order…

In the meantime, I called up my ISP and got them to switch me back to IPv4-only. This is not a long-term solution but prevents me from having to mess around with scripts for the time being.

The long time solution is of course that you (or anybody else) do not bother if a connection uses IPv4 or IPv6. Thus I doubt if asking to build in such switches in software will get much support.

Sure, I would love not to have to care whether a given connection goes over IPv4 or IPv6. But as I mentioned in my original post, not caring is not an option when you are using a VPN and need to make sure that all your network traffic goes through that VPN. I can’t help it if the VPNs I must use for my job are IPv4-only. I am certainly not the only person in this situation—for instance, a quick survey of commercial “privacy VPN” services show that many of them are also IPv4-only. At least one of them says that this is because of security/privacy problems with IPv6 implementations and with how some VPN software handles IPv6. (I have no idea whether OpenVPN and Linux’s IPv6 stack are among those affected by these problems.)

So my not caring about IPv4/IPv6 will need to wait until my VPN providers don’t care about it either, and that in turn will need to wait until those providers are satisfied enough with the security/privacy of IPv6 implementations that they start supporting them.

I do not deny what you say, but you suggest a feature request and I doubt that that will stir people into activity because they will probably not put resources into it for the reasons I explained above (after all IPv6 should already be supported by all involved for many years). But you can of course always try.

You could just permanently disable IPV6 on your openSUSE all the time (whether vpn up or vpn down). in openSUSE-LEAP-42.3 (I have not tried with Tumbleweed) this can be done via YaST > system > network settings. Change to use the “Network Manager”. Also in that menu ensure “enable IPv6” is not selected. You need to reboot to have that applied.

Its not precisely what you asked for - but it does stop IPV6.