FORUMS
Remove All Ads from XDA

[GUIDE/APP][ROOT] Disable/Block IPv6 on Android (Prevent IPv6 Leak on VPN)

308 posts
Thanks Meter: 206
 
By CanMan1, Senior Member on 22nd January 2016, 08:31 AM
Post Reply Email Thread
Note For Moderators:
Please move this thread to somewhere in forum.xda-developers.com/android if that's a better fit.


Simple App Alternative/Supplement [UNTESTED]

With AFWall+ 2.9.0, you can now block IPv6 with iptables.

NOTE
This only blocks IPv6 with a firewall. It does not disable IPv6. See the main guide to disable it.

Requirement(s)
  • Root
  • *Recommended: init.d or su.d (SuperSU) support. HTC devices musts be configured for S-OFF
Download
https://f-droid.org/app/dev.ukanth.ufirewall
https://play.google.com/store/apps/d...anth.ufirewall

Instructions
To block IPv6, go to Preferences, Rules/Connectivity, Block IPv6.
*Recommended: Fix startup data leak by going to Preferences, Experimental, Fix startup data leak

Explanation
GitHub Commit for Block IPv6 feature:
https://github.com/ukanth/afwall/com...010372d4596829


Main Guide and Background
Requirements
  • Root
  • *init.d support and knowledge of how to create and install init.d scripts
  • 1 WiFi interface (wlan0). If you have more than 1, then ask for custom instructions.
  • The following file system paths exist:
    /proc/sys/net/ipv6/conf/wlan0/accept_ra
    /proc/sys/net/ipv6/conf/all/disable_ipv6
  • **Kernel that doesn't load an IPv6 module but instead has IPv6 built in (I may make a separate guide for kernels with a loadable IPv6 module if asked)
*Optional with method 2 (To be added upon request. Uses SManager instead of init.d)
**Optional


Background
After trying a lot of non functional methods for disabling IPv6, then using a working but sometimes high battery drain one, I decided to read the Linux kernel documentation and create my own method. All of the methods I've seen do not keep IPv6 disabled on the WiFi interface when there is a network change, or they drain battery by disabling IPv6 after a network change.

This method has only been tested on Note5 LP 5.1.1 SkyHigh kernel, but it should work for any device that meets the requirements.

Apps Using this Method
Synapse for SkyHigh kernel Note5.
https://i.imgur.com/W1wftgTh.jpg
If someone uses this method in their app or wants to make a FOSS app for this, please let me know.

Functionality
No reboot needed. Modifications persist across network changes, but reset on boot. Thus, an init.d script is used. Notes: I haven't tested IPv6 over data as my provider doesn't seem to support it, but rmnet0/disable_ipv6 didn't reset when switching to data from Wi-Fi . wlan0/disable_ipv6 resets on reconnect, but there should be no IPv6 addresses on the interface.

Instructions (scripts at end of post and attached)
Click here to test if IPv6 is supported and working before continuing.
Disable IPv6
Add disable IPv6 script to init.d
Run disable script as root (you can use an app such as SManager)
Script needs to be re-added to init.d after flashing a ROM (I may create a flashable zip)

Optional
(may interfere with Afwall+ if IPv6 support is enabled)
Maybe rename/backup ip6tables when disabling IPv6 since it won't be used, then rename/restore it when enabling IPv6.

Enable IPv6
Delete disable IPv6 init.d script
Run enable IPv6 script as root
Wait up to 30s for IPv6 addresses to be added

Explanation of Script Commands
https://www.kernel.org/doc/Documenta.../ip-sysctl.txt



Scripts
Disable IPv6 (name: 00disable_ipv6)
#!/system/bin/sh
# Disable IPv6
echo 0 > /proc/sys/net/ipv6/conf/wlan0/accept_ra
echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6

Enable IPv6 (name: 00disable_ipv6_reset)
#!/system/bin/sh
# Enable IPv6
echo 1 > /proc/sys/net/ipv6/conf/wlan0/accept_ra
echo 0 > /proc/sys/net/ipv6/conf/all/disable_ipv6



Testing IPv6
http://test-ipv6.com
https://diafygi.github.io/webrtc-ips/ (IPv6 addresses may still show until reconnect or reboot. Will try to fix if someone reports this issue)



Side Notes
Not even the paid play store app Disable IPv6 Pro or the free Pv6 Auto Disable work as simply or effectively. Those apps also increases battery drain like the free network change method I used before, whereas this method should have no effect on battery. So, AFAIK, it's the best method available for our android devices.

VPN/Privacy Notes
If using a VPN with IPv6 support, you don't need this guide. Otherwise, I recommend using Firefox with WebRTC disabled to prevent your public IPv6 address from leaking. Alternatively, you can block all connections that don't go through your VPN using iptables (eg. AFwall+).
Attached Files
File Type: zip Scripts.zip - [Click for QR Code] (434 Bytes, 5280 views)
The Following 16 Users Say Thank You to CanMan1 For This Useful Post: [ View ] Gift CanMan1 Ad-Free
31st January 2016, 02:05 PM |#2  
Senior Member
Thanks Meter: 34
 
More
Is that attachment a flashable ZIP? I've got a Moto E 2015 (Stock, rooted, with TWRP, squid kernel) that I'd try it out on.
31st January 2016, 05:43 PM |#3  
OP Senior Member
Thanks Meter: 206
 
More
Quote:
Originally Posted by harryspar

Is that attachment a flashable ZIP? I've got a Moto E 2015 (Stock, rooted, with TWRP, squid kernel) that I'd try it out on.

No, it's just the scripts. You have to follow the instructions to disable IPv6. I may make flashable zips if requested.
8th February 2016, 02:25 AM |#4  
mrrocketdog's Avatar
Senior Member
Thanks Meter: 1,736
 
More
so i can surmise i dont need to disable , since support isnt there ¿

"err on the side of kindness"
8th February 2016, 02:33 AM |#5  
OP Senior Member
Thanks Meter: 206
 
More
Quote:
Originally Posted by mrrocketdog

so i can surmise i dont need to disable , since support isnt there ¿

"err on the side of kindness"

You may want to remove your IP address from the screenshots.

If you use the script, you shouldn't see any difference on that interface/network configuration since IPv6 isn't supported. But you're Wi-Fi connection might have IPv6 support. So if you have a good reason to disable IPv6 (Eg privacy), then use the script. If not, then using it will not make any difference with your current network configuration.
The Following 2 Users Say Thank You to CanMan1 For This Useful Post: [ View ] Gift CanMan1 Ad-Free
8th February 2016, 03:35 AM |#6  
mrrocketdog's Avatar
Senior Member
Thanks Meter: 1,736
 
More
love the zips for ease. love more having to use my brain and knowing what i just did.

"err on the side of kindness"
7th April 2016, 11:01 PM |#7  
Junior Member
Thanks Meter: 0
 
More
I have put it at /etc/init.d, but I guess this folder is requested only at boot. Where to place this script that it is executed on every change of network. I am asking, because I dont know when the ipv6 settings are resetted and why...
27th April 2016, 05:59 PM |#8  
Member
Thanks Meter: 6
 
More
@CanMan1, I have kernel version 3.4.67 in my device. When I install custom Lolipop rom vpn doesn't connect having ipv6. It connect only ipv4. I doesn't have ipv6 function in kernel. How to disable make ipv4 work instead of ipv6 ? Which most of vpn providers use.

Sent from my Hol-U19 using XDA-Developers mobile app
29th April 2016, 10:18 PM |#9  
OP Senior Member
Thanks Meter: 206
 
More
Quote:
Originally Posted by God-Future

I have put it at /etc/init.d, but I guess this folder is requested only at boot. Where to place this script that it is executed on every change of network. I am asking, because I dont know when the ipv6 settings are resetted and why...

That is normal, and IPv6 should stay disabled.

The IPv6 disable setting will reset on network change, but you won't have any IPv6 addresses. For more details, read the OP and look at accept_ra in the Linux kernel documentation.

You can test IPv6 connectivity with the links in the OP.

Quote:
Originally Posted by Yagnik Sojitra

@CanMan1, I have kernel version 3.4.67 in my device. When I install custom Lolipop rom vpn doesn't connect having ipv6. It connect only ipv4. I doesn't have ipv6 function in kernel. How to disable make ipv4 work instead of ipv6 ? Which most of vpn providers use.

I'm confused by your question.

You want IPv4 to work instead of IPv6. But you are connecting to your VPN through IPv4. And your kernel doesn't support IPv6. So I don't understand how disabling IPv6 (this thread) can help you.

Please clarify.


I'm using OpenVPN for Android with a custom configuration.
30th April 2016, 07:56 AM |#10  
Member
Thanks Meter: 6
 
More
In lolipop rom vpn connects with ipv6.

Sent from my Hol-U19 using XDA-Developers mobile app
1st May 2016, 06:01 AM |#11  
OP Senior Member
Thanks Meter: 206
 
More
Quote:
Originally Posted by Yagnik Sojitra

In lolipop rom vpn connects with ipv6.

I'm still confused by what you've said.

If your kernel doesn't support IPv6, and you followed the instructions in the OP, then it's impossible for the VPN to connect through IPv6.

If your device has more than 1 Wi-Fi interface, then you'll need to add all interfaces to the scripts for IPv6 to be disabled. I can do this for you if needed.

Follow the instructions in the OP if you want IPv6 to be disabled. Or, use a custom OpenVPN configuration if you want to connect through IPv4 only.
Post Reply Subscribe to Thread

Tags
ipv6, privacy

Guest Quick Reply (no urls or BBcode)
Message:
Previous Thread Next Thread
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes