Preamble
This is a very narrow-minded study, or rather a personal note on what one can expect in a world where IPv6 is gaining ground – slowly but surely. All kinds of annoyances follow from that because the stakeholders and service providers are not all walking at the same pace. I was wondering whether there is anything I can do about my Linux-running (not Android) phone leaking its IPv6 address despite the two well-known Virtual Private Network (VPN) providers I am using.
Spoiler: yes, in my particular configuration there are some options, but if you do not have exactly the configuration below it is likely not reproducible. It is better that you write to your VPN providers, like I did, and require IPv4/IPv6-enabled servers for your money.
Configuration:
- Phone: Sony Xperia 10 III
- OS: SailfishOS 4.5.0.16 (Struven ketju) (Jolla Oy)
- Device adaptation: 1.0.1.12
- VPNs: ProtonVPN and NordVPN
ProtonVPN is used below; it also has instructions, “How to manually configure OpenVPN for Proton VPN in Linux”. They work on the most common Linux distros, but unfortunately not on SailfishOS (SFOS): that would have been too easy.
Notably, the installed OpenVPN script /etc/openvpn/update-resolv-conf is useless, since it searches for RESOLVCONF=$(type -p resolvconf), which does not exist on an SFOS phone – connman is used instead. The script does nothing, so it does not hurt to leave it in place and avoid changing the .ovpn files provided by the VPN provider, ProtonVPN in this case.
Assumptions
You need to be familiar with the IPv4 / IPv6 differences at a conceptual level (like yeah, short IP addresses vs. long IP addresses), and with whether your phone’s provider supports only IPv6 on your phone (and, with SFOS, VoLTE – voice on 4G): even if you define Dual protocol (for IPv4 and IPv6) in the Data Access Point settings – or Jolla defines it for you – that does not mean it always ends up that way. One good indication that it has ended up as IPv6-only is that your phone can browse the Internet but cannot act as a hotspot for your beloved Windows machine or others – they emit IPv4 addresses only, but in this case there is nobody on your phone to route them to the Internet.
Under the hood
In this business, looking at the forever rotating circle on the SFOS GUI does not help us understand what is happening. One needs to be root, use connman, and read / modify the configuration files. Log in to your phone over a USB cable as the default user.
Use devel-su:
[root@Xperia10III defaultuser]#
If connmanctl is not yet available in your SFOS installation:
zypper install connman-tools
- connmanctl --help: Check this first. If you enter connmanctl without any parameter, you can give commands while staying in the connmanctl “shell”; use exit to leave it. For simplicity, we use only the commands inside connmanctl below, but you can also type them directly from the bash shell.
- technologies: Gives information about the state of the different communication subsystems.
- services: Gives a list of names which allows you to find them in the file system or to refer to them in connmanctl.
- connmanctl monitor --vpnconnection on: Useful for debugging, to study the events when you turn a VPN connection on or off. Note that to get some output it is better to start this with the full connmanctl command line from the bash shell as devel-su.
- vpnconnections: Same as the above but restricted to VPN. For example, we get:
…* a-US-999.protonvpn vpn_node_us_999_protonvpn_net_sailfishos_org_9
…
The first is the human-readable name I have given to the VPN profile. The second is formed by connman-vpn by adding a “domain name” to the fully qualified name (FQN) I have entered in the profile’s server field instead of the IPv4 address the .ovpn file gives me. There is no IPv4 DNS available at this point, when an IPv6-only connection is searching for the VPN server; instead you need to feed the FQN to the DNS server of the IPv6-only service provider.
Back in the bash shell, as devel-su, we search for the location of the configuration files:
find /home/defaultuser -name "vpn_node_us_999_protonvpn_net*"
/home/defaultuser/.local/share/system/privileged/connman-vpn/vpn_node_us_999_protonvpn_net_sailfishos_org_9
ls /home/defaultuser/.local/share/system/privileged/connman-vpn/vpn_node_us_999_protonvpn_net_sailfishos_org_9
settings
file /home/defaultuser/.local/share/system/privileged/connman-vpn/vpn_node_us_999_protonvpn_net_sailfishos_org_9/settings
ASCII text
cat /home/defaultuser/.local/share/system/privileged/connman-vpn/vpn_node_us_999_protonvpn_net_sailfishos_org_9/settings
[vpn_node_us_999_protonvpn_net_sailfishos_org_9]
Name=a-US-999.protonvpn
SplitRouting=false
AutoConnect=false
Modified=2023-02-11T07:24:45.495025+01
IPv4.method=fixed
IPv4.netmask_prefixlen=16
IPv4.local_address=10.--.--.8
IPv6.method=off
IPv6.privacy=disabled
The above privileged directory, connman-vpn, also contains a folder whose name starts with provider_node_xyz... instead of vpn_node_xyz... It also has a settings file, in which you can find the parameters you have set (or the defaults you accepted) with the SFOS VPN-edit GUI. At the end of that settings file there is a link, OpenVPN.ConfigFile=, to the configuration file, which has a random numeric name but a .conf extension. Dump that with cat and you will find the settings from the .ovpn file you imported when you set up a new connection in the SFOS VPN-edit GUI.
To get all the active settings, first type connmanctl vpnconnections and then the same with connmanctl vpnconnections <connection> (the second, full name). You will see that the server (Proton here) provides the right DHCP options and the configuration is filled with values, like
IPv4 = [ Address=10.--.--.5, Netmask=255.255.0.0 ]
Nameservers = [ 10.--.--.1 ]
So, there is no reason to make use of
connmanctl config vpn_node_us_999_protonvpn_net_sailfishos_org_9 --nameservers 10.--.--.1
Anyway, it does not work on this (apparently virtual) interface if you try…
Error vpn_node_us_999_protonvpn_net_sailfishos_org_9: Method "SetProperty" with signature "sv" on interface "net.connman.Service" doesn't exist
But if you look up an IP address with getent, you get only IPv6 replies. Let’s try to change the cellular connection itself. Check the cellular service name with connmanctl services and set its name server to the same one as provided by the VPN server’s DHCP.
Note that the phone’s cellular service directory is not in the user folder but in the system’s “home” folder:
[root@Xperia10III defaultuser]# find / -name "cellular_208016303493665_context1"
/home/.system/var/lib/connman/cellular_208016303493665_context1
The command below modifies the file, so the modifications are persistent; the errors are persistent, too…
connmanctl config cellular_208016303493665_context1 --nameservers 10.--.--.1
It is a good idea to make a backup of the settings file of the cellular service at this point. I did not… and the above DNS-trial made the cellular data all but useless – but one can always remove the settings file and then restart the phone from cold again – it will build a new settings file.
Build a new settings-file with SIM on Slot 2
Since I accidentally screwed up the settings in my cellular service’s settings file, I need to rebuild it with defaults. Since I wanted to check the different behavior of SIM Slot 2 on this phone, I turned off the phone, changed the SIM card to Slot 2 and started the phone from cold. Now back to the
The following parameter can only be changed by editing the settings file:
IPv6.privacy=enabled (is disabled by default)
The resulting settings (in Slot2) look like this:
[cellular_208016303493665_context1]
Name=<access point>
Favorite=true
AutoConnect=true
Modified=2023-02-11T13:13:48.891258+01
IPv4.method=fixed
IPv4.netmask_prefixlen=29
IPv4.local_address=10.--.--.44
IPv4.gateway=10.--.--.45
IPv6.method=auto
IPv6.privacy=enabled
Commands to check the IPv4 and IPv6 routing
ip -4 r
ip -6 r
There should now be both.
Leaks?
With these settings (in Slot2), and with the Proton VPN profile set, without further modification, to resolve the server’s FQN rather than use the IPv4 address, everything works as expected. With ipleak.net we get:
No IPv6 address leaked with either the native SFOS browser or the Vivaldi (Android) browser. Vivaldi also hides the local address broadcast via WebRTC, but the native SFOS browser reveals it. Both hide the DNS completely.
Using Slot2 we have a working solution for IPv4-based VPN.
The hotspot is working. Everything is like before, in the good old days. But we no longer have an SD card in the Sony Xperia 10 III…
Behavior in Slot1 with IPv6-only service
Let’s now try to move the SIM card back to Slot1, removing the cellular service’s settings file first.
After one reboot (from cold), the settings file looks like this:
Name=<access point>
Favorite=true
AutoConnect=true
Modified=2023-02-11T16:05:32.591085+01
IPv4.method=off
IPv6.method=fixed
IPv6.privacy=disabled
IPv6.netmask_prefixlen=64
IPv6.local_address=2a01:cb1e:0006:----:----:cba6:789c:7b8a
IPv6.gateway=fe80:0000:0000:0000:f810:----:----:4502
The operation is as I have observed before: ProtonVPN does better than NordVPN, and the only thing now revealed to ipleak.net is the actual IPv6 address… Well, that’s annoying for a VPN!
Let’s try changing to IPv6.privacy=enabled.
Unfortunately, this does not prevent the VPN connection from leaking the actual IPv6 address to ipleak.net.
Trying further to disable IPv6 in the VPN connection’s profile using the GUI: it does not connect anymore.
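The two cellular outcomes above can be told apart directly from the connman settings files, without waiting for ipleak.net. The script below is an added example, not part of the original post: the function names setting, stack_mode and leak_case are hypothetical, and the sample files are constructed by reducing the listings shown earlier.

```shell
#!/bin/sh
# Added example (not from the original post): classify connman settings files.

# Print the value of KEY from a connman settings file (lines of Key=Value).
setting() {  # usage: setting FILE KEY
    awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); print; exit }' "$1"
}

# Report which address families a service has enabled.
stack_mode() {  # usage: stack_mode FILE
    v4=$(setting "$1" IPv4.method)
    v6=$(setting "$1" IPv6.method)
    # Assumption: a missing key is treated like "off".
    case "${v4:-off}/${v6:-off}" in
        off/off) echo none ;;
        off/*)   echo ipv6-only ;;
        */off)   echo ipv4-only ;;
        *)       echo dual-stack ;;
    esac
}

# Compare the cellular service with the VPN service and name the case from the post.
leak_case() {  # usage: leak_case CELLULAR_SETTINGS VPN_SETTINGS
    case "$(stack_mode "$1")+$(stack_mode "$2")" in
        ipv6-only+ipv4-only)  echo "slot1-case: IPv6 address shown by ipleak.net" ;;
        dual-stack+ipv4-only) echo "slot2-case: no IPv6 leak seen on ipleak.net" ;;
        *)                    echo "other: not covered by the post, test it yourself" ;;
    esac
}

# Constructed sample files, reduced from the listings in the post.
SAMPLES=$(mktemp -d)
printf '%s\n' '[vpn_node_us_999_protonvpn_net_sailfishos_org_9]' \
    'IPv4.method=fixed' 'IPv6.method=off' 'IPv6.privacy=disabled' > "$SAMPLES/vpn"
printf '%s\n' '[cellular_208016303493665_context1]' \
    'IPv4.method=fixed' 'IPv6.method=auto' 'IPv6.privacy=enabled' > "$SAMPLES/slot2"
printf '%s\n' 'IPv4.method=off' 'IPv6.method=fixed' \
    'IPv6.privacy=disabled' 'IPv6.netmask_prefixlen=64' > "$SAMPLES/slot1"

leak_case "$SAMPLES/slot1" "$SAMPLES/vpn"
leak_case "$SAMPLES/slot2" "$SAMPLES/vpn"
```

On the phone, run leak_case as devel-su against the real settings files in the cellular and connman-vpn directories found earlier instead of the sample files.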
Conclusion
If you have an IPv6-only ISP (or your ISP somehow thinks that SFOS wants only IPv6) and do not want to use VoLTE, you can try using slot 2 (it is not guaranteed to work with providers other than mine, but some feedback in the forums says it works for others, too) to get full protection with no leaks and to be able to use the phone as a hotspot. But you will lose the SD card.
If you use slot 1, you get IPv6, can browse the Internet as before and can enjoy IP calls with VoLTE.
With your IPv4-only VPN provider on this IPv6-only configuration you get IPv4 and its routing (so that the phone can be used as a hotspot with it). But your VPN is leaking your phone’s IPv6 address.
I reckon that there is no alternative but to have a VPN provider that works with both IPv4 and IPv6. Make your VPN provider understand that this is needed. Meanwhile, there is slot 2, which allows you (perhaps, with your provider) to go to IPv4-only mode if the SD card and VoLTE calls are less important to you.