Home network IPv6 conundrum


ArmedAviator

I've come to a crossroads recently in my home network setup and am looking for some input.

In the past, I ran pfSense and all IPv6 was disabled. Traffic was forced through a VPN service, such as NordVPN, with a few exceptions that restricted the VPN service.

At present, my network is fully open traffic IPv4+IPv6 with only very specific traffic (by host IP) forced through VPN and IPv6 disabled on that host.

I'm considering going back to a more secure network setup with IPv6 disabled and all traffic forced through a VPN.

With regards to VPN performance, it's negligible in my case. 100/10Mbps is easily achieved with an acceptable increase in latency.

What do you lovely geniuses do?

FWIW, I'm considering this because I recently had a few displaced friends start living at my place and I prefer what they may do (torrents? misgender someone?) not come back on me and to generally harden my network.
 

ttabbal

I don't know how much more "secure" the network is with a VPN. You're moving the point where someone has access to the unencrypted traffic, but it does help somewhat with stupid ISPs and such.

There are VPN services that work with IPv6, so that's one option.

I think I would set up a VPN-only VLAN and put everyone else on that.
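
An added example, not part of the thread or any poster's configuration: a leak audit for a VPN-only guest VLAN like the one suggested above. It assumes a Linux router using policy routing, with input lines in the format of `ip route show table N` and `ip -6 route`; the interface names (`tun0`, `eth0`), the function names and all sample routes are constructed for illustration.

```python
# Added example: audit a guest VLAN's routing table for VPN leaks.
# Assumes Linux policy routing; all route lines below are constructed samples.
REJECT_TYPES = {"unreachable", "blackhole", "prohibit"}
DEFAULTS = {"default", "0.0.0.0/0", "::/0"}

def parse_default_routes(lines):
    """Return (route_type, device) for every default route in `ip route` output."""
    routes = []
    for line in lines:
        tok = line.split()
        rtype = "unicast"
        if tok and tok[0] in REJECT_TYPES:
            rtype, tok = tok[0], tok[1:]
        if not tok or tok[0] not in DEFAULTS:
            continue
        dev = tok[tok.index("dev") + 1] if "dev" in tok else None
        routes.append((rtype, dev))
    return routes

def audit_guest_table(v4_lines, v6_lines, tunnel_if):
    """List the ways guest traffic could leave without using the tunnel."""
    findings = []
    v4 = parse_default_routes(v4_lines)
    for rtype, dev in v4:
        if rtype == "unicast" and dev != tunnel_if:
            findings.append(f"IPv4 default route uses {dev}, not {tunnel_if}")
    if ("unicast", tunnel_if) not in v4:
        findings.append(f"no IPv4 default route via {tunnel_if}")
    # Without a reject route, a lookup that finds no tunnel route (tunnel down)
    # continues to the next rule, normally the main table and the ISP uplink.
    if not any(rtype in REJECT_TYPES for rtype, _ in v4):
        findings.append("no reject fallback: IPv4 leaks when the tunnel drops")
    for rtype, dev in parse_default_routes(v6_lines):
        if rtype == "unicast" and dev != tunnel_if:
            findings.append(f"IPv6 default route uses {dev}, bypassing {tunnel_if}")
    return findings

# Constructed samples: a table that leaks, and one that fails closed.
LEAKY_V4 = ["default dev tun0 scope link",
            "192.168.50.0/24 dev eth0.50 proto kernel scope link src 192.168.50.1"]
LEAKY_V6 = ["default via fe80::1 dev eth0 proto ra metric 1024 pref medium"]
HARDENED_V4 = ["default dev tun0 scope link",
               "unreachable default metric 4278198272"]
HARDENED_V6 = ["unreachable default dev lo metric 1024 pref medium"]

if __name__ == "__main__":
    for name, v4, v6 in (("leaky", LEAKY_V4, LEAKY_V6),
                         ("hardened", HARDENED_V4, HARDENED_V6)):
        print(name, audit_guest_table(v4, v6, "tun0") or "no findings")
```

The leaky sample shows the two gaps that matter for this setup: IPv4 falling back to the ISP uplink when the tunnel drops, and IPv6 router-advertised routes that never touch the tunnel at all.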
 

Stephan

Kudos for giving those friends a temporary home. But theoretically speaking...

Stop using any commercial VPN provider. There are only two kinds: Those who log traffic and whose logs can be subpoenaed by whoever. You will have gained nothing. And those who don't log and will soon be out of business with your money gone because court cases will drive them into bankruptcy. One by one. At least that is my understanding from the current tactics.

My advice is turn off IPv6 (nobody really needs it - still - after all these what 30 years now), get a VM in a jurisdiction with a) good peering to you i.e. good ping and speed and b) from a place that is distinctly away from your jurisdiction, i.e. when you are in the US, outside of North America. Create a VLAN, new interface or whatever and route all your friends over this connection. That hypothetical OpenVPN box shall NAT everything that wants to go out over its external interface, e.g. coming from the tunnel seeking a gateway. See if you can create a reverse-DNS entry for this VM and let it point to some generic Chinese website that is parked, to throw interested parties off some more. Like "www23.xiangzhou.yolo.cn". Because, who would want to litigate a hopeless case in China.

Remind your friends to not do anything particularly stupid, every week. Because it's your house. Of course have offsite backups that are reasonably current, just in case somebody gets really interested because one of your guests did something. You may not know beforehand because desperation, boredom, opportunity or addiction are powerful drivers.

Cheers.
 

RobstarUSA

I don't think anyone should be disabling IPv6 anymore. There just isn't any reason to, and since IP(v4) space has been gone for a while you will soon start seeing people who don't have IPv4 or only have IPv4 behind CGN.