This is indeed an interesting problem also described in bug #1091356 that is not specific to NetworkManager. A machine with IPv4 and IPv6 connectivity and IPv4 VPN connectivity with IPv4 and IPv6 DNS information from the VPN will always attempt to reach hosts via IPv6.
> This is a security issue, since a user activating the VPN would expect all to go through it.
There are two issues, actually:
1) Serving IPv6 DNS records and providing VPN access without IPv6 at the same time is a security problem in the first place. Clients that only use VPN for resources on the network are thus not informed about the IPv6 subnets that constitute resources on the network.
Solutions (on the network operator side):
a) Avoid IPv4-only VPNs and only provide IPv4+IPv6 VPNs.
b) Don't provide IPv6 DNS records on IPv4-only VPNs (and vice versa).
2) When VPN is to be used for all (except local) resources and only IPv4 connectivity is available on the VPN, there should IMO be no IPv6 default route through the local router just as there is no IPv4 default route through the local router.
From the network configuration point of view the second issue is as follows...
Expected result:
* IPv4 default route through VPN
* IPv6 default route absent (as VPN doesn't provide any)
Actual result (as I understand the bug report):
* IPv4 default route through VPN (good)
* IPv6 default route via local gateway (bad)
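An added check for the expected-vs-actual routing state above (example script, not from the bug report or NetworkManager): it classifies a host's default routes as leaking when the IPv4 default goes through the VPN interface but an IPv6 default still points at a local gateway. The VPN interface name (tun0) and the route lines are constructed assumptions.

```shell
#!/bin/sh
# Added example: detect the "IPv4 default via VPN, IPv6 default via local
# gateway" state described above. Inputs are the text of
# `ip -4 route show default` and `ip -6 route show default`.

# classify_routes V4_ROUTES V6_ROUTES VPN_IF
# Prints: ok | v6-leak | no-vpn-v4
classify_routes() {
    v4="$1"; v6="$2"; vpn_if="$3"
    # Expected: the IPv4 default route goes out the VPN interface.
    if ! printf '%s\n' "$v4" | grep -q "^default .* dev $vpn_if"; then
        echo no-vpn-v4
        return 0
    fi
    # Any IPv6 default route on a non-VPN interface bypasses the VPN.
    if printf '%s\n' "$v6" | grep "^default" | grep -qv "dev $vpn_if"; then
        echo v6-leak
        return 0
    fi
    echo ok
}

# Constructed sample route tables (assumed interface names tun0/eth0).
V4_VPN='default via 10.8.0.1 dev tun0 proto static metric 50'
V4_LOCAL='default via 192.168.1.1 dev eth0 proto dhcp metric 100'
V6_LOCAL='default via fe80::1 dev eth0 proto ra metric 100 pref medium'
V6_VPN='default dev tun0 proto static metric 50 pref medium'
V6_NONE=''

# Live use on a host: classify_routes "$(ip -4 route show default)" \
#     "$(ip -6 route show default)" tun0
printf 'v4 via VPN, v6 via local gateway: %s\n' \
    "$(classify_routes "$V4_VPN" "$V6_LOCAL" tun0)"
printf 'v4 via VPN, no v6 default:       %s\n' \
    "$(classify_routes "$V4_VPN" "$V6_NONE" tun0)"
```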