shill: Enable blackhole_ipv6 for OpenVPN and L2TP/IPsec

The builtin VPN clients do not currently support IPv6. If the system's
physical network connection supports IPv6, IPv6 traffic will "leak" past
the VPN and out onto the untrusted LAN. Third party VPN clients
on Chrome OS and on Android block this, but:

- OpenVPN doesn't enable the option at all (blackhole_ipv6=false).
- L2TP/IPsec does enable the option, but it only works when
  per_device_routing is enabled, because adding a blackhole route with
  metric (x) to the `main` routing table collides with other metric (x)
  routes. The kernel will not let the two routes coexist, even
  temporarily.

So, enable blackhole_ipv6=true on OpenVPN, and always use per-device
routing tables if blackhole_ipv6 is enabled.

BUG=chromium:787674
TEST=`ping6 ipv6.google.com` while connected to each VPN
TEST=`test_that -b samus network_VPNConnect.openvpn`
TEST=`test_that -b samus network_VPNConnect.l2tpipsec_psk`
Change-Id: I7d3359db12d18dd322576ce2c841e297ffe2e13e
Reviewed-on: https://chromium-review.googlesource.com/784311
Commit-Ready: Kevin Cernekee <cernekee@chromium.org>
Tested-by: Kevin Cernekee <cernekee@chromium.org>
Reviewed-by: Ben Chan <benchan@chromium.org>
Reviewed-by: Kevin Cernekee <cernekee@chromium.org>
4 files changed
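
Added example, not part of this commit or of shill's code: a small Python model of the collision the message describes, treating a route as unique per (table, destination, metric) as the message states. The `ip -6 route` text, the interface name `wlan0` and the per-device table id `1003` are constructed for illustration.

```python
# Added example: models the (table, destination, metric) collision described
# in the commit message. Not shill code; all sample routes are constructed.
ROUTE_TYPES = {"unicast", "local", "blackhole", "unreachable", "prohibit",
               "throw", "anycast", "multicast", "broadcast"}

# Constructed `ip -6 route show table all` output; wlan0 is the physical link.
SAMPLE = """\
2001:db8:1::/64 dev wlan0 proto ra metric 10 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
default via fe80::1 dev wlan0 proto ra metric 10 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
"""


def parse_route(line):
    """Parse one line of `ip -6 route` text into a dict."""
    tok = line.split()
    # A leading type word is only printed for non-unicast routes.
    rtype = tok.pop(0) if tok[0] in ROUTE_TYPES else "unicast"
    route = {"type": rtype, "dst": tok[0], "table": "main",
             "metric": 1024, "dev": None}  # 1024: default IPv6 route metric
    # Walk adjacent token pairs and pick out the keyword/value ones we need.
    for key, val in zip(tok[1:], tok[2:]):
        if key in ("table", "dev"):
            route[key] = val
        elif key == "metric":
            route["metric"] = int(val)
    return route


def collisions(existing_text, planned_line):
    """Return existing routes sharing table, destination and metric with the
    planned route, i.e. the ones that would stop it from being added."""
    planned = parse_route(planned_line)
    key = (planned["table"], planned["dst"], planned["metric"])
    lines = filter(str.strip, existing_text.splitlines())
    return [r for r in map(parse_route, lines)
            if (r["table"], r["dst"], r["metric"]) == key]


if __name__ == "__main__":
    # Blackhole in `main` at the physical default route's metric: collides.
    print(collisions(SAMPLE, "blackhole default metric 10"))
    # Same route in a per-device table (1003 is a made-up id): no collision.
    print(collisions(SAMPLE, "blackhole default metric 10 table 1003"))
```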