How to permanently disable IPv6

Hi,

I’m trying to permanently disable IPv6 because it is causing a leak with my VPN.

Doing this, I can disable it for the session, but IPv6 will re-enable after reboot:

sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
sudo sysctl -w net.ipv6.conf.default.disable_ipv6=1

I tried making a sysctl.d config, /etc/sysctl.d/99-disable-ipv6.conf:

net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1

# Loopback device
# net.ipv6.conf.lo.disable_ipv6=1

And do this:

sudo sysctl -p /etc/sysctl.d/99-disable-ipv6.conf

IPv6 is disabled, but it still doesn’t survive a reboot.

It turns out, when I restart NetworkManager like this:

sudo systemctl restart NetworkManager

IPv6 is automatically re-enabled, even if it was previously disabled by kernel variables.

Tried adding this to /etc/NetworkManager/NetworkManager.conf:

[connection]
ipv6.method=disabled

But restarting NetworkManager still re-enables IPv6.

Tried doing these:

$ nmcli connection show --active

NAME                      UUID                                  TYPE      DEVICE 
Wired connection 3        8ae9f6e5-b67c-3368-9740-364fa3012f06  ethernet  enp7s0 
lo                        0932eaf2-f3f5-44ec-8279-818edf3a4d5c  loopback  lo     
tun0                      5294db2e-b6c0-45b7-9c95-fdb27b8a1911  tun       tun0   

$ nmcli connection show "Wired connection 3" | grep -i ipv6

ipv4.dhcp-ipv6-only-preferred:          -1 (default)
ipv6.method:                            auto
...

$ sudo find / -name "*.nmconnection" 2>/dev/null

/run/NetworkManager/system-connections/tun0.nmconnection
/run/NetworkManager/system-connections/Wired connection 3.nmconnection
...

$ sudo cat /run/NetworkManager/system-connections/"Wired connection 3".nmconnection

[connection]
id=Wired connection 3
uuid=8ae9f6e5-b67c-3368-9740-364fa3012f06
type=ethernet
autoconnect-priority=-999
interface-name=enp7s0
timestamp=1762039409

[ethernet]

[ipv4]
method=auto

[ipv6]
addr-gen-mode=default
method=auto

[proxy]

[.nmmeta]
nm-generated=true

Now, the nm-generated=true. That would mean that the config for my ethernet connection is auto-generated.

Oh yeah, this also:

$ sudo journalctl -b | grep -i ipv6

# tons of these

Nov 10 16:01:16 omdv-01 NetworkManager[858]: <warn>  [1762765276.7882] ipv6ll[8d9a7b4e90cff4dc,ifindex=2]: changed: no IPv6 link local address to retry after Duplicate Address Detection failures (back off)
Nov 10 16:01:16 omdv-01 NetworkManager[858]: <warn>  [1762765276.7887] platform-linux: do-add-ip6-address[2: 2404:8000:1095:1339:7d0b:4d:b508:5678]: failure 13 (Permission denied - ipv6: IPv6 is disabled on this device)

So, how do I truly disable IPv6, the OpenMandriva way?

Thanks

Why?

It’s funny this topic has come up just now. Just the other day I was trying to get my old windows VPN working in Linux, since my subscription doesn’t expire until next year. It seemed from the provider documentation that they only supported installation of their CLI application on Ubuntu 22.04 & Fedora etc., but in reading a bit deeper, I found that they do provide configuration files that can be imported using the OMA / KDE System Settings GUI - “Wi-Fi & Internet”. Surprisingly enough, this “import VPN” connection wizard “just worked” for me.
Around the same time, from the same settings screen, I found that I could just select my current Wi-Fi Connection, click on the “IPv6” tab, and change the “Method” to “disabled” - again it just works - and it stays that way after rebooting.
Checking in the terminal just now:

$ nmcli connection show "#SSID#" | grep -i ipv6
ipv4.dhcp-ipv6-only-preferred:          -1 (default)
ipv6.method:                            disabled

I also checked my other PC with a wired network connection and it’s the same thing: IPv6 is still disabled, just done through the settings GUI.

hey,

have you tried kernel parameters?

autoconf=0
disable=1
disable_ipv6=1

see: https://docs.kernel.org/networking/ipv6.html

but i can also acknowledge @zeroability’s question: why?

greetings…

Thanks for the clarification. Please don’t stealth edit. Answer a reply directly. You can check the timestamp on edits, but it’s kind of rude.

I’m not sure what you mean by “causing leak with my VPN.”

This might be related to an offhand comment I heard in a Louis Rossmann video that users of “cheap” VPNs may unknowingly be exposing their local IPv6 address even when actively browsing the web behind an IP server with a foreign IPv4 address. It’s possible, being time-poor and ignorant of the detail, I may also have misunderstood this issue.

Haven’t read/watched that particular issue from Louis Rossmann yet, but it came from my own testing.

I performed a simple test: check what other websites say my IP is. Multiple such checking sites report different IPs for IPv4 and v6. Yes, IPv6 has a different format from IPv4, but it should resolve to a similar geolocation. The problem is, the IPv4 and IPv6 addresses resolve to vastly different geolocations from different Internet providers: the IPv4 is from my VPN provider, and the IPv6 is from my actual ISP, not related to the VPN provider.

This creates havoc for my account on YouTube and any other sites, detecting inconsistent IP addresses from my previous logins.

Disabling IPv6, at least on a per-session basis with sysctl, “corrects” that problem, at least until the next reboot when I “forgot” to sysctl to disable IPv6 again.

So, to reiterate, why I want to disable IPv6 is based on a real issue, not “something I heard somewhere”.

And also, I find it peculiar that NetworkManager seems to override settings from other subsystems (sysctl), and even editing /etc/NetworkManager/NetworkManager.conf has no effect.

Yes, sysctl disables IPv6, but from journalctl, it does seem NetworkManager doesn’t get the memo/hint and always tries to brute-force its way to establishing an IPv6 connection, spamming the log with such error notifications.

Well, I actually don’t get this. I didn’t do any “edits”, let alone “stealth” ones, to the original post. The explanation of why I want to disable IPv6 is actually the 1st sentence I wrote in the post, and only now am I checking this thread again.

BTW, for additional context to my reply to @Froozle, I’ve recently switched ISP. The older ISP didn’t provide IPv6 to connect to the net, but the new one does. I learned about this as I became suspicious of why the new tab screen of Brave browser prominently features ads instead of the usual photo background. This led to me finding out about the VPN leak: though correctly IPv4 protected, IPv6 reveals my true IP, and thus I get targeted, as it does seem that multiple websites detect whether both IPv4 and v6 are available, and select the one without any hints of VPN. When IPv6 is disabled, it’s just a single connection and the website has to respond to the VPN protected IPv4 connection.

Sure.

That’s because there is no NAT in IPv6. You will need your own firewall solution. For what it’s worth, you should probably read up more on how the protocol works and how to secure it.

Because they need to make money.

1 Like

Wait, can it be it’s that “simple”, use the GUI and clicking on things?

No need for a sysctl.d config, editing /etc/NetworkManager/NetworkManager.conf, or my current attempt to create a service that specifically runs after the NetworkManager service to turn off IPv6 using sysctl?

Am I over-complicating things here ? :face_with_peeking_eye:

$ nmcli connection show SSID | grep -i ipv6
ipv4.dhcp-ipv6-only-preferred:          -1 (default)
ipv6.method:                            auto
...

Changed the setting in “Wi-Fi & Networking” (SystemSettings) to disabled:

$ systemctl daemon-reload

$ nmcli connection show SSID | grep -i ipv6
ipv4.dhcp-ipv6-only-preferred:          -1 (default)
ipv6.method:                            disabled
...

Edit:

$ sudo cat /etc/NetworkManager/system-connections/<SSID>.nmconnection
[sudo] password for <uname>: 
[connection]
id=<SSID>
uuid=<XXXXXXXXXXXXXXXXXXXXXXXXXXXXX>
type=wifi
permissions=user:<uname>:;

[wifi]
mode=infrastructure
ssid=<SSID>

[wifi-security]
key-mgmt=wpa-psk
psk-flags=1

[ipv4]
method=auto

[ipv6]
addr-gen-mode=stable-privacy
method=disabled

[proxy]
1 Like
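
The keyfiles quoted in this thread differ in the `[ipv6]` `method=` line and in the `nm-generated=true` marker, so a quick audit of every `*.nmconnection` file shows which profiles would still bring IPv6 up. This is an added example, not part of any post above and not NetworkManager's or OpenMandriva's own tooling; the function names and the report format are made up for illustration, and the script only prints the `nmcli` change instead of running it.

```shell
#!/bin/sh
# Added example: report the IPv6 method of each NetworkManager keyfile profile.

# Print the value of KEY inside [SECTION] of an INI-style keyfile.
keyfile_get() {  # usage: keyfile_get FILE SECTION KEY
    awk -v sec="[$2]" -v key="$3" '
        /^\[/ { in_sec = ($0 == sec); next }
        in_sec {
            i = index($0, "=")
            if (i && substr($0, 1, i - 1) == key) { print substr($0, i + 1); exit }
        }' "$1"
}

# Emit "id|ipv6 method|origin|verdict" for one profile.
audit_profile() {  # usage: audit_profile FILE
    id=$(keyfile_get "$1" connection id)
    method=$(keyfile_get "$1" ipv6 method)
    generated=$(keyfile_get "$1" .nmmeta nm-generated)
    # No explicit method is reported as "unset" and counted as not disabled.
    [ -n "$method" ] || method=unset
    if [ "$method" = disabled ]; then verdict=ok; else verdict=ipv6-enabled; fi
    # nm-generated=true marks a profile NetworkManager created by itself.
    if [ "$generated" = true ]; then origin=nm-generated; else origin=saved; fi
    printf '%s|%s|%s|%s\n' "$id" "$method" "$origin" "$verdict"
}

audit_dirs() {  # usage: audit_dirs DIR...
    for dir in "$@"; do
        for f in "$dir"/*.nmconnection; do
            [ -f "$f" ] || continue
            audit_profile "$f"
        done
    done
}

# Turn audit lines into a readable report plus the nmcli change for each
# profile that still has IPv6 enabled (printed only, never executed).
suggest_fix() {
    while IFS='|' read -r id method origin verdict; do
        printf '%-24s ipv6.method=%-9s %-13s %s\n' "$id" "$method" "$origin" "$verdict"
        [ "$verdict" = ok ] ||
            printf '  fix: nmcli connection modify "%s" ipv6.method disabled\n' "$id"
    done
}

# The two directories that appear in the thread; reading them needs root.
audit_dirs /etc/NetworkManager/system-connections \
           /run/NetworkManager/system-connections | suggest_fix
```

Loopback and tunnel profiles are listed as well, so read the report per profile before applying a suggested change, and re-activate the profile afterwards (for example with `nmcli connection up`) so the new method takes effect.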

You could also configure your router to firewall your IPv6 connection if that is the crux of the issue. OM should already be in secure mode so that SLAAC doesn’t use your MAC address as part of your IPv6 address. Which means, you could run a dual stack with any number of FOSS VPN clients and servers that work with IPv6. There really isn’t a reason to disable it anymore.