You may not realize it, but the web is undergoing a protocol upgrade because we’ve run out of IP addresses. Under the current (IPv4) system, there are approximately 4.3 billion IP addresses, which is actually fewer than the current number of internet-capable devices.
So the web will be slowly transitioning to use the IPv6 protocol which supports a theoretical total of 2128 which is a number so large it’s hard to get your mind around.
But for a variety of reasons, most VPN providers don’t support the IPv6 protocol yet. This article will explore the pros and cons of allowing IPv6 over VPN, and you’ll also learn which VPN providers currently support the IPv6 protocol.
What you need to know about IPv6?
Do I even need IPv6?
The short answer is no, not right now. And probably not for the foreseeable future either.
Even though there are more devices than IP addresses, many devices can (and do) share the same IP address. For example, every device on your home wifi network has the same external ip address.
Eventually the entire web will switch transition over to IPv6, but the best estimates of when that will happen put the shift nearly 20 years in the future (around 2035).
And if you don’t use IPv6 right now you aren’t really missing out on anything. Almost no websites require IPv6, and many sites and services don’t even offer an IPv6 address yet. Heck, many routers made this decade don’t even have IPv6 support.
And many VPN users actually have IPv6 manually disabled on their router (or VPN software) for security reasons (covered below). I personally have never experienced a problem or had trouble accessing a site because IPv6 is off.
Why don’t some VPNs support IPv6?
A significant percentage of the most popular VPN providers don’t support IPv6 or allow the option to disable it in their software.
There are two main reasons why:
- There’s no real use for it yet, so enabling it just adds complexity.
- There are some privacy risks (IPv6 address leaks) to using IPv6 with a VPN on older OS’s and before the tech is widely adopted.
IPv6 Leaks
IPv6 leaks are one of the possible VPN leaks that can threaten your security when using a VPN.
What’s an IPv6 Leak? You may not realize it, but if your internet provider (ISP) supports IPv6 already (most in the USA do) then your computer actually has an IPv6 address in addition to a traditional IPv4 address. And when using a VPN, that IPv6 address could accidentally leak if you’re VPN doesn’t have leak protection.
As a result VPN providers have opted for 1 of 2 possible fixes for IPv6 leaks:
- Custom code in the VPN server/app to prevent IPv6 leaks
- Blocking IPv6 altogether (NordVPN is a well-known VPN that chose this option).
What if your VPN doesn’t plug IPv6 leaks? Even if this is the case, it’s still super simple to fix on your own. You can either disable IPv6 in your router settings (the ASUS routers we recommend all have this option).
Or you can simply disable IPv6 directly on your Windows or Mac computer.
VPNs that do (and don’t) support IPv6
The current list of VPNs that fully support IPv6 is quite small, most providers simply block the protocol or route it to a ‘black hole’ as NordVPN does.
VPNs with full or partial IPv6 Support:
- Cyberghost
- Perfect Privacy
- AirVPN (as of June 2018)
Below you’ll find a more-detailed look at the current IPv6 policy and roadmap for several of the largest VPN companies.
Cyberghost (supports IPv6)
Cyberghost is one of our highest rated VPNs thanks to their zero-log policy, excellent software, and affordable pricing.
And they’re one of the only VPNs that currently 100% supports IPv6. They even have a dedicated help policy on the subject which states:
Even better, our tests during our Cyberghost Review process found no evidence of IPv6 leaks, so it appears their implementation is quite secure.
ExpressVPN (Blocks IPv6)
ExpressVPN is one of the more popular VPN services, despite its above-average pricing. Their software is some of the best in the industry, but ExpressVPN doesn’t support IPv6 yet.
There’s no info on their website about a roadmap or any plans to support IPv6 (though eventually they will be forced to when the technology is more mainstream). Unlike some VPNs, IPv6 doesn’t ‘plug’ IPv6 leaks but instead blocks the protocol entirely as shown in our ExpressVPN review.
IPVanish (No IPv6 Support)
IPVanish doesn’t support IPv6, and their public documentation says that IPv6 connections may be routed outside the VPN tunnel. The IPVanish software does currently have optional IPv6 leak protection or you can manually disable IPv6 on your router to be safe.
IPVanish has stated that they do intend to fully support IPv6 but a firm date for the rollout hasn’t been released yet. Our best guess is they’ll prioritize it when other big VPN players start making the switch.
NordVPN (Blocks IPv6)
NordVPN doesn’t support IPv6 but they have built always-on IPV6 leak protection into their desktop and mobile software. Their solution won’t route IPv6 insecurely but instead directs it to a ‘black hole’ inside the VPN tunnel.
Essentially it blocks all IPv6 connectivity without ever exposing your IPv6 address through leaks. NordVPN is one of our favorite Zero-Log VPN services and is fully Netflix-compatible (not blocked). Even better, they’re running an amazing deal that gets you 2 years of service for under $4/month.
Private Internet Access (Blocks IPv6)
Like most of their peers, Private Internet Access blocks IPv6 while routing it inside the VPN tunnel to ensure there are no leaks. This option can be toggled from inside PIA’s software if for some reason you do want to enable IPv6.
Currently PIA has no public roadmap for IPv6 support. That said, it’s still one of the best VPNs for the money, period. Check out our PIA review to see why we love their service so freakin much.
VyprVPN (No IPv6 Support)
VyprVPN does a lot of things amazingly well. Their best-in-class software is a great example of this. Unfortunately their IPv6 support is one weak spot.
Not only does VyprVPN no support the protocol, but to they haven’t implemented specific IPv6 leak blocking in their software, meaning IPv6 traffic could theoretically be routed outside the VPN tunnel. Their help forum suggests their is no specific roadmap for IPv6 leak protection or support.
What to do if your VPN doesn’t support IPv6
It’s important to understand that while you don’t actually need IPv6 right now, it is essential to make sure that IPv6 traffic isn’t being routed insecurely. This could compromise some of the anonymity that a VPN provides by exposing your IPv6 address to websites, streaming services or BitTorrent peers.
No, you don’t need to switch VPN providers.
You just need to block IPv6. And it’s really easy. You can do it at the router level (disable IPv6 for all your connected devices) or on a single device like your PC. At this time there’s no easy way to disable IPv6 on an Android or iPhone device so you’re better off using the router method.
Each router (if it supports IPv6) will have it’s own settings menu to disable/block IPv6. On all ASUSWRT routers (which we love), IPv6 can easily be disabled by going to:
Advanced Settings > IPv6 > Disable IPv6
Testing for IPv6 Leaks
An important step in securing your IPv6 connections to make sure that your VPN (or your router) is correctly blocking IPv6 connectivity. A great site for this is ipleak.net.
If the test can’t detect your IPv6 address (as shown below) then your leak protection (or IPv6-blocking) is working correctly.
Be aware that an IPv6 blackhole can introduce significant performance hits on sites that are dual stacked. Depending on your OS, this hit can be anywhere from 20ms to 4s, and it’s caused by the Happy Eyeballs algorithm (RFC 8305). The Cliff’s Notes version: If a website offers both IPv6 and IPv4 responses to a DNS lookup, the two compete to see which gives the better performance. A number of OS’s give IPv6 a head start.
Be aware also: If you are a T-Mobile or (I think) Sprint wireless customer, your data is IPv6 native! This means that you are going through a NAT64 firewall to reach any IPv4 address, and an IPv4 VPN tunnel is NOT end to end between your device and the server. It remains encrypted, but the NAT64 association lives on that CGF. It has to. That record might still exist on the CGF and make you traceable to your VPN.
If you notice a performance hit or you are a T-mobile wireless customer, you may benefit from a dual-stacked VPN.
Avira Phantom also support IPv6.
Interestingly, I’ve just had a chat with support from Cyber Ghost. Also, no information about IPv6 can be found anywhere on their website.
They say, they don’t support IPv6 as of now, but will enable it on all servers “very soon”. Unfortunately without stating the timeframe of “very soon”.
After reading the comment from someone claiming to be “Avira”, I’ve checked their website, too. Again, there is nothing to be found about IPv6. If they would be the only (or one of very few) existing VPN provider supporting IPv6, then they should shout it out loud. Because it will be a very good reason to buy.
Blocking IPv6 is stupid, it is the future and offers many advantages over legacy IPv4. Modern systems prefer IPv6 for a reason, and with a provider that offers native IPv6 your connection going out over v6 will usually be slightly faster all else being equal.
The IPv6 protocol is newer and better designed, so routing hardware is simpler and faster, plus you do away with the need for (sometimes multiple layers of) NAT which also introduce a bottleneck, and are the primary cause of poor connection speeds in many countries.
IPv6 usage globally is just over 30%, but in some countries (eg India) is over 60%, the average is dragged down by backwards third world countries that don’t have IPv6 at all such as north korea.
If your VPN provider does not support IPv6, or suggests that you block it then it’s time to get a more modern provider. Don’t continue supporting a provider that’s stuck in the 1980s.