AWS Security ChangesHomeSearch

AWS vpn high security documentation change

Service: vpn · 2025-08-28 · Security-related high

File: vpn/latest/clientvpn-admin/ipv6-considerations.md

Summary

Added comprehensive documentation for native IPv6 support in Client VPN including dual-stack endpoints, CIDR assignment, DNS configuration, limitations, and Client Routes Enforcement for IPv6 traffic control

Security assessment

The change introduces IPv6 Client Route Enforcement to prevent traffic leaks, explicitly mentions IPv6 leak prevention mechanisms, and documents security-focused limitations like blocking client-to-client IPv6 communications. The Client Route Enforcement feature specifically addresses potential security risks of traffic bypassing VPN tunnels.

Diff

diff --git a/vpn/latest/clientvpn-admin/ipv6-considerations.md b/vpn/latest/clientvpn-admin/ipv6-considerations.md
index 2da692a29..466eb1a97 100644
--- a//vpn/latest/clientvpn-admin/ipv6-considerations.md
+++ b//vpn/latest/clientvpn-admin/ipv6-considerations.md
@@ -4,0 +5,2 @@
+Key components of IPv6 supportIPv6 client CIDR assignmentCompatibility requirementsDNS supportLimitationsClient Routes Enforcement for IPv6IPv6 leak prevention (legacy information)
+
@@ -7 +9,72 @@
-Currently the Client VPN service does not support routing IPv6 traffic through the VPN tunnel. However, there are cases when IPv6 traffic should be routed into the VPN tunnel to prevent IPv6 leak. IPv6 leak can happen when both IPv4 and IPv6 are enabled and connected to the VPN, but the VPN doesn’t route IPv6 traffic into its tunnel. In this case, when connecting to an IPv6 enabled destination, you are actually still connecting with your IPv6 address provided by your ISP. This will leak your real IPv6 address. The instructions below explain how to route IPv6 traffic into the VPN tunnel.
+Client VPN now supports native IPv6 connectivity alongside existing IPv4 capabilities. You can create IPv6-only, IPv4-only, or dual-stack (both IPv4 and IPv6) endpoints to meet your networking requirements.
+
+## Key components of IPv6 support
+
+When working with IPv6 in Client VPN, there are two key configuration parameters:
+
+Endpoint IP address type
+    
+
+This parameter defines the endpoint management IP type, which determines the type of EC2 instance provisioned for the endpoint. This IP type is used for managing outer VPN tunnel traffic (the encrypted traffic that flows between the OpenVPN client and server over the public internet).
+
+Traffic IP address type
+    
+
+This parameter defines the type of traffic that flows through the VPN tunnel. This IP type is used for managing inner encrypted traffic (the actual payload), client CIDR ranges, subnet association, routes, and rules per endpoint.
+
+## IPv6 client CIDR assignment
+
+For IPv6 client CIDR, you do not need to specify a CIDR block. Amazon automatically assigns CIDR ranges for IPv6 clients. This auto-assignment enables no-SNATing for IPv6 tunnel traffic, providing enhanced visibility into the connected user's IPv6 address.
+
+## Compatibility requirements
+
+IPv6 and dual-stack endpoints have dependencies on user devices and internet service providers (ISPs):
+
+  * User devices running the CVPN client must support the required IP configuration as shown in the compatibility table below.
+
+  * ISPs must support the required IP configuration for the connection to work properly.
+
+  * For IPv6 or dual-stack traffic, the associated VPC subnets must have IPv6 or dual-stack CIDR ranges.
+
+
+
+
+## DNS support
+
+DNS is supported in all types of endpoints - IPv4, IPv6, and dual-stack. For IPv6 endpoints, you can configure IPv6 DNS servers using the `--dns-server-ipv6` parameter. AAAA DNS records are supported on both the service and client end.
+
+## Limitations
+
+The following are the limitations with IPv6:
+
+  * Client-to-client (C2C) communication is not supported for IPv6 clients. If an IPv6 client tries to communicate with another IPv6 client, the traffic will be dropped.
+
+
+
+
+## Client Routes Enforcement for IPv6
+
+Client VPN now supports Client Routes Enforcement for IPv6 traffic. This feature helps ensure that IPv6 network traffic from connected clients follows the routes defined by the administrator and is not inadvertently sent outside the VPN tunnel.
+
+Key aspects of IPv6 Client Route Enforcement support:
+
+  * The existing `ClientRouteEnforcementOptions.enforced` flag enables CRE for both IPv4 and IPv6 stacks.
+
+  * IPv6 Client Route Enforcement excludes certain IPv6 ranges to maintain critical IPv6 functionalities:
+
+    * `::1/128` — Reserved for loopback
+
+    * `fe80::/10` — Reserved for link-local addresses
+
+    * `ff00::/8` — Reserved for multicast
+
+  * IPv6 Client Route Enforcement is available in AWS VPN Client version 5.3.0 and higher on Windows, macOS, and Ubuntu.
+
+
+
+
+For more detailed information about CRE, including how to enable and configure it, see [AWS Client VPN Client Route Enforcement](./cvpn-working-cre.html).
+
+## IPv6 leak prevention (legacy information)
+
+For older configurations that don't use the native IPv6 support, you may still need to prevent IPv6 leak. IPv6 leak can happen when both IPv4 and IPv6 are enabled and connected to the VPN, but the VPN doesn't route IPv6 traffic into its tunnel. In this case, when connecting to an IPv6 enabled destination, you are actually still connecting with your IPv6 address provided by your ISP. This will leak your real IPv6 address. The instructions below explain how to route IPv6 traffic into the VPN tunnel.
@@ -27 +100 @@ The next command, `route-ipv6 2000::/4` will route IPv6 addresses from `2000:000
-For “TAP” device routing in Windows for example, the second parameter of `ifconfig-ipv6` will be used as route target for `--route-ipv6`.
+For "TAP" device routing in Windows for example, the second parameter of `ifconfig-ipv6` will be used as route target for `--route-ipv6`.