Virtual Private Network (VPN) clients usually support several of these operating systems: Android, Apple iOS and macOS, Chrome OS, Linux, Microsoft Windows, and UNIX.

Older VPN clients were typically unable to intercept and tunnel Internet Protocol version 6 (IPv6) packets. They could only tunnel IPv4 packets and cannot secure the flow of IPv6 packets. 

Some organizations have recognized that use of a VPN alone is not enough to maintain secure remote access. They are deploying zero-trust network access (ZTNA) solutions in addition to (or sometimes even instead of) VPNs.

Some best practices when deploying VPNs are described in this article. Some best practices when transitioning from the use of a VPN to a ZTNA solution are described in this article.

To prevent insecure traffic via the IPv6 network stack while using a VPN client that can only tunnel IPv4 traffic, it is recommended to temporarily disable IPv6 and then reboot before activating the VPN client, and then re-enable IPv6 upon terminating the VPN client. The recommended procedure to disable or enable IPv6 traffic on specific host Operating Systems is described in separate articles in the IP Transport section of the IPv6 knowledge base.

For Windows 8 (and later) users using any VPN client that tunnels only IPv4, disabling the Smart Multi-Homed Name Resolution feature is recommended. The reason for this recommendation and techniques for disabling the feature are described in this Turn off smart multi-homed name resolution in Windows article.

Some VPN clients for the home and small office/home office (SOHO) individual user that tunnels the flow of IPv6 traffic include: AirVPN, Avast SecureLine, Avira Phantom VPN, AzireVPN, Bitdefender VPN (Windows only),,, HotSpot Shield (Windows only), IPVanish,, OVPN,,,, Proton VPN,, and Reviews of several of these VPN clients are available here.

In alphabetical order, some enterprise-level VPNs that can simultaneously tunnel both IPv6 and IPv4 protocols include:

1. Check Point End Point Remote Access VPN, when used in conjunction with a Check Point Security Gateway (VSX version R68 and later)

2. Cisco AnyConnect SSL VPN (version 2.5 and later)

3. LogMeIn Hamachi VPN using the service (version and later Microsoft Windows and and later Apple macOS and OS X)

4. Forcepoint Stonesoft SSL VPN (version 1.1.0 and later)

5. Fortinet SSL VPN FortiClient, when used in conjunction with a FortiNet security appliance running FortiOS

6. The GreenBow VPN Client (version 6.1 and later)

7. Juniper Networks Junos OS on SSG-140 or any SRX-series device

8. Microsoft Always On VPN supported by Windows 10 clients and later

9. Microsoft Secure Socket Layer (SSL) VPN over the Secure Socket Tunneling Protocol (SSTP) supported by Windows Server 2008 and later

10. NCP Secure Engineering Secure Entry Client (version 9.3 or later)

11. OpenVPN Technologies Inc. Access Server (version 2.3.x and later), Client (version 2.3.x and later) and Connect (all versions when connecting to an Access Server that supports IPv6). Client 2.3.9 (and later) incorporates a solution to the above "DNS Leaks" issue

12. Palo Alto Networks GlobalProtect (version 4.0 or later), when used in conjunction with a Palo Alto Networks firewall running PAN OS (version 8.0 or later)

13. Pulse Secure when using their SSL VPN appliances (version 7.3 and later)

14. realVNC Ltd. Enterprise Edition (version 4.1.7 and later), Personal Edition (version 4.1.2 and later)

15. SonicWALL SSL VPN (version 3.5 and later)

Additional VPNs that do (and some that do not) simultaneously tunnel both protocols are identified in this article.

While it does more than just tunnel packets, Microsoft DirectAccess also tunnels both IPv4 and IPv6 packets.