The Apache web server has had Internet Protocol version 6 (IPv6) support built in and enabled by default since 2002 (with the release of version 2.0.43). The authoritative source for Apache Web Server is the Apache HTTP Server Project, which does not explicitly address many IPv6 topics. It does address Special IPv6 Considerations for mapping IPv4 and IPv6 addresses.
Complete the 8 steps described in this Get Your Site Ready for IPv6 article for the host computer your Apache web server is or will be installed on.
The configuration information shown below is from the Linux IPv6 HOWTO (en) website. While old, it is still useful. Additional old articles about Apache web server IPv6 configuration for Linux and virtual hosts are available here.
3. Webserver Apache2 (httpd2)
The Apache web server has had native IPv6 support from its maintainers since 2.0.14. Patches available for the older 1.3.x series are not current and shouldn't be used in a public environment, but they are available at KAME/Misc.
3.1. Listening on IPv6 addresses
Note: virtual hosts on IPv6 addresses are broken in versions up to 2.0.28 (a patch is available for 2.0.28). Always try the latest available version first, because earlier versions had some security issues.
3.1.1. Virtual host listen on an IPv6 address only
Listen [2001:0db8:100::1]:80
<VirtualHost [2001:0db8:100::1]:80>
ServerName ipv6only.yourdomain.yourtopleveldomain
# ... more config lines
</VirtualHost>
3.1.2. Virtual host listen on an IPv6 and on an IPv4 address
Listen [2001:0db8:100::2]:80
Listen 1.2.3.4:80
<VirtualHost [2001:0db8:100::2]:80 1.2.3.4:80>
ServerName ipv6andipv4.yourdomain.yourtopleveldomain
# ... more config lines
</VirtualHost>
After a restart, this should result in output such as:
# netstat -lnptu |grep "httpd2\W*$"
tcp 0 0 1.2.3.4:80 0.0.0.0:* LISTEN 12345/httpd2
tcp 0 0 2001:0db8:100::1:80 :::* LISTEN 12345/httpd2
tcp 0 0 2001:0db8:100::2:80 :::* LISTEN 12345/httpd2
For simple tests use the telnet example already shown.
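The pairing of Listen and <VirtualHost> addresses shown in 3.1.1 and 3.1.2 can be checked before a restart. The following is an added example, not part of the HOWTO; the function name check_vhost_listen and the sample configuration are constructed for illustration, and addresses are compared as text.

```shell
#!/bin/sh
# Added example (not from the HOWTO): report <VirtualHost> addresses that no
# Listen directive covers, and IPv6 literals written without [brackets].
# Assumes address:port tokens as in sections 3.1.1 and 3.1.2; addresses are
# compared as text, so write them identically in both directives.
check_vhost_listen() {   # Apache configuration on stdin, findings on stdout
  awk '
    $1 ~ /^#/ { next }                            # comment line
    tolower($1) == "listen" {
      l = tolower($2)
      if (l ~ /^[0-9]+$/)  anyaddr[l] = 1          # "Listen 80"
      else if (l ~ /^\*:/) anyaddr[substr(l, 3)] = 1
      else                 listen[l] = 1
      next
    }
    tolower($1) == "<virtualhost" {
      for (i = 2; i <= NF; i++) {
        v = tolower($i); sub(/>$/, "", v)
        if (v != "") vhost[v] = NR
      }
    }
    END {
      for (v in vhost) {
        if (v !~ /:[0-9]+$/) continue              # no port given, skip
        port = v; sub(/^.*:/, "", port)            # text after the last colon
        addr = substr(v, 1, length(v) - length(port) - 1)
        if (addr == "*" || addr == "_default_") continue
        if (addr ~ /:/ && addr !~ /^\[.*\]$/)
          printf "line %d: IPv6 literal %s must be written in [brackets]\n", vhost[v], v
        else if (!(v in listen) && !(port in anyaddr))
          printf "line %d: no Listen directive for %s\n", vhost[v], v
      }
    }' | sort
}

# Constructed sample: the Listen for 1.2.3.4:80 has been left out.
SAMPLE_BAD='Listen [2001:0db8:100::2]:80
<VirtualHost [2001:0db8:100::2]:80 1.2.3.4:80>
ServerName ipv6andipv4.yourdomain.yourtopleveldomain
</VirtualHost>'

printf '%s\n' "$SAMPLE_BAD" | check_vhost_listen
```

A virtual host whose address has no matching Listen never receives traffic, so an empty result is the expected outcome for the configurations in 3.1.1 and 3.1.2.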
3.1.3. Additional notes
· Apache2 supports a method called “sendfile” to speed up serving data. Some NIC drivers also support checksum offloading. In some cases, this can lead to connection problems and invalid TCP checksums. In these cases, disable “sendfile” either by recompiling with the configure option “--without-sendfile” or by using the "EnableSendfile off" directive in the configuration file.
A description of how the Samba application was IPv6-enabled is given on slides 29-35.
Preparing Samba for Windows Server 2008 and IPv6, from Erion, Ltd.
For more recent presentations and additional information on using SAMBA and the Common Internet File System (CIFS) with IPv6, please visit this blog.
Current information about open source sendmail after the acquisition of Sendmail, Inc. by Proofpoint, Inc. in 2013 is available on the Proofpoint website. Information for earlier versions of Sendmail up to 8.15.2 (released in 2015) is available on this website. Also, an archive of Sendmail, Inc. Documentation, Tips and Tricks, and Support FAQ files is available on this website.
An introduction to setting up the sendmail daemon versions 8.10.0 and later on many Linux systems to support Internet Protocol version 6 (IPv6) appears below. Because of the many variations among implementations and between versions of Sendmail, differences are to be expected. Earlier versions can be more involved to set up, when it is even possible.
Notes:
1. Make sure you have completed the applicable steps described in this Get Your Site Ready for IPv6 article for the host computer your Sendmail daemon is installed on. (That article was written for a web server, but the DNS-specific steps also apply to Sendmail.)
2. Sendmail by default typically adds a Daemon_Options for port 587. When you want that behavior, omit the first line below. Otherwise, include the first line and sendmail will then use just port 25.
To configure sendmail to listen on both IPv4 and IPv6 at the same time:
FEATURE(`no_default_msa', `dnl') dnl
DAEMON_OPTIONS(`Port=submission, M=Ea, Name=MSA, Family=inet6') dnl
DAEMON_OPTIONS(`Port=smtp,Name=MTA, Family=inet6') dnl
Then "make" and restart sendmail.
On many operating systems, sendmail will accept IPv4 via the IPv6 socket without any explicit IPv4 configuration. If not, it may be necessary to use the lines:
DAEMON_OPTIONS(`Name=MTA-v4, Family=inet') dnl
DAEMON_OPTIONS(`Name=MTA-v6, Family=inet6') dnl
instead of the last line above.
A more extensive example of an IPv6 configuration for sendmail is available here.
For FreeBSD, an example configuration file is available here.
Internet Information Services (IIS) 6.x had limited support for IPv6, but IIS7.x and later has good support for IPv6 features, from creating site bindings to logging to security features like IP Restriction. IIS7.x and later versions also work well under Server 2008 and later. Using IPv6 can be as simple as starting IIS after installing it on your system. IPv6 support with earlier operating systems is problematic.
A basic IIS6.x configuration example would be:
Open IIS Manager (inetmgr)
Select the site you wish to enable IPv6 on
From the Action pane choose “Bindings…”
type = http (for a basic web server)
IP address = ipv6 address (or use the drop down list)
port = 80
host name = the name you want the server to respond to
Click OK
Configuration changed in IIS7.x and later: the IIS6.x metabase was replaced by an XML-based procedure. Microsoft provides a website for general IIS support: www.iis.net. For more detailed information about using IIS7.0 with IPv6 visit Nazim's IIS Security Blog. Another IIS7.0 write-up is available on the SoftLayer KnowledgeBase. Remember to install an updated file transfer protocol (FTP) publishing service. It was released after IIS7.0. This step is mentioned by both articles. Articles on the Microsoft learn.microsoft.com website for IIS configuration are available: IIS7.5, IIS8.0, and IIS8.5. (IIS10.0 configuration is just like IIS8.5 except IIS10.0 is only available on Windows 10/11.)
Limited information about IIS6.x support for IPv6 running under Server 2003 is available in this article and security guide.
For all versions of IIS, complete the 8 steps described in this Get Your Site Ready for IPv6 article for the host computer your IIS web server is installed on.
Note: If you want both IIS and an instance of the Microsoft .NET Framework on the same computer in Windows Server 2003 (also applies to 2008 and later), it is better to install IIS first. (If the Microsoft .NET Framework was installed before installing IIS, see this article for a possible solution).
Virtual Private Network (VPN) clients usually support several versions of these operating systems: Android, Apple iOS and macOS, Chrome OS, Linux, Microsoft Windows, and UNIX. The website VPN University describes the general characteristics of VPNs and reviews many available VPNs.
While newer VPN clients support Internet Protocol version 6 (IPv6) packet flow, older VPN clients may not be able to intercept and tunnel IPv6 packets. Instead, they give an error message such as:
“name-of-VPN-server” IP address could not be found.
Older VPN clients often cannot support IPv6 packet flow. They can only tunnel IPv4 packets and are not able to tunnel IPv6 packets.
Corporate computer users often have no choice but to use the VPN software installed on the computer provided by their company. Along with home users they can, however, test whether their VPN software is working correctly by going to the DNS leak test website and clicking on the standard test button.
Some organizations have recognized that a VPN alone is not enough to maintain secure remote access. They are deploying zero-trust network access (ZTNA) solutions in addition to (or sometimes even instead of) VPNs.
Some best practices when deploying VPNs are described in this article. Some best practices when transitioning from the use of a VPN to a ZTNA solution are described in this article.
To prevent insecure traffic via the IPv6 network stack while using a VPN client that can only tunnel IPv4 traffic, it is recommended to temporarily disable IPv6 and then reboot before activating the VPN client and then re-enable IPv6 upon terminating the VPN client. The recommended procedure to disable or enable IPv6 traffic on specific host Operating Systems is described in separate articles in the IP Transport section of the IPv6 knowledge base.
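Whether IPv6 still has a path around an IPv4-only tunnel can be read from the routing table. The following is an added example, not from the original article: it assumes a Linux host, text in the format printed by `ip -6 route show`, and a tunnel interface named tun0; the function names and the sample table are constructed.

```shell
#!/bin/sh
# Added example: list IPv6 routes that leave the host outside the VPN tunnel.
# Assumptions: Linux, text in the format printed by `ip -6 route show`, and an
# IPv4-only tunnel, so any global IPv6 route on another interface bypasses it.
ipv6_bypass_routes() {   # $1 = tunnel interface; routing table on stdin
  awk -v tun="$1" '
    $1 == "unreachable" || $1 == "blackhole" || $1 == "prohibit" { next }
    {
      dev = ""
      for (i = 1; i < NF; i++) if ($i == "dev") dev = $(i + 1)
      if (dev == "" || dev == "lo" || dev == tun) next
      dst = tolower($1)
      if (dst ~ /^fe[89ab][0-9a-f]:/) next      # link-local, fe80::/10
      if (dst ~ /^ff/) next                     # multicast, ff00::/8
      print dev ": " $1
    }'
}

# Succeeds (exit status 0) when at least one bypass route exists.
vpn_leaves_ipv6_open() { [ -n "$(ipv6_bypass_routes "$1")" ]; }

# Constructed sample: eth0 learned a prefix and a default route from a router
# advertisement; tun0 carries IPv4 only and so has no IPv6 routes at all.
SAMPLE_ROUTES='::1 dev lo proto kernel metric 256 pref medium
2001:db8:100::/64 dev eth0 proto ra metric 100 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 100 pref medium'

if printf '%s\n' "$SAMPLE_ROUTES" | vpn_leaves_ipv6_open tun0; then
  echo "IPv6 traffic can bypass tun0 via:"
  printf '%s\n' "$SAMPLE_ROUTES" | ipv6_bypass_routes tun0
fi
# On a live host: ip -6 route show | ipv6_bypass_routes tun0
```

After IPv6 has been disabled as recommended above, the routing table is empty and the function reports nothing.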
For Windows 8 (and later) users using any VPN client that tunnels only IPv4, disabling the Smart Multi-Homed Name Resolution feature is recommended. The reason for this recommendation and techniques for disabling the feature are described in this Turn off smart multi-homed name resolution in Windows article.
Some VPN clients for the home and small office/home office (SOHO) individual user that tunnel the flow of IPv6 traffic include: AirVPN, Avast SecureLine, Avira Phantom VPN, AzireVPN, Bitdefender VPN (Windows only), ExpressVPN.com, hide.me, HotSpot Shield (Windows only), IPVanish, Mullvad.net, OVPN, Perfect-Privacy.com, PrivateInternetAccess.com, PrivateVPN.com, Purevpn.com, and TorGuard.net. Reviews of several of these VPN clients are available here.
In alphabetical order, some enterprise-level VPNs that are able to simultaneously tunnel both IPv6 and IPv4 protocols include:
1. Check Point End Point Remote Access VPN, when used in conjunction with a Check Point Security Gateway (VSX version R68 and later)
2. Cisco AnyConnect SSL VPN (version 2.5 and later)
3. LogMeIn Hamachi VPN using the vpn.net service (version 2.1.0.122 and later for Microsoft Windows and 2.1.0.65 and later for Apple macOS and OS X)
4. Forcepoint Stonesoft SSL VPN (version 1.1.0 and later)
5. Fortinet SSL VPN FortiClient, when used in conjunction with a Fortinet security appliance running FortiOS
6. The GreenBow VPN Client (version 6.1 and later)
7. Juniper Networks Junos OS on SSG-140 or any SRX-series device
8. Microsoft Always On VPN supported by Windows 10 clients and later
9. Microsoft Secure Socket Layer (SSL) VPN over the Secure Socket Tunneling Protocol (SSTP) supported by Windows Server 2008 and later
10. NCP Secure Engineering Secure Entry Client (version 9.3 or later)
11. OpenVPN Technologies Inc. Access Server (version 2.3.x and later), Client (version 2.3.x and later) and Connect (all versions when connecting to an Access Server that supports IPv6).
12. Palo Alto Networks GlobalProtect (version 4.0 or later), when used in conjunction with a Palo Alto Networks firewall running PAN OS (version 8.0 or later)
13. Pulse Secure when using their SSL VPN appliances (version 7.3 and later)
14. realVNC Ltd. Enterprise Edition (version 4.1.7 and later), Personal Edition (version 4.1.2 and later)
15. SonicWALL SSL VPN (version 3.5 and later)
Additional VPNs that do (and some that do not) simultaneously tunnel both protocols are identified in this article.
While it does more than just tunnel packets, Microsoft DirectAccess also tunnels both IPv4 and IPv6 packets.
