
Issue 787674

Starred by 3 users

Issue metadata

Status: Assigned
OS: Chrome
Pri: 2
Type: Bug


IPv6 traffic bypasses OpenVPN tunnel

Project Member Reported by cernekee@chromium.org, Nov 22 2017

Issue description

The builtin Chrome OS VPN clients do not currently support IPv6.  If the system's physical network connection supports IPv6, IPv6 traffic will "leak" past the VPN and out onto the untrusted LAN.  It should be blocked (like third party VPNs do).

Related: bug 642040

Comment 1 by bugdroid1@chromium.org (Project Member), Nov 22 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/aosp/platform/system/connectivity/shill/+/88dc9bec810eb7b88c17d8f56910b1f2ae3ce32a

commit 88dc9bec810eb7b88c17d8f56910b1f2ae3ce32a
Author: Kevin Cernekee <cernekee@chromium.org>
Date: Wed Nov 22 22:42:37 2017

shill: Enable blackhole_ipv6 for OpenVPN and L2TP/IPsec

The builtin VPN clients do not currently support IPv6.  If the system's
physical network connection supports IPv6, IPv6 traffic will "leak" past
the VPN and out onto the untrusted LAN.  Third party VPN clients
on Chrome OS and on Android block this, but:

 - OpenVPN doesn't enable the option at all (blackhole_ipv6=false).

 - L2TP/IPsec does enable the option, but it only works when
   per_device_routing is enabled, because adding a blackhole route with
   metric (x) to the `main` routing table collides with other metric (x)
   routes.  The kernel will not let the two routes coexist, even
   temporarily.

So, enable blackhole_ipv6=true on OpenVPN, and always use per-device
routing tables if blackhole_ipv6 is enabled.

BUG=chromium:787674
TEST=`ping6 ipv6.google.com` while connected to each VPN
TEST=`test_that -b samus network_VPNConnect.openvpn`
TEST=`test_that -b samus network_VPNConnect.l2tpipsec_psk`

Change-Id: I7d3359db12d18dd322576ce2c841e297ffe2e13e
Reviewed-on: https://chromium-review.googlesource.com/784311
Commit-Ready: Kevin Cernekee <cernekee@chromium.org>
Tested-by: Kevin Cernekee <cernekee@chromium.org>
Reviewed-by: Ben Chan <benchan@chromium.org>
Reviewed-by: Kevin Cernekee <cernekee@chromium.org>

[modify] https://crrev.com/88dc9bec810eb7b88c17d8f56910b1f2ae3ce32a/connection_unittest.cc
[modify] https://crrev.com/88dc9bec810eb7b88c17d8f56910b1f2ae3ce32a/vpn/openvpn_driver.cc
[modify] https://crrev.com/88dc9bec810eb7b88c17d8f56910b1f2ae3ce32a/connection.cc
[modify] https://crrev.com/88dc9bec810eb7b88c17d8f56910b1f2ae3ce32a/vpn/openvpn_driver_unittest.cc

Comment 2 by bugdroid1@chromium.org (Project Member), Nov 25 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/autotest/+/80de77a887f505c4b9a19d94444e60fb0d9f3a66

commit 80de77a887f505c4b9a19d94444e60fb0d9f3a66
Author: Kevin Cernekee <cernekee@chromium.org>
Date: Sat Nov 25 01:41:50 2017

network_VPNConnect: Add IPv6 blackhole test

shill was recently updated to blackhole IPv6 traffic when connected to
an IPv4-only VPN.  Check to make sure the routing change is working as
intended.

BUG=chromium:787674
TEST=run network_VPNConnect tests
CQ-DEPEND=CL:784311

Change-Id: Ia12640802db80df6b655ad10df77ada46738f691
Reviewed-on: https://chromium-review.googlesource.com/784358
Commit-Ready: Kevin Cernekee <cernekee@chromium.org>
Tested-by: Kevin Cernekee <cernekee@chromium.org>
Reviewed-by: Ben Chan <benchan@chromium.org>

[modify] https://crrev.com/80de77a887f505c4b9a19d94444e60fb0d9f3a66/client/site_tests/network_VPNConnect/network_VPNConnect.py
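As an added illustration of the routing state that the shill change (Comment 1) installs and that the autotest (Comment 2) verifies, here is a POSIX shell helper that classifies an `ip -6 route show` dump as blackholed, leaking, or having no IPv6 default route. This is example code written for this page, not shill code or the network_VPNConnect test; the two route dumps are constructed samples in the iproute2 output format, not captures from a device, and the `blackholed` verdict only checks that a `blackhole default` route exists somewhere, not that an `ip -6 rule` entry actually gives it priority.

```shell
#!/bin/sh
# Example (not shill or autotest code): classify an `ip -6 route show table all`
# dump with respect to IPv4-only VPN leak protection.

# Constructed sample: per-device table holding the blackhole route, as the
# shill change describes, alongside the physical interface's own routes.
SAMPLE_BLACKHOLE='blackhole default dev lo table 1002 metric 1024 pref medium
::1 dev lo proto kernel metric 256 pref medium
2001:db8:1::/64 dev eth0 proto ra metric 1024 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 1024 pref medium'

# Constructed sample: no blackhole at all; the RA-learned default route on the
# LAN interface would carry IPv6 traffic around the tunnel.
SAMPLE_LEAK='::1 dev lo proto kernel metric 256 pref medium
2001:db8:1::/64 dev eth0 proto ra metric 1024 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 1024 pref medium'

# Constructed sample: IPv6 not configured beyond link-local, nothing to leak.
SAMPLE_NONE='::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium'

# classify_ipv6_routes DUMP
# Prints exactly one word:
#   blackholed - a "blackhole default" route is present
#   leak       - a reachable default route exists and no blackhole does
#   none       - no IPv6 default route at all
classify_ipv6_routes() {
    dump=$1
    if printf '%s\n' "$dump" | grep -Eq '^blackhole[[:space:]]+default([[:space:]]|$)'; then
        echo blackholed
    elif printf '%s\n' "$dump" | grep -Eq '^default([[:space:]]|$)'; then
        echo leak
    else
        echo none
    fi
}

# default_route_metrics DUMP
# Lists the metric of every default route (blackhole or not), one per line.
# The commit message explains that two routes with the same metric cannot
# coexist in one table, which is why the blackhole went into a per-device
# table; this shows which metrics are already taken.
default_route_metrics() {
    printf '%s\n' "$1" | awk '
        ($1 == "default") || ($1 == "blackhole" && $2 == "default") {
            for (i = 1; i <= NF; i++) if ($i == "metric") print $(i + 1)
        }'
}

# Live use on a Linux host (not run by the examples below):
#   classify_ipv6_routes "$(ip -6 route show table all)"
printf 'blackhole sample: %s\n' "$(classify_ipv6_routes "$SAMPLE_BLACKHOLE")"
printf 'leak sample:      %s\n' "$(classify_ipv6_routes "$SAMPLE_LEAK")"
printf 'no-default sample: %s\n' "$(classify_ipv6_routes "$SAMPLE_NONE")"
```

The route dump is only a static view; the definitive check remains the one in the commit's TEST line, a `ping6` to an IPv6-only host while the VPN is up, which exercises the policy rules as well as the tables. Note that in the blackholed sample the LAN's own `default via fe80::1` route is still present in the main table, exactly as it would be on a real device; the protection depends on the per-device table being consulted first.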

One risk of rolling this out before shill's IPConfig logic fully supports IPv6 is that if the OpenVPN gateway itself is available via IPv6 (e.g. it has both AAAA and A records in DNS), the blackhole route may block access after the connection is established.  We don't have a clean way to add an exclusion for it.

I don't think this is the case for v.ext, but maybe other installations will be affected.
Status: Assigned (was: Untriaged)