Dual-stack IPv6 not working

maher1
OpenVpn Newbie
Posts: 5
Joined: Fri Mar 24, 2017 11:24 am

Dual-stack IPv6 not working

Post by maher1 » Fri Mar 24, 2017 12:08 pm

I have a dual-stack server (CentOS 7) and an IPv4-only client (Windows 10), but I want the client to have IPv6 as well.
IPv6 connectivity on server works fine.
IPv4 VPN works correctly.
IPv6 VPN does not work at all.
OpenVPN server 2.3.14-1
OpenVPN GUI client 11.4

Server:

Code:

#ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 1.2.3.4  netmask 255.255.255.0  broadcast 1.2.3.255
        inet6 fe80::250:56ff:febc:731a  prefixlen 64  scopeid 0x20<link>
        inet6 2001:1111:2222:3333::11  prefixlen 64  scopeid 0x0<global>
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 192.168.111.1  netmask 255.255.255.0  destination 192.168.111.1
        inet6 2001:1111:2222:3333::1  prefixlen 64  scopeid 0x0<global>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        
#route -6 -n
Destination                    Next Hop                   Flag Met Ref Use If
::/96                          ::                         !n   1024 0     0 lo
0.0.0.0/96                     ::                         !n   1024 0     0 lo
2001:1111:2222:3333::/64        ::                         U    256 0     0 eth0
2001:1111:2222:3333::/64        ::                         U    256 0     0 tun0
fe80::/64                      ::                         U    256 1    20 eth0
::/0                           fe80::1                    UG   1   1   829 eth0
::/0                           ::                         !n   -1  1   946 lo
::1/128                        ::                         Un   0   2    47 lo
2001:1111:2222:3333::/128       ::                         Un   0   1     0 lo
2001:1111:2222:3333::/128       ::                         Un   0   1     0 lo
2001:1111:2222:3333::1/128      ::                         Un   0   1     0 lo
2001:1111:2222:3333::11/128     ::                         Un   0   2   203 lo
fe80::/128                     ::                         Un   0   1     0 lo
fe80::250:56ff:febc:731a/128   ::                         Un   0   2   662 lo
ff00::/8                       ::                         U    256 1   242 eth0
ff00::/8                       ::                         U    256 1     4 tun0
::/0                           ::                         !n   -1  1   946 lo

#cat sysctl.conf
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.autoconf = 1
net.ipv6.conf.all.accept_ra = 0
net.ipv4.ip_forward = 1

#lsmod | grep ipv6
nf_reject_ipv6         13717  1 ip6t_REJECT
nf_conntrack_ipv6      18894  6
nf_defrag_ipv6         35104  1 nf_conntrack_ipv6
nf_nat_ipv6            14131  1 ip6table_nat
nf_nat                 26147  3 nf_nat_ipv4,nf_nat_ipv6,xt_nat
nf_conntrack          111302  6 nf_nat,nf_nat_ipv4,nf_nat_ipv6,xt_conntrack,nf_conntrack_ipv4,nf_conntrack_ipv6

#iptables -nvL
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   512            all      *      *       ::/0                 ::/0                 state RELATED,ESTABLISHED
  603 50699 ACCEPT     all      tun0   *       ::/0                 ::/0
    4   512 ACCEPT     all      *      tun0    ::/0                 ::/0
    0     0 REJECT     all      *      *       ::/0                 ::/0                 reject-with icmp6-adm-prohibited

Chain OUTPUT (policy ACCEPT 706 packets, 53256 bytes)
 pkts bytes target     prot opt in     out     source               destination

Client:

Code:

c:\ipconfig

 Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : 00-FF-6F-54-70-95
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:1111:2222:3333::1000(Preferred)
   Link-local IPv6 Address . . . . . : fe80::91b2:541f:9a5a:6ff7%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.111.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 192.168.111.254
   DHCPv6 IAID . . . . . . . . . . . : 167837551
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1E-26-CE-34-D4-C9-EF-4F-FD-5B
   DNS Servers . . . . . . . . . . . : 2001:4860:4860::8888
                                       2001:4860:4860::8844
                                       8.8.8.8
                                       8.8.4.4
   NetBIOS over Tcpip. . . . . . . . : Enabled


c:\>route print
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 10    276 2000::/3                 fe80::8
 10    276 2001:1111:2222:3333::/64  On-link
 10    276 2001:1111:2222:3333::/64  fe80::8
 10    276 2001:1111:2222:3333::1000/128
                                    On-link
 10    276 fe80::/64                On-link
 10    276 fe80::91b2:541f:9a5a:6ff7/128
                                    On-link
  1    306 ff00::/8                 On-link
 10    276 ff00::/8                 On-link
===========================================================================

Server:

Code:

mode server
tls-server
topology subnet
port 443
proto tcp
dev tun
tun-ipv6

server-ipv6 2001:1111:2222:3333::/64
push "route-ipv6 2000::/3"
push "redirect-gateway def1"

push "dhcp-option DNS6 2001:4860:4860::8888"
push "dhcp-option DNS6 2001:4860:4860::8844"
comp-lzo

persist-key
persist-tun

Client:

Code:

client
dev tun
cipher AES-256-CBC
proto tcp
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo

The client gets fe80::8 as its default gateway. I cannot ping that gateway.

Code:

CLIENT c:\> ping -6 fe80::8%24

Pinging fe80::8%24 with 32 bytes of data:
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.

Ping statistics for fe80::8%24:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
    
SERVER $ping6  fe80::8%tun0
PING fe80::8%tun0(fe80::8%tun0) 56 data bytes
ping: sendmsg: Network is unreachable
ping: sendmsg: Network is unreachable
ping: sendmsg: Network is unreachable

CLIENT PS C:\> get-wmiobject win32_networkadapter | select-object ServiceName, MACAddress, AdapterType, Index, Name
ServiceName : tap0901
MACAddress  : 00:FF:6F:54:70:95
AdapterType : Ethernet 802.3
Index       : 24
Name        : TAP-Windows Adapter V9

However, ICMP gets through the VPN and reaches a remote site, which responds, but that response never arrives at my client or even at the server.
I presume it's the same with TCP/UDP packets.
It's not a problem with the upstream gateway - I checked various IPv6 addresses from 2001:1111:2222:3333::/64 and they're routed correctly.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Dual-stack IPv6 not working

Post by TinCanTech » Fri Mar 24, 2017 1:30 pm

From the server try:

Code:

$ ping6 2001:1111:2222:3333::1000

From the client try:

Code:

C:\> ping -6 2001:1111:2222:3333::1

maher1
OpenVpn Newbie
Posts: 5
Joined: Fri Mar 24, 2017 11:24 am

Re: Dual-stack IPv6 not working

Post by maher1 » Fri Mar 24, 2017 1:50 pm

TinCanTech wrote: From the server try:

Code:

$ ping6 2001:1111:2222:3333::1000

Does not work:
From 2001:1111:2222:3333::11 icmp_seq=1 Destination unreachable: Address unreachable

TinCanTech wrote: From the client try:

Code:

C:\> ping -6 2001:1111:2222:3333::1

Works.

TiTex
OpenVPN Super User
Posts: 310
Joined: Tue Apr 12, 2011 6:22 am

Re: Dual-stack IPv6 not working

Post by TiTex » Mon Mar 27, 2017 8:44 am

Check your Windows firewall.

maher1
OpenVpn Newbie
Posts: 5
Joined: Fri Mar 24, 2017 11:24 am

Re: Dual-stack IPv6 not working

Post by maher1 » Tue Mar 28, 2017 7:04 am

TiTex wrote: Check your windows firewall

Firewall is turned off.

I have exactly the same problem as described here (see the last but one comment): http://unix.stackexchange.com/questions ... vpn-tunnel. I'd like to avoid installing NPD6.

maher1
OpenVpn Newbie
Posts: 5
Joined: Fri Mar 24, 2017 11:24 am

Re: Dual-stack IPv6 not working

Post by maher1 » Tue Mar 28, 2017 9:29 am

I figured it out. There's a mistake in that StackExchange post.
The correct command would be:

Code:

ip neigh add proxy 2001:1111:2222:3333::1000 dev eth0

That means not tun0 but eth0.

Solution:
1. OpenVPN server: use server 2001:1111:2222:3333::/112 instead of /64
2. OpenVPN server: enable NDP proxy net.ipv6.conf.all.proxy_ndp=1 in sysctl.conf
3. OpenVPN server: add the client's IPv6 address to the server database (ip neigh add proxy 2001:1111:2222:3333::1000 dev eth0)
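
Added example, not part of any post in this thread: a Python check for the NDP proxy setup described above. It classifies how the tunnel range relates to eth0's on-link prefix and reconciles the proxy entries against the assigned client addresses, so entries on the wrong device (the tun0/eth0 mix-up) or for addresses no longer handed out are flagged for removal. The config text, the `ip -6 neigh show proxy` output, the `::2000` entry and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample inputs, modelled on the addressing used in this thread.
SERVER_CONF = 'server-ipv6 2001:1111:2222:3333::/112\npush "route-ipv6 2000::/3"\n'
LAN_PREFIX = ipaddress.IPv6Network("2001:1111:2222:3333::/64")  # on-link on eth0
CLIENTS = ["2001:1111:2222:3333::1000"]  # addresses handed out to VPN clients
# Constructed `ip -6 neigh show proxy` output: one wrong-device, one stale entry.
NEIGH_PROXY = ("2001:1111:2222:3333::1000 dev tun0  proxy\n"
               "2001:1111:2222:3333::2000 dev eth0  proxy\n")

def tunnel_prefix(conf):
    """Return the network given to the server-ipv6 directive."""
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "server-ipv6":
            return ipaddress.IPv6Network(parts[1])
    raise ValueError("no server-ipv6 directive found")

def layout(tunnel, lan):
    """Classify how the tunnel range relates to the LAN's on-link prefix."""
    if not tunnel.overlaps(lan):
        return "routed"    # separate prefix: upstream routes it, no proxy needed
    if tunnel.prefixlen <= lan.prefixlen:
        return "conflict"  # same or wider prefix on eth0 and tun0
    return "proxy"         # slice of the LAN prefix: NDP proxy entries required

def parse_proxy(output):
    """Parse `ip -6 neigh show proxy` lines into a set of (address, dev)."""
    fields = (line.split() for line in output.splitlines())
    return {(ipaddress.IPv6Address(f[0]), f[2])
            for f in fields if len(f) >= 3 and f[1] == "dev"}

def reconcile(clients, tunnel, lan_dev, current):
    """Return (commands to add, commands to delete) so that exactly the
    assigned client addresses are proxied on the LAN-facing device."""
    wanted = set()
    for client in clients:
        addr = ipaddress.IPv6Address(client)
        if addr not in tunnel:
            raise ValueError(f"{addr} is outside {tunnel}")
        wanted.add((addr, lan_dev))
    add = [f"ip -6 neigh add proxy {a} dev {d}" for a, d in sorted(wanted - current)]
    rm = [f"ip -6 neigh del proxy {a} dev {d}" for a, d in sorted(current - wanted)]
    return add, rm

if __name__ == "__main__":
    tun = tunnel_prefix(SERVER_CONF)
    add, rm = reconcile(CLIENTS, tun, "eth0", parse_proxy(NEIGH_PROXY))
    print(layout(tun, LAN_PREFIX), *rm, *add, sep="\n")
```

The script only prints the `ip` commands; nothing is applied to the host.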

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Dual-stack IPv6 not working

Post by TinCanTech » Tue Mar 28, 2017 12:23 pm

maher1 wrote: Does not work:
From 2001:1111:2222:3333::11 icmp_seq=1 Destination unreachable: Address unreachable

Why does your server apparently use 2001:1111:2222:3333::11 and not 2001:1111:2222:3333::1 ?

maher1
OpenVpn Newbie
Posts: 5
Joined: Fri Mar 24, 2017 11:24 am

Re: Dual-stack IPv6 not working

Post by maher1 » Wed Mar 29, 2017 9:02 am

TinCanTech wrote: Why does your server apparently use 2001:1111:2222:3333::11 and not 2001:1111:2222:3333::1 ?

Because after I set up OpenVPN, tun0 also had 2001:1111:2222:3333::1. So to avoid future conflicts, I changed eth0's IPv6 address to 11.
