Requesting help with ubuntu 16.04 LTS OpenVPN 2.4 dual-stack server

Need help configuring your VPN? Just post here and you'll get that help.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
bimmerdriver
OpenVPN Power User
Posts: 54
Joined: Thu Sep 08, 2016 7:56 pm

Requesting help with ubuntu 16.04 LTS OpenVPN 2.4 dual-stack server

Post by bimmerdriver » Wed Jun 07, 2017 2:00 am

I'm trying to get an openvpn server operating in dual-stack. I have ipv4 working, but I'm stuck on ipv6. I'm using ufw to configure the server to pass the traffic. I'm a linux novice, so I need some help, preferably a working configuration to use as an example.

I'm using the latest versions of linux and windows openvpn, as of yesterday.

I have read the how-to but I could not find any examples of how to configure the server to pass ipv6 traffic. I previously was trying to get a dual-stack windows 10 server working. I was able to get the client and server connected with both ipv4 and ipv6, but I could not get the server to pass the ipv6 traffic. Openvpn documentation is sorely lacking in this area.

The server is connected to the internet via a pfsense 2.4 router. It has dhcp ipv4 and dhcpv6 ipv6 addresses and it's on a /64 subnet. (I have access to multiple /64 subnets if required.) The server is running on hyper-v 2012r2 so i could easily add additional network interfaces if required. The client is windows 10.

Currently, the vpn is working for ipv4. I can ping the openvpn server using ipv4 and ipv6 from the client and vice versa. I can ping outside ipv4 addresses, but I cannot ping ipv6 addresses.

I used ufw rules from a tutorial on digital ocean to configure the ipv4 nat. The rules work fine for ipv4, but they do not deal with ipv6. This is what I need help with. I am unclear how to configure ufw (or iptables) to pass the ipv6 traffic and I'm also unclear what address is supposed to be used.
ufw rules
# START OPENVPN RULES
# NAT table rules. This file (/etc/ufw/before.rules) is loaded by iptables only;
# ip6tables loads /etc/ufw/before6.rules, so nothing here touches IPv6.
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN clients out of the uplink interface. The server
# log below reports IFACE=eth0, so that is the name the rule must use, and the
# source should be the VPN subnet from server.conf (10.8.0.0/24): 10.8.0.0/8
# is parsed as all of 10.0.0.0/8 and masquerades far more than the tunnel.
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
server.conf
port 1194
proto udp
dev tun

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh4096.pem

cipher AES-256-CBC
auth SHA512

server 10.8.0.0 255.255.255.0
# fc00::/64 lies in the fc00::/7 unique-local range, which is not routed on
# the Internet: clients and server can talk over it, but reaching outside
# IPv6 hosts needs either NAT66 on the uplink or a globally routed prefix
# here. (RFC 4193 assigns locally generated ULAs from fd00::/8; fc00::/8 is
# reserved.)
server-ipv6 fc00::/64
push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway ipv6"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS6 2001:4860:4860::8888"

ifconfig-pool-persist ipp.txt
keepalive 10 120

comp-lzo

persist-key
persist-tun

status openvpn-status.log
log openvpn.log
verb 3
client.ovpn
ca ca.crt
cert client.crt
key client.key

remote xxx.20.118.8 1194
comp-lzo
client
dev tun
redirect-gateway def1

remote-cert-tls server
cipher AES-256-CBC
auth SHA512

proto udp
resolv-retry infinite
nobind

persist-key
persist-tun

verb 3
mute 20
server log
Tue Jun 6 13:50:12 2017 OpenVPN 2.4.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 11 2017
Tue Jun 6 13:50:12 2017 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Tue Jun 6 13:50:12 2017 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Tue Jun 6 13:50:12 2017 Diffie-Hellman initialized with 4096 bit key
Tue Jun 6 13:50:12 2017 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=eth0 HWADDR=00:15:5d:5c:e2:26
Tue Jun 6 13:50:12 2017 TUN/TAP device tun0 opened
Tue Jun 6 13:50:12 2017 TUN/TAP TX queue length set to 100
Tue Jun 6 13:50:12 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=1
Tue Jun 6 13:50:12 2017 /sbin/ip link set dev tun0 up mtu 1500
Tue Jun 6 13:50:12 2017 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Tue Jun 6 13:50:12 2017 /sbin/ip -6 addr add fc00::1/64 dev tun0
Tue Jun 6 13:50:12 2017 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Tue Jun 6 13:50:12 2017 Could not determine IPv4/IPv6 protocol. Using AF_INET
Tue Jun 6 13:50:12 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Jun 6 13:50:12 2017 UDPv4 link local (bound): [AF_INET][undef]:1194
Tue Jun 6 13:50:12 2017 UDPv4 link remote: [AF_UNSPEC]
Tue Jun 6 13:50:12 2017 MULTI: multi_init called, r=256 v=256
Tue Jun 6 13:50:12 2017 IFCONFIG POOL IPv6: (IPv4) size=62, size_ipv6=65536, netbits=64, base_ipv6=fc00::1000
Tue Jun 6 13:50:12 2017 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=1
Tue Jun 6 13:50:12 2017 ifconfig_pool_read(), in='client,10.8.0.4,fc00::1000', TODO: IPv6
Tue Jun 6 13:50:12 2017 succeeded -> ifconfig_pool_set()
Tue Jun 6 13:50:12 2017 IFCONFIG POOL LIST
Tue Jun 6 13:50:12 2017 client,10.8.0.4,fc00::1000
Tue Jun 6 13:50:12 2017 Initialization Sequence Completed
Tue Jun 6 13:50:27 2017 xxx.156.4.171:47818 TLS: Initial packet from [AF_INET]xxx.156.4.171:47818, sid=2d75243e 84c45377
Tue Jun 6 13:50:27 2017 xxx.156.4.171:47818 VERIFY OK: depth=1, C=CA, ST=BC, L=xxx, O=VPN, OU=SERVER, CN=VPN CA, name=EasyRSA, emailAddress=xxx@xxx.net
Tue Jun 6 13:50:27 2017 xxx.156.4.171:47818 VERIFY OK: depth=0, C=CA, ST=BC, L=xxx, O=VPN, OU=SERVER, CN=client, name=EasyRSA, emailAddress=xxx@xxx.net
Tue Jun 6 13:50:27 2017 xxx.156.4.171:47818 peer info: IV_VER=2.4.2
Tue Jun 6 13:50:27 2017 xxx.156.4.171:47818 peer info: IV_PLAT=win
Tue Jun 6 13:50:27 2017 xxx.156.4.171:47818 peer info: IV_PROTO=2
Tue Jun 6 13:50:27 2017 xxx.156.4.171:47818 peer info: IV_NCP=2
Tue Jun 6 13:50:27 2017 xxx.156.4.171:47818 peer info: IV_LZ4=1
Tue Jun 6 13:50:27 2017 xxx.156.4.171:47818 peer info: IV_LZ4v2=1
Tue Jun 6 13:50:27 2017 xxx.156.4.171:47818 peer info: IV_LZO=1
Tue Jun 6 13:50:27 2017 xxx.156.4.171:47818 peer info: IV_COMP_STUB=1
Tue Jun 6 13:50:27 2017 xxx.156.4.171:47818 peer info: IV_COMP_STUBv2=1
Tue Jun 6 13:50:27 2017 xxx.156.4.171:47818 peer info: IV_TCPNL=1
Tue Jun 6 13:50:27 2017 xxx.156.4.171:47818 peer info: IV_GUI_VER=OpenVPN_GUI_11
Tue Jun 6 13:50:27 2017 xxx.156.4.171:47818 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Tue Jun 6 13:50:27 2017 xxx.156.4.171:47818 [client] Peer Connection Initiated with [AF_INET]xxx.156.4.171:47818
Tue Jun 6 13:50:27 2017 client/xxx.156.4.171:47818 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=fc00::1000
Tue Jun 6 13:50:27 2017 client/xxx.156.4.171:47818 MULTI: Learn: 10.8.0.6 -> client/xxx.156.4.171:47818
Tue Jun 6 13:50:27 2017 client/xxx.156.4.171:47818 MULTI: primary virtual IP for client/xxx.156.4.171:47818: 10.8.0.6
Tue Jun 6 13:50:27 2017 client/xxx.156.4.171:47818 MULTI: Learn: fc00::1000 -> client/xxx.156.4.171:47818
Tue Jun 6 13:50:27 2017 client/xxx.156.4.171:47818 MULTI: primary virtual IPv6 for client/xxx.156.4.171:47818: fc00::1000
Tue Jun 6 13:50:28 2017 client/xxx.156.4.171:47818 PUSH: Received control message: 'PUSH_REQUEST'
Tue Jun 6 13:50:28 2017 client/xxx.156.4.171:47818 SENT CONTROL [client]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,redirect-gateway ipv6,dhcp-option DNS 8.8.8.8,dhcp-option DNS6 2001:4860:4860::8888,tun-ipv6,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig-ipv6 fc00::1000/64 fc00::1,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
Tue Jun 6 13:50:28 2017 client/xxx.156.4.171:47818 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jun 6 13:50:28 2017 client/xxx.156.4.171:47818 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jun 6 13:52:12 2017 event_wait : Interrupted system call (code=4)
Tue Jun 6 13:52:12 2017 /sbin/ip route del 10.8.0.0/24
Tue Jun 6 13:52:12 2017 Closing TUN/TAP interface
Tue Jun 6 13:52:12 2017 /sbin/ip addr del dev tun0 local 10.8.0.1 peer 10.8.0.2
Tue Jun 6 13:52:12 2017 /sbin/ip -6 addr del fc00::1/64 dev tun0
Tue Jun 6 13:52:12 2017 SIGTERM[hard,] received, process exiting
client log
Tue Jun 06 13:50:27 2017 OpenVPN 2.4.2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on May 11 2017
Tue Jun 06 13:50:27 2017 Windows version 6.2 (Windows 8 or greater) 64bit
Tue Jun 06 13:50:27 2017 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.10
Enter Management Password:
Tue Jun 06 13:50:27 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Tue Jun 06 13:50:27 2017 Need hold release from management interface, waiting...
Tue Jun 06 13:50:27 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Tue Jun 06 13:50:28 2017 MANAGEMENT: CMD 'state on'
Tue Jun 06 13:50:28 2017 MANAGEMENT: CMD 'log all on'
Tue Jun 06 13:50:28 2017 MANAGEMENT: CMD 'echo all on'
Tue Jun 06 13:50:28 2017 MANAGEMENT: CMD 'hold off'
Tue Jun 06 13:50:28 2017 MANAGEMENT: CMD 'hold release'
Tue Jun 06 13:50:28 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.20.118.8:1194
Tue Jun 06 13:50:28 2017 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Jun 06 13:50:28 2017 UDP link local: (not bound)
Tue Jun 06 13:50:28 2017 UDP link remote: [AF_INET]154.20.118.8:1194
Tue Jun 06 13:50:28 2017 MANAGEMENT: >STATE:1496782228,WAIT,,,,,,
Tue Jun 06 13:50:28 2017 MANAGEMENT: >STATE:1496782228,AUTH,,,,,,
Tue Jun 06 13:50:28 2017 TLS: Initial packet from [AF_INET]xxx.20.118.8:1194, sid=306be53c 15fbc3c2
Tue Jun 06 13:50:28 2017 VERIFY OK: depth=1, C=CA, ST=BC, L=xxx, O=VPN, OU=SERVER, CN=VPN CA, name=EasyRSA, emailAddress=xxx@xxx.net
Tue Jun 06 13:50:28 2017 VERIFY KU OK
Tue Jun 06 13:50:28 2017 Validating certificate extended key usage
Tue Jun 06 13:50:28 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Jun 06 13:50:28 2017 VERIFY EKU OK
Tue Jun 06 13:50:28 2017 VERIFY OK: depth=0, C=CA, ST=BC, L=xxx, O=VPN, OU=SERVER, CN=server, name=EasyRSA, emailAddress=xxx@xxx.net
Tue Jun 06 13:50:28 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Tue Jun 06 13:50:28 2017 [server] Peer Connection Initiated with [AF_INET]154.20.118.8:1194
Tue Jun 06 13:50:29 2017 MANAGEMENT: >STATE:1496782229,GET_CONFIG,,,,,,
Tue Jun 06 13:50:29 2017 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Jun 06 13:50:29 2017 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,redirect-gateway ipv6,dhcp-option DNS 8.8.8.8,dhcp-option DNS6 2001:4860:4860::8888,tun-ipv6,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig-ipv6 fc00::1000/64 fc00::1,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
Tue Jun 06 13:50:29 2017 Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
Tue Jun 06 13:50:29 2017 OPTIONS IMPORT: timers and/or timeouts modified
Tue Jun 06 13:50:29 2017 OPTIONS IMPORT: --ifconfig/up options modified
Tue Jun 06 13:50:29 2017 OPTIONS IMPORT: route options modified
Tue Jun 06 13:50:29 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Jun 06 13:50:29 2017 OPTIONS IMPORT: peer-id set
Tue Jun 06 13:50:29 2017 OPTIONS IMPORT: adjusting link_mtu to 1625
Tue Jun 06 13:50:29 2017 OPTIONS IMPORT: data channel crypto options modified
Tue Jun 06 13:50:29 2017 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jun 06 13:50:29 2017 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jun 06 13:50:29 2017 interactive service msg_channel=568
Tue Jun 06 13:50:29 2017 ROUTE_GATEWAY 10.28.92.10/255.255.255.0 I=3 HWADDR=00:15:5d:5c:e2:11
Tue Jun 06 13:50:29 2017 GDG6: remote_host_ipv6=n/a
Tue Jun 06 13:50:29 2017 GetBestInterfaceEx() returned if=3
Tue Jun 06 13:50:29 2017 GDG6: II=3 DP=::/0 NH=fe80::1:1
Tue Jun 06 13:50:29 2017 GDG6: Metric=256, Loopback=0, AA=1, I=0
Tue Jun 06 13:50:29 2017 ROUTE6_GATEWAY fe80::1:1 I=3
Tue Jun 06 13:50:29 2017 open_tun
Tue Jun 06 13:50:29 2017 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{01305A9F-1D02-4C48-B0E9-DF8A5D1B5E2B}.tap
Tue Jun 06 13:50:29 2017 TAP-Windows Driver Version 9.21
Tue Jun 06 13:50:29 2017 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {01305A9F-1D02-4C48-B0E9-DF8A5D1B5E2B} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Tue Jun 06 13:50:29 2017 Successful ARP Flush on interface [2] {01305A9F-1D02-4C48-B0E9-DF8A5D1B5E2B}
Tue Jun 06 13:50:29 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=1
Tue Jun 06 13:50:29 2017 MANAGEMENT: >STATE:1496782229,ASSIGN_IP,,10.8.0.6,,,,,fc00::1000
Tue Jun 06 13:50:30 2017 IPv6 dns servers set using service
Tue Jun 06 13:50:30 2017 add_route_ipv6(fc00::/64 -> fc00::1000 metric 0) dev Ethernet 2
Tue Jun 06 13:50:30 2017 IPv6 route addition via service succeeded
Tue Jun 06 13:50:35 2017 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Tue Jun 06 13:50:35 2017 C:\WINDOWS\system32\route.exe ADD 154.20.118.8 MASK 255.255.255.255 10.28.92.10
Tue Jun 06 13:50:35 2017 Route addition via service succeeded
Tue Jun 06 13:50:35 2017 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
Tue Jun 06 13:50:35 2017 Route addition via service succeeded
Tue Jun 06 13:50:35 2017 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
Tue Jun 06 13:50:35 2017 Route addition via service succeeded
Tue Jun 06 13:50:35 2017 MANAGEMENT: >STATE:1496782235,ADD_ROUTES,,,,,,
Tue Jun 06 13:50:35 2017 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Tue Jun 06 13:50:35 2017 Route addition via service succeeded
Tue Jun 06 13:50:35 2017 add_route_ipv6(::/3 -> fc00::1 metric -1) dev Ethernet 2
Tue Jun 06 13:50:35 2017 IPv6 route addition via service succeeded
Tue Jun 06 13:50:35 2017 add_route_ipv6(2000::/4 -> fc00::1 metric -1) dev Ethernet 2
Tue Jun 06 13:50:35 2017 IPv6 route addition via service succeeded
Tue Jun 06 13:50:35 2017 add_route_ipv6(3000::/4 -> fc00::1 metric -1) dev Ethernet 2
Tue Jun 06 13:50:35 2017 IPv6 route addition via service succeeded
Tue Jun 06 13:50:35 2017 add_route_ipv6(fc00::/7 -> fc00::1 metric -1) dev Ethernet 2
Tue Jun 06 13:50:35 2017 IPv6 route addition via service succeeded
Tue Jun 06 13:50:35 2017 Initialization Sequence Completed
Tue Jun 06 13:50:35 2017 MANAGEMENT: >STATE:1496782235,CONNECTED,SUCCESS,10.8.0.6,154.20.118.8,1194,,,fc00::1000
Tue Jun 06 13:52:03 2017 C:\WINDOWS\system32\route.exe DELETE 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Tue Jun 06 13:52:03 2017 Route deletion via service succeeded
Tue Jun 06 13:52:03 2017 C:\WINDOWS\system32\route.exe DELETE 154.20.118.8 MASK 255.255.255.255 10.28.92.10
Tue Jun 06 13:52:03 2017 Route deletion via service succeeded
Tue Jun 06 13:52:03 2017 C:\WINDOWS\system32\route.exe DELETE 0.0.0.0 MASK 128.0.0.0 10.8.0.5
Tue Jun 06 13:52:03 2017 Route deletion via service succeeded
Tue Jun 06 13:52:03 2017 C:\WINDOWS\system32\route.exe DELETE 128.0.0.0 MASK 128.0.0.0 10.8.0.5
Tue Jun 06 13:52:03 2017 Route deletion via service succeeded
Tue Jun 06 13:52:03 2017 delete_route_ipv6(::/3)
Tue Jun 06 13:52:03 2017 IPv6 route deletion via service succeeded
Tue Jun 06 13:52:03 2017 delete_route_ipv6(2000::/4)
Tue Jun 06 13:52:03 2017 IPv6 route deletion via service succeeded
Tue Jun 06 13:52:03 2017 delete_route_ipv6(3000::/4)
Tue Jun 06 13:52:03 2017 IPv6 route deletion via service succeeded
Tue Jun 06 13:52:03 2017 delete_route_ipv6(fc00::/7)
Tue Jun 06 13:52:03 2017 IPv6 route deletion via service succeeded
Tue Jun 06 13:52:03 2017 Closing TUN/TAP interface
Tue Jun 06 13:52:03 2017 IPv6 dns servers deleted using service
Tue Jun 06 13:52:03 2017 TAP: DHCP address released
Tue Jun 06 13:52:03 2017 SIGTERM[hard,] received, process exiting
Tue Jun 06 13:52:03 2017 MANAGEMENT: >STATE:1496782323,EXITING,SIGTERM,,,,,

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Requesting help with ubuntu 16.04 LTS OpenVPN 2.4 dual-stack server

Post by TinCanTech » Wed Jun 07, 2017 10:04 am


bimmerdriver
OpenVPN Power User
Posts: 54
Joined: Thu Sep 08, 2016 7:56 pm

Re: Requesting help with ubuntu 16.04 LTS OpenVPN 2.4 dual-stack server

Post by bimmerdriver » Wed Jun 07, 2017 6:21 pm

Yes, I have and if you have, you already know it doesn't explain how to configure the server to pass the ipv6 traffic from the tunnel to the network interface. There are countless examples of the configuration directives on the openvpn website and the internet. Some people are using ULA addresses (i.e., fc00::/7, which are used above) and some people are using the delegated prefix. I've tried both and in both cases, it's possible to establish communication between the client and the server. (I can only assume that the developers intended for the code to be used in a particular manner, but it's not clear.) However, in neither case have I seen the missing part, which is how to configure the server to pass the traffic, with one exception where I found a reference to using iptables for ipv4 traffic, which is https://community.openvpn.net/openvpn/w ... AndRouting. However, this appears to have been written a long time ago and it's only for ipv4, not ipv6. The openvpn documentation verbosely and exhaustively covers the multitude of directives for the configuration files, even for ipv6, but the last 10 feet of the train track are missing!

If someone can direct me to a working dual-stack configuration for a linux (or windows) server and a windows client that's based on ubuntu 16.04, windows 10 and openvpn 2.4, I would appreciate it. Since openvpn supports dual-stack configurations the developers must have tested such configurations. I am completely amazed that it apparently hasn't occurred to anyone to fully document a working configuration. Documentation would be useful for other developers for testing as well as for users.

If anyone reading this has a working dual-stack openvpn configuration, please explain how you configured the ipv6 addresses and how you configured the server to pass the ipv6 traffic.

Thank you.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Requesting help with ubuntu 16.04 LTS OpenVPN 2.4 dual-stack server

Post by TinCanTech » Wed Jun 07, 2017 6:48 pm

Have you enabled IP Forwarding for IPv6 ?

bimmerdriver
OpenVPN Power User
Posts: 54
Joined: Thu Sep 08, 2016 7:56 pm

Re: Requesting help with ubuntu 16.04 LTS OpenVPN 2.4 dual-stack server

Post by bimmerdriver » Wed Jun 07, 2017 9:00 pm

Here are the relevant lines from sysctl.conf:
net/ipv4/ip_forward=1
net/ipv6/conf/default/forwarding=1
net/ipv6/conf/all/forwarding=1

Even with ipv4 forwarding enabled, the server did not pass traffic until I added the lines in the original post to ufw. ufw is a front-end for iptables. The same lines could have been added directly via iptables. I presume lines are required for ipv6, but I haven't found an example.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Requesting help with ubuntu 16.04 LTS OpenVPN 2.4 dual-stack server

Post by TinCanTech » Thu Jun 08, 2017 8:51 am

bimmerdriver wrote:sysctl.conf:
net/ipv4/ip_forward=1
net/ipv6/conf/default/forwarding=1
net/ipv6/conf/all/forwarding=1
Should those slashes / be dots . ?

bimmerdriver
OpenVPN Power User
Posts: 54
Joined: Thu Sep 08, 2016 7:56 pm

Re: Requesting help with ubuntu 16.04 LTS OpenVPN 2.4 dual-stack server

Post by bimmerdriver » Thu Jun 08, 2017 4:50 pm

They are correct. The file is system generated.
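
The exchange above turns on whether the slash-separated keys are valid: sysctl(8) accepts "/" and "." interchangeably, so both spellings name the same key. The script below is an added example, not from the thread or from any OpenVPN or Ubuntu tool: it reads a sysctl.conf in either style, checks the three forwarding keys the poster listed, and flags one caveat the thread does not mention: once net.ipv6.conf.all.forwarding is 1, an interface with the default accept_ra=1 stops honouring router advertisements, so a server whose default IPv6 route came from pfSense's RAs can lose it when the route lifetime expires unless that interface has accept_ra=2. The uplink name eth0 is taken from the server log; the sample file at the bottom is constructed, not the poster's real /etc/sysctl.conf.

```shell
#!/bin/sh
# Added example: validate IPv4/IPv6 forwarding settings in a sysctl.conf,
# accepting either the slash or the dot key syntax. Nothing is applied.

# norm KEY -> KEY with every '/' turned into '.', the form sysctl -a prints
norm() { printf '%s\n' "$1" | tr '/' '.'; }

# conf_value FILE KEY -> value of the last non-comment "KEY = VALUE" line
# whose key equals KEY in either separator style; prints nothing if absent.
conf_value() {
    file="$1"; want="$(norm "$2")"; found=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*|';'*) continue ;; esac
        key="$(norm "${line%%=*}" | tr -d '[:space:]')"
        val="$(printf '%s' "${line#*=}" | tr -d '[:space:]')"
        if [ "$key" = "$want" ]; then found="$val"; fi
    done < "$file"
    printf '%s' "$found"
}

# check_forwarding FILE WAN_IF -> 0 when ip_forward and both IPv6 forwarding
# keys are 1 and WAN_IF has accept_ra=2; otherwise prints each problem and
# returns 1. accept_ra=1 (the default) only honours RAs while forwarding is
# off; 2 keeps accepting them with forwarding on, which a forwarding box
# that gets its default route from RAs needs.
check_forwarding() {
    file="$1"; wan="$2"; rc=0
    for k in net.ipv4.ip_forward \
             net.ipv6.conf.all.forwarding \
             net.ipv6.conf.default.forwarding; do
        if [ "$(conf_value "$file" "$k")" != "1" ]; then
            echo "MISSING: $k=1"; rc=1
        fi
    done
    if [ "$(conf_value "$file" "net.ipv6.conf.$wan.accept_ra")" != "2" ]; then
        echo "WARN: net.ipv6.conf.$wan.accept_ra=2 not set; with forwarding on,"
        echo "      $wan ignores router advertisements and can lose its default route"
        rc=1
    fi
    return $rc
}

# Demo on a constructed file in the thread's slash style (assumed content,
# not the poster's real sysctl.conf), uplink eth0 as in the server log.
tmp="$(mktemp)"
cat > "$tmp" <<'EOF'
# constructed sample
net/ipv4/ip_forward=1
net/ipv6/conf/default/forwarding=1
net/ipv6/conf/all/forwarding=1
EOF
check_forwarding "$tmp" eth0 || echo "fix the items above, then run: sysctl -p"
rm -f "$tmp"
```

Run it against the real file with the uplink name substituted; after editing, `sysctl -p` applies the file and `sysctl -n net.ipv6.conf.all.forwarding` confirms the live value.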

bimmerdriver
OpenVPN Power User
Posts: 54
Joined: Thu Sep 08, 2016 7:56 pm

Re: Requesting help with ubuntu 16.04 LTS OpenVPN 2.4 dual-stack server

Post by bimmerdriver » Thu Jun 08, 2017 5:16 pm

I changed server-ipv6 directive to use the delegated prefix. It made no difference. The client connected with the server, and I can ping the client and server from either end using ipv4 and ipv6. I can open a website using ipv4, but not using ipv6. This is exactly the same problem I was having using a windows 10 server. The ipv6 traffic is not being passed.

dimitris
OpenVpn Newbie
Posts: 2
Joined: Sat Jun 10, 2017 7:01 pm

Re: Requesting help with ubuntu 16.04 LTS OpenVPN 2.4 dual-stack server

Post by dimitris » Sat Jun 10, 2017 7:11 pm

bimmerdriver wrote:I presume lines are required for ipv6, but I haven't found an example.
I think you're correct. I had the same problem, albeit with a Fedora server, and using firewalld instead of ufw. It boiled down to the iptables issue from https://bugzilla.redhat.com/show_bug.cgi?id=1446880.

I think that similarly ufw may be taking care of your IPv4 forwarding on the outbound interface, perhaps as part of its support for masquerading, but it doesn't know/do anything about forwarding IPv6. Something like (interface and table will need adjustment):

ip6tables -A FORWARD_direct -o eth0 -m conntrack --ctstate NEW -j ACCEPT

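The FORWARD_direct chain in the rule above is firewalld's; under ufw the same idea is expressed with a `ufw route` rule, and the IPv4 MASQUERADE block from the first post has no IPv6 twin because before.rules is read by iptables only. The script below is an added example, not code from the thread, from OpenVPN or from ufw: it prints what the first post's ufw snippet leaves out for IPv6, for both prefix styles the poster tried. For a unique-local prefix such as the fc00::/64 in server.conf it emits a NAT66 block for /etc/ufw/before6.rules (ULA is not routed on the Internet, so without NAT66 replies never come back); for a global prefix it emits no NAT and instead reminds that pfSense must carry a static route for that /64 to the server's LAN address, which is why a "delegated prefix" alone made no difference. Assumed, not from the page: tunnel interface tun0, uplink eth0, and IPV6=yes in /etc/default/ufw so the route rule is installed in ip6tables too. The scoped route rule is preferred over setting DEFAULT_FORWARD_POLICY to ACCEPT, which would let the box forward between any pair of interfaces.

```shell
#!/bin/sh
# Added example: print the IPv6 side of an OpenVPN forwarding setup under
# ufw. Output is for review and pasting; nothing is applied here.

# is_ula PREFIX -> 0 when PREFIX lies inside fc00::/7 (RFC 4193 unique
# local), i.e. the first hextet is fc00-fdff. ULA space is not routed on
# the Internet, so a ULA tunnel prefix needs NAT66 on the uplink.
is_ula() {
    case "$1" in
        [fF][cCdD][0-9a-fA-F][0-9a-fA-F]:*) return 0 ;;
        *) return 1 ;;
    esac
}

# ufw_route_cmds TUN WAN -> the ufw command that opens FORWARD for
# tunnel->uplink only. ufw's before rules already accept RELATED,ESTABLISHED
# replies in the other direction, so DEFAULT_FORWARD_POLICY can stay DROP.
ufw_route_cmds() {
    printf 'ufw route allow in on %s out on %s\n' "$1" "$2"
}

# nat66_snippet PREFIX WAN -> *nat block for the top of /etc/ufw/before6.rules,
# same shape as the IPv4 block in before.rules; empty for a global prefix.
nat66_snippet() {
    if is_ula "$1"; then
        cat <<EOF
# START OPENVPN IPv6 NAT RULES
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $1 -o $2 -j MASQUERADE
COMMIT
# END OPENVPN IPv6 NAT RULES
EOF
    fi
}

# plan PREFIX TUN WAN -> the full checklist for one tunnel prefix
plan() {
    prefix="$1"; tun="$2"; wan="$3"
    echo "# 1. sysctl: net.ipv6.conf.all.forwarding=1 (and ip_forward=1 for IPv4)"
    echo "# 2. forward rule, installed for both families when IPV6=yes in /etc/default/ufw:"
    ufw_route_cmds "$tun" "$wan"
    if is_ula "$prefix"; then
        echo "# 3. $prefix is ULA: add this NAT66 block to /etc/ufw/before6.rules, then 'ufw reload':"
        nat66_snippet "$prefix" "$wan"
    else
        echo "# 3. $prefix is global: no NAT; the upstream router (pfSense here) needs a"
        echo "#    static route for $prefix via this server's LAN IPv6 address"
    fi
}

# Demo: the prefix from the thread's server.conf, then a documentation
# prefix standing in for a routed /64 (constructed, not the poster's).
plan fc00::/64 tun0 eth0
echo
plan 2001:db8:1234:5678::/64 tun0 eth0
```

After applying the output, `ping6` from a client to an outside address together with `ip6tables -t nat -L POSTROUTING -v` (ULA case) or `ip -6 route` on the router (global case) shows which half is still missing.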