socket_error for IPv6 connections

Official client software for OpenVPN Access Server and OpenVPN Cloud.
Post Reply
foobar0815
OpenVpn Newbie
Posts: 5
Joined: Wed Dec 08, 2021 5:20 pm

socket_error for IPv6 connections

Post by foobar0815 » Wed Dec 08, 2021 5:29 pm

Hi,

using OpenVPN connect, I cannot connect to a VPN server using IPv6. If I use OpenVPN GUI v11.25.0.0 from the Version 2.5.4 community package, the very same profile works.

I tried different protocol options (tcp, tcp6, udp, udp6) with the same error:

Transport Error: socket_protect error

This currently only affects OpenVPN Connect for Windows in versions 3.3.2 and 3.3.3 (no older versions tested). Using the current Android build connects fine.

If I use the IPv4 address of the server (or the hostname resolving to both, IPv4 and IPv6), OpenVPN Connect succeeds.

I can reproduce this on all Windows 10 and 11 machines I tried. Disabling Windows Defender or running OpenVPN Connect as Administrator does not help.

Server config:

Code: Select all

cd /etc/openvpn
dev tun0
proto tcp6
port 1194
mode server

max-clients 10
topology subnet

verb 2
log /tmp/openvpn-tcp.log
mute-replay-warnings
mute 10
status /tmp/openvpn-tcp.status 20

management /tmp/openvpn-management-tcp unix

ca ...
cert ...
key ...
crl-verify ...

tls-server
tls-version-min         1.2
tls-auth tls-auth.key 0
verify-client-cert require
remote-cert-tls client
dh /etc/openvpn/dh1024.pem

auth    SHA256
cipher  AES-256-GCM

tls-verify scripts/tls-verify.sh
duplicate-cn
script-security 2

keepalive 10 60
ping-timer-rem
user nobody
group nogroup
persist-tun
persist-key
Profile:

Code: Select all

remote <my-ipv6-address> 1194 udp6
ping 10
ping-exit 60
verb 3
dev tun
persist-tun
persist-key
client
tls-client
key-direction 1
remote-cert-tls server
nobind
resolv-retry 60
cipher AES-256-GCM
auth SHA256
pull
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----

</tls-auth>
OpenVPN Connect Log

Code: Select all

[Dec 8, 2021, 15:14:58] OpenVPN core 3.git::d3f8b18b win x86_64 64-bit built on Nov 12 2021 10:45:12
[Dec 8, 2021, 15:14:58] Frame=512/2048/512 mssfix-ctrl=1250
[Dec 8, 2021, 15:14:58] UNUSED OPTIONS
3 [ping-exit] [60]
4 [verb] [3]
6 [persist-tun]
7 [persist-key]
9 [tls-client]
12 [nobind]
13 [resolv-retry] [60]
16 [pull]
[Dec 8, 2021, 15:14:58] EVENT: RESOLVE [Dec 8, 2021, 15:14:58] Contacting [<my-ipv6-address>]:1194 via UDP
[Dec 8, 2021, 15:14:58] EVENT: WAIT [Dec 8, 2021, 15:14:58] WinCommandAgent: transmitting bypass route to <my-ipv6-address>
{
	"host" : "<my-ipv6-address>",
	"ipv6" : true
}

[Dec 8, 2021, 15:14:58] Transport Error: socket_protect error (UDP)
[Dec 8, 2021, 15:14:58] Client terminated, restarting in 2000 ms...
[Dec 8, 2021, 15:15:00] EVENT: RECONNECTING [Dec 8, 2021, 15:15:00] EVENT: RESOLVE [Dec 8, 2021, 15:15:00] Contacting [<my-ipv6-address>]:1194 via UDP
[Dec 8, 2021, 15:15:00] EVENT: WAIT [Dec 8, 2021, 15:15:00] WinCommandAgent: transmitting bypass route to <my-ipv6-address>
{
	"host" : "<my-ipv6-address>",
	"ipv6" : true
}
OpenVPN-GUI Log

Code: Select all

2021-12-08 15:20:23 OpenVPN 2.5.4 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 20 2021
2021-12-08 15:20:23 Windows version 10.0 (Windows 10 or greater) 64bit
2021-12-08 15:20:23 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10
2021-12-08 15:20:23 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
2021-12-08 15:20:23 Need hold release from management interface, waiting...
2021-12-08 15:20:23 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
2021-12-08 15:20:24 MANAGEMENT: CMD 'state on'
2021-12-08 15:20:24 MANAGEMENT: CMD 'log all on'
2021-12-08 15:20:24 MANAGEMENT: CMD 'echo all on'
2021-12-08 15:20:24 MANAGEMENT: CMD 'bytecount 5'
2021-12-08 15:20:24 MANAGEMENT: CMD 'hold off'
2021-12-08 15:20:24 MANAGEMENT: CMD 'hold release'
2021-12-08 15:20:26 MANAGEMENT: CMD 'password [...]'
2021-12-08 15:20:26 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2021-12-08 15:20:26 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-12-08 15:20:26 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-12-08 15:20:26 TCP/UDP: Preserving recently used remote address: [AF_INET6]<my-ipv6-address>:1194
2021-12-08 15:20:26 Socket Buffers: R=[65536->65536] S=[65536->65536]
2021-12-08 15:20:26 UDPv6 link local: (not bound)
2021-12-08 15:20:26 UDPv6 link remote: [AF_INET6]<my-ipv6-address>:1194
2021-12-08 15:20:26 MANAGEMENT: >STATE:1638973226,WAIT,,,,,,
2021-12-08 15:20:26 MANAGEMENT: >STATE:1638973226,AUTH,,,,,,
2021-12-08 15:20:26 TLS: Initial packet from [AF_INET6]<my-ipv6-address>:1194, sid=f62b7e15 1a339e58
2021-12-08 15:20:28 VERIFY OK: depth=1, CN=Root CA, OU=Client, O=ORG, C=DE
2021-12-08 15:20:28 VERIFY KU OK
2021-12-08 15:20:28 Validating certificate extended key usage
2021-12-08 15:20:28 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2021-12-08 15:20:28 VERIFY EKU OK
2021-12-08 15:20:28 VERIFY OK: depth=0, C=DE, O=ORG, OU=Server Certificate, CN=vpn
2021-12-08 15:20:28 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA256
2021-12-08 15:20:28 [vpn] Peer Connection Initiated with [AF_INET6]<my-ipv6-address>:1194
2021-12-08 15:20:28 PUSH: Received control message: 'PUSH_REPLY,route 192.168.177.0 255.255.255.0,dhcp-option DNS 192.168.177.1,route 192.168.1.0 255.255.255.0,dhcp-option DNS 192.168.1.1,tun-ipv6,route-gateway 10.23.2.1,topology subnet,ping 10,ping-restart 60,ifconfig-ipv6 fd60:dc0:ffee:600d:2::1000/64 fd60:dc0:ffee:600d:2::1,ifconfig 10.23.2.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
2021-12-08 15:20:28 OPTIONS IMPORT: timers and/or timeouts modified
2021-12-08 15:20:28 OPTIONS IMPORT: --ifconfig/up options modified
2021-12-08 15:20:28 OPTIONS IMPORT: route options modified
2021-12-08 15:20:28 OPTIONS IMPORT: route-related options modified
2021-12-08 15:20:28 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2021-12-08 15:20:28 OPTIONS IMPORT: peer-id set
2021-12-08 15:20:28 OPTIONS IMPORT: adjusting link_mtu to 1624
2021-12-08 15:20:28 OPTIONS IMPORT: data channel crypto options modified
2021-12-08 15:20:28 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-12-08 15:20:28 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-12-08 15:20:28 interactive service msg_channel=580
2021-12-08 15:20:28 open_tun
2021-12-08 15:20:28 tap-windows6 device [OpenVPN TAP-Windows6] opened
2021-12-08 15:20:28 TAP-Windows Driver Version 9.24 
2021-12-08 15:20:28 Set TAP-Windows TUN subnet mode network/local/netmask = 10.23.2.0/10.23.2.2/255.255.255.0 [SUCCEEDED]
2021-12-08 15:20:28 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.23.2.2/255.255.255.0 on interface {31424D54-3974-4700-93FA-2AE2C7E7B10C} [DHCP-serv: 10.23.2.254, lease-time: 31536000]
2021-12-08 15:20:28 Successful ARP Flush on interface [18] {31424D54-3974-4700-93FA-2AE2C7E7B10C}
2021-12-08 15:20:28 MANAGEMENT: >STATE:1638973228,ASSIGN_IP,,10.23.2.2,,,,,fd60:dc0:ffee:600d:2::1000
2021-12-08 15:20:28 IPv4 MTU set to 1500 on interface 18 using service
2021-12-08 15:20:28 INET6 address service: add fd60:dc0:ffee:600d:2::1000/128
2021-12-08 15:20:28 add_route_ipv6(fd60:dc0:ffee:600d::/64 -> fd60:dc0:ffee:600d:2::1000 metric 0) dev OpenVPN TAP-Windows6
2021-12-08 15:20:28 IPv6 route addition via service succeeded
2021-12-08 15:20:28 IPv6 MTU set to 1500 on interface 18 using service
2021-12-08 15:20:31 Closing TUN/TAP interface
2021-12-08 15:20:31 delete_route_ipv6(fd60:dc0:ffee:600d::/64)
2021-12-08 15:20:31 IPv6 route deletion via service succeeded
2021-12-08 15:20:31 INET6 address service: remove fd60:dc0:ffee:600d:2::1000/128
2021-12-08 15:20:31 TAP: DHCP address released
2021-12-08 15:20:31 SIGTERM[hard,] received, process exiting
2021-12-08 15:20:31 MANAGEMENT: >STATE:1638973231,EXITING,SIGTERM,,,,,

Any ideas? Did not find much about that error.

Thank you!

User avatar
TinCanTech
Forum Team
Posts: 10275
Joined: Fri Jun 03, 2016 1:17 pm

Re: socket_error for IPv6 connections

Post by TinCanTech » Wed Dec 08, 2021 8:37 pm

See your server log for problems.

inverse137
OpenVpn Newbie
Posts: 1
Joined: Thu Dec 09, 2021 2:33 am

Re: socket_error for IPv6 connections

Post by inverse137 » Thu Dec 09, 2021 2:37 am

@TinCanTEch

I know you've convinced yourself that you are assisting people...but you're kind of an idiot and not a SINGLE OF THE 20 posts of yours I read offered ANYTHING that pointed anyone in remotely the right direction. You posting is WORSE than you never signing onto this board again

We have flagged this board as useless and blocked it at our corporate firewall

Nice work dumbass

you are a waste of time, bro

STOP! Just stop.

Dumb people annoy me.

User avatar
TinCanTech
Forum Team
Posts: 10275
Joined: Fri Jun 03, 2016 1:17 pm

Re: socket_error for IPv6 connections

Post by TinCanTech » Thu Dec 09, 2021 3:11 am

inverse137 wrote:
Thu Dec 09, 2021 2:37 am
Dumb people annoy me
You must be some fun to live with ..


If you have an issue with me then you can take it here:
viewtopic.php?f=1&t=33408

User avatar
TinCanTech
Forum Team
Posts: 10275
Joined: Fri Jun 03, 2016 1:17 pm

Re: socket_error for IPv6 connections

Post by TinCanTech » Thu Dec 09, 2021 3:13 am

@ foobar0815

Your server log will show you any connection problems.

foobar0815
OpenVpn Newbie
Posts: 5
Joined: Wed Dec 08, 2021 5:20 pm

Re: socket_error for IPv6 connections

Post by foobar0815 » Mon Dec 13, 2021 5:21 pm

Hi,
TinCanTech wrote:
Thu Dec 09, 2021 3:13 am
Your server log will show you any connection problems.
I would be glad but OpenVPN Connect does not open a connection at all so nothing to see on the server.

I did the following:

Use OpenVPN Connect (Version listed above), loaded a profile, disabled IPv6 on the network interface. Everything works fine - connection is established. This is also visible in wireshark.

Enabled IPv6 on the network interface - socket_errors and nothing in wireshark.

ping to the resolve IPv6 address works, so basically ip and route is correct.

It may be a Windows issue but maybe you have any hints which Windows logs might exist/help.

User avatar
TinCanTech
Forum Team
Posts: 10275
Joined: Fri Jun 03, 2016 1:17 pm

Re: socket_error for IPv6 connections

Post by TinCanTech » Mon Dec 13, 2021 6:00 pm

I think you need to report it here: https://myaccount.openvpn.com/product-select

foobar0815
OpenVpn Newbie
Posts: 5
Joined: Wed Dec 08, 2021 5:20 pm

Re: socket_error for IPv6 connections

Post by foobar0815 » Tue Dec 14, 2021 8:27 am

I tried that before but got
"Unfortunately, this is a support channel for the commercial OpenVPN Access Server or Cloud, we don't provide support for the community version here." as a reply.

Will try it again.

Maybe someone can confirm that IPv6-only connections on Windows using OpenVPN Connect 3 work for them?

User avatar
TinCanTech
Forum Team
Posts: 10275
Joined: Fri Jun 03, 2016 1:17 pm

Re: socket_error for IPv6 connections

Post by TinCanTech » Tue Dec 14, 2021 2:32 pm

What you state is untrue..

Either you are using the Community Edition, which you are not.

Or you are using the commercial product Openvpn-Connect, which you are.

Please concentrate, it is hard enough to help people as it is, let alone when you don't have a clue what you're doing ...

foobar0815
OpenVpn Newbie
Posts: 5
Joined: Wed Dec 08, 2021 5:20 pm

Re: socket_error for IPv6 connections

Post by foobar0815 » Tue Dec 14, 2021 2:52 pm

I am using the Community Edition of the OpenVPN server as on https://openvpn.net/community-downloads/
I do not require support for that since everything works with the Community Edition of the Client.

I am using the OpenVPN Connect (Windows) from https://openvpn.net/vpn-client, so I chose this board not only by accident but because it is called "OpenVPN Inc. enterprise business solutions OpenVPN Connect (Windows)".

This all is already stated in the first post, so please enlighten me of the untrueness and lack of concentration you assume.

User avatar
TinCanTech
Forum Team
Posts: 10275
Joined: Fri Jun 03, 2016 1:17 pm

Re: socket_error for IPv6 connections

Post by TinCanTech » Tue Dec 14, 2021 3:26 pm

It makes no difference what you are using for your server, the problem is the client and it is Connect not community.

foobar0815
OpenVpn Newbie
Posts: 5
Joined: Wed Dec 08, 2021 5:20 pm

Re: socket_error for IPv6 connections

Post by foobar0815 » Tue Dec 14, 2021 6:37 pm

And it is Connect board not community.

I still hope for someone to give me a hint into the right direction.

Post Reply