IPv6 option resulting in MULTI:bad source address on V4

This forum is for admins who are looking to build or expand their OpenVPN setup.
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
npr
OpenVpn Newbie
Posts: 3
Joined: Tue Dec 07, 2021 3:50 pm

IPv6 option resulting in MULTI:bad source address on V4

Post by npr » Tue Dec 07, 2021 4:08 pm

So I've got a working openVPN site to site tunnel configuration, which uses subnet 10.0.32.0/30; a server at 10.0.32.1 and a client at 10.0.32.2.
I can do 'ping 10.0.32.2' from the machine at 10.0.32.1 and get replies, as well as route traffic across the VPN.

Next, I add these two lines to the config to also enable a V6 tunnel, using private ipv6 address space, which should work just like private v4 space, just be way bigger (fc00::/7):

Code: Select all

 server-ipv6 fd18:ac94:4732:ffff::20/123
 ifconfig-ipv6 fd18:ac94:4732:ffff::21 fd18:ac94:4732:ffff::22
Now I can no longer do a regular ping or route any v4 traffic over the tunnel. I can ping6 the v6 addresses, and route v6 traffic, however.
This is true for openVPN 2.5.2 talking to openVPN 2.5.2.
Interestingly: This does work for openVPN 2.5.2 talking to openVPN 2.4.9 (just the strangest thing, why would having different versions make compatibility better?!?).
Even more fascinating: Using:

Code: Select all

 server-ipv6 fd18:ac94:4732:ffff::20/126
 ifconfig-ipv6 fd18:ac94:4732:ffff::21 fd18:ac94:4732:ffff::22
appears to also break the 2.5.2 to 2.4.9 link.

With a default configuration, everything in the logs for the failing cases appears normal and working. Increasing the log level to 4 reveals a possible culprit (ip address and real hostname masked for example purposes):

Code: Select all

fw.consoso.com/1.2.3.4:49241 MULTI: bad source address from client [10.0.32.2], packet dropped 
The error messages that display roughly every second match the keepalive pings that are sent out by the client periodically to (re-) establish a connection if one side goes down/restarts. They don't make any sense whatsoever. 10.0.32.2 is the address of the interface, as an ifconfig will show:

Code: Select all

ovpns2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        description: VPN2CON
        options=80000<LINKSTATE>
        inet6 fe80::7285:c2ff:fec2:1e48%ovpns2 prefixlen 64 scopeid 0xc
        inet6 fd18:ac94:4732:ffff::21 prefixlen 123
        inet 10.0.32.1 --> 10.0.32.2 netmask 0xffffffff
        groups: tun openvpn
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        Opened by PID 19511
And in the working config, this looks like:

Code: Select all

 
 ovpns2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        description: VPN2CON
        options=80000<LINKSTATE>
        inet6 fe80::7285:c2ff:fec2:1e48%ovpns2 prefixlen 64 scopeid 0xc
        inet 10.0.32.1 --> 10.0.32.2 netmask 0xffffffff
        groups: tun openvpn
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        Opened by PID 77909

 
I'm stumped. Why? How does inet6 have any effect on v4 pings? Or have I uncovered some subtle bugs?

EDIT: Attaching logs:

While posting these logs I've noticed that, using version 2.4.9, the server appears to assume the network is a /64, ignoring my configuration. Is it the case that openVPN is buggy with any other network size?

I know for a fact that site to site VPN does not work for IPv4 if you take any network other than a /30, so a /126 seems like a logical choice for IPv6 (as it's also got two routable addresses in it). While the full network config is very complex, these VPNs should not be, they are just two machines both functioning as routers on a VPN, routing some private networks over the internet, not being able to reach eachother.

But, openVPN 2.5.2 will complain with the following message and refuse to start:

Code: Select all

Options error: --server-ipv6 settings: network must be between /64 and /124 (not /126) 
This already is strange, in fact, the internet standards body IETF allows via RFC 6164 using smaller prefixes for point to point networks. See https://datatracker.ietf.org/doc/html/rfc6164. I.e. this should work, but inexplicably openVPN won't allow it.

Thus, I choose a /123 instead, as it's the smallest network between a /64 and /124. I suspect there are some bugs in openVPN. IPv6 address space runs from a /0 to a /128, not /124, so it might not handle the final few bits of an IPv6 address internally correctly. If you pick a small network, then things might fail.

Logs below:
In these logs, the real IP addresses are changed to 1.2.3.4; and the domains are changed to the fictional contoso.com domain. Certificate CN/C/ST/L/O/OU data is masked to not reveal location information.

For the working configuration:

Client log, 2.5.2 talking to server version 2.4.9:

Code: Select all


openvpn --version 

OpenVPN 2.5.2 amd64-portbld-freebsd12.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jun 24 2021
library versions: OpenSSL 1.1.1k-freebsd  25 Mar 2021, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=yes enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=yes enable_strict_options=no enable_systemd=no enable_unit_tests=no enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no

tail -n 10000 /var/log/openvpn.log | grep 8028 | mask-private-data

openvpn[68028]: OpenVPN 2.5.2 amd64-portbld-freebsd12.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jun 24 2021
openvpn[68028]: library versions: OpenSSL 1.1.1k-freebsd  25 Mar 2021, LZO 2.10
openvpn[68063]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client6/sock
openvpn[68063]: WARNING: using --pull/--client and --ifconfig together is probably not what you want
openvpn[68063]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
openvpn[68063]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
openvpn[68063]: WARNING: experimental option --capath /var/etc/openvpn/client6/ca
openvpn[68063]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
openvpn[68063]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
openvpn[68063]: Control Channel MTU parms [ L:1621 D:1140 EF:110 EB:0 ET:0 EL:3 ]
openvpn[68063]: Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
openvpn[68063]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-client'
openvpn[68063]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-server'
openvpn[68063]: Output Traffic Shaping initialized at 6553600 bytes per second
openvpn[68063]: TCP/UDP: Preserving recently used remote address: [AF_INET]1.2.5.6:1197
openvpn[68063]: Socket Buffers: R=[42080->42080] S=[57344->57344]
openvpn[68063]: UDP link local (bound): [AF_INET][undef]:0
openvpn[68063]: UDP link remote: [AF_INET]1.2.5.6:1197
openvpn[68063]: TLS: Initial packet from [AF_INET]1.2.5.6:1197 (via [AF_INET]1.2.3.4%), sid=437fbffa f10140b7
openvpn[68063]: VERIFY WARNING: depth=0, unable to get certificate CRL: CN=<DATA EXPUNGED>
openvpn[68063]: VERIFY WARNING: depth=1, unable to get certificate CRL: CN=<DATA EXPUNGED>
openvpn[68063]: VERIFY OK: depth=1, CN=<DATA EXPUNGED>
openvpn[68063]: VERIFY OK: depth=0, CN=<DATA EXPUNGED>
openvpn[68063]: WARNING: 'ifconfig' is present in remote config but missing in local config, remote='ifconfig 10.0.32.14 10.0.32.13'
openvpn[68063]: Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA256
openvpn[68063]: [vpnsrv.contoso.com] Peer Connection Initiated with [AF_INET]1.2.5.6:1197 (via [AF_INET]1.2.3.4%)
openvpn[68063]: Key [AF_INET]1.2.5.6:1197 (via [AF_INET]1.2.3.4%) [0] not initialized (yet), dropping packet.
openvpn[68063]: Key [AF_INET]1.2.5.6:1197 (via [AF_INET]1.2.3.4%) [0] not initialized (yet), dropping packet.
openvpn[68063]: Key [AF_INET]1.2.5.6:1197 (via [AF_INET]1.2.3.4%) [0] not initialized (yet), dropping packet.
openvpn[68063]: Key [AF_INET]1.2.5.6:1197 (via [AF_INET]1.2.3.4%) [0] not initialized (yet), dropping packet.
openvpn[68063]: MANAGEMENT: Client connected from /var/etc/openvpn/client6/sock
openvpn[68063]: MANAGEMENT: CMD 'state 1'
openvpn[68063]: MANAGEMENT: Client disconnected
openvpn[68063]: Key [AF_INET]1.2.5.6:1197 (via [AF_INET]1.2.3.4%) [0] not initialized (yet), dropping packet.
openvpn[68063]: SENT CONTROL [vpnsrv.contoso.com]: 'PUSH_REQUEST' (status=1)
openvpn[68063]: PUSH: Received control message: 'PUSH_REPLY,route 192.168.5.0 255.255.255.0,route-ipv6 fc44:d4d6:091c:e409::0/64,peer-id 0'
openvpn[68063]: Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
openvpn[68063]: Options error: option 'route-ipv6' cannot be used in this context ([PUSH-OPTIONS])
openvpn[68063]: OPTIONS IMPORT: peer-id set
openvpn[68063]: OPTIONS IMPORT: adjusting link_mtu to 1624
openvpn[68063]: Using peer cipher 'AES-256-GCM'
openvpn[68063]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
openvpn[68063]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
openvpn[68063]: TUN/TAP device ovpnc6 exists previously, keep at program end
openvpn[68063]: TUN/TAP device /dev/tun6 opened
openvpn[68063]: do_ifconfig, ipv4=1, ipv6=1
openvpn[68063]: /sbin/ifconfig ovpnc6 10.0.32.14 10.0.32.13 mtu 1500 netmask 255.255.255.255 up
openvpn[68063]: /sbin/ifconfig ovpnc6 inet6 fd18:ac94:4732:ffff::62/64 mtu 1500 up
openvpn[68063]: /sbin/ifconfig ovpnc6 inet6 -ifdisabled
openvpn[68063]: /usr/local/sbin/ovpn-linkup ovpnc6 1500 1624 10.0.32.14 10.0.32.13 init
openvpn[68063]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
openvpn[68063]: Initialization Sequence Completed
Server log, using 2.4.9 talking with a 2.5.2 client:

The TLS errors here seem to be normal; it's the server waiting for the client to re-verify the TLS key. This happens after a minute or so, after which the messages stop and everything works.

Code: Select all

 
 
 openvpn --version
 
 OpenVPN 2.4.9 amd64-portbld-freebsd11.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on May  4 2020
library versions: OpenSSL 1.0.2u-freebsd  20 Dec 2019, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=yes enable_strict_options=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no

tail -n 10000 /var/log/openvpn.log | grep 8028 | mask-private-data
 
openvpn[8028]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/server3.sock
openvpn[8028]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
openvpn[8028]: Diffie-Hellman initialized with 2048 bit key
openvpn[8028]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
openvpn[8028]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
openvpn[8028]: Control Channel MTU parms [ L:1549 D:1140 EF:110 EB:0 ET:0 EL:3 ]
openvpn[8028]: ROUTE_GATEWAY 1.2.5.254/255.255.255.0 IFACE=bridge0 HWADDR=02:52:d0:74:d6:00
openvpn[8028]: GDG6: remote_host_ipv6=n/a
openvpn[8028]: ROUTE6_GATEWAY 2001:dead:beef:1234::1 IFACE=bridge0
openvpn[8028]: TUN/TAP device ovpns3 exists previously, keep at program end
openvpn[8028]: TUN/TAP device /dev/tun3 opened
openvpn[8028]: do_ifconfig, tt->did_ifconfig_ipv6_setup=1
openvpn[8028]: /sbin/ifconfig ovpns3 10.0.32.13 10.0.32.14 mtu 1500 netmask 255.255.255.255 up
openvpn[8028]: /sbin/ifconfig ovpns3 inet6 fd18:ac94:4732:ffff::61/64
openvpn[8028]: /usr/local/sbin/ovpn-linkup ovpns3 1500 1549 10.0.32.13 10.0.32.14 init
openvpn[8028]: /sbin/route add -net 10.16.4.0 10.0.32.14 255.255.255.0
openvpn[8028]: add_route_ipv6(fd18:ac94:4732:4::/64 -> fd18:ac94:4732:ffff::62 metric -1) dev ovpns3
openvpn[8028]: /sbin/route add -inet6 fd18:ac94:4732:4::/64 -iface ovpns3
openvpn[8028]: Data Channel MTU parms [ L:1549 D:1450 EF:49 EB:394 ET:0 EL:3 ]
openvpn[8028]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,tun-ipv6,ifconfig 10.0.32.14 10.0.32.13,keydir 0,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-server'
openvpn[8028]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,tun-ipv6,ifconfig 10.0.32.13 10.0.32.14,keydir 1,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-client'
openvpn[8028]: Could not determine IPv4/IPv6 protocol. Using AF_INET6
openvpn[8028]: Socket Buffers: R=[42080->42080] S=[57344->57344]
openvpn[8028]: setsockopt(IPV6_V6ONLY=0)
openvpn[8028]: UDPv6 link local (bound): [AF_INET6][undef]:1197
openvpn[8028]: UDPv6 link remote: [AF_UNSPEC]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: MANAGEMENT: Client connected from /var/etc/openvpn/server3.sock
openvpn[8028]: MANAGEMENT: CMD 'state 1'
openvpn[8028]: MANAGEMENT: Client disconnected
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: MANAGEMENT: Client connected from /var/etc/openvpn/server3.sock
openvpn[8028]: MANAGEMENT: CMD 'status 2'
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: MANAGEMENT: CMD 'quit'
openvpn[8028]: MANAGEMENT: Client disconnected
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS Error: local/remote TLS keys are out of sync: [AF_INET6]::ffff:1.2.3.4:18067 (via ::ffff:1.2.5.6%bridge0) [0]
openvpn[8028]: TLS: Initial packet from [AF_INET6]::ffff:1.2.3.4:32139 (via ::ffff:1.2.5.6%bridge0), sid=53e95508 ef95324c
openvpn[8028]: VERIFY SCRIPT OK: depth=1, <DATA EXPUNGED>
openvpn[8028]: VERIFY OK: depth=1, <DATA EXPUNGED>
openvpn[8028]: VERIFY SCRIPT OK: depth=0, <DATA EXPUNGED>
openvpn[8028]: VERIFY OK: depth=0, <DATA EXPUNGED>
openvpn[8028]: peer info: IV_VER=2.5.2
openvpn[8028]: peer info: IV_PLAT=freebsd
openvpn[8028]: peer info: IV_PROTO=6
openvpn[8028]: peer info: IV_CIPHERS=AES-256-GCM
openvpn[8028]: peer info: IV_LZ4=1
openvpn[8028]: peer info: IV_LZ4v2=1
openvpn[8028]: peer info: IV_LZO=1
openvpn[8028]: peer info: IV_COMP_STUB=1
openvpn[8028]: peer info: IV_COMP_STUBv2=1
openvpn[8028]: peer info: IV_TCPNL=1
openvpn[8028]: WARNING: 'ifconfig' is present in local config but missing in remote config, local='ifconfig 10.0.32.13 10.0.32.14'
openvpn[8028]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
openvpn[8028]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
openvpn[8028]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
openvpn[8028]: [remote.consoso.com] Peer Connection Initiated with [AF_INET6]::ffff:1.2.3.4:32139 (via ::ffff:1.2.5.6%bridge0)
openvpn[8028]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
openvpn[8028]: Initialization Sequence Completed
openvpn[8028]: PUSH: Received control message: 'PUSH_REQUEST'
openvpn[8028]: SENT CONTROL [remote.consoso.com]: 'PUSH_REPLY,route 192.168.5.0 255.255.255.0,route-ipv6 fc44:d4d6:091c:e409::0/64,peer-id 0' (status=1)
 
See two posts below for additional logs (too big to fit).
Last edited by npr on Wed Dec 08, 2021 9:59 am, edited 3 times in total.

User avatar
TinCanTech
Forum Team
Posts: 10196
Joined: Fri Jun 03, 2016 1:17 pm

Re: IPv6 option resulting in MULTI:bad source address on V4

Post by TinCanTech » Tue Dec 07, 2021 4:19 pm


npr
OpenVpn Newbie
Posts: 3
Joined: Tue Dec 07, 2021 3:50 pm

Re: IPv6 option resulting in MULTI:bad source address on V4

Post by npr » Wed Dec 08, 2021 9:55 am

Server log; version 2.5.2 talking to a 2.5.2 client:

Code: Select all


openvpn --version 

OpenVPN 2.5.2 amd64-portbld-freebsd12.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jun 24 2021
library versions: OpenSSL 1.1.1k-freebsd  25 Mar 2021, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=yes enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=yes enable_strict_options=no enable_systemd=no enable_unit_tests=no enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no

tail -n 10000 /var/log/openvpn.log | mask-private-data

openvpn[59484]: Current Parameter Settings:
openvpn[59484]:   config = '/var/etc/openvpn/server2/config.ovpn'
openvpn[59484]:   mode = 1
openvpn[59484]:   show_ciphers = DISABLED
openvpn[59484]:   show_digests = DISABLED
openvpn[59484]:   show_engines = DISABLED
openvpn[59484]:   genkey = DISABLED
openvpn[59484]:   genkey_filename = '[UNDEF]'
openvpn[59484]:   key_pass_file = '[UNDEF]'
openvpn[59484]:   show_tls_ciphers = DISABLED
openvpn[59484]:   connect_retry_max = 0
openvpn[59484]: Connection profiles [0]:
openvpn[59484]:   proto = udp
openvpn[59484]:   local = '[UNDEF]'
openvpn[59484]:   local_port = '1196'
openvpn[59484]:   remote = '[UNDEF]'
openvpn[59484]:   remote_port = '1194'
openvpn[59484]:   remote_float = ENABLED
openvpn[59484]:   bind_defined = DISABLED
openvpn[59484]:   bind_local = ENABLED
openvpn[59484]:   bind_ipv6_only = DISABLED
openvpn[59484]:   connect_retry_seconds = 5
openvpn[59484]:   connect_timeout = 120
openvpn[59484]:   socks_proxy_server = '[UNDEF]'
openvpn[59484]:   socks_proxy_port = '[UNDEF]'
openvpn[59484]:   tun_mtu = 1500
openvpn[59484]:   tun_mtu_defined = ENABLED
openvpn[59484]:   link_mtu = 1500
openvpn[59484]:   link_mtu_defined = DISABLED
openvpn[59484]:   tun_mtu_extra = 0
openvpn[59484]:   tun_mtu_extra_defined = DISABLED
openvpn[59484]:   mtu_discover_type = -1
openvpn[59484]:   fragment = 0
openvpn[59484]:   mssfix = 1450
openvpn[59484]:   explicit_exit_notification = 1
openvpn[59484]:   tls_auth_file = '[INLINE]'
openvpn[59484]:   key_direction = 0
openvpn[59484]:   tls_crypt_file = '[UNDEF]'
openvpn[59484]:   tls_crypt_v2_file = '[UNDEF]'
openvpn[59484]: Connection profiles END
openvpn[59484]:   remote_random = DISABLED
openvpn[59484]:   ipchange = '[UNDEF]'
openvpn[59484]:   dev = 'ovpns2'
openvpn[59484]:   dev_type = 'tun'
openvpn[59484]:   dev_node = '/dev/tun2'
openvpn[59484]:   lladdr = '[UNDEF]'
openvpn[59484]:   topology = 1
openvpn[59484]:   ifconfig_local = '10.0.32.1'
openvpn[59484]:   ifconfig_remote_netmask = '10.0.32.2'
openvpn[59484]:   ifconfig_noexec = DISABLED
openvpn[59484]:   ifconfig_nowarn = DISABLED
openvpn[59484]:   ifconfig_ipv6_local = 'fd18:ac94:4732:ffff::21'
openvpn[59484]:   ifconfig_ipv6_netbits = 123
openvpn[59484]:   ifconfig_ipv6_remote = 'fd18:ac94:4732:ffff::22'
openvpn[59484]:   shaper = 0
openvpn[59484]:   mtu_test = 0
openvpn[59484]:   mlock = DISABLED
openvpn[59484]:   keepalive_ping = 10
openvpn[59484]:   keepalive_timeout = 60
openvpn[59484]:   inactivity_timeout = 0
openvpn[59484]:   ping_send_timeout = 10
openvpn[59484]:   ping_rec_timeout = 120
openvpn[59484]:   ping_rec_timeout_action = 2
openvpn[59484]:   ping_timer_remote = ENABLED
openvpn[59484]:   remap_sigusr1 = 0
openvpn[59484]:   persist_tun = ENABLED
openvpn[59484]:   persist_local_ip = DISABLED
openvpn[59484]:   persist_remote_ip = ENABLED
openvpn[59484]:   persist_key = ENABLED
openvpn[59484]:   passtos = DISABLED
openvpn[59484]:   resolve_retry_seconds = 1000000000
openvpn[59484]:   resolve_in_advance = DISABLED
openvpn[59484]:   username = '[UNDEF]'
openvpn[59484]:   groupname = '[UNDEF]'
openvpn[59484]:   chroot_dir = '[UNDEF]'
openvpn[59484]:   cd_dir = '[UNDEF]'
openvpn[59484]:   writepid = '/var/run/openvpn_server2.pid'
openvpn[59484]:   up_script = '/usr/local/sbin/ovpn-linkup'
openvpn[59484]:   down_script = '/usr/local/sbin/ovpn-linkdown'
openvpn[59484]:   down_pre = DISABLED
openvpn[59484]:   up_restart = DISABLED
openvpn[59484]:   up_delay = DISABLED
openvpn[59484]:   daemon = ENABLED
openvpn[59484]:   inetd = 0
openvpn[59484]:   log = DISABLED
openvpn[59484]:   suppress_timestamps = DISABLED
openvpn[59484]:   machine_readable_output = DISABLED
openvpn[59484]:   nice = 0
openvpn[59484]:   verbosity = 4
openvpn[59484]:   mute = 0
openvpn[59484]:   gremlin = 0
openvpn[59484]:   status_file = '[UNDEF]'
openvpn[59484]:   status_file_version = 1
openvpn[59484]:   status_file_update_freq = 60
openvpn[59484]:   occ = ENABLED
openvpn[59484]:   rcvbuf = 0
openvpn[59484]:   sndbuf = 0
openvpn[59484]:   sockflags = 1
openvpn[59484]:   fast_io = DISABLED
openvpn[59484]:   comp.alg = 0
openvpn[59484]:   comp.flags = 0
openvpn[59484]:   route_script = '[UNDEF]'
openvpn[59484]:   route_default_gateway = '[UNDEF]'
openvpn[59484]:   route_default_metric = 0
openvpn[59484]:   route_noexec = DISABLED
openvpn[59484]:   route_delay = 0
openvpn[59484]:   route_delay_window = 30
openvpn[59484]:   route_delay_defined = DISABLED
openvpn[59484]:   route_nopull = DISABLED
openvpn[59484]:   route_gateway_via_dhcp = DISABLED
openvpn[59484]:   allow_pull_fqdn = DISABLED
openvpn[59484]:   route 10.16.2.0/255.255.255.0/default (not set)/default (not set)
openvpn[59484]:   management_addr = '/var/etc/openvpn/server2/sock'
openvpn[59484]:   management_port = 'unix'
openvpn[59484]:   management_user_pass = '[UNDEF]'
openvpn[59484]:   management_log_history_cache = 250
openvpn[59484]:   management_echo_buffer_size = 100
openvpn[59484]:   management_write_peer_info_file = '[UNDEF]'
openvpn[59484]:   management_client_user = '[UNDEF]'
openvpn[59484]:   management_client_group = '[UNDEF]'
openvpn[59484]:   management_flags = 256
openvpn[59484]:   shared_secret_file = '[UNDEF]'
openvpn[59484]:   key_direction = 0
openvpn[59484]:   ciphername = 'AES-256-GCM'
openvpn[59484]:   ncp_enabled = ENABLED
openvpn[59484]:   ncp_ciphers = 'AES-256-GCM'
openvpn[59484]:   authname = 'SHA512'
openvpn[59484]:   prng_hash = 'SHA1'
openvpn[59484]:   prng_nonce_secret_len = 16
openvpn[59484]:   keysize = 0
openvpn[59484]:   engine = DISABLED
openvpn[59484]:   replay = ENABLED
openvpn[59484]:   mute_replay_warnings = DISABLED
openvpn[59484]:   replay_window = 64
openvpn[59484]:   replay_time = 15
openvpn[59484]:   packet_id_file = '[UNDEF]'
openvpn[59484]:   test_crypto = DISABLED
openvpn[59484]:   tls_server = ENABLED
openvpn[59484]:   tls_client = DISABLED
openvpn[59484]:   ca_file = '[UNDEF]'
openvpn[59484]:   ca_path = '/var/etc/openvpn/server2/ca'
openvpn[59484]:   dh_file = '/etc/dh-parameters.2048'
openvpn[59484]:   cert_file = '/var/etc/openvpn/server2/cert'
openvpn[59484]:   extra_certs_file = '[UNDEF]'
openvpn[59484]:   priv_key_file = '/var/etc/openvpn/server2/key'
openvpn[59484]:   pkcs12_file = '[UNDEF]'
openvpn[59484]:   cipher_list = '[UNDEF]'
openvpn[59484]:   cipher_list_tls13 = '[UNDEF]'
openvpn[59484]:   tls_cert_profile = '[UNDEF]'
openvpn[59484]:   tls_verify = '/usr/local/sbin/ovpn_auth_verify tls 'vpn2srv.client.contoso.com' 1'
openvpn[59484]:   tls_export_cert = '[UNDEF]'
openvpn[59484]:   verify_x509_type = 0
openvpn[59484]:   verify_x509_name = '[UNDEF]'
openvpn[59484]:   crl_file = '[UNDEF]'
openvpn[59484]:   ns_cert_type = 0
openvpn[59484]:   remote_cert_ku[i] = 0
openvpn[59484]:   remote_cert_ku[i] = 0
openvpn[59484]:   remote_cert_ku[i] = 0
openvpn[59484]:   remote_cert_ku[i] = 0
openvpn[59484]:   remote_cert_ku[i] = 0
openvpn[59484]:   remote_cert_ku[i] = 0
openvpn[59484]:   remote_cert_ku[i] = 0
openvpn[59484]:   remote_cert_ku[i] = 0
openvpn[59484]:   remote_cert_ku[i] = 0
openvpn[59484]:   remote_cert_ku[i] = 0
openvpn[59484]:   remote_cert_ku[i] = 0
openvpn[59484]:   remote_cert_ku[i] = 0
openvpn[59484]:   remote_cert_ku[i] = 0
openvpn[59484]:   remote_cert_ku[i] = 0
openvpn[59484]:   remote_cert_ku[i] = 0
openvpn[59484]:   remote_cert_ku[i] = 0
openvpn[59484]:   remote_cert_eku = '[UNDEF]'
openvpn[59484]:   ssl_flags = 0
openvpn[59484]:   tls_timeout = 2
openvpn[59484]:   renegotiate_bytes = -1
openvpn[59484]:   renegotiate_packets = 0
openvpn[59484]:   renegotiate_seconds = 3600
openvpn[59484]:   handshake_window = 60
openvpn[59484]:   transition_window = 3600
openvpn[59484]:   single_session = DISABLED
openvpn[59484]:   push_peer_info = DISABLED
openvpn[59484]:   tls_exit = DISABLED
openvpn[59484]:   tls_crypt_v2_metadata = '[UNDEF]'
openvpn[59484]:   server_network = 0.0.0.0
openvpn[59484]:   server_netmask = 0.0.0.0
openvpn[59484]:   server_network_ipv6 = fd18:ac94:4732:ffff::20
openvpn[59484]:   server_netbits_ipv6 = 123
openvpn[59484]:   server_bridge_ip = 0.0.0.0
openvpn[59484]:   server_bridge_netmask = 0.0.0.0
openvpn[59484]:   server_bridge_pool_start = 0.0.0.0
openvpn[59484]:   server_bridge_pool_end = 0.0.0.0
openvpn[59484]:   push_entry = 'route 192.168.2.0 255.255.255.0'
openvpn[59484]:   push_entry = 'route 10.0.0.0 255.255.255.0'
openvpn[59484]:   push_entry = 'tun-ipv6'
openvpn[59484]:   push_entry = 'ping 10'
openvpn[59484]:   push_entry = 'ping-restart 60'
openvpn[59484]:   ifconfig_pool_defined = DISABLED
openvpn[59484]:   ifconfig_pool_start = 0.0.0.0
openvpn[59484]:   ifconfig_pool_end = 0.0.0.0
openvpn[59484]:   ifconfig_pool_netmask = 0.0.0.0
openvpn[59484]:   ifconfig_pool_persist_filename = '[UNDEF]'
openvpn[59484]:   ifconfig_pool_persist_refresh_freq = 600
openvpn[59484]:   ifconfig_ipv6_pool_defined = ENABLED
openvpn[59484]:   ifconfig_ipv6_pool_base = fd18:ac94:4732:ffff::22
openvpn[59484]:   ifconfig_ipv6_pool_netbits = 123
openvpn[59484]:   n_bcast_buf = 256
openvpn[59484]:   tcp_queue_limit = 64
openvpn[59484]:   real_hash_size = 256
openvpn[59484]:   virtual_hash_size = 256
openvpn[59484]:   client_connect_script = '[UNDEF]'
openvpn[59484]:   learn_address_script = '[UNDEF]'
openvpn[59484]:   client_disconnect_script = '[UNDEF]'
openvpn[59484]:   client_config_dir = '/var/etc/openvpn/server2/csc'
openvpn[59484]:   ccd_exclusive = DISABLED
openvpn[59484]:   tmp_dir = '/tmp'
openvpn[59484]:   push_ifconfig_defined = DISABLED
openvpn[59484]:   push_ifconfig_local = 0.0.0.0
openvpn[59484]:   push_ifconfig_remote_netmask = 0.0.0.0
openvpn[59484]:   push_ifconfig_ipv6_defined = DISABLED
openvpn[59484]:   push_ifconfig_ipv6_local = ::/0
openvpn[59484]:   push_ifconfig_ipv6_remote = ::
openvpn[59484]:   enable_c2c = DISABLED
openvpn[59484]:   duplicate_cn = DISABLED
openvpn[59484]:   cf_max = 0
openvpn[59484]:   cf_per = 0
openvpn[59484]:   max_clients = 4
openvpn[59484]:   max_routes_per_client = 256
openvpn[59484]:   auth_user_pass_verify_script = '[UNDEF]'
openvpn[59484]:   auth_user_pass_verify_script_via_file = DISABLED
openvpn[59484]:   auth_token_generate = DISABLED
openvpn[59484]:   auth_token_lifetime = 0
openvpn[59484]:   auth_token_secret_file = '[UNDEF]'
openvpn[59484]:   port_share_host = '[UNDEF]'
openvpn[59484]:   port_share_port = '[UNDEF]'
openvpn[59484]:   vlan_tagging = DISABLED
openvpn[59484]:   vlan_accept = all
openvpn[59484]:   vlan_pvid = 1
openvpn[59484]:   client = DISABLED
openvpn[59484]:   pull = DISABLED
openvpn[59484]:   auth_user_pass_file = '[UNDEF]'
openvpn[59484]: OpenVPN 2.5.2 amd64-portbld-freebsd12.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jun 24 2021
openvpn[59484]: library versions: OpenSSL 1.1.1k-freebsd  25 Mar 2021, LZO 2.10
openvpn[59673]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/server2/sock
openvpn[59673]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
openvpn[59673]: Diffie-Hellman initialized with 2048 bit key
openvpn[59673]: WARNING: experimental option --capath /var/etc/openvpn/server2/ca
openvpn[59673]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
openvpn[59673]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
openvpn[59673]: TLS-Auth MTU parms [ L:1621 D:1140 EF:110 EB:0 ET:0 EL:3 ]
openvpn[59673]: ROUTE_GATEWAY 159.100.104.241/255.255.255.252 IFACE=igb0 HWADDR=f4:ce:46:a8:b1:c0
openvpn[59673]: GDG6: remote_host_ipv6=n/a
openvpn[59673]: ROUTE6_GATEWAY fd18:ac94:4732:ffff::22 IFACE=ovpns2
openvpn[59673]: TUN/TAP device ovpns2 exists previously, keep at program end
openvpn[59673]: TUN/TAP device /dev/tun2 opened
openvpn[59673]: do_ifconfig, ipv4=1, ipv6=1
openvpn[59673]: /sbin/ifconfig ovpns2 10.0.32.1 10.0.32.2 mtu 1500 netmask 255.255.255.255 up
openvpn[59673]: /sbin/ifconfig ovpns2 inet6 fd18:ac94:4732:ffff::21/123 mtu 1500 up
openvpn[59673]: /sbin/ifconfig ovpns2 inet6 -ifdisabled
openvpn[59673]: /usr/local/sbin/ovpn-linkup ovpns2 1500 1621 10.0.32.1 10.0.32.2 init
openvpn[59673]: /sbin/route add -net 10.16.2.0 10.0.32.2 255.255.255.0
openvpn[59673]: add_route_ipv6(fd18:ac94:4732:2::/64 -> fd18:ac94:4732:ffff::22 metric -1) dev ovpns2
openvpn[59673]: /sbin/route add -inet6 fd18:ac94:4732:2::/64 -iface ovpns2
openvpn[59673]: Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
openvpn[59673]: Could not determine IPv4/IPv6 protocol. Using AF_INET6
openvpn[59673]: Socket Buffers: R=[42080->42080] S=[57344->57344]
openvpn[59673]: setsockopt(IPV6_V6ONLY=0)
openvpn[59673]: UDPv6 link local (bound): [AF_INET6][undef]:1196
openvpn[59673]: UDPv6 link remote: [AF_UNSPEC]
openvpn[59673]: MULTI: multi_init called, r=256 v=256
openvpn[59673]: IFCONFIG POOL IPv6: base=fd18:ac94:4732:ffff::22 size=30 netbits=123
openvpn[59673]: Initialization Sequence Completed
openvpn[59673]: MULTI: multi_create_instance called
openvpn[59673]: 1.2.3.4:8596 Re-using SSL/TLS context
openvpn[59673]: 1.2.3.4:8596 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
openvpn[59673]: 1.2.3.4:8596 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
openvpn[59673]: 1.2.3.4:8596 Control Channel MTU parms [ L:1621 D:1140 EF:110 EB:0 ET:0 EL:3 ]
openvpn[59673]: 1.2.3.4:8596 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
openvpn[59673]: 1.2.3.4:8596 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-server'
openvpn[59673]: 1.2.3.4:8596 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-client'
openvpn[59673]: 1.2.3.4:8596 TLS: Initial packet from [AF_INET6]::ffff:1.2.3.4:8596 (via ::ffff:1.2.5.6%igb0), sid=7bf78172 99d89713
openvpn[59673]: 1.2.3.4:8596 VERIFY WARNING: depth=0, unable to get certificate CRL: <DATA EXPUNGED>
openvpn[59673]: 1.2.3.4:8596 VERIFY WARNING: depth=1, unable to get certificate CRL: <DATA EXPUNGED>
openvpn[59673]: 1.2.3.4:8596 VERIFY SCRIPT OK: depth=1, <DATA EXPUNGED>
openvpn[59673]: 1.2.3.4:8596 VERIFY OK: depth=1, <DATA EXPUNGED>
openvpn[59673]: 1.2.3.4:8596 VERIFY SCRIPT OK: depth=0, <DATA EXPUNGED>
openvpn[59673]: 1.2.3.4:8596 VERIFY OK: depth=0, <DATA EXPUNGED>
openvpn[59673]: 1.2.3.4:8596 peer info: IV_VER=2.5.2
openvpn[59673]: 1.2.3.4:8596 peer info: IV_PLAT=freebsd
openvpn[59673]: 1.2.3.4:8596 peer info: IV_PROTO=6
openvpn[59673]: 1.2.3.4:8596 peer info: IV_CIPHERS=AES-256-GCM
openvpn[59673]: 1.2.3.4:8596 peer info: IV_LZ4=1
openvpn[59673]: 1.2.3.4:8596 peer info: IV_LZ4v2=1
openvpn[59673]: 1.2.3.4:8596 peer info: IV_LZO=1
openvpn[59673]: 1.2.3.4:8596 peer info: IV_COMP_STUB=1
openvpn[59673]: 1.2.3.4:8596 peer info: IV_COMP_STUBv2=1
openvpn[59673]: 1.2.3.4:8596 peer info: IV_TCPNL=1
openvpn[59673]: 1.2.3.4:8596 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA256
openvpn[59673]: 1.2.3.4:8596 [fw.client.contoso.com] Peer Connection Initiated with [AF_INET6]::ffff:1.2.3.4:8596 (via ::ffff:1.2.5.6%igb0)
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI_sva: pool returned IPv4=(Not enabled), IPv6=fd18:ac94:4732:ffff::22
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: no dynamic or static remote--ifconfig address is available for fw.client.contoso.com/1.2.3.4:8596
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: Learn: fd18:ac94:4732:ffff::22 -> fw.client.contoso.com/1.2.3.4:8596
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: primary virtual IPv6 for fw.client.contoso.com/1.2.3.4:8596: fd18:ac94:4732:ffff::22
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 SENT CONTROL [fw.client.contoso.com]: 'PUSH_REPLY,route 192.168.2.0 255.255.255.0,route 10.0.0.0 255.255.255.0,tun-ipv6,ping 10,ping-restart 60,ifconfig-ipv6 fd18:ac94:4732:ffff::22/123 fd18:ac94:4732:ffff::21,peer-id 0,cipher AES-256-GCM' (status=1)
openvpn[59673]: MANAGEMENT: Client connected from /var/etc/openvpn/server2/sock
openvpn[59673]: MANAGEMENT: CMD 'state 1'
openvpn[59673]: MANAGEMENT: CMD 'status 2'
openvpn[59673]: MANAGEMENT: Client disconnected
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [::], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [::], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [::], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [::], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [::], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: MANAGEMENT: Client connected from /var/etc/openvpn/server2/sock
openvpn[59673]: MANAGEMENT: CMD 'state 1'
openvpn[59673]: MANAGEMENT: CMD 'status 2'
openvpn[59673]: MANAGEMENT: Client disconnected
openvpn[59673]: MANAGEMENT: Client connected from /var/etc/openvpn/server2/sock
openvpn[59673]: MANAGEMENT: CMD 'state 1'
openvpn[59673]: MANAGEMENT: CMD 'status 2'
openvpn[59673]: MANAGEMENT: Client disconnected
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: MANAGEMENT: Client connected from /var/etc/openvpn/server2/sock
openvpn[59673]: MANAGEMENT: CMD 'state 1'
openvpn[59673]: MANAGEMENT: CMD 'status 2'
openvpn[59673]: MANAGEMENT: Client disconnected
openvpn[59673]: MANAGEMENT: Client connected from /var/etc/openvpn/server2/sock
openvpn[59673]: MANAGEMENT: CMD 'state 1'
openvpn[59673]: MANAGEMENT: CMD 'status 2'
openvpn[59673]: MANAGEMENT: Client disconnected
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: MANAGEMENT: Client connected from /var/etc/openvpn/server2/sock
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: MANAGEMENT: CMD 'status 2'
openvpn[59673]: MANAGEMENT: CMD 'quit'
openvpn[59673]: MANAGEMENT: Client disconnected
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
openvpn[59673]: fw.client.contoso.com/1.2.3.4:8596 MULTI: bad source address from client [10.0.32.2], packet dropped
Client log, 2.5.2 talking to a 2.5.2 server:

Code: Select all


openvpn --version | mask-private-data

OpenVPN 2.5.2 amd64-portbld-freebsd12.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jun 24 2021
library versions: OpenSSL 1.1.1k-freebsd  25 Mar 2021, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=yes enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=yes enable_strict_options=no enable_systemd=no enable_unit_tests=no enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no

tail -n 10000 /var/log/openvpn.log | grep 1332| mask-private-data

openvpn[1332]: Current Parameter Settings:
openvpn[1332]:   config = '/var/etc/openvpn/client1/config.ovpn'
openvpn[1332]:   mode = 0
openvpn[1332]:   show_ciphers = DISABLED
openvpn[1332]:   show_digests = DISABLED
openvpn[1332]:   show_engines = DISABLED
openvpn[1332]:   genkey = DISABLED
openvpn[1332]:   genkey_filename = '[UNDEF]'
openvpn[1332]:   key_pass_file = '[UNDEF]'
openvpn[1332]:   show_tls_ciphers = DISABLED
openvpn[1332]:   connect_retry_max = 0
openvpn[1332]: Connection profiles [0]:
openvpn[1332]:   proto = udp
openvpn[1332]:   local = '[UNDEF]'
openvpn[1332]:   local_port = '0'
openvpn[1332]:   remote = '1.2.5.6'
openvpn[1332]:   remote_port = '1196'
openvpn[1332]:   remote_float = DISABLED
openvpn[1332]:   bind_defined = DISABLED
openvpn[1332]:   bind_local = ENABLED
openvpn[1332]:   bind_ipv6_only = DISABLED
openvpn[1332]:   connect_retry_seconds = 5
openvpn[1332]:   connect_timeout = 120
openvpn[1332]:   socks_proxy_server = '[UNDEF]'
openvpn[1332]:   socks_proxy_port = '[UNDEF]'
openvpn[1332]:   tun_mtu = 1500
openvpn[1332]:   tun_mtu_defined = ENABLED
openvpn[1332]:   link_mtu = 1500
openvpn[1332]:   link_mtu_defined = DISABLED
openvpn[1332]:   tun_mtu_extra = 0
openvpn[1332]:   tun_mtu_extra_defined = DISABLED
openvpn[1332]:   mtu_discover_type = -1
openvpn[1332]:   fragment = 0
openvpn[1332]:   mssfix = 1450
openvpn[1332]:   explicit_exit_notification = 0
openvpn[1332]:   tls_auth_file = '[INLINE]'
openvpn[1332]:   key_direction = 1
openvpn[1332]:   tls_crypt_file = '[UNDEF]'
openvpn[1332]:   tls_crypt_v2_file = '[UNDEF]'
openvpn[1332]: Connection profiles END
openvpn[1332]:   remote_random = DISABLED
openvpn[1332]:   ipchange = '[UNDEF]'
openvpn[1332]:   dev = 'ovpnc1'
openvpn[1332]:   dev_type = 'tun'
openvpn[1332]:   dev_node = '/dev/tun1'
openvpn[1332]:   lladdr = '[UNDEF]'
openvpn[1332]:   topology = 1
openvpn[1332]:   ifconfig_local = '10.0.32.2'
openvpn[1332]:   ifconfig_remote_netmask = '10.0.32.1'
openvpn[1332]:   ifconfig_noexec = DISABLED
openvpn[1332]:   ifconfig_nowarn = DISABLED
openvpn[1332]:   ifconfig_ipv6_local = 'fd18:ac94:4732:ffff::22'
openvpn[1332]:   ifconfig_ipv6_netbits = 64
openvpn[1332]:   ifconfig_ipv6_remote = 'fd18:ac94:4732:ffff::21'
openvpn[1332]:   shaper = 6553600
openvpn[1332]:   mtu_test = 0
openvpn[1332]:   mlock = DISABLED
openvpn[1332]:   keepalive_ping = 10
openvpn[1332]:   keepalive_timeout = 60
openvpn[1332]:   inactivity_timeout = 0
openvpn[1332]:   ping_send_timeout = 10
openvpn[1332]:   ping_rec_timeout = 60
openvpn[1332]:   ping_rec_timeout_action = 2
openvpn[1332]:   ping_timer_remote = ENABLED
openvpn[1332]:   remap_sigusr1 = 0
openvpn[1332]:   persist_tun = ENABLED
openvpn[1332]:   persist_local_ip = DISABLED
openvpn[1332]:   persist_remote_ip = DISABLED
openvpn[1332]:   persist_key = ENABLED
openvpn[1332]:   passtos = DISABLED
openvpn[1332]:   resolve_retry_seconds = 1000000000
openvpn[1332]:   resolve_in_advance = DISABLED
openvpn[1332]:   username = '[UNDEF]'
openvpn[1332]:   groupname = '[UNDEF]'
openvpn[1332]:   chroot_dir = '[UNDEF]'
openvpn[1332]:   cd_dir = '[UNDEF]'
openvpn[1332]:   writepid = '/var/run/openvpn_client1.pid'
openvpn[1332]:   up_script = '/usr/local/sbin/ovpn-linkup'
openvpn[1332]:   down_script = '/usr/local/sbin/ovpn-linkdown'
openvpn[1332]:   down_pre = DISABLED
openvpn[1332]:   up_restart = DISABLED
openvpn[1332]:   up_delay = DISABLED
openvpn[1332]:   daemon = ENABLED
openvpn[1332]:   inetd = 0
openvpn[1332]:   log = DISABLED
openvpn[1332]:   suppress_timestamps = DISABLED
openvpn[1332]:   machine_readable_output = DISABLED
openvpn[1332]:   nice = 0
openvpn[1332]:   verbosity = 4
openvpn[1332]:   mute = 0
openvpn[1332]:   gremlin = 0
openvpn[1332]:   status_file = '[UNDEF]'
openvpn[1332]:   status_file_version = 1
openvpn[1332]:   status_file_update_freq = 60
openvpn[1332]:   occ = ENABLED
openvpn[1332]:   rcvbuf = 0
openvpn[1332]:   sndbuf = 0
openvpn[1332]:   sockflags = 1
openvpn[1332]:   fast_io = DISABLED
openvpn[1332]:   comp.alg = 0
openvpn[1332]:   comp.flags = 0
openvpn[1332]:   route_script = '[UNDEF]'
openvpn[1332]:   route_default_gateway = '[UNDEF]'
openvpn[1332]:   route_default_metric = 0
openvpn[1332]:   route_noexec = DISABLED
openvpn[1332]:   route_delay = 0
openvpn[1332]:   route_delay_window = 30
openvpn[1332]:   route_delay_defined = DISABLED
openvpn[1332]:   route_nopull = ENABLED
openvpn[1332]:   route_gateway_via_dhcp = DISABLED
openvpn[1332]:   allow_pull_fqdn = DISABLED
openvpn[1332]:   management_addr = '/var/etc/openvpn/client1/sock'
openvpn[1332]:   management_port = 'unix'
openvpn[1332]:   management_user_pass = '[UNDEF]'
openvpn[1332]:   management_log_history_cache = 250
openvpn[1332]:   management_echo_buffer_size = 100
openvpn[1332]:   management_write_peer_info_file = '[UNDEF]'
openvpn[1332]:   management_client_user = '[UNDEF]'
openvpn[1332]:   management_client_group = '[UNDEF]'
openvpn[1332]:   management_flags = 256
openvpn[1332]:   shared_secret_file = '[UNDEF]'
openvpn[1332]:   key_direction = 1
openvpn[1332]:   ciphername = 'AES-256-GCM'
openvpn[1332]:   ncp_enabled = ENABLED
openvpn[1332]:   ncp_ciphers = 'AES-256-GCM'
openvpn[1332]:   authname = 'SHA512'
openvpn[1332]:   prng_hash = 'SHA1'
openvpn[1332]:   prng_nonce_secret_len = 16
openvpn[1332]:   keysize = 0
openvpn[1332]:   engine = DISABLED
openvpn[1332]:   replay = ENABLED
openvpn[1332]:   mute_replay_warnings = DISABLED
openvpn[1332]:   replay_window = 64
openvpn[1332]:   replay_time = 15
openvpn[1332]:   packet_id_file = '[UNDEF]'
openvpn[1332]:   test_crypto = DISABLED
openvpn[1332]:   tls_server = DISABLED
openvpn[1332]:   tls_client = ENABLED
openvpn[1332]:   ca_file = '[UNDEF]'
openvpn[1332]:   ca_path = '/var/etc/openvpn/client1/ca'
openvpn[1332]:   dh_file = '[UNDEF]'
openvpn[1332]:   cert_file = '/var/etc/openvpn/client1/cert'
openvpn[1332]:   extra_certs_file = '[UNDEF]'
openvpn[1332]:   priv_key_file = '/var/etc/openvpn/client1/key'
openvpn[1332]:   pkcs12_file = '[UNDEF]'
openvpn[1332]:   cipher_list = '[UNDEF]'
openvpn[1332]:   cipher_list_tls13 = '[UNDEF]'
openvpn[1332]:   tls_cert_profile = '[UNDEF]'
openvpn[1332]:   tls_verify = '[UNDEF]'
openvpn[1332]:   tls_export_cert = '[UNDEF]'
openvpn[1332]:   verify_x509_type = 0
openvpn[1332]:   verify_x509_name = '[UNDEF]'
openvpn[1332]:   crl_file = '[UNDEF]'
openvpn[1332]:   ns_cert_type = 0
openvpn[1332]:   remote_cert_ku[i] = 0
openvpn[1332]:   remote_cert_ku[i] = 0
openvpn[1332]:   remote_cert_ku[i] = 0
openvpn[1332]:   remote_cert_ku[i] = 0
openvpn[1332]:   remote_cert_ku[i] = 0
openvpn[1332]:   remote_cert_ku[i] = 0
openvpn[1332]:   remote_cert_ku[i] = 0
openvpn[1332]:   remote_cert_ku[i] = 0
openvpn[1332]:   remote_cert_ku[i] = 0
openvpn[1332]:   remote_cert_ku[i] = 0
openvpn[1332]:   remote_cert_ku[i] = 0
openvpn[1332]:   remote_cert_ku[i] = 0
openvpn[1332]:   remote_cert_ku[i] = 0
openvpn[1332]:   remote_cert_ku[i] = 0
openvpn[1332]:   remote_cert_ku[i] = 0
openvpn[1332]:   remote_cert_ku[i] = 0
openvpn[1332]:   remote_cert_eku = '[UNDEF]'
openvpn[1332]:   ssl_flags = 0
openvpn[1332]:   tls_timeout = 2
openvpn[1332]:   renegotiate_bytes = -1
openvpn[1332]:   renegotiate_packets = 0
openvpn[1332]:   renegotiate_seconds = 3600
openvpn[1332]:   handshake_window = 60
openvpn[1332]:   transition_window = 3600
openvpn[1332]:   single_session = DISABLED
openvpn[1332]:   push_peer_info = DISABLED
openvpn[1332]:   tls_exit = DISABLED
openvpn[1332]:   tls_crypt_v2_metadata = '[UNDEF]'
openvpn[1332]:   server_network = 0.0.0.0
openvpn[1332]:   server_netmask = 0.0.0.0
openvpn[1332]:   server_network_ipv6 = ::
openvpn[1332]:   server_netbits_ipv6 = 0
openvpn[1332]:   server_bridge_ip = 0.0.0.0
openvpn[1332]:   server_bridge_netmask = 0.0.0.0
openvpn[1332]:   server_bridge_pool_start = 0.0.0.0
openvpn[1332]:   server_bridge_pool_end = 0.0.0.0
openvpn[1332]:   ifconfig_pool_defined = DISABLED
openvpn[1332]:   ifconfig_pool_start = 0.0.0.0
openvpn[1332]:   ifconfig_pool_end = 0.0.0.0
openvpn[1332]:   ifconfig_pool_netmask = 0.0.0.0
openvpn[1332]:   ifconfig_pool_persist_filename = '[UNDEF]'
openvpn[1332]:   ifconfig_pool_persist_refresh_freq = 600
openvpn[1332]:   ifconfig_ipv6_pool_defined = DISABLED
openvpn[1332]:   ifconfig_ipv6_pool_base = ::
openvpn[1332]:   ifconfig_ipv6_pool_netbits = 0
openvpn[1332]:   n_bcast_buf = 256
openvpn[1332]:   tcp_queue_limit = 64
openvpn[1332]:   real_hash_size = 256
openvpn[1332]:   virtual_hash_size = 256
openvpn[1332]:   client_connect_script = '[UNDEF]'
openvpn[1332]:   learn_address_script = '[UNDEF]'
openvpn[1332]:   client_disconnect_script = '[UNDEF]'
openvpn[1332]:   client_config_dir = '[UNDEF]'
openvpn[1332]:   ccd_exclusive = DISABLED
openvpn[1332]:   tmp_dir = '/tmp'
openvpn[1332]:   push_ifconfig_defined = DISABLED
openvpn[1332]:   push_ifconfig_local = 0.0.0.0
openvpn[1332]:   push_ifconfig_remote_netmask = 0.0.0.0
openvpn[1332]:   push_ifconfig_ipv6_defined = DISABLED
openvpn[1332]:   push_ifconfig_ipv6_local = ::/0
openvpn[1332]:   push_ifconfig_ipv6_remote = ::
openvpn[1332]:   enable_c2c = DISABLED
openvpn[1332]:   duplicate_cn = DISABLED
openvpn[1332]:   cf_max = 0
openvpn[1332]:   cf_per = 0
openvpn[1332]:   max_clients = 1024
openvpn[1332]:   max_routes_per_client = 256
openvpn[1332]:   auth_user_pass_verify_script = '[UNDEF]'
openvpn[1332]:   auth_user_pass_verify_script_via_file = DISABLED
openvpn[1332]:   auth_token_generate = DISABLED
openvpn[1332]:   auth_token_lifetime = 0
openvpn[1332]:   auth_token_secret_file = '[UNDEF]'
openvpn[1332]:   port_share_host = '[UNDEF]'
openvpn[1332]:   port_share_port = '[UNDEF]'
openvpn[1332]:   vlan_tagging = DISABLED
openvpn[1332]:   vlan_accept = all
openvpn[1332]:   vlan_pvid = 1
openvpn[1332]:   client = ENABLED
openvpn[1332]:   pull = ENABLED
openvpn[1332]:   auth_user_pass_file = '[UNDEF]'
openvpn[1332]: OpenVPN 2.5.2 amd64-portbld-freebsd12.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jun 24 2021

tail -n 10000 /var/log/openvpn.log | grep 1458 | mask-private-data

openvpn[1458]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1/sock
openvpn[1458]: WARNING: using --pull/--client and --ifconfig together is probably not what you want
openvpn[1458]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
openvpn[1458]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
openvpn[1458]: WARNING: experimental option --capath /var/etc/openvpn/client1/ca
openvpn[1458]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
openvpn[1458]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
openvpn[1458]: Control Channel MTU parms [ L:1621 D:1140 EF:110 EB:0 ET:0 EL:3 ]
openvpn[1458]: Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
openvpn[1458]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-client'
openvpn[1458]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-server'
openvpn[1458]: Output Traffic Shaping initialized at 6553600 bytes per second
openvpn[1458]: TCP/UDP: Preserving recently used remote address: [AF_INET]1.2.5.6:1196
openvpn[1458]: Socket Buffers: R=[42080->42080] S=[57344->57344]
openvpn[1458]: UDP link local (bound): [AF_INET][undef]:0
openvpn[1458]: UDP link remote: [AF_INET]1.2.5.6:1196
openvpn[1458]: TLS: Initial packet from [AF_INET]1.2.5.6:1196 (via [AF_INET]1.2.3.4%), sid=85461626 7c25a8f3
openvpn[1458]: VERIFY WARNING: depth=0, unable to get certificate CRL: <DATA EXPUNGED>
openvpn[1458]: VERIFY WARNING: depth=1, unable to get certificate CRL: <DATA EXPUNGED>
openvpn[1458]: VERIFY OK: depth=1, <DATA EXPUNGED>
openvpn[1458]: VERIFY OK: depth=0, <DATA EXPUNGED>
openvpn[1458]: MANAGEMENT: Client connected from /var/etc/openvpn/client1/sock
openvpn[1458]: MANAGEMENT: CMD 'state 1'
openvpn[1458]: MANAGEMENT: Client disconnected
openvpn[1458]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA256
openvpn[1458]: [vpn2srv.client.contoso.com] Peer Connection Initiated with [AF_INET]1.2.5.6:1196 (via [AF_INET]1.2.3.4%)
openvpn[1458]: PUSH: Received control message: 'PUSH_REPLY,route 192.168.2.0 255.255.255.0,route 10.0.0.0 255.255.255.0,tun-ipv6,ping 10,ping-restart 60,ifconfig-ipv6 fd18:ac94:4732:ffff::22/123 fd18:ac94:4732:ffff::21,peer-id 0,cipher AES-256-GCM'
openvpn[1458]: Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
openvpn[1458]: Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
openvpn[1458]: OPTIONS IMPORT: timers and/or timeouts modified
openvpn[1458]: OPTIONS IMPORT: --ifconfig/up options modified
openvpn[1458]: OPTIONS IMPORT: peer-id set
openvpn[1458]: OPTIONS IMPORT: adjusting link_mtu to 1624
openvpn[1458]: OPTIONS IMPORT: data channel crypto options modified
openvpn[1458]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
openvpn[1458]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
openvpn[1458]: TUN/TAP device ovpnc1 exists previously, keep at program end
openvpn[1458]: TUN/TAP device /dev/tun1 opened
openvpn[1458]: do_ifconfig, ipv4=1, ipv6=1
openvpn[1458]: /sbin/ifconfig ovpnc1 10.0.32.2 10.0.32.1 mtu 1500 netmask 255.255.255.255 up
openvpn[1458]: /sbin/ifconfig ovpnc1 inet6 fd18:ac94:4732:ffff::22/123 mtu 1500 up
openvpn[1458]: /sbin/ifconfig ovpnc1 inet6 -ifdisabled
openvpn[1458]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1624 10.0.32.2 10.0.32.1 init
openvpn[1458]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
openvpn[1458]: Initialization Sequence Completed
openvpn[1458]: MANAGEMENT: Client connected from /var/etc/openvpn/client1/sock
openvpn[1458]: MANAGEMENT: CMD 'state 1'
openvpn[1458]: MANAGEMENT: CMD 'status 2'
openvpn[1458]: MANAGEMENT: Client disconnected

npr
OpenVpn Newbie
Posts: 3
Joined: Tue Dec 07, 2021 3:50 pm

Re: IPv6 option resulting in MULTI:bad source address on V4

Post by npr » Wed Dec 08, 2021 10:15 am

The next thing I've tried, is using a 2.5.2 to 2.5.2 connection using an explicit /64 IPv6 network. This does not function as well.

The logs are as above, with this changed:

Code: Select all

openvpn[82285]:   ifconfig_ipv6_pool_defined = ENABLED
openvpn[82285]:   ifconfig_ipv6_pool_base = fd18:ac94:4732:f000::1000
openvpn[82285]:   ifconfig_ipv6_pool_netbits = 64
Example configuration file for a not working connection:
To change/fiddle with IPv6 point to point I modify the two options ifconfig-ipv6 and server-ipv6. The former containing the client, then server ip (and vice versa on the server), the latter containing the range to pick from. It's explained in https://community.openvpn.net/openvpn/wiki/IPv6.

(server):

server

dev ovpns2
verb 4
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
auth SHA512
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
multihome
tls-server
server-ipv6 fd18:ac94:4732:ffff::60/123
client-config-dir /var/etc/openvpn/server2/csc
ifconfig 10.0.32.1 10.0.32.2
ifconfig-ipv6 fd18:ac94:4732:ffff::61 fd18:ac94:4732:ffff::62
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'vpn2con.contoso.com' 1"
lport 1196
management /var/etc/openvpn/server2/sock unix
max-clients 4
push "route 192.168.2.0 255.255.255.0"
push "route 10.0.0.0 255.255.255.0"
route 10.16.2.0 255.255.255.0
route-ipv6 fd18:ac94:4732:0002::0/64
capath /var/etc/openvpn/server2/ca
cert /var/etc/openvpn/server2/cert
key /var/etc/openvpn/server2/key
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server2/tls-auth 0
data-ciphers AES-256-GCM
data-ciphers-fallback AES-256-GCM
allow-compression asym
persist-remote-ip
float
explicit-exit-notify 1



(client):

client

dev ovpnc1
verb 4
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
auth SHA512
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
multihome
tls-client
client
lport 0
management /var/etc/openvpn/client1/sock unix
remote 1.2.5.6 1196 udp
shaper 6553600
ifconfig 10.0.32.2 10.0.32.1
ifconfig-ipv6 fd18:ac94:4732:ffff::62 fd18:ac94:4732:ffff::61
capath /var/etc/openvpn/client1/ca
cert /var/etc/openvpn/client1/cert
key /var/etc/openvpn/client1/key
tls-auth /var/etc/openvpn/client1/tls-auth 1
data-ciphers AES-256-GCM
data-ciphers-fallback AES-256-GCM
allow-compression asym
resolv-retry infinite
route-nopull


I found the particular patch that changed opvnVPNs handling of IPv6 ranges at https://www.mail-archive.com/openvpn-de ... 19948.html. Seems like it's just a mistake and '124' should be '128' here (file: options.c, line (current github version) 5705.

Code: Select all


            if (netbits < 64 || netbits > 124)
            {
                msg( msglevel, "ifconfig-ipv6: /netbits must be between 64 and 124, not '/%d'", netbits );
                goto err;
            }


User avatar
TinCanTech
Forum Team
Posts: 10196
Joined: Fri Jun 03, 2016 1:17 pm

Re: IPv6 option resulting in MULTI:bad source address on V4

Post by TinCanTech » Wed Dec 08, 2021 2:48 pm

Your use of --ifconfig is moot .. so remove them.

You may also like to check --topology in the manual.

You are using --topology net30 .. which is highly discouraged, in favour of --topology subnet.

Post Reply