Some explanation about the IPs and such.
2001:aaaa:bbbb:1::/64 = Subnet of my provider.
2001:aaaa:bbbb:1:10:1:1::/112 = Subnet I want to use for my OpenVPN clients (reachable for the world).
Furthermore, I have 2 tunnel configs. One for UDP and the other for TCP, which is routed via my iptables config to use port 443 and share it with Apache. The UDP tunnel is what I use to test IPv6 + IPv4. The TCP tunnel is only IPv4 at the moment.
I use OpenVPN 2.4.0-6+deb9u2 on Raspbian 9 (Stretch) which is installed on a Raspberry Pi 3B+.
My TCP (IPv4 only) server config.
Code:
local 10.1.0.1
port 1194
port-share 127.0.0.1 443
proto tcp
dev tun
ca server/example.com/pki/ca.crt
cert server/example.com/pki/issued/vpn.example.com.crt
key server/example.com/pki/private/vpn.example.com.key
dh server/example.com/dh.pem
tls-auth server/example.com/ta.key 0
crl-verify server/example.com/pki/crl.pem
server 10.1.1.0 255.255.255.0
push "route 10.1.0.0 255.255.255.0"
client-config-dir server/example.com/ccd
ccd-exclusive
topology subnet
learn-address /usr/local/sbin/learn-address.sh
script-security 2
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.1.0.1"
push "dhcp-option DOMAIN home.lan"
push "dhcp-option DOMAIN home.vpn"
keepalive 10 30
remote-cert-tls client
auth SHA256
cipher AES-128-GCM
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
tls-version-min 1.2 or-highest
comp-lzo no
push "comp-lzo no"
user openvpn
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3
sndbuf 0
rcvbuf 0
push "sndbuf 0"
push "rcvbuf 0"
Code:
local 10.1.0.1
#local 2001:aaaa:bbbb:1:10:1:0:1
port 1194
proto udp
#proto udp6
dev tun
ca server/example.com/pki/ca.crt
cert server/example.com/pki/issued/vpn.example.com.crt
key server/example.com/pki/private/vpn.example.com.key
dh server/example.com/dh.pem
tls-auth server/example.com/ta.key 0
crl-verify server/example.com/pki/crl.pem
server 10.1.1.0 255.255.255.0
server-ipv6 2001:aaaa:bbbb:1:10:1:1::/112
push "route 10.1.0.0 255.255.255.0"
push "route-ipv6 2001:aaaa:bbbb:1::/64"
push "route-ipv6 2000::/3"
client-config-dir server/example.com/ccd
ccd-exclusive
topology subnet
learn-address /usr/local/sbin/learn-address.sh
script-security 2
push "redirect-gateway def1 bypass-dhcp"
#push "redirect-gateway ipv6"
push "dhcp-option DNS 10.1.0.1"
push "dhcp-option DOMAIN home.lan"
push "dhcp-option DOMAIN home.vpn"
keepalive 10 30
remote-cert-tls client
auth SHA256
cipher AES-128-GCM
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
tls-version-min 1.2 or-highest
comp-lzo no
push "comp-lzo no"
user openvpn
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 5
sndbuf 0
rcvbuf 0
push "sndbuf 0"
push "rcvbuf 0"
Code:
ifconfig-push 10.1.1.3 255.255.255.0
ifconfig-ipv6-push 2001:aaaa:bbbb:1:10:1:1:3/112 2001:aaaa:bbbb:1:10:1:1:1
Code:
source-directory /etc/network/interfaces.d
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 10.1.0.1
netmask 255.255.255.0
gateway 10.1.0.10
dns-nameservers 10.1.0.1 10.1.0.10
dns-search home.lan home.vpn
iface eth0 inet6 static
address 2001:aaaa:bbbb:1:10:1:0:1
netmask 64
gateway fe80::7eff:aaaa:bbbb:cccc
accept_ra 1
privext 2
Code:
#kernel.domainname = example.com
#kernel.printk = 3 4 1 3
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_syncookies=1
net.ipv4.ip_forward=1
#net.ipv6.conf.all.forwarding=1
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
#net.ipv4.conf.all.send_redirects = 0
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
#kernel.sysrq=1
#fs.protected_hardlinks=0
#fs.protected_symlinks=0
net.ipv4.tcp_rfc1337 = 1
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.proxy_ndp=1
My phone gets the IPv4 and IPv6 IPs, but connectivity is only possible with IPv4. I don't see any ip6tables drops or accepts for that matter (not in INPUT or FORWARD). The client and server can't ping each other.
These are the blogs/manuals I consulted.
https://community.openvpn.net/openvpn/wiki/IPv6
https://blog.apnic.net/2017/06/09/using-openvpn-ipv6/
https://cuzimageek.wordpress.com/2016/0 ... -and-ipv6/
https://feeding.cloud.geek.nz/posts/ipv ... on-linode/
https://techblog.synagila.com/2016/02/2 ... over-ipv4/
https://blog.kmp.or.at/ipv6-enabled-openvpn/
https://tomsalmon.eu/2013/04/openvpn-ip ... un-device/
https://blog.angenieux.info/linux/serve ... -sans-ndp/
viewtopic.php?t=21051
https://www.bjoerns-techblog.de/2017/07 ... -und-ipv6/
My guess is that I'm missing a routing option. Here is a relevant snippet of my openvpn.log.
Code:
rWRwRwRwRwRSat Aug 4 13:48:51 2018 us=319238 intrepid.home.vpn/62.251.111.222:44356 MULTI: bad source address from client [10.1.0.13], packet dropped
RwRSat Aug 4 13:48:52 2018 us=640405 intrepid.home.vpn/62.251.111.222:44356 MULTI: bad source address from client [2001:aaa:bbbb:1:10:1:1:3], packet dropped
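An added diagnostic for the log lines above (editor's example, not the poster's code and not part of OpenVPN): OpenVPN reports "MULTI: bad source address" when a packet arrives from a client whose source address the server has not associated with that client, i.e. its ifconfig-push / ifconfig-ipv6-push address or an iroute / iroute-ipv6 network from its ccd file. The script parses the posted ccd entry and the two posted log lines (plus one constructed line for the assigned address) and classifies each drop against those addresses and the server's tunnel pools; note that, as posted, the log's 2001:aaa: address does not fall inside the configured 2001:aaaa: prefix, so it classifies as foreign.

```python
import ipaddress
import re

# Constructed sample input: the post's ccd entry and log excerpt (poster's anonymised
# addresses), plus a third, hypothetical log line for the address the ccd assigns.
CCD = """ifconfig-push 10.1.1.3 255.255.255.0
ifconfig-ipv6-push 2001:aaaa:bbbb:1:10:1:1:3/112 2001:aaaa:bbbb:1:10:1:1:1
"""
LOG = """rWRwRSat Aug 4 13:48:51 2018 us=319238 intrepid.home.vpn/62.251.111.222:44356 MULTI: bad source address from client [10.1.0.13], packet dropped
RwRSat Aug 4 13:48:52 2018 us=640405 intrepid.home.vpn/62.251.111.222:44356 MULTI: bad source address from client [2001:aaa:bbbb:1:10:1:1:3], packet dropped
Sat Aug 4 13:49:00 2018 us=1 intrepid.home.vpn/62.251.111.222:44356 MULTI: bad source address from client [2001:aaaa:bbbb:1:10:1:1:3], packet dropped
"""
# Tunnel pools from the UDP server config (server / server-ipv6).
SERVER_NETS = [ipaddress.ip_network("10.1.1.0/24"),
               ipaddress.ip_network("2001:aaaa:bbbb:1:10:1:1::/112")]
BAD_SRC = re.compile(r"(\S+)/(\S+):(\d+) MULTI: bad source address from client \[([^\]]+)\]")

def allowed_sources(ccd_text):
    """Addresses OpenVPN ties to this client: pushed tunnel addresses plus iroute nets."""
    allowed = []
    for line in ccd_text.splitlines():
        p = line.split()
        if not p or p[0].startswith("#"):
            continue
        if p[0] == "ifconfig-push":
            allowed.append(ipaddress.ip_network(p[1]))  # single host (/32)
        elif p[0] == "ifconfig-ipv6-push":
            allowed.append(ipaddress.ip_network(p[1].split("/")[0]))  # host (/128)
        elif p[0] == "iroute":
            allowed.append(ipaddress.ip_network(f"{p[1]}/{p[2]}", strict=False))
        elif p[0] == "iroute-ipv6":
            allowed.append(ipaddress.ip_network(p[1], strict=False))
    return allowed

def diagnose(log_text, ccd_text, server_nets):
    """Classify each 'bad source address' drop, assuming the log is for the ccd's client."""
    allowed = allowed_sources(ccd_text)
    findings = []
    for m in BAD_SRC.finditer(log_text):
        cn, src = m.group(1), ipaddress.ip_address(m.group(4))
        if any(src in net for net in allowed):
            verdict = "assigned"  # should have passed: ccd entry probably not applied (file name != CN?)
        elif any(src in net for net in server_nets):
            verdict = "pool"      # in a tunnel pool but not this client's address: spoofed or misassigned
        else:
            verdict = "foreign"   # outside every tunnel subnet: needs iroute/iroute-ipv6, or leaked LAN traffic
        findings.append((cn, str(src), verdict))
    return findings
```

Run it as `diagnose(LOG, CCD, SERVER_NETS)` and replace the constructed strings with your own ccd file and log excerpt; a "foreign" verdict for an address you expect to work points at the address assignment or the prefix itself rather than at ip6tables.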