ipv6 ICMP6, destination port unreachable

Need help configuring your VPN? Just post here and you'll get that help.
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
harry66
OpenVpn Newbie
Posts: 5
Joined: Fri Jun 18, 2021 7:47 am

ipv6 ICMP6, destination port unreachable

Post by harry66 » Fri Jun 18, 2021 8:34 am

I've problems after changing ISP from O2 ipv4 to Deutsche Glasfaser ipv6 to get my openvpn connection to work.
I need it to connect from my Android handy to my router / server at home.
Before changing ISP the connection with dyndns was no problem.
I set up my ipv6 network with prefix delegation, also a vtun interface. It has got its own address- range. The ipv6 prefix is fix.
When I start the openvpn client on my handy it can't reach the server. On the server itself there arrives no connection at the openvpn server.
The only sign on the server is when I captue the traffic on the wan port

Code: Select all

harry@EdgeRouter-4:~$ show interfaces ethernet eth0 capture | grep ac88
10:15:05.398904 IP6 2a02:3031:0:180:a4b3:9d9c:b26a:891.40368 > 2a00:6020:b4a9:ac88::1.1194: UDP, length 14
10:15:05.399114 IP6 2a00:6020:b4a9:ac88::1 > 2a02:3031:0:180:a4b3:9d9c:b26a:891: ICMP6, destination unreachable, unreachable port, 2a00:6020:b4a9:ac88::1 udp port 1194, length 70
10:15:07.410206 IP6 2a02:3031:0:180:a4b3:9d9c:b26a:891.40368 > 2a00:6020:b4a9:ac88::1.1194: UDP, length 14
10:15:07.410383 IP6 2a00:6020:b4a9:ac88::1 > 2a02:3031:0:180:a4b3:9d9c:b26a:891: ICMP6, destination unreachable, unreachable port, 2a00:6020:b4a9:ac88::1 udp port 1194, length 70
10:15:11.412519 IP6 2a02:3031:0:180:a4b3:9d9c:b26a:891.40368 > 2a00:6020:b4a9:ac88::1.1194: UDP, length 14
10:15:11.412726 IP6 2a00:6020:b4a9:ac88::1 > 2a02:3031:0:180:a4b3:9d9c:b26a:891: ICMP6, destination unreachable, unreachable port, 2a00:6020:b4a9:ac88::1 udp port 1194, length 70
looking for openvpn or vtun is with no output.
As nothing arrives at the openvpn server I think I hab to add a route or someting
My server is an Ubiquiti Edgerouter 4 with openvpn 2.4 installed
On my handy runs openvpn for Android 0.7.22from Arne Schwabe
server config

Code: Select all

server
--dev-type tun 
--dev vtun0 
--mode server 
--tls-server 
--topology subnet 
--keepalive 10 60 
--lport 442 
--proto udp6 
--ca /config/auth/cacert.pem 
--cert /config/auth/server.pem 
--key /config/auth/server.key 
--dh /config/auth/dh.pem 
--management /tmp/openvpn-mgmt-intf unix 
--push dhcp-option DNS 10.0.10.1 
--server 10.8.0.0 255.255.255.0 
--client-config-dir /var/run/openvpn/ccd/vtun0 
--push redirect-gateway 
--verb 3 
--server-ipv6 2a00:6020:b4a9:ac88::/64
client config

Code: Select all

client
dev tun
proto udp6
remote 2a00:6020:b4a9:ac88::1 1194
remote-cert-tls server
resolv-retry infinite 
nobind
persist-key
persist-tun
ca /sdcard/Download/openvpnubiquitti/cacert.pem 
key /sdcard/Download/openvpnubiquitti/client1.key
cert /sdcard/Download/openvpnubiquitti/client1.pem
verb 3
I need help what to do with the unreachable destination / port

harry66
OpenVpn Newbie
Posts: 5
Joined: Fri Jun 18, 2021 7:47 am

Re: ipv6 ICMP6, destination port unreachable

Post by harry66 » Wed Jun 30, 2021 9:10 am

I had a wrong port in the firewall, after changing it now I can reach openvpn and have a " TLS handshake failed" error
If someone would be so kind and have a look at it and a tip for me.
I've googled the error and can't find a solution so far.

Code: Select all

Jun 30 10:48:40 EdgeRouter-4 openvpn[16709]: 2a01:c23:940a:6100:1d52:b8e0:4fdf:3808 TLS: Initial packet from [AF_INET6]2a01:c23:940a:6100:1d52:b8e0:4fdf:3808:55122, sid=a5af74bc 91fa9729
Jun 30 10:49:40 EdgeRouter-4 openvpn[16709]: 2a01:c23:940a:6100:1d52:b8e0:4fdf:3808 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jun 30 10:49:40 EdgeRouter-4 openvpn[16709]: 2a01:c23:940a:6100:1d52:b8e0:4fdf:3808 TLS Error: TLS handshake failed
Jun 30 10:49:40 EdgeRouter-4 openvpn[16709]: 2a01:c23:940a:6100:1d52:b8e0:4fdf:3808 SIGUSR1[soft,tls-error] received, client-instance restarting
I've tried to connect with my android from another ipv6 wlan where I can ping my android handy from the router that runs the openvpn- server and got the same error.
I shutdown the firewall on the router and still the same error
Maybe I had to change something in my config
thanks for having a look
Last edited by harry66 on Wed Jun 30, 2021 4:50 pm, edited 3 times in total.

User avatar
TinCanTech
Forum Team
Posts: 9392
Joined: Fri Jun 03, 2016 1:17 pm

Re: ipv6 ICMP6, destination port unreachable

Post by TinCanTech » Wed Jun 30, 2021 4:46 pm

harry66 wrote:
Wed Jun 30, 2021 9:10 am
I had a wrong port in the firewall, after changing it now I can reach openvpn
The error you are getting indicates that you probably have not opened the correct port.

Read your server log.

harry66
OpenVpn Newbie
Posts: 5
Joined: Fri Jun 18, 2021 7:47 am

Re: ipv6 ICMP6, destination port unreachable

Post by harry66 » Wed Jun 30, 2021 4:52 pm

update!!!!!!!!
the connection over wifi works - I've changed 2 settings on the client config
added fload, deleted- remote-cert-tls server
but still no success over mobil
when I run
ipv6-test
it returns:
Icmp - filterd
that is the problem. O2 filters the ICMP answer
does someone know how to fix this?

User avatar
TinCanTech
Forum Team
Posts: 9392
Joined: Fri Jun 03, 2016 1:17 pm

Re: ipv6 ICMP6, destination port unreachable

Post by TinCanTech » Wed Jun 30, 2021 6:55 pm

When you are on your local wifi you are not using the internet, which is why it works that way.

To use mobile, you are using the internet. Use your public IP address in the client config to connect.

harry66
OpenVpn Newbie
Posts: 5
Joined: Fri Jun 18, 2021 7:47 am

Re: ipv6 ICMP6, destination port unreachable

Post by harry66 » Thu Jul 01, 2021 7:03 am

It's not the same wifi,
My handy is connected over wifi to router 1(ISP O2) - internet - my router(ISP Deutsche Glasfaser)with openvpn server
this works
when I'm in the same wifi as my router it works too.
It doesn't work when I use the mobil connection, then I get the ICMP error

harry66
OpenVpn Newbie
Posts: 5
Joined: Fri Jun 18, 2021 7:47 am

Re: ipv6 ICMP6, destination port unreachable

Post by harry66 » Thu Jul 01, 2021 9:48 am

and now comes a little wonder
when i connect in strange wifi and shutdown wifi on my handy
the connection still works over mobile !!!!!!!
I found somewhere openvpn uses ICMP to findout MTU
is it possible to forbid this in openvpn or to set it on a fix value?
I tried
tun-mtu 1500
push tun-mtu 1500
on the server that doesn't work

Post Reply