OS Client: Windows 10 - OpenVPN 4.4
Behaviour: -sometimes- wrong IPv6 route only in Windows (no Linux, no macOS). Probably a BUG.
OpenVPN Client log:
Sun Jan 28 14:48:08 2018 OpenVPN 2.4.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Nov 3 2017
Sun Jan 28 14:48:08 2018 Windows version 6.2 (Windows 8 or greater) 64bit
Sun Jan 28 14:48:08 2018 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
Sun Jan 28 14:48:08 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jan 28 14:48:08 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jan 28 14:48:08 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]21.207.57.114:443
Sun Jan 28 14:48:08 2018 Socket Buffers: R=[65536->262144] S=[65536->262144]
Sun Jan 28 14:48:08 2018 Attempting to establish TCP connection with [AF_INET]21.207.57.114:443 [nonblock]
Sun Jan 28 14:48:09 2018 TCP connection established with [AF_INET]21.207.57.114:443
Sun Jan 28 14:48:09 2018 TCP_CLIENT link local: (not bound)
Sun Jan 28 14:48:09 2018 TCP_CLIENT link remote: [AF_INET]21.207.57.114:443
Sun Jan 28 14:48:09 2018 TLS: Initial packet from [AF_INET]21.207.57.114:443, sid=e223d9b9 0d06253d
Sun Jan 28 14:48:09 2018 VERIFY OK: depth=1, C=(omissis), ST=(omissis), L=(omissis), O=(omissis), CN=(omissis) CA, emailAddress=(omissis)
Sun Jan 28 14:48:09 2018 VERIFY KU OK
Sun Jan 28 14:48:09 2018 Validating certificate extended key usage
Sun Jan 28 14:48:09 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Jan 28 14:48:09 2018 VERIFY EKU OK
Sun Jan 28 14:48:09 2018 VERIFY OK: depth=0, C=(omissis), ST=(omissis), L=(omissis), O=(omissis), CN=(omissis), emailAddress=info@(omissis)
Sun Jan 28 14:48:10 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Sun Jan 28 14:48:10 2018 [Castor] Peer Connection Initiated with [AF_INET]21.207.57.114:443
Sun Jan 28 14:48:11 2018 SENT CONTROL [Castor]: 'PUSH_REQUEST' (status=1)
Sun Jan 28 14:48:12 2018 PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway ipv6 def1 bypass-dhcp,dhcp-option DNS 10.17.0.1,dhcp-option DNS6 fde6:2a:7c20:17::1,tun-ipv6,route-gateway 10.17.0.1,topology subnet,ping 10,ping-restart 60,ifconfig-ipv6 fde6:2a:7c20:17::1001/64 fde6:2a:7c20:17::1,ifconfig 10.17.0.3 255.255.0.0,peer-id 0,cipher AES-256-GCM'
Sun Jan 28 14:48:12 2018 Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
Sun Jan 28 14:48:12 2018 OPTIONS IMPORT: timers and/or timeouts modified
Sun Jan 28 14:48:12 2018 OPTIONS IMPORT: compression parms modified
Sun Jan 28 14:48:12 2018 OPTIONS IMPORT: --ifconfig/up options modified
Sun Jan 28 14:48:12 2018 OPTIONS IMPORT: route options modified
Sun Jan 28 14:48:12 2018 OPTIONS IMPORT: route-related options modified
Sun Jan 28 14:48:12 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Jan 28 14:48:12 2018 OPTIONS IMPORT: peer-id set
Sun Jan 28 14:48:12 2018 OPTIONS IMPORT: adjusting link_mtu to 1627
Sun Jan 28 14:48:12 2018 OPTIONS IMPORT: data channel crypto options modified
Sun Jan 28 14:48:12 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Sun Jan 28 14:48:12 2018 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Jan 28 14:48:12 2018 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Jan 28 14:48:12 2018 interactive service msg_channel=0
Sun Jan 28 14:48:12 2018 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 I=32 HWADDR=00:24:1d:cf:7f:d3
Sun Jan 28 14:48:12 2018 GDG6: remote_host_ipv6=n/a
Sun Jan 28 14:48:12 2018 GetBestInterfaceEx() returned if=32
Sun Jan 28 14:48:12 2018 GDG6: II=32 DP=::/0 NH=fe80::21d:aaff:fef3:eb8
Sun Jan 28 14:48:12 2018 GDG6: Metric=256, Loopback=0, AA=1, I=0
Sun Jan 28 14:48:12 2018 ROUTE6_GATEWAY fe80::21d:aaff:fef3:eb8 I=32
Sun Jan 28 14:48:12 2018 open_tun
Sun Jan 28 14:48:12 2018 TAP-WIN32 device [MyTap] opened: \\.\Global\{FE2FD68F-0B3A-4C25-B76E-E7E0ADC4358E}.tap
Sun Jan 28 14:48:12 2018 TAP-Windows Driver Version 9.21
Sun Jan 28 14:48:12 2018 Set TAP-Windows TUN subnet mode network/local/netmask = 10.17.0.0/10.17.0.3/255.255.0.0 [SUCCEEDED]
Sun Jan 28 14:48:12 2018 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.17.0.3/255.255.0.0 on interface {FE2FD68F-0B3A-4C25-B76E-E7E0ADC4358E} [DHCP-serv: 10.17.255.254, lease-time: 31536000]
Sun Jan 28 14:48:12 2018 Successful ARP Flush on interface [38] {FE2FD68F-0B3A-4C25-B76E-E7E0ADC4358E}
Sun Jan 28 14:48:12 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=1
Sun Jan 28 14:48:13 2018 NETSH: C:\WINDOWS\system32\netsh.exe interface ipv6 set address interface=38 fde6:2a:7c20:17::1001 store=active
Sun Jan 28 14:48:14 2018 NETSH: C:\WINDOWS\system32\netsh.exe interface ipv6 set dns MyTap static fde6:2a:7c20:17::1 validate=no
Sun Jan 28 14:48:14 2018 add_route_ipv6(fde6:2a:7c20:17::/64 -> fde6:2a:7c20:17::1001 metric 0) dev MyTap
Sun Jan 28 14:48:14 2018 C:\WINDOWS\system32\netsh.exe interface ipv6 add route fde6:2a:7c20:17::/64 interface=38 fe80::8 store=active
Sun Jan 28 14:48:14 2018 env_block: add PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sun Jan 28 14:48:19 2018 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
Sun Jan 28 14:48:19 2018 C:\WINDOWS\system32\route.exe ADD 21.207.57.114 MASK 255.255.255.255 192.168.1.1
Sun Jan 28 14:48:19 2018 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=25 and dwForwardType=4
Sun Jan 28 14:48:19 2018 Route addition via IPAPI succeeded [adaptive]
Sun Jan 28 14:48:19 2018 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.17.0.1
Sun Jan 28 14:48:19 2018 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=35 and dwForwardType=4
Sun Jan 28 14:48:19 2018 Route addition via IPAPI succeeded [adaptive]
Sun Jan 28 14:48:19 2018 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.17.0.1
Sun Jan 28 14:48:19 2018 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=35 and dwForwardType=4
Sun Jan 28 14:48:19 2018 Route addition via IPAPI succeeded [adaptive]
Sun Jan 28 14:48:19 2018 add_route_ipv6(::/3 -> fde6:2a:7c20:17::1 metric -1) dev MyTap
Sun Jan 28 14:48:19 2018 C:\WINDOWS\system32\netsh.exe interface ipv6 add route ::/3 interface=38 fe80::8 store=active
Sun Jan 28 14:48:19 2018 env_block: add PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sun Jan 28 14:48:19 2018 add_route_ipv6(2000::/4 -> fde6:2a:7c20:17::1 metric -1) dev MyTap
Sun Jan 28 14:48:19 2018 C:\WINDOWS\system32\netsh.exe interface ipv6 add route 2000::/4 interface=38 fe80::8 store=active
Sun Jan 28 14:48:19 2018 env_block: add PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sun Jan 28 14:48:19 2018 add_route_ipv6(3000::/4 -> fde6:2a:7c20:17::1 metric -1) dev MyTap
Sun Jan 28 14:48:19 2018 C:\WINDOWS\system32\netsh.exe interface ipv6 add route 3000::/4 interface=38 fe80::8 store=active
Sun Jan 28 14:48:19 2018 env_block: add PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sun Jan 28 14:48:19 2018 add_route_ipv6(fc00::/7 -> fde6:2a:7c20:17::1 metric -1) dev MyTap
Sun Jan 28 14:48:19 2018 C:\WINDOWS\system32\netsh.exe interface ipv6 add route fc00::/7 interface=38 fe80::8 store=active
Sun Jan 28 14:48:19 2018 env_block: add PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sun Jan 28 14:48:19 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Jan 28 14:48:19 2018 Initialization Sequence Completed
===========================================================================
Interface List
38...00 ff fe 2f d6 8f ......TAP-Windows Adapter V9
32...00 24 1d cf 7f d3 ......Realtek PCIe GBE Family Controller #2
1...........................Software Loopback Interface 1
25...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
32 281 ::/0 fe80::21d:aaff:fef3:eb8
38 259 ::/3 fe80::8
1 331 ::1/128 On-link
38 259 2000::/4 fe80::8
32 281 2001:750:8b42:3601::2/128
On-link
32 281 2001:750:8b43:e201::/64 On-link
32 281 2001:750:8b43:e201:18cd:cb57:e974:d76a/128
On-link
32 281 2001:750:8b43:e201:80e2:7730:10ae:a66d/128
On-link
38 259 3000::/4 fe80::8
38 259 fc00::/7 fe80::8
38 259 fde6:2a:7c20:17::/64 On-link
38 259 fde6:2a:7c20:17::/64 fe80::8
38 259 fde6:2a:7c20:17::1001/128
On-link
38 259 fe80::/64 On-link
32 281 fe80::/64 On-link
32 281 fe80::18cd:cb57:e974:d76a/128
On-link
38 259 fe80::9de5:e3cf:dfed:cb08/128
On-link
1 331 ff00::/8 On-link
38 259 ff00::/8 On-link
32 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
When OpenVPN does
add_route_ipv6(fde6:2a:7c20:17::/64 -> fde6:2a:7c20:17::1001 metric 0) dev MyTap
C:\WINDOWS\system32\netsh.exe interface ipv6 add route fde6:2a:7c20:17::/64 interface=38 fe80::8 store=active
it creates the route
38 259 fde6:2a:7c20:17::/64 fe80::8
38 259 fde6:2a:7c20:17::/64 On-link
Only under Windows. It does not occur on Linux or macOS.
So, cannot ping:
C:\WINDOWS\system32>ping fde6:2a:7c20:17::1
Pinging fde6:2a:7c20:17::1 with 32 bytes of data:
Destination host unreachable.
Now I manually launch
C:\WINDOWS\system32\netsh.exe interface ipv6 del route fde6:2a:7c20:17::/64 interface=38
So now it works:
C:\WINDOWS\system32>ping fde6:2a:7c20:17::1
Pinging fde6:2a:7c20:17::1 with 32 bytes of data:
Reply from fde6:2a:7c20:17::1: time=257ms
Reply from fde6:2a:7c20:17::1: time=250ms
Reply from fde6:2a:7c20:17::1: time=282ms
Reply from fde6:2a:7c20:17::1: time=299ms
Client Config
client
dev tun
remote 21.207.57.114 443
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
proto tcp
key-direction 1
<ca>(omissis)</ca>
<cert>(omissis)</cert>
<key>(omissis)</key>
<tls-auth>(omissis)</tls-auth>
Server Config
proto tcp6
port 443
dev tun
ca /home/myvpn/ca_servers.crt
dh /home/myvpn/dh-openvpn.pem
cert /home/myvpn/server.crt
key /home/myvpn/server.key
cipher AES-256-CBC
topology subnet
persist-key
persist-tun
server 10.7.0.0 255.255.0.0
server-ipv6 fde6:2a:7c20:7::/64
push "comp-lzo no"
push "redirect-gateway ipv6 def1 bypass-dhcp"
push "dhcp-option DNS 10.7.0.1"
push "dhcp-option DNS6 fde6:2a:7c20:7::1"
keepalive 10 60
comp-lzo no
verb 3
tmp-dir /dev/shm
script-security 2
mode server
persist-local-ip
persist-remote-ip
tls-auth /home/myvpn/ta.key 0
Any idea?
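An added example, not part of the original post: a small checker that reads `route print -6` text and reports any prefix that has both an On-link route and a gateway route on the same interface, which is the state shown in the route table above for fde6:2a:7c20:17::/64. The sample input is constructed from rows of that table, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: rows copied from the route table in the post, including
# the wrapped form Windows uses when the destination is too long for one line.
SAMPLE = """\
 If Metric Network Destination      Gateway
 32    281 ::/0                     fe80::21d:aaff:fef3:eb8
 38    259 ::/3                     fe80::8
 38    259 fde6:2a:7c20:17::/64     On-link
 38    259 fde6:2a:7c20:17::/64     fe80::8
 38    259 fde6:2a:7c20:17::1001/128
                                    On-link
 38    259 fe80::/64                On-link
 32    281 fe80::/64                On-link
"""

ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+/\d+)(?:\s+(\S+))?\s*$")

def parse_routes(text):
    """Return (ifindex, metric, prefix, gateway) tuples from `route print -6` text."""
    routes, pending = [], None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ifidx, metric, prefix, gw = m.groups()
            if gw is None:            # gateway wrapped onto the next line
                pending = (int(ifidx), int(metric), prefix)
            else:
                routes.append((int(ifidx), int(metric), prefix, gw))
                pending = None
        elif pending and line.strip():
            routes.append(pending + (line.strip(),))
            pending = None
    return routes

def conflicting_prefixes(routes):
    """Prefixes that have both an On-link and a gateway route on one interface."""
    hops = defaultdict(set)
    for ifidx, _metric, prefix, gw in routes:
        hops[(ifidx, prefix)].add(gw)
    return {k: sorted(v) for k, v in hops.items()
            if "On-link" in v and len(v) > 1}

if __name__ == "__main__":
    for (ifidx, prefix), gws in conflicting_prefixes(parse_routes(SAMPLE)).items():
        print(f"interface {ifidx}: {prefix} via {', '.join(gws)}")
```

Running it against a saved copy of the route table taken right after "Initialization Sequence Completed" shows whether the duplicate route was installed on that connection attempt.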