Issue with IPv6 route (Windows only) - Maybe a bug

Clodo
OpenVPN User
Posts: 37
Joined: Mon Oct 10, 2011 11:25 pm

Issue with IPv6 route (Windows only) - Maybe a bug

Post by Clodo » Sun Jan 28, 2018 2:25 pm

OS Server: Linux Debian 9 - OpenVPN 4.4
OS Client: Windows 10 - OpenVPN 4.4

Behaviour: sometimes a wrong IPv6 route, only on Windows (not Linux, not macOS). Probably a BUG.



OpenVPN Client log:

Sun Jan 28 14:48:08 2018 OpenVPN 2.4.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Nov  3 2017
Sun Jan 28 14:48:08 2018 Windows version 6.2 (Windows 8 or greater) 64bit
Sun Jan 28 14:48:08 2018 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.10
Sun Jan 28 14:48:08 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jan 28 14:48:08 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jan 28 14:48:08 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]21.207.57.114:443
Sun Jan 28 14:48:08 2018 Socket Buffers: R=[65536->262144] S=[65536->262144]
Sun Jan 28 14:48:08 2018 Attempting to establish TCP connection with [AF_INET]21.207.57.114:443 [nonblock]
Sun Jan 28 14:48:09 2018 TCP connection established with [AF_INET]21.207.57.114:443
Sun Jan 28 14:48:09 2018 TCP_CLIENT link local: (not bound)
Sun Jan 28 14:48:09 2018 TCP_CLIENT link remote: [AF_INET]21.207.57.114:443
Sun Jan 28 14:48:09 2018 TLS: Initial packet from [AF_INET]21.207.57.114:443, sid=e223d9b9 0d06253d
Sun Jan 28 14:48:09 2018 VERIFY OK: depth=1, C=(omissis), ST=(omissis), L=(omissis), O=(omissis), CN=(omissis) CA, emailAddress=(omissis)
Sun Jan 28 14:48:09 2018 VERIFY KU OK
Sun Jan 28 14:48:09 2018 Validating certificate extended key usage
Sun Jan 28 14:48:09 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Jan 28 14:48:09 2018 VERIFY EKU OK
Sun Jan 28 14:48:09 2018 VERIFY OK: depth=0, C=(omissis), ST=(omissis), L=(omissis), O=(omissis), CN=(omissis), emailAddress=info@(omissis)
Sun Jan 28 14:48:10 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Sun Jan 28 14:48:10 2018 [Castor] Peer Connection Initiated with [AF_INET]21.207.57.114:443
Sun Jan 28 14:48:11 2018 SENT CONTROL [Castor]: 'PUSH_REQUEST' (status=1)
Sun Jan 28 14:48:12 2018 PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway ipv6 def1 bypass-dhcp,dhcp-option DNS 10.17.0.1,dhcp-option DNS6 fde6:2a:7c20:17::1,tun-ipv6,route-gateway 10.17.0.1,topology subnet,ping 10,ping-restart 60,ifconfig-ipv6 fde6:2a:7c20:17::1001/64 fde6:2a:7c20:17::1,ifconfig 10.17.0.3 255.255.0.0,peer-id 0,cipher AES-256-GCM'
Sun Jan 28 14:48:12 2018 Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
Sun Jan 28 14:48:12 2018 OPTIONS IMPORT: timers and/or timeouts modified
Sun Jan 28 14:48:12 2018 OPTIONS IMPORT: compression parms modified
Sun Jan 28 14:48:12 2018 OPTIONS IMPORT: --ifconfig/up options modified
Sun Jan 28 14:48:12 2018 OPTIONS IMPORT: route options modified
Sun Jan 28 14:48:12 2018 OPTIONS IMPORT: route-related options modified
Sun Jan 28 14:48:12 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Jan 28 14:48:12 2018 OPTIONS IMPORT: peer-id set
Sun Jan 28 14:48:12 2018 OPTIONS IMPORT: adjusting link_mtu to 1627
Sun Jan 28 14:48:12 2018 OPTIONS IMPORT: data channel crypto options modified
Sun Jan 28 14:48:12 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Sun Jan 28 14:48:12 2018 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Jan 28 14:48:12 2018 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Jan 28 14:48:12 2018 interactive service msg_channel=0
Sun Jan 28 14:48:12 2018 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 I=32 HWADDR=00:24:1d:cf:7f:d3
Sun Jan 28 14:48:12 2018 GDG6: remote_host_ipv6=n/a
Sun Jan 28 14:48:12 2018 GetBestInterfaceEx() returned if=32
Sun Jan 28 14:48:12 2018 GDG6: II=32 DP=::/0 NH=fe80::21d:aaff:fef3:eb8
Sun Jan 28 14:48:12 2018 GDG6: Metric=256, Loopback=0, AA=1, I=0
Sun Jan 28 14:48:12 2018 ROUTE6_GATEWAY fe80::21d:aaff:fef3:eb8 I=32
Sun Jan 28 14:48:12 2018 open_tun
Sun Jan 28 14:48:12 2018 TAP-WIN32 device [MyTap] opened: \\.\Global\{FE2FD68F-0B3A-4C25-B76E-E7E0ADC4358E}.tap
Sun Jan 28 14:48:12 2018 TAP-Windows Driver Version 9.21
Sun Jan 28 14:48:12 2018 Set TAP-Windows TUN subnet mode network/local/netmask = 10.17.0.0/10.17.0.3/255.255.0.0 [SUCCEEDED]
Sun Jan 28 14:48:12 2018 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.17.0.3/255.255.0.0 on interface {FE2FD68F-0B3A-4C25-B76E-E7E0ADC4358E} [DHCP-serv: 10.17.255.254, lease-time: 31536000]
Sun Jan 28 14:48:12 2018 Successful ARP Flush on interface [38] {FE2FD68F-0B3A-4C25-B76E-E7E0ADC4358E}
Sun Jan 28 14:48:12 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=1
Sun Jan 28 14:48:13 2018 NETSH: C:\WINDOWS\system32\netsh.exe interface ipv6 set address interface=38 fde6:2a:7c20:17::1001 store=active
Sun Jan 28 14:48:14 2018 NETSH: C:\WINDOWS\system32\netsh.exe interface ipv6 set dns MyTap static fde6:2a:7c20:17::1 validate=no
Sun Jan 28 14:48:14 2018 add_route_ipv6(fde6:2a:7c20:17::/64 -> fde6:2a:7c20:17::1001 metric 0) dev MyTap
Sun Jan 28 14:48:14 2018 C:\WINDOWS\system32\netsh.exe interface ipv6 add route fde6:2a:7c20:17::/64 interface=38 fe80::8 store=active
Sun Jan 28 14:48:14 2018 env_block: add PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sun Jan 28 14:48:19 2018 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
Sun Jan 28 14:48:19 2018 C:\WINDOWS\system32\route.exe ADD 21.207.57.114 MASK 255.255.255.255 192.168.1.1
Sun Jan 28 14:48:19 2018 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=25 and dwForwardType=4
Sun Jan 28 14:48:19 2018 Route addition via IPAPI succeeded [adaptive]
Sun Jan 28 14:48:19 2018 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.17.0.1
Sun Jan 28 14:48:19 2018 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=35 and dwForwardType=4
Sun Jan 28 14:48:19 2018 Route addition via IPAPI succeeded [adaptive]
Sun Jan 28 14:48:19 2018 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.17.0.1
Sun Jan 28 14:48:19 2018 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=35 and dwForwardType=4
Sun Jan 28 14:48:19 2018 Route addition via IPAPI succeeded [adaptive]
Sun Jan 28 14:48:19 2018 add_route_ipv6(::/3 -> fde6:2a:7c20:17::1 metric -1) dev MyTap
Sun Jan 28 14:48:19 2018 C:\WINDOWS\system32\netsh.exe interface ipv6 add route ::/3 interface=38 fe80::8 store=active
Sun Jan 28 14:48:19 2018 env_block: add PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sun Jan 28 14:48:19 2018 add_route_ipv6(2000::/4 -> fde6:2a:7c20:17::1 metric -1) dev MyTap
Sun Jan 28 14:48:19 2018 C:\WINDOWS\system32\netsh.exe interface ipv6 add route 2000::/4 interface=38 fe80::8 store=active
Sun Jan 28 14:48:19 2018 env_block: add PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sun Jan 28 14:48:19 2018 add_route_ipv6(3000::/4 -> fde6:2a:7c20:17::1 metric -1) dev MyTap
Sun Jan 28 14:48:19 2018 C:\WINDOWS\system32\netsh.exe interface ipv6 add route 3000::/4 interface=38 fe80::8 store=active
Sun Jan 28 14:48:19 2018 env_block: add PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sun Jan 28 14:48:19 2018 add_route_ipv6(fc00::/7 -> fde6:2a:7c20:17::1 metric -1) dev MyTap
Sun Jan 28 14:48:19 2018 C:\WINDOWS\system32\netsh.exe interface ipv6 add route fc00::/7 interface=38 fe80::8 store=active
Sun Jan 28 14:48:19 2018 env_block: add PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sun Jan 28 14:48:19 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Jan 28 14:48:19 2018 Initialization Sequence Completed
At this point, "route -6 print" output:

===========================================================================
Interface List
 38...00 ff fe 2f d6 8f ......TAP-Windows Adapter V9
 32...00 24 1d cf 7f d3 ......Realtek PCIe GBE Family Controller #2
  1...........................Software Loopback Interface 1
 25...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 32    281 ::/0                     fe80::21d:aaff:fef3:eb8
 38    259 ::/3                     fe80::8
  1    331 ::1/128                  On-link
 38    259 2000::/4                 fe80::8
 32    281 2001:750:8b42:3601::2/128
                                    On-link
 32    281 2001:750:8b43:e201::/64  On-link
 32    281 2001:750:8b43:e201:18cd:cb57:e974:d76a/128
                                    On-link
 32    281 2001:750:8b43:e201:80e2:7730:10ae:a66d/128
                                    On-link
 38    259 3000::/4                 fe80::8
 38    259 fc00::/7                 fe80::8
 38    259 fde6:2a:7c20:17::/64     On-link
 38    259 fde6:2a:7c20:17::/64     fe80::8
 38    259 fde6:2a:7c20:17::1001/128
                                    On-link
 38    259 fe80::/64                On-link
 32    281 fe80::/64                On-link
 32    281 fe80::18cd:cb57:e974:d76a/128
                                    On-link
 38    259 fe80::9de5:e3cf:dfed:cb08/128
                                    On-link
  1    331 ff00::/8                 On-link
 38    259 ff00::/8                 On-link
 32    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None


When OpenVPN does
add_route_ipv6(fde6:2a:7c20:17::/64 -> fde6:2a:7c20:17::1001 metric 0) dev MyTap
C:\WINDOWS\system32\netsh.exe interface ipv6 add route fde6:2a:7c20:17::/64 interface=38 fe80::8 store=active
it creates the route

 38    259 fde6:2a:7c20:17::/64     fe80::8

BUT some fraction of a second before (or after, difficult to understand) the route

 38    259 fde6:2a:7c20:17::/64     On-link

is created (sometimes, not always reproducible).
Only under Windows. It does not occur on Linux or macOS.


So, I cannot ping:
C:\WINDOWS\system32>ping fde6:2a:7c20:17::1

Pinging fde6:2a:7c20:17::1 with 32 bytes of data:
Destination host unreachable.
Now I manually launch

C:\WINDOWS\system32\netsh.exe interface ipv6 del route fde6:2a:7c20:17::/64 interface=38

This (without the nexthop parameter) deletes only the wrong "On-link" route.
So now it works:
C:\WINDOWS\system32>ping fde6:2a:7c20:17::1

Pinging fde6:2a:7c20:17::1 with 32 bytes of data:
Reply from fde6:2a:7c20:17::1: time=257ms
Reply from fde6:2a:7c20:17::1: time=250ms
Reply from fde6:2a:7c20:17::1: time=282ms
Reply from fde6:2a:7c20:17::1: time=299ms




Client Config

client
dev tun
remote 21.207.57.114 443
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
proto tcp
key-direction 1
<ca>(omissis)</ca>
<cert>(omissis)</cert>
<key>(omissis)</key>
<tls-auth>(omissis)</tls-auth>


Server Config
proto tcp6
port 443
dev tun
ca /home/myvpn/ca_servers.crt
dh /home/myvpn/dh-openvpn.pem
cert /home/myvpn/server.crt
key /home/myvpn/server.key
cipher AES-256-CBC
topology subnet
persist-key
persist-tun
server 10.7.0.0 255.255.0.0
server-ipv6 fde6:2a:7c20:7::/64
push "comp-lzo no"
push "redirect-gateway ipv6 def1 bypass-dhcp"
push "dhcp-option DNS 10.7.0.1"
push "dhcp-option DNS6 fde6:2a:7c20:7::1"
keepalive 10 60
comp-lzo no
verb 3
tmp-dir /dev/shm
script-security 2
mode server
persist-local-ip
persist-remote-ip
tls-auth /home/myvpn/ta.key 0


Any idea?
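
A check for the symptom described in the post above, as an added example that is not part of the original post or of OpenVPN: it parses `route -6 print` text, joins rows whose gateway wraps onto the next line, and reports any prefix that has both an On-link route and a gateway route on the same interface. The sample input is an excerpt of the table above; the function names are hypothetical, and English-language `route` output is assumed.

```python
import re
from collections import defaultdict

# Constructed sample: excerpt of the "route -6 print" table quoted in the post.
# Note the wrapped row, where the gateway sits on its own line.
SAMPLE = """\
 If Metric Network Destination      Gateway
 32    281 ::/0                     fe80::21d:aaff:fef3:eb8
 38    259 ::/3                     fe80::8
 38    259 fc00::/7                 fe80::8
 38    259 fde6:2a:7c20:17::/64     On-link
 38    259 fde6:2a:7c20:17::/64     fe80::8
 38    259 fde6:2a:7c20:17::1001/128
                                    On-link
 38    259 fe80::/64                On-link
 32    281 fe80::/64                On-link
"""

# interface index, metric, prefix/len, optional gateway on the same line
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+/\d+)(?:\s+(\S+))?\s*$")

def parse_routes(text):
    """Return (ifindex, metric, prefix, gateway) tuples, joining wrapped rows."""
    routes, pending = [], None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ifidx, metric, prefix, gw = m.groups()
            row = (int(ifidx), int(metric), prefix)
            if gw is None:
                pending = row          # gateway follows on the next line
            else:
                routes.append(row + (gw,))
                pending = None
        elif pending and line.strip():
            routes.append(pending + (line.strip(),))
            pending = None
    return routes

def conflicting_onlink(routes):
    """(ifindex, prefix) pairs with both an On-link and a gateway next hop."""
    hops = defaultdict(set)
    for ifidx, _metric, prefix, gw in routes:
        hops[(ifidx, prefix)].add(gw)   # "On-link" assumes English output
    return sorted(k for k, v in hops.items() if "On-link" in v and len(v) > 1)

if __name__ == "__main__":
    print(conflicting_onlink(parse_routes(SAMPLE)))
```
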

Clodo
OpenVPN User
Posts: 37
Joined: Mon Oct 10, 2011 11:25 pm

Re: Issue with IPv6 route (Windows only) - Maybe a bug

Post by Clodo » Mon Jan 29, 2018 10:58 am

Note the following log lines:
Sun Jan 28 14:48:14 2018 NETSH: C:\WINDOWS\system32\netsh.exe interface ipv6 set dns MyTap static fde6:2a:7c20:17::1 validate=no
Sun Jan 28 14:48:14 2018 add_route_ipv6(fde6:2a:7c20:17::/64 -> fde6:2a:7c20:17::1001 metric 0) dev MyTap
Sun Jan 28 14:48:14 2018 C:\WINDOWS\system32\netsh.exe interface ipv6 add route fde6:2a:7c20:17::/64 interface=38 fe80::8 store=active
IMHO, OpenVPN needs to do the "ipv6 set dns" AFTER adding the route.

If I don't use "dhcp-option DNS6" (or ignore it with a pull-filter), the bug described in the first post doesn't occur.

progman
OpenVpn Newbie
Posts: 1
Joined: Wed Jun 20, 2018 8:30 am

Re: Issue with IPv6 route (Windows only) - Maybe a bug

Post by progman » Wed Jun 20, 2018 8:31 am

I am having the same in my setup.
I am not using the DHCP6 option.

Any way to fix that?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Issue with IPv6 route (Windows only) - Maybe a bug

Post by TinCanTech » Wed Jun 20, 2018 12:03 pm

progman wrote:
Wed Jun 20, 2018 8:31 am
I am having the same in my setup.
Your problem is not the same because this thread is specific to IPv6 and as you say:
progman wrote:
Wed Jun 20, 2018 8:31 am
I am not using the DHCP6 option
the problem is something else.

Please see:
HOWTO: Request Help !

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Issue with IPv6 route (Windows only) - Maybe a bug

Post by TinCanTech » Wed Jun 20, 2018 12:39 pm

Clodo wrote:
Mon Jan 29, 2018 10:58 am
If I don't use "dhcp-option DNS6" (or ignore it with a pull-filter), the bug described in the first post doesn't occur
I have done some preliminary testing and I believe you have found something unusual ..

I have tried your setup and one time I could not ping the server on IPv6
but the problem does not happen after disconnect/reconnect ..

Have you managed to isolate your problem or is it still intermittent ?
