Clients can only connect when using UDPv6

[sjharrison]

I'm having an issue with my OpenVPN Community Edition which is running on a raspberry pi 3
I've recently switched to the latest BT Smart Hub 2 and since then I cannot connect to my openVPN using UDPv4
I've added in port forwarding rules to my router but no joy, even wiped my raspberry pi SD and started from scratch but still nothing

I have 3 scenarios

Using public/external ip (via dns) - using UDPv4 - fails
Using public/external ip (via dns) - using UDPv6 - succeeds
Using internal IP - using UDPv4 - succeeds (this one obviously means I can only connect to VPN when on internal network)

my server conf is as follows

Code: Select all

dev tun
proto udp
port 2604
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server_QuHiUytVSmlC2iAx.crt
key /etc/openvpn/easy-rsa/pki/private/server_QuHiUytVSmlC2iAx.key
dh /etc/openvpn/easy-rsa/pki/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
keepalive 1800 3600
remote-cert-tls client
tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 4
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
#duplicate-cn
# Generated for use by PiVPN.io

server log file - only successful connections are logged
so when udpv4 is being used nothing is logged

Client Configuration

Code: Select all

client
dev tun
proto udp
remote [DNS] 2604
resolv-retry infinite
nobind
persist-key
persist-tun
key-direction 1
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server_QuHiUytVSmlC2iAx name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 4

Client Logging

Public IP - UDPv4 - Fail

Code: Select all

13:48:31.329 -- ----- OpenVPN Start -----

13:48:31.329 -- EVENT: CORE_THREAD_ACTIVE

13:48:31.330 -- Frame=512/2048/512 mssfix-ctrl=1250

13:48:31.331 -- UNUSED OPTIONS
4 [resolv-retry] [infinite] 
5 [nobind] 
6 [persist-key] 
7 [persist-tun] 
11 [verify-x509-name] [server_QuHiUytVSmlC2iAx] [name] 
14 [auth-nocache] 
15 [verb] [4] 


13:48:31.331 -- EVENT: RESOLVE

13:48:31.389 -- Contacting [ExternalIP]:2604 via UDP

13:48:31.390 -- EVENT: WAIT

13:48:31.393 -- Connecting to [DNS]:2604 (ExternalIP) via UDPv4

13:48:41.331 -- Server poll timeout, trying next remote entry...

13:48:41.331 -- EVENT: RECONNECTING

13:48:41.336 -- EVENT: RESOLVE

13:48:41.340 -- Contacting ExternalIP:2604 via UDP

13:48:41.340 -- EVENT: WAIT

13:48:41.342 -- Connecting to [DNS]:2604 (ExternalIP) via UDPv4

13:48:43.656 -- EVENT: DISCONNECTED

13:48:43.658 -- EVENT: CORE_THREAD_INACTIVE

13:48:43.659 -- Tunnel bytes per CPU second: 0

13:48:43.659 -- ----- OpenVPN Stop -----

Public IP - UDPv6 - Succeed

Code: Select all

13:50:24.254 -- ----- OpenVPN Start -----

13:50:24.254 -- EVENT: CORE_THREAD_ACTIVE

13:50:24.259 -- Frame=512/2048/512 mssfix-ctrl=1250

13:50:24.261 -- UNUSED OPTIONS
4 [resolv-retry] [infinite] 
5 [nobind] 
6 [persist-key] 
7 [persist-tun] 
11 [verify-x509-name] [server_QuHiUytVSmlC2iAx] [name] 
14 [auth-nocache] 
15 [verb] [4] 


13:50:24.261 -- EVENT: RESOLVE

13:50:24.391 -- Contacting [IPv6]:2604 via UDP

13:50:24.391 -- EVENT: WAIT

13:50:24.393 -- Connecting to [DNS]:2604 (IPv6) via UDPv6

13:50:24.442 -- EVENT: CONNECTING

13:50:24.444 -- Tunnel Options:V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client

13:50:24.445 -- Creds: UsernameEmpty/PasswordEmpty

13:50:24.445 -- Peer Info:
IV_GUI_VER=OC30Android
IV_VER=3.2
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_IPv6=1
IV_AUTO_SESS=1


13:50:24.595 -- VERIFY OK : depth=1
cert. version     : 3
serial number     : BE:A4:36:6B:32:47:1A:31
issuer name       : CN=ChangeMe
subject name      : CN=ChangeMe
issued  on        : 2019-01-14 10:15:35
expires on        : 2029-01-11 10:15:35
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=true
key usage         : Key Cert Sign, CRL Sign


13:50:24.596 -- VERIFY OK : depth=0
cert. version     : 3
serial number     : B8:B9:10:53:F9:2C:31:CC:F2:2D:38:5C:FF:B3:67:36
issuer name       : CN=ChangeMe
subject name      : CN=server_QuHiUytVSmlC2iAx
issued  on        : 2019-01-14 10:15:40
expires on        : 2029-01-11 10:15:40
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=false
subject alt name  : server_QuHiUytVSmlC2iAx
key usage         : Digital Signature, Key Encipherment
ext key usage     : TLS Web Server Authentication


13:50:24.866 -- SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

13:50:24.867 -- Session is ACTIVE

13:50:24.867 -- EVENT: GET_CONFIG

13:50:24.869 -- Sending PUSH_REQUEST to server...

13:50:24.927 -- OPTIONS:
0 [dhcp-option] [DNS] [8.8.8.8] 
1 [dhcp-option] [DNS] [8.8.4.4] 
2 [block-outside-dns] 
3 [redirect-gateway] [def1] 
4 [route-gateway] [10.8.0.1] 
5 [topology] [subnet] 
6 [ping] [1800] 
7 [ping-restart] [3600] 
8 [ifconfig] [10.8.0.2] [255.255.255.0] 
9 [peer-id] [0] 
10 [cipher] [AES-256-GCM] 


13:50:24.928 -- PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: SHA256
  compress: NONE
  peer ID: 0

13:50:24.928 -- EVENT: ASSIGN_IP

13:50:24.941 -- Connected via tun

13:50:24.943 -- EVENT: CONNECTED info='@DNS:2604 (IPv6) via /UDPv6 on tun/10.8.0.2/ gw=[10.8.0.1/]' trans=TO_CONNECTED