server doesn't bind to IPv6 and IPv4 address when using proto udp6

JanZorz
OpenVpn Newbie
Posts: 6
Joined: Wed Aug 10, 2022 3:01 pm

Post by JanZorz » Wed Aug 10, 2022 3:05 pm

Hi,

Should the server bind to IPv6 and IPv4 addresses if I use proto udp6?

If I use proto udp then it says that it can't determine which protocol I would like to use and binds to IPv4 address. If I use proto udp6 then it binds just to IPv6.

OpenVPN 2.5.7 amd64-portbld-freebsd13.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jul 25 2022

FreeBSD fw1-test.6clabs.com 13.1-RELEASE FreeBSD 13.1-RELEASE stable/22.7-n250212-a26d6065f1f SMP amd64

root@fw1-test:/usr/ports # sockstat -l | grep open
root openvpn 75619 4 stream /tmp/php-fastcgi.socket-1
root openvpn 75619 6 stream /var/etc/openvpn/server2.sock
root openvpn 75619 9 udp6 2607:fae0:a000:5::78:1194 *:*

root@fw1-test:~ # sysctl -a | grep v6only
net.inet6.ip6.v6only: 0

Any idea?

Cheers, Jan Zorz

TinCanTech
Forum Team
Posts: 11124
Joined: Fri Jun 03, 2016 1:17 pm

Post by TinCanTech » Wed Aug 10, 2022 5:57 pm

Your config file will have the answer ..

Post by JanZorz » Thu Aug 11, 2022 9:43 am

> TinCanTech wrote:
> Wed Aug 10, 2022 5:57 pm
> Your config file will have the answer ..

Server config
dev ovpns2
verb 1
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp6
cipher AES-256-CBC
auth SHA512
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
local 2607:fae0:a000:5::78
ifconfig 10.16.16.1 10.16.16.2
ifconfig-ipv6 2607:fae0:a000:e16::1 2607:fae0:a000:e16::2
lport 1194
management /var/etc/openvpn/server2.sock unix
push "route 67.221.246.248 255.255.255.248"
push "route-ipv6 2607:fae0:a000:11::/64"
route 67.221.250.224 255.255.255.224
route 67.221.250.160 255.255.255.224
route-ipv6 2607:fae0:b000:6000::/64
route-ipv6 2607:fae0:b000:2000::/64
secret /var/etc/openvpn/server2.secret
comp-lzo adaptive
persist-remote-ip
float


This is running on an OPNsense firewall. The local directive is automatically generated from the WAN interface address... I can add directives to the "Advanced" window if needed.

If we make this one work I can take this to the OPNsense community and make improvement suggestions there so their config tool would spit out the correct configuration.

Cheers and thnx, Jan

Post by JanZorz » Thu Aug 11, 2022 10:06 am

Hmm... seems that adding "local ::" to advanced tab (and to the end of config) makes things a bit better:

root@fw1-test:~ # sockstat -l | grep open | grep udp
root openvpn 93620 9 udp46 *:1194 *:*

But now it's listening on all interfaces... how to limit it to just listening on WAN?

Cheers, Jan
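
The sockstat check used in this thread, turned into a repeatable audit (an added example, not part of the original posts and not OpenVPN or OPNsense code). It parses listener lines in the format shown above and flags wildcard binds; the function names and the allow-list parameter are assumptions made for this example.

```python
import ipaddress

# Listener lines copied from the sockstat output quoted in this thread.
SAMPLE = """\
root openvpn 75619 6 stream /var/etc/openvpn/server2.sock
root openvpn 75619 9 udp6 2607:fae0:a000:5::78:1194 *:*
root openvpn 93620 9 udp46 *:1194 *:*
"""

FAMILIES = {"udp4": "IPv4 only", "udp6": "IPv6 only", "udp46": "IPv4 and IPv6"}


def parse_listeners(text, command="openvpn"):
    """Return one dict per UDP listener owned by `command`."""
    found = []
    for line in text.splitlines():
        cols = line.split()
        # Columns: USER COMMAND PID FD PROTO LOCAL FOREIGN
        if len(cols) < 6 or cols[1] != command or cols[4] not in FAMILIES:
            continue
        # The port follows the last colon; IPv6 addresses contain colons too.
        addr, _, port = cols[5].rpartition(":")
        found.append({"pid": int(cols[2]), "proto": cols[4], "addr": addr,
                      "port": int(port) if port.isdigit() else None})
    return found


def audit(listeners, allowed):
    """Flag listeners bound to the wildcard or to an address not in `allowed`."""
    allowed = {ipaddress.ip_address(a) for a in allowed}
    report = []
    for l in listeners:
        if l["addr"] == "*":
            verdict = "WILDCARD: every local address, " + FAMILIES[l["proto"]]
        elif ipaddress.ip_address(l["addr"]) in allowed:
            verdict = "ok: " + FAMILIES[l["proto"]]
        else:
            verdict = "UNEXPECTED address"
        report.append((l["pid"], l["addr"], l["port"], verdict))
    return report


if __name__ == "__main__":
    # The allow-list holds the WAN address from the posted config.
    for row in audit(parse_listeners(SAMPLE), ["2607:fae0:a000:5::78"]):
        print(*row)
```

On the firewall itself, feed it the live output of sockstat -l instead of SAMPLE.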

Post by TinCanTech » Thu Aug 11, 2022 11:45 am

That is how OpenVPN works.

If you do not specify --local then it listens on all interfaces/addresses.
If you do not specify --local and do specify --proto udp6 then it listens on IPv6 and IPv4 UDP.

If you do specify --local then pick your --proto, default is udp4, I believe.

Post by TinCanTech » Thu Aug 11, 2022 11:47 am

> JanZorz wrote:
> Thu Aug 11, 2022 10:06 am
> seems that adding "local ::" to advanced tab (and to the end of config) makes things a bit better:

That is the same as not specifying --local.

Post by TinCanTech » Thu Aug 11, 2022 11:47 am

> JanZorz wrote:
> Thu Aug 11, 2022 10:06 am
> how to limit it to just listening on WAN?

Use --local.

Post by JanZorz » Thu Aug 11, 2022 12:07 pm

> TinCanTech wrote:
> Thu Aug 11, 2022 11:47 am
>> JanZorz wrote:
>> Thu Aug 11, 2022 10:06 am
>> how to limit it to just listening on WAN?
>
> Use --local.

Yes, if I don't specify "local ::" then it's listening on all interfaces on both protocols. I still did not find a proper combination that it would listen on both protocols but just on one interface.

Is there a way to say something like:

proto udp
local IPv6_addr, IPv4_addr

so it would bind only to two addresses on specified interface? Or even better:

proto udp
local vtnet0

and it would bind to all addresses (IPv6 and IPv4) on that interface?

Cheers, Jan

Post by TinCanTech » Thu Aug 11, 2022 1:02 pm

The short answer is No.

If you do not specify --local then OpenVPN binds to all interfaces/addresses.

It is not possible to bind to a specific interface, only address is supported by --local.

If you do specify --local then OpenVPN only uses one --proto.
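
Why a single socket cannot cover exactly one IPv6 and one IPv4 address, shown at the OS socket level (an added example, not part of the original post and not OpenVPN's code). An AF_INET6 UDP socket accepts IPv4 only when it is bound to the wildcard :: with IPV6_V6ONLY off, the option whose default the net.inet6.ip6.v6only sysctl sets; a socket has one local address, so one address per family takes two sockets. Function names and the loopback probe are assumptions of this example.

```python
import socket


def ipv4_probe_arrives(bind_addr, v6only):
    """Bind one AF_INET6 UDP socket, send an IPv4 datagram to 127.0.0.1
    on the same port, and report whether the socket receives it.
    Returns True/False, or None when the host cannot run the case
    (for example IPv6 is disabled)."""
    try:
        srv = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
    except OSError:
        return None
    with srv:
        try:
            srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, int(v6only))
            srv.bind((bind_addr, 0))        # port 0: the kernel picks a free port
            port = srv.getsockname()[1]
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as cli:
                cli.sendto(b"probe", ("127.0.0.1", port))
        except OSError:
            return None
        srv.settimeout(0.5)
        try:
            srv.recvfrom(16)                # IPv4 peer shows up as ::ffff:127.0.0.1
        except socket.timeout:
            return False
        return True


CASES = [
    ("::", False, "wildcard, dual-stack (sockstat shows udp46 *:port)"),
    ("::", True, "wildcard, IPv6 only"),
    ("::1", False, "one IPv6 address: IPv4 never arrives, whatever v6only says"),
]


def run_cases():
    """Return (bind_addr, v6only, result) for every case above."""
    return [(a, v, ipv4_probe_arrives(a, v)) for a, v, _ in CASES]


if __name__ == "__main__":
    for (addr, v6only, note), (_, _, got) in zip(CASES, run_cases()):
        print(f"bind {addr!r:6} v6only={v6only!s:5} ipv4_reaches_socket={got}  # {note}")
```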

Post by JanZorz » Thu Aug 11, 2022 2:02 pm

> TinCanTech wrote:
> Thu Aug 11, 2022 1:02 pm
> If you do specify --local then OpenVPN only uses one --proto.

Ok, thnx for your answer. However, we have udp, udp4 and udp6. Shouldn't udp be dual-stack? In FreeBSD it's called udp46 :)

root openvpn 93620 9 udp46 *:1194 *:*

Something to consider in development?

Cheers, Jan

Post by TinCanTech » Thu Aug 11, 2022 2:40 pm

It has been and is being considered in development.

If you prefer then you can ask the developers yourself.

There is the openvpn developers mailing list openvpn-devel at lists.sourceforge.net
or IRC channel #openvpn-devel on libera.chat

Post by JanZorz » Thu Aug 11, 2022 3:24 pm

Thnx, appreciated!
