Setting OpenVPN dual stack (IPv4 +IPv6)

Need help configuring your VPN? Just post here and you'll get that help.
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
adroman
OpenVPN User
Posts: 20
Joined: Thu Jun 14, 2018 2:40 pm

Setting OpenVPN dual stack (IPv4 +IPv6)

Post by adroman » Fri Sep 02, 2022 11:30 am

Setting OpenVPN dual stack (IPv4 +IPv6)

Guys, I need your help to configure OpenVPN dual stack (IPv4 +IPv6)
Right to the point:
I have Ubuntu 22 with this IPv6 block 2a05:8280:f:43aa::/64
After reading hundreds of guides on the Internet, I divided the block into 2:
2a05:8280:f:43aa::/65 and 2a05:8280:f:43aa:8000::/65
Here’s my server config:
Server Config
#
dev tun0
proto tcp6
proto tcp-server
port 2023
topology subnet
client-to-client
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
server-ipv6 2a05:8280:f:43aa:8000::/65
server 192.168.7.0 255.255.255.0
push "route-ipv6 2a05:8280:f:43aa::/64"
push "route-ipv6 2000::/3"
;push "redirect-gateway-ipv6"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS6 2620:0:ccc::2"
push "dhcp-option DNS6 2620:0:ccd::2"
client-config-dir /etc/openvpn/ccd
ccd-exclusive
cipher AES-256-CBC
user root
group root
status /etc/openvpn/server/logs/openvpn-status.log
log-append /etc/openvpn/server/logs/openvpn.log
verb 3
mute 20
max-clients 100
management 127.0.0.1 25341
keepalive 10 120
tls-server
persist-key
persist-tun


OpenVPN client log and Tcpdump are attached:
Image
Image

I added these parameters to /etc/sysctl.conf
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.proxy_ndp = 1

I didn’t add anything to /etc/ufw/before6.rules

I’m not able to solve this without your help.

TinCanTech
OpenVPN Protagonist
Posts: 11147
Joined: Fri Jun 03, 2016 1:17 pm

Re: Setting OpenVPN dual stack (IPv4 +IPv6)

Post by TinCanTech » Fri Sep 02, 2022 1:41 pm

adroman wrote:
Fri Sep 02, 2022 11:30 am
not able to solve this without your help
Solve what, exactly ?

Please don't use screenies to show your information, use text and BB code: < code > foo < /code >

I don't read screenies because they suck.

viewtopic.php?t=22603

adroman
OpenVPN User
Posts: 20
Joined: Thu Jun 14, 2018 2:40 pm

Re: Setting OpenVPN dual stack (IPv4 +IPv6)

Post by adroman » Fri Sep 02, 2022 4:53 pm

Sorry for scrennies, my first post. Never again!
I guest the main problem in infinite TCP connect state
I don't get if it's UFW misconfig or OpenVPN

TinCanTech
OpenVPN Protagonist
Posts: 11147
Joined: Fri Jun 03, 2016 1:17 pm

Re: Setting OpenVPN dual stack (IPv4 +IPv6)

Post by TinCanTech » Fri Sep 02, 2022 6:00 pm

adroman wrote:
Fri Sep 02, 2022 11:30 am

Code: Select all

proto tcp6
proto tcp-server
That is the problem. If you read your server log you will see what I mean.

adroman
OpenVPN User
Posts: 20
Joined: Thu Jun 14, 2018 2:40 pm

Re: Setting OpenVPN dual stack (IPv4 +IPv6)

Post by adroman » Fri Sep 02, 2022 6:12 pm

Thanks dude, I deleted "proto tcp-server", but still same result.
Is it necessarily to use UDP6? The problem is - Mikrtotik router OS v6. doesn't support udp.

TinCanTech
OpenVPN Protagonist
Posts: 11147
Joined: Fri Jun 03, 2016 1:17 pm

Re: Setting OpenVPN dual stack (IPv4 +IPv6)

Post by TinCanTech » Fri Sep 02, 2022 8:35 pm

adroman wrote:
Fri Sep 02, 2022 6:12 pm
Mikrtotik router
No idea, check your router manual.

See --proto here:
https://build.openvpn.net/man/openvpn-2 ... vpn.8.html

adroman
OpenVPN User
Posts: 20
Joined: Thu Jun 14, 2018 2:40 pm

Re: Setting OpenVPN dual stack (IPv4 +IPv6)

Post by adroman » Tue Sep 06, 2022 9:33 am

TinCanTech wrote:
Fri Sep 02, 2022 8:35 pm
adroman wrote:
Fri Sep 02, 2022 6:12 pm
Mikrtotik router
No idea, check your router manual.

See --proto here:
https://build.openvpn.net/man/openvpn-2 ... vpn.8.html

Thank you very much for the hint. I have changed my configs according to this guide and now I can connect to the server and can get IP settings. I’ve removed splitting of routable block to make settings more simple.
Server Config
#
dev tun0
proto tcp6-server
port 2023
topology subnet
client-to-client
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
server 192.168.7.0 255.255.255.0
server-ipv6 2a05:8280:f:43aa::/64
ifconfig-ipv6 2a05:8280:f:43aa::1 2a05:8280:f:43aa::2
push "route-ipv6 2a05:8280:f:43aa::/64"
push "route-ipv6 2000::/3"
;push "redirect-gateway-ipv6"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS6 2620:0:ccc::2"
push "dhcp-option DNS6 2620:0:ccd::2"
client-config-dir /etc/openvpn/ccd
ccd-exclusive
cipher AES-256-CBC
user root
group root
status /etc/openvpn/server/logs/openvpn-status.log
log-append /etc/openvpn/server/logs/openvpn.log
verb 3
mute 20
max-clients 100
management 127.0.0.1 25341
keepalive 10 120
persist-key
persist-tun


Here’s my Windows client config:
Client Config
#
client
dev tun
proto tcp6-client
remote vps1.linkpc.net 2023
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\vps1vm\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\vps1vm\\laptop2.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\vps1vm\\laptop2.key"
cipher AES-256-CBC
data-ciphers AES-256-CBC
auth SHA1
;auth-user-pass
auth-nocache
redirect-gateway ipv6 def1
verb 3


At /etc/sysctl.conf file a added «net.ipv6.conf.all.forwarding=1» option and removed all rules from /etc/ufw/before6.rules file because I don’t understand what to add : )
Now I can connect to server and get IP settings but can’t reach internet.
I don’t understand these things:
1) If I have IPv6 block from ISP 2a05:8280:f:43aa::/64 – is it necessarily to split it to make VPN work?
2) What rules I have to add to UFW6
3) During google this topic I found that some guys use NDP proxy, do I have to use it too?
Could you please help me : )

TinCanTech
OpenVPN Protagonist
Posts: 11147
Joined: Fri Jun 03, 2016 1:17 pm

Re: Setting OpenVPN dual stack (IPv4 +IPv6)

Post by TinCanTech » Tue Sep 06, 2022 9:51 am

You now understand the requirements to achieve a successful connection.

To setup web browsing via the VPN, you can read the openvpn howto ..
Or you can try one of the many scripts available to automate this function.

adroman
OpenVPN User
Posts: 20
Joined: Thu Jun 14, 2018 2:40 pm

Re: Setting OpenVPN dual stack (IPv4 +IPv6)

Post by adroman » Tue Sep 06, 2022 9:57 am

TinCanTech wrote:
Tue Sep 06, 2022 9:51 am
You now understand the requirements to achieve a successful connection.

To setup web browsing via the VPN, you can read the openvpn howto ..
Or you can try one of the many scripts available to automate this function.
Trust me I’ve read them hungered times especially IPv6 chapter and hundred guides in internet and that didn’t help me – stupid me! I’m able to make IPv4 VPN work easily but with IPv6 I have an issue that I wasn’t able to resolve by myself. That’s why I registered here :)

User avatar
ordex
OpenVPN Inc.
Posts: 404
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Setting OpenVPN dual stack (IPv4 +IPv6)

Post by ordex » Sun Sep 11, 2022 10:36 pm

@adroman when specifying server-ipv6, don't specify ifconfig-ipv6 too. The server-ipv6 directive is enough to instruct OpenVPN about which IP to configure on the TUN device.

Then, you talked about "splitting your /64 in 2x /65" but your latest config seems to assign the entire /64 to OpenVPN. is that what you really want to do?

Whether you have to split it or not depends on you. If you want that /64 to be entirely dedicated to the VPN and not use it on any other interface, then it's ok to not split.

Also, no need for "push "route-ipv6 2a05:8280:f:43aa::/64"" as that is exactly the same network you have specified to server-ipv6.

Regarding NDP proxy or not, that depends on whether your ISP is routing that network to you or not. Is it?

adroman
OpenVPN User
Posts: 20
Joined: Thu Jun 14, 2018 2:40 pm

Re: Setting OpenVPN dual stack (IPv4 +IPv6)

Post by adroman » Thu Oct 06, 2022 10:58 pm

ordex wrote:
Sun Sep 11, 2022 10:36 pm
@adroman when specifying server-ipv6, don't specify ifconfig-ipv6 too. The server-ipv6 directive is enough to instruct OpenVPN about which IP to configure on the TUN device.

Then, you talked about "splitting your /64 in 2x /65" but your latest config seems to assign the entire /64 to OpenVPN. is that what you really want to do?

Whether you have to split it or not depends on you. If you want that /64 to be entirely dedicated to the VPN and not use it on any other interface, then it's ok to not split.

Also, no need for "push "route-ipv6 2a05:8280:f:43aa::/64"" as that is exactly the same network you have specified to server-ipv6.

Regarding NDP proxy or not, that depends on whether your ISP is routing that network to you or not. Is it?
Thank you so much for your help, it’s extremely valuable for me! : )

I checked with my VPS provider about the IPv6 block, they route it, so there is no need to use an NDP proxy.
And I removed the division of the block, because the original 64-bit block can be used.

Here’s my SERVER CONFIG:
Server Config

dev tun0
proto tcp6-server
port 2023
topology subnet
client-to-client
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
server 192.168.7.0 255.255.255.0
server-ipv6 2a05:8280:f:43aa::/64
push "route-ipv6 2000::/3"
;push "redirect-gateway-ipv6"

route 192.168.5.0 255.255.255.0 192.168.7.2
route 192.168.50.0 255.255.255.0 192.168.7.2
route 192.168.55.0 255.255.255.0 192.168.7.2
route 192.168.8.0 255.255.255.0 192.168.7.2
route 192.168.9.0 255.255.255.0 192.168.7.2
route 192.168.88.0 255.255.255.0 192.168.7.2
route 192.168.80.0 255.255.255.0 192.168.7.2
route 192.168.150.0 255.255.255.0 192.168.7.2
route 192.168.5.0 255.255.255.0 192.168.7.1
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS6 2620:0:ccc::2"
push "dhcp-option DNS6 2620:0:ccd::2"

client-config-dir /etc/openvpn/ccd
ccd-exclusive
;duplicate-cn
cipher AES-256-CBC
user root
group root
status /etc/openvpn/server/logs/openvpn-status.log
log-append /etc/openvpn/server/logs/openvpn.log
verb 3
mute 20
max-clients 100
management 127.0.0.1 25341
keepalive 10 120
persist-key
persist-tun


Windows CLIENT CONFIG:
client


client
dev tun
proto tcp6-client
remote vps1.linkpc.net 2023
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\vps1vm\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\vps1vm\\laptop2.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\vps1vm\\laptop2.key"
remote-cert-tls server
cipher AES-256-CBC
data-ciphers AES-256-CBC
auth SHA1
auth-nocache
redirect-gateway ipv6 def1
verb 3


OpenVPN Server LOG:

SERVER LOG (--verb 3):

Code: Select all

DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
WARNING: file '/etc/openvpn/easy-rsa/pki/private/server.key' is group or others accessible
OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
net_route_v4_best_gw query: dst 0.0.0.0
net_route_v4_best_gw result: via 89.38.135.1 dev eth0
Diffie-Hellman initialized with 2048 bit key
net_route_v4_best_gw query: dst 0.0.0.0
net_route_v4_best_gw result: via 89.38.135.1 dev eth0
ROUTE_GATEWAY 89.38.135.1/255.255.255.0 IFACE=eth0 HWADDR=8a:3b:12:dc:de:b0
TUN/TAP device tun0 opened
net_iface_mtu_set: mtu 1500 for tun0
net_iface_up: set tun0 up
net_addr_v4_add: 192.168.7.1/24 dev tun0
net_iface_mtu_set: mtu 1500 for tun0
net_iface_up: set tun0 up
net_addr_v6_add: 2a05:8280:f:43aa::1/64 dev tun0
net_route_v4_add: 192.168.5.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.50.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.55.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.8.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.9.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.88.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.80.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.150.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.5.0/24 via 192.168.7.1 dev [NULL] table 0 metric -1
Socket Buffers: R=[87380->87380] S=[65536->65536]
setsockopt(IPV6_V6ONLY=0)
Listening for incoming TCP connection on [AF_INET6][undef]:2023
TCPv6_SERVER link local (bound): [AF_INET6][undef]:2023
TCPv6_SERVER link remote: [AF_UNSPEC]
GID set to root
UID set to root
MULTI: multi_init called, r=256 v=256
IFCONFIG POOL IPv4: base=192.168.7.2 size=253
IFCONFIG POOL IPv6: base=2a05:8280:f:43aa::1000 size=65536 netbits=64
NOTE: IPv4 pool size is 253, IPv6 pool size is 65536. IPv4 pool size limits the number of clients that can be served from the pool
MULTI: TCP INIT maxclients=100 maxevents=104
Initialization Sequence Completed
TCP connection established with [AF_INET6]2a02:2168:8e8a:5000:b04f:a4e1:228c:745f:52894
2a02:2168:8e8a:5000:b04f:a4e1:228c:745f TLS: Initial packet from [AF_INET6]2a02:2168:8e8a:5000:b04f:a4e1:228c:745f:52894, sid=a986953f 23a751dd
2a02:2168:8e8a:5000:b04f:a4e1:228c:745f VERIFY OK: depth=1, CN=vps
2a02:2168:8e8a:5000:b04f:a4e1:228c:745f VERIFY OK: depth=0, CN=laptop2
2a02:2168:8e8a:5000:b04f:a4e1:228c:745f peer info: IV_VER=2.5.6
2a02:2168:8e8a:5000:b04f:a4e1:228c:745f peer info: IV_PLAT=win
2a02:2168:8e8a:5000:b04f:a4e1:228c:745f peer info: IV_PROTO=6
2a02:2168:8e8a:5000:b04f:a4e1:228c:745f peer info: IV_CIPHERS=AES-256-CBC
2a02:2168:8e8a:5000:b04f:a4e1:228c:745f peer info: IV_LZ4=1
2a02:2168:8e8a:5000:b04f:a4e1:228c:745f peer info: IV_LZ4v2=1
2a02:2168:8e8a:5000:b04f:a4e1:228c:745f peer info: IV_LZO=1
2a02:2168:8e8a:5000:b04f:a4e1:228c:745f peer info: IV_COMP_STUB=1
2a02:2168:8e8a:5000:b04f:a4e1:228c:745f peer info: IV_COMP_STUBv2=1
2a02:2168:8e8a:5000:b04f:a4e1:228c:745f peer info: IV_TCPNL=1
2a02:2168:8e8a:5000:b04f:a4e1:228c:745f peer info: IV_GUI_VER=OpenVPN_GUI_11
2a02:2168:8e8a:5000:b04f:a4e1:228c:745f peer info: IV_SSO=openurl,crtext
2a02:2168:8e8a:5000:b04f:a4e1:228c:745f Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2a02:2168:8e8a:5000:b04f:a4e1:228c:745f [laptop2] Peer Connection Initiated with [AF_INET6]2a02:2168:8e8a:5000:b04f:a4e1:228c:745f:52894
laptop2/2a02:2168:8e8a:5000:b04f:a4e1:228c:745f MULTI_sva: pool returned IPv4=192.168.7.2, IPv6=2a05:8280:f:43aa::1000
laptop2/2a02:2168:8e8a:5000:b04f:a4e1:228c:745f OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/laptop2
laptop2/2a02:2168:8e8a:5000:b04f:a4e1:228c:745f MULTI_sva: WARNING: if --ifconfig-push is used for IPv4, automatic IPv6 assignment from --ifconfig-ipv6-pool does not work.  Use --ifconfig-ipv6-push for IPv6 then.
laptop2/2a02:2168:8e8a:5000:b04f:a4e1:228c:745f MULTI: Learn: 192.168.7.10 -> laptop2/2a02:2168:8e8a:5000:b04f:a4e1:228c:745f
laptop2/2a02:2168:8e8a:5000:b04f:a4e1:228c:745f MULTI: primary virtual IP for laptop2/2a02:2168:8e8a:5000:b04f:a4e1:228c:745f: 192.168.7.10
laptop2/2a02:2168:8e8a:5000:b04f:a4e1:228c:745f MULTI: Learn: 2a05:8280:f:43aa::1000 -> laptop2/2a02:2168:8e8a:5000:b04f:a4e1:228c:745f
laptop2/2a02:2168:8e8a:5000:b04f:a4e1:228c:745f MULTI: primary virtual IPv6 for laptop2/2a02:2168:8e8a:5000:b04f:a4e1:228c:745f: 2a05:8280:f:43aa::1000
laptop2/2a02:2168:8e8a:5000:b04f:a4e1:228c:745f Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
laptop2/2a02:2168:8e8a:5000:b04f:a4e1:228c:745f Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
laptop2/2a02:2168:8e8a:5000:b04f:a4e1:228c:745f Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
laptop2/2a02:2168:8e8a:5000:b04f:a4e1:228c:745f Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
laptop2/2a02:2168:8e8a:5000:b04f:a4e1:228c:745f SENT CONTROL [laptop2]: 'PUSH_REPLY,route-ipv6 2000::/3,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,dhcp-option DNS6 2620:0:ccc::2,dhcp-option DNS6 2620:0:ccd::2,tun-ipv6,route-gateway 192.168.7.1,topology subnet,ping 10,ping-restart 120,ifconfig-ipv6 2a05:8280:f:43aa::1000/64 2a05:8280:f:43aa::1,ifconfig 192.168.7.10 255.255.255.0,peer-id 0,cipher AES-256-CBC' (status=1)
laptop2/2a02:2168:8e8a:5000:b04f:a4e1:228c:745f Connection reset, restarting [-1]
laptop2/2a02:2168:8e8a:5000:b04f:a4e1:228c:745f SIGUSR1[soft,connection-reset] received, client-instance restarting

Windows CLIENT LOG (--verb 3):

Code: Select all

2022-10-07 01:26:48 OpenVPN 2.5.6 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Mar 16 2022
2022-10-07 01:26:48 Windows version 10.0 (Windows 10 or greater) 64bit
2022-10-07 01:26:48 library versions: OpenSSL 1.1.1n  15 Mar 2022, LZO 2.10
2022-10-07 01:26:48 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25345
2022-10-07 01:26:48 Need hold release from management interface, waiting...
2022-10-07 01:26:49 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25345
2022-10-07 01:26:49 MANAGEMENT: CMD 'state on'
2022-10-07 01:26:49 MANAGEMENT: CMD 'log all on'
2022-10-07 01:26:49 MANAGEMENT: CMD 'echo all on'
2022-10-07 01:26:49 MANAGEMENT: CMD 'bytecount 5'
2022-10-07 01:26:49 MANAGEMENT: CMD 'hold off'
2022-10-07 01:26:49 MANAGEMENT: CMD 'hold release'
2022-10-07 01:26:49 MANAGEMENT: >STATE:1665095209,RESOLVE,,,,,,
2022-10-07 01:26:50 TCP/UDP: Preserving recently used remote address: [AF_INET6]2a05:8280:f:43aa::1:2023
2022-10-07 01:26:50 Socket Buffers: R=[65536->65536] S=[65536->65536]
2022-10-07 01:26:50 Attempting to establish TCP connection with [AF_INET6]2a05:8280:f:43aa::1:2023 [nonblock]
2022-10-07 01:26:50 MANAGEMENT: >STATE:1665095210,TCP_CONNECT,,,,,,
2022-10-07 01:26:50 TCP connection established with [AF_INET6]2a05:8280:f:43aa::1:2023
2022-10-07 01:26:50 TCPv6_CLIENT link local: (not bound)
2022-10-07 01:26:50 TCPv6_CLIENT link remote: [AF_INET6]2a05:8280:f:43aa::1:2023
2022-10-07 01:26:50 MANAGEMENT: >STATE:1665095210,WAIT,,,,,,
2022-10-07 01:26:50 MANAGEMENT: >STATE:1665095210,AUTH,,,,,,
2022-10-07 01:26:50 TLS: Initial packet from [AF_INET6]2a05:8280:f:43aa::1:2023, sid=a948f2e3 0afde3a0
2022-10-07 01:26:50 VERIFY OK: depth=1, CN=vps
2022-10-07 01:26:50 VERIFY KU OK
2022-10-07 01:26:50 Validating certificate extended key usage
2022-10-07 01:26:50 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2022-10-07 01:26:50 VERIFY EKU OK
2022-10-07 01:26:50 VERIFY OK: depth=0, CN=server
2022-10-07 01:26:50 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2022-10-07 01:26:50 [server] Peer Connection Initiated with [AF_INET6]2a05:8280:f:43aa::1:2023
2022-10-07 01:26:50 PUSH: Received control message: 'PUSH_REPLY,route-ipv6 2000::/3,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,dhcp-option DNS6 2620:0:ccc::2,dhcp-option DNS6 2620:0:ccd::2,tun-ipv6,route-gateway 192.168.7.1,topology subnet,ping 10,ping-restart 120,ifconfig-ipv6 2a05:8280:f:43aa::1000/64 2a05:8280:f:43aa::1,ifconfig 192.168.7.10 255.255.255.0,peer-id 0,cipher AES-256-CBC'
2022-10-07 01:26:50 OPTIONS IMPORT: timers and/or timeouts modified
2022-10-07 01:26:50 OPTIONS IMPORT: --ifconfig/up options modified
2022-10-07 01:26:50 OPTIONS IMPORT: route options modified
2022-10-07 01:26:50 OPTIONS IMPORT: route-related options modified
2022-10-07 01:26:50 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2022-10-07 01:26:50 OPTIONS IMPORT: peer-id set
2022-10-07 01:26:50 OPTIONS IMPORT: adjusting link_mtu to 1626
2022-10-07 01:26:50 OPTIONS IMPORT: data channel crypto options modified
2022-10-07 01:26:50 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
2022-10-07 01:26:50 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-10-07 01:26:50 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
2022-10-07 01:26:50 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-10-07 01:26:50 interactive service msg_channel=716
2022-10-07 01:26:50 GDG6: remote_host_ipv6=2a05:8280:f:43aa::1
2022-10-07 01:26:50 GetBestInterfaceEx() returned if=12
2022-10-07 01:26:50 GDG6: II=12 DP=::/0 NH=fe80::ce2d:e0ff:fe9c:207e
2022-10-07 01:26:50 GDG6: Metric=256, Loopback=0, AA=1, I=0
2022-10-07 01:26:50 ROUTE6: 2000::/4 overlaps IPv6 remote 2a05:8280:f:43aa::1, adding host route to VPN endpoint
2022-10-07 01:26:50 ROUTE6: 2000::/3 overlaps IPv6 remote 2a05:8280:f:43aa::1, adding host route to VPN endpoint
2022-10-07 01:26:50 open_tun
2022-10-07 01:26:50 tap-windows6 device [OpenVPN TAP-Windows6] opened
2022-10-07 01:26:50 TAP-Windows Driver Version 9.24 
2022-10-07 01:26:50 Set TAP-Windows TUN subnet mode network/local/netmask = 192.168.7.0/192.168.7.10/255.255.255.0 [SUCCEEDED]
2022-10-07 01:26:50 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.7.10/255.255.255.0 on interface {30DC3ECB-1B9D-443C-8ED2-23BFC8F4E46C} [DHCP-serv: 192.168.7.0, lease-time: 31536000]
2022-10-07 01:26:50 Successful ARP Flush on interface [8] {30DC3ECB-1B9D-443C-8ED2-23BFC8F4E46C}
2022-10-07 01:26:50 MANAGEMENT: >STATE:1665095210,ASSIGN_IP,,192.168.7.10,,,,,2a05:8280:f:43aa::1000
2022-10-07 01:26:50 IPv4 MTU set to 1500 on interface 8 using service
2022-10-07 01:26:50 INET6 address service: add 2a05:8280:f:43aa::1000/128
2022-10-07 01:26:50 add_route_ipv6(2a05:8280:f:43aa::/64 -> 2a05:8280:f:43aa::1000 metric 0) dev OpenVPN TAP-Windows6
2022-10-07 01:26:50 IPv6 route addition via service succeeded
2022-10-07 01:26:51 IPv6 dns servers set using service
2022-10-07 01:26:51 IPv6 MTU set to 1500 on interface 8 using service
2022-10-07 01:26:56 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
2022-10-07 01:26:56 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 192.168.7.1
2022-10-07 01:26:56 Route addition via service succeeded
2022-10-07 01:26:56 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 192.168.7.1
2022-10-07 01:26:56 Route addition via service succeeded
2022-10-07 01:26:56 add_route_ipv6(2a05:8280:f:43aa::1/128 -> fe80::ce2d:e0ff:fe9c:207e metric 1) dev OpenVPN TAP-Windows6
2022-10-07 01:26:56 IPv6 route addition via service succeeded
2022-10-07 01:26:56 add_route_ipv6(2000::/3 -> 2a05:8280:f:43aa::1 metric -1) dev OpenVPN TAP-Windows6
2022-10-07 01:26:56 IPv6 route addition via service succeeded
2022-10-07 01:26:56 add_route_ipv6(::/3 -> 2a05:8280:f:43aa::1 metric -1) dev OpenVPN TAP-Windows6
2022-10-07 01:26:56 IPv6 route addition via service succeeded
2022-10-07 01:26:56 add_route_ipv6(2000::/4 -> 2a05:8280:f:43aa::1 metric -1) dev OpenVPN TAP-Windows6
2022-10-07 01:26:56 IPv6 route addition via service succeeded
2022-10-07 01:26:56 add_route_ipv6(3000::/4 -> 2a05:8280:f:43aa::1 metric -1) dev OpenVPN TAP-Windows6
2022-10-07 01:26:56 IPv6 route addition via service succeeded
2022-10-07 01:26:56 add_route_ipv6(fc00::/7 -> 2a05:8280:f:43aa::1 metric -1) dev OpenVPN TAP-Windows6
2022-10-07 01:26:56 IPv6 route addition via service succeeded
2022-10-07 01:26:56 Initialization Sequence Completed
2022-10-07 01:26:56 MANAGEMENT: >STATE:1665095216,CONNECTED,SUCCESS,192.168.7.10,2a05:8280:f:43aa::1,2023,2a02:2168:8e8a:5000:b04f:a4e1:228c:745f,60718,2a05:8280:f:43aa::1000

I’m getting IPv4 settings and looks like IPv6 too, but IPv6 doesn’t work. IPv4 works fine.
I’m using Ubuntu 22 for OpenVPN server and I suppose I have to configure Firewall rules in order to make it work. Maybe I should enable masquerading, I’m not sure because I have routable IPv6 block. But I guess I have to setup IPv6 FORWARD rule that I need help with.
I also suppose that the problem maybe that my eth0 and tun0 interfaces have the same IPv6 address: 2a05:8280:f:43aa::1
Maybe I have to specify different IPv6 address for tun0?
I also use the client-config-dir (ccd) option, but in the file itself I only have settings for IPv4. I do not know if it is necessary to specify parameters for IPv6 in ccd file, because apparently I get the correct IPv6 address on the client: 2a05:8280:f:43aa::1000
Could you please help me to troubleshoot : )

User avatar
ordex
OpenVPN Inc.
Posts: 404
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Setting OpenVPN dual stack (IPv4 +IPv6)

Post by ordex » Fri Oct 07, 2022 7:56 am

adroman wrote:
Thu Oct 06, 2022 10:58 pm
I’m getting IPv4 settings and looks like IPv6 too, but IPv6 doesn’t work. IPv4 works fine.
I’m using Ubuntu 22 for OpenVPN server and I suppose I have to configure Firewall rules in order to make it work. Maybe I should enable masquerading,
No, no need to use masquerading/NAT. You are routing your IPs, so NAT is not needed.
I’m not sure because I have routable IPv6 block. But I guess I have to setup IPv6 FORWARD rule that I need help with.
Forwarding needs to be enabled for sure. Check that your firewall is not blocking anything in the FORWARD chain and that forwarding is enabled system wide with:

Code: Select all

sysctl net.ipv6.conf.all.forwarding
The command above should return 1.
I also suppose that the problem maybe that my eth0 and tun0 interfaces have the same IPv6 address: 2a05:8280:f:43aa::1
Maybe I have to specify different IPv6 address for tun0?
Yes. The same IP on different interfaces is often a hint of some misconfiguration.
Is eth0 the interface facing your ISP? If so, isn't your ISP already assigning you some other IPv6? Or are they giving you only the /64?
In any case, the subnet you configure on the VPN should be exclusive to the VPN, so that it can be "owned" by the VPN tunnel and assigned to clients.
I also use the client-config-dir (ccd) option, but in the file itself I only have settings for IPv4. I do not know if it is necessary to specify parameters for IPv6 in ccd file, because apparently I get the correct IPv6 address on the client: 2a05:8280:f:43aa::1000
Could you please help me to troubleshoot : )
The VPN configuration looks ok. It is more a matter of properly routing IPs on the server.

adroman
OpenVPN User
Posts: 20
Joined: Thu Jun 14, 2018 2:40 pm

Re: Setting OpenVPN dual stack (IPv4 +IPv6)

Post by adroman » Fri Oct 07, 2022 6:16 pm

The VPN configuration looks ok. It is more a matter of properly routing IPs on the server.
Thank you very much Sir!
Yes an eth0 is the interface facing my ISP. The 2a05:8280:f:43aa::/64 IPv6 routable block has been assigned for my server.
The first usable ip is: 2a05:8280:f:43aa::1 (eth0)
The prefix is: /64
The gateway is: 2a05:8280:f:43aa::f
The DNS nameservers are: 2001:4860:4860::8888 and 2001:4860:4860::8844
So by trials and errors I replaced the row « server-ipv6 2a05:8280:f:43aa::/64» with « server-ipv6 2a05:8280:f:43aa::1/64» and now my OpenVPN server tun0 interface have assigned new IPv6 address: 2a05:8280:f:43aa::2 while eth0 has 2a05:8280:f:43aa::1.
Here’s my new SERVER CONFIG:
Server Config

dev tun0
proto tcp6-server
port 2023
topology subnet
client-to-client
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
server 192.168.7.0 255.255.255.0
server-ipv6 2a05:8280:f:43aa::1/64
push "route-ipv6 2000::/3"
;push "redirect-gateway-ipv6"
route 192.168.5.0 255.255.255.0 192.168.7.2
route 192.168.50.0 255.255.255.0 192.168.7.2
route 192.168.55.0 255.255.255.0 192.168.7.2
route 192.168.8.0 255.255.255.0 192.168.7.2
route 192.168.9.0 255.255.255.0 192.168.7.2
route 192.168.88.0 255.255.255.0 192.168.7.2
route 192.168.80.0 255.255.255.0 192.168.7.2
route 192.168.150.0 255.255.255.0 192.168.7.2
route 192.168.5.0 255.255.255.0 192.168.7.1
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS6 2620:0:ccc::2"
push "dhcp-option DNS6 2620:0:ccd::2"
client-config-dir /etc/openvpn/ccd
ccd-exclusive
;duplicate-cn
cipher AES-256-CBC
user root
group root
status /etc/openvpn/server/logs/openvpn-status.log
log-append /etc/openvpn/server/logs/openvpn.log
verb 3
mute 20
max-clients 100
management 127.0.0.1 25341
keepalive 10 120
persist-key
persist-tun


Often in OpenVPN server configs I see this row «push "route-ipv6 ::/0"» - I’m not sure if I also have to add it.

My Windows OpenVPN client config is still the same:
Windows CLIENT CONFIG:
client


client
dev tun
proto tcp6-client
remote vps1.linkpc.net 2023
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\vps1vm\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\vps1vm\\laptop2.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\vps1vm\\laptop2.key"
remote-cert-tls server
cipher AES-256-CBC
data-ciphers AES-256-CBC
auth SHA1
auth-nocache
redirect-gateway ipv6 def1
verb 3


I don't understand here if I need to use new tun0 IPv6 address or still the IPv6 address of eth0 interface for connection to the OpenVPN server.
And also, I’m not sure if I need to use «redirect-gateway ipv6 def1» or maybe only «redirect-gateway def1» because my IPv6 address block is routable.
Here’s my OpenVPN server log:
SERVER LOG (--verb 3):

Code: Select all

DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
WARNING: file '/etc/openvpn/easy-rsa/pki/private/server.key' is group or others accessible
OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
net_route_v4_best_gw query: dst 0.0.0.0
net_route_v4_best_gw result: via 89.38.135.1 dev eth0
Diffie-Hellman initialized with 2048 bit key
net_route_v4_best_gw query: dst 0.0.0.0
net_route_v4_best_gw result: via 89.38.135.1 dev eth0
ROUTE_GATEWAY 89.38.135.1/255.255.255.0 IFACE=eth0 HWADDR=8a:3b:12:dc:de:b0
TUN/TAP device tun0 opened
net_iface_mtu_set: mtu 1500 for tun0
net_iface_up: set tun0 up
net_addr_v4_add: 192.168.7.1/24 dev tun0
net_iface_mtu_set: mtu 1500 for tun0
net_iface_up: set tun0 up
net_addr_v6_add: 2a05:8280:f:43aa::2/64 dev tun0
net_route_v4_add: 192.168.5.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.50.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.55.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.8.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.9.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.88.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.80.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.150.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.5.0/24 via 192.168.7.1 dev [NULL] table 0 metric -1
Socket Buffers: R=[87380->87380] S=[65536->65536]
setsockopt(IPV6_V6ONLY=0)
Listening for incoming TCP connection on [AF_INET6][undef]:2023
TCPv6_SERVER link local (bound): [AF_INET6][undef]:2023
TCPv6_SERVER link remote: [AF_UNSPEC]
GID set to root
UID set to root
MULTI: multi_init called, r=256 v=256
IFCONFIG POOL IPv4: base=192.168.7.2 size=253
IFCONFIG POOL IPv6: base=2a05:8280:f:43aa::1001 size=65536 netbits=64
NOTE: IPv4 pool size is 253, IPv6 pool size is 65536. IPv4 pool size limits the number of clients that can be served from the pool
MULTI: TCP INIT maxclients=100 maxevents=104
Initialization Sequence Completed
TCP connection established with [AF_INET6]::ffff:188.32.154.37:48388
188.32.154.37:48388 TLS: Initial packet from [AF_INET6]::ffff:188.32.154.37:48388, sid=d15f4deb c0262db7
188.32.154.37:48388 VERIFY OK: depth=1, CN=vps
188.32.154.37:48388 VERIFY OK: depth=0, CN=mikrotik
188.32.154.37:48388 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
188.32.154.37:48388 [mikrotik] Peer Connection Initiated with [AF_INET6]::ffff:188.32.154.37:48388
mikrotik/188.32.154.37:48388 MULTI_sva: pool returned IPv4=192.168.7.2, IPv6=2a05:8280:f:43aa::1001
mikrotik/188.32.154.37:48388 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/mikrotik
mikrotik/188.32.154.37:48388 MULTI_sva: WARNING: if --ifconfig-push is used for IPv4, automatic IPv6 assignment from --ifconfig-ipv6-pool does not work.  Use --ifconfig-ipv6-push for IPv6 then.
mikrotik/188.32.154.37:48388 MULTI: Learn: 192.168.7.2 -> mikrotik/188.32.154.37:48388
mikrotik/188.32.154.37:48388 MULTI: primary virtual IP for mikrotik/188.32.154.37:48388: 192.168.7.2
mikrotik/188.32.154.37:48388 MULTI: Learn: 2a05:8280:f:43aa::1001 -> mikrotik/188.32.154.37:48388
mikrotik/188.32.154.37:48388 MULTI: primary virtual IPv6 for mikrotik/188.32.154.37:48388: 2a05:8280:f:43aa::1001
mikrotik/188.32.154.37:48388 MULTI: internal route 192.168.150.0/24 -> mikrotik/188.32.154.37:48388
mikrotik/188.32.154.37:48388 MULTI: Learn: 192.168.150.0/24 -> mikrotik/188.32.154.37:48388
mikrotik/188.32.154.37:48388 MULTI: internal route 192.168.80.0/24 -> mikrotik/188.32.154.37:48388
mikrotik/188.32.154.37:48388 MULTI: Learn: 192.168.80.0/24 -> mikrotik/188.32.154.37:48388
mikrotik/188.32.154.37:48388 MULTI: internal route 192.168.88.0/24 -> mikrotik/188.32.154.37:48388
mikrotik/188.32.154.37:48388 MULTI: Learn: 192.168.88.0/24 -> mikrotik/188.32.154.37:48388
mikrotik/188.32.154.37:48388 MULTI: internal route 192.168.55.0/24 -> mikrotik/188.32.154.37:48388
mikrotik/188.32.154.37:48388 MULTI: Learn: 192.168.55.0/24 -> mikrotik/188.32.154.37:48388
mikrotik/188.32.154.37:48388 MULTI: internal route 192.168.50.0/24 -> mikrotik/188.32.154.37:48388
mikrotik/188.32.154.37:48388 MULTI: Learn: 192.168.50.0/24 -> mikrotik/188.32.154.37:48388
mikrotik/188.32.154.37:48388 MULTI: internal route 192.168.9.0/24 -> mikrotik/188.32.154.37:48388
mikrotik/188.32.154.37:48388 MULTI: Learn: 192.168.9.0/24 -> mikrotik/188.32.154.37:48388
mikrotik/188.32.154.37:48388 MULTI: internal route 192.168.8.0/24 -> mikrotik/188.32.154.37:48388
mikrotik/188.32.154.37:48388 MULTI: Learn: 192.168.8.0/24 -> mikrotik/188.32.154.37:48388
mikrotik/188.32.154.37:48388 MULTI: internal route 192.168.5.0/24 -> mikrotik/188.32.154.37:48388
mikrotik/188.32.154.37:48388 MULTI: Learn: 192.168.5.0/24 -> mikrotik/188.32.154.37:48388
mikrotik/188.32.154.37:48388 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
mikrotik/188.32.154.37:48388 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
mikrotik/188.32.154.37:48388 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
mikrotik/188.32.154.37:48388 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
mikrotik/188.32.154.37:48388 PUSH: Received control message: 'PUSH_REQUEST'
mikrotik/188.32.154.37:48388 SENT CONTROL [mikrotik]: 'PUSH_REPLY,route-ipv6 2000::/3,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,dhcp-option DNS6 2620:0:ccc::2,dhcp-option DNS6 2620:0:ccd::2,tun-ipv6,route-gateway 192.168.7.1,topology subnet,ping 10,ping-restart 120,ifconfig-ipv6 2a05:8280:f:43aa::1001/64 2a05:8280:f:43aa::2,ifconfig 192.168.7.2 255.255.255.0' (status=1)
mikrotik/188.32.154.37:48388 MULTI: Learn: 192.168.150.1 -> mikrotik/188.32.154.37:48388
TCP connection established with [AF_INET6]2a02:2168:8e8a:5000:88de:b01d:9002:9233:60515
2a02:2168:8e8a:5000:88de:b01d:9002:9233 TLS: Initial packet from [AF_INET6]2a02:2168:8e8a:5000:88de:b01d:9002:9233:60515, sid=4b141ee4 fdc940b7
2a02:2168:8e8a:5000:88de:b01d:9002:9233 VERIFY OK: depth=1, CN=vps
2a02:2168:8e8a:5000:88de:b01d:9002:9233 VERIFY OK: depth=0, CN=laptop2
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_VER=2.5.6
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_PLAT=win
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_PROTO=6
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_CIPHERS=AES-256-CBC
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_LZ4=1
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_LZ4v2=1
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_LZO=1
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_COMP_STUB=1
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_COMP_STUBv2=1
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_TCPNL=1
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_GUI_VER=OpenVPN_GUI_11
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_SSO=openurl,crtext
2a02:2168:8e8a:5000:88de:b01d:9002:9233 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2a02:2168:8e8a:5000:88de:b01d:9002:9233 [laptop2] Peer Connection Initiated with [AF_INET6]2a02:2168:8e8a:5000:88de:b01d:9002:9233:60515
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 MULTI_sva: pool returned IPv4=192.168.7.2, IPv6=2a05:8280:f:43aa::1001
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/laptop2
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 MULTI_sva: WARNING: if --ifconfig-push is used for IPv4, automatic IPv6 assignment from --ifconfig-ipv6-pool does not work.  Use --ifconfig-ipv6-push for IPv6 then.
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 MULTI: Learn: 192.168.7.10 -> laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 MULTI: primary virtual IP for laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233: 192.168.7.10
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 MULTI: Learn: 2a05:8280:f:43aa::1001 -> laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 MULTI: primary virtual IPv6 for laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233: 2a05:8280:f:43aa::1001
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 SENT CONTROL [laptop2]: 'PUSH_REPLY,route-ipv6 2000::/3,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,dhcp-option DNS6 2620:0:ccc::2,dhcp-option DNS6 2620:0:ccd::2,tun-ipv6,route-gateway 192.168.7.1,topology subnet,ping 10,ping-restart 120,ifconfig-ipv6 2a05:8280:f:43aa::1001/64 2a05:8280:f:43aa::2,ifconfig 192.168.7.10 255.255.255.0,peer-id 0,cipher AES-256-CBC' (status=1)

And Windows CLIENT LOG (--verb 3):

Code: Select all

2022-10-07 20:32:21 OpenVPN 2.5.6 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Mar 16 2022
2022-10-07 20:32:21 Windows version 10.0 (Windows 10 or greater) 64bit
2022-10-07 20:32:21 library versions: OpenSSL 1.1.1n  15 Mar 2022, LZO 2.10
2022-10-07 20:32:21 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25367
2022-10-07 20:32:21 Need hold release from management interface, waiting...
2022-10-07 20:32:21 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25367
2022-10-07 20:32:21 MANAGEMENT: CMD 'state on'
2022-10-07 20:32:21 MANAGEMENT: CMD 'log all on'
2022-10-07 20:32:21 MANAGEMENT: CMD 'echo all on'
2022-10-07 20:32:21 MANAGEMENT: CMD 'bytecount 5'
2022-10-07 20:32:21 MANAGEMENT: CMD 'hold off'
2022-10-07 20:32:21 MANAGEMENT: CMD 'hold release'
2022-10-07 20:32:21 MANAGEMENT: >STATE:1665163941,RESOLVE,,,,,,
2022-10-07 20:32:21 TCP/UDP: Preserving recently used remote address: [AF_INET6]2a05:8280:f:43aa::1:2023
2022-10-07 20:32:21 Socket Buffers: R=[65536->65536] S=[65536->65536]
2022-10-07 20:32:21 Attempting to establish TCP connection with [AF_INET6]2a05:8280:f:43aa::1:2023 [nonblock]
2022-10-07 20:32:21 MANAGEMENT: >STATE:1665163941,TCP_CONNECT,,,,,,
2022-10-07 20:32:21 TCP connection established with [AF_INET6]2a05:8280:f:43aa::1:2023
2022-10-07 20:32:21 TCPv6_CLIENT link local: (not bound)
2022-10-07 20:32:21 TCPv6_CLIENT link remote: [AF_INET6]2a05:8280:f:43aa::1:2023
2022-10-07 20:32:21 MANAGEMENT: >STATE:1665163941,WAIT,,,,,,
2022-10-07 20:32:21 MANAGEMENT: >STATE:1665163941,AUTH,,,,,,
2022-10-07 20:32:21 TLS: Initial packet from [AF_INET6]2a05:8280:f:43aa::1:2023, sid=c895fec0 dcb03beb
2022-10-07 20:32:21 VERIFY OK: depth=1, CN=vps
2022-10-07 20:32:21 VERIFY KU OK
2022-10-07 20:32:21 Validating certificate extended key usage
2022-10-07 20:32:21 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2022-10-07 20:32:21 VERIFY EKU OK
2022-10-07 20:32:21 VERIFY OK: depth=0, CN=server
2022-10-07 20:32:22 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2022-10-07 20:32:22 [server] Peer Connection Initiated with [AF_INET6]2a05:8280:f:43aa::1:2023
2022-10-07 20:32:22 PUSH: Received control message: 'PUSH_REPLY,route-ipv6 2000::/3,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,dhcp-option DNS6 2620:0:ccc::2,dhcp-option DNS6 2620:0:ccd::2,tun-ipv6,route-gateway 192.168.7.1,topology subnet,ping 10,ping-restart 120,ifconfig-ipv6 2a05:8280:f:43aa::1001/64 2a05:8280:f:43aa::2,ifconfig 192.168.7.10 255.255.255.0,peer-id 0,cipher AES-256-CBC'
2022-10-07 20:32:22 OPTIONS IMPORT: timers and/or timeouts modified
2022-10-07 20:32:22 OPTIONS IMPORT: --ifconfig/up options modified
2022-10-07 20:32:22 OPTIONS IMPORT: route options modified
2022-10-07 20:32:22 OPTIONS IMPORT: route-related options modified
2022-10-07 20:32:22 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2022-10-07 20:32:22 OPTIONS IMPORT: peer-id set
2022-10-07 20:32:22 OPTIONS IMPORT: adjusting link_mtu to 1626
2022-10-07 20:32:22 OPTIONS IMPORT: data channel crypto options modified
2022-10-07 20:32:22 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
2022-10-07 20:32:22 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-10-07 20:32:22 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
2022-10-07 20:32:22 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-10-07 20:32:22 interactive service msg_channel=816
2022-10-07 20:32:22 GDG6: remote_host_ipv6=2a05:8280:f:43aa::1
2022-10-07 20:32:22 GetBestInterfaceEx() returned if=12
2022-10-07 20:32:22 GDG6: II=12 DP=::/0 NH=fe80::ce2d:e0ff:fe9c:207e
2022-10-07 20:32:22 GDG6: Metric=256, Loopback=0, AA=1, I=0
2022-10-07 20:32:22 ROUTE6: 2000::/4 overlaps IPv6 remote 2a05:8280:f:43aa::1, adding host route to VPN endpoint
2022-10-07 20:32:22 ROUTE6: 2000::/3 overlaps IPv6 remote 2a05:8280:f:43aa::1, adding host route to VPN endpoint
2022-10-07 20:32:22 open_tun
2022-10-07 20:32:22 tap-windows6 device [OpenVPN TAP-Windows6] opened
2022-10-07 20:32:22 TAP-Windows Driver Version 9.24 
2022-10-07 20:32:22 Set TAP-Windows TUN subnet mode network/local/netmask = 192.168.7.0/192.168.7.10/255.255.255.0 [SUCCEEDED]
2022-10-07 20:32:22 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.7.10/255.255.255.0 on interface {30DC3ECB-1B9D-443C-8ED2-23BFC8F4E46C} [DHCP-serv: 192.168.7.0, lease-time: 31536000]
2022-10-07 20:32:22 Successful ARP Flush on interface [8] {30DC3ECB-1B9D-443C-8ED2-23BFC8F4E46C}
2022-10-07 20:32:22 MANAGEMENT: >STATE:1665163942,ASSIGN_IP,,192.168.7.10,,,,,2a05:8280:f:43aa::1001
2022-10-07 20:32:22 IPv4 MTU set to 1500 on interface 8 using service
2022-10-07 20:32:22 INET6 address service: add 2a05:8280:f:43aa::1001/128
2022-10-07 20:32:22 add_route_ipv6(2a05:8280:f:43aa::/64 -> 2a05:8280:f:43aa::1001 metric 0) dev OpenVPN TAP-Windows6
2022-10-07 20:32:22 IPv6 route addition via service succeeded
2022-10-07 20:32:22 IPv6 dns servers set using service
2022-10-07 20:32:22 IPv6 MTU set to 1500 on interface 8 using service
2022-10-07 20:32:27 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
2022-10-07 20:32:27 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 192.168.7.1
2022-10-07 20:32:27 Route addition via service succeeded
2022-10-07 20:32:27 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 192.168.7.1
2022-10-07 20:32:27 Route addition via service succeeded
2022-10-07 20:32:27 add_route_ipv6(2a05:8280:f:43aa::1/128 -> fe80::ce2d:e0ff:fe9c:207e metric 1) dev OpenVPN TAP-Windows6
2022-10-07 20:32:27 IPv6 route addition via service succeeded
2022-10-07 20:32:27 add_route_ipv6(2000::/3 -> 2a05:8280:f:43aa::2 metric -1) dev OpenVPN TAP-Windows6
2022-10-07 20:32:27 IPv6 route addition via service succeeded
2022-10-07 20:32:27 add_route_ipv6(::/3 -> 2a05:8280:f:43aa::2 metric -1) dev OpenVPN TAP-Windows6
2022-10-07 20:32:27 IPv6 route addition via service succeeded
2022-10-07 20:32:27 add_route_ipv6(2000::/4 -> 2a05:8280:f:43aa::2 metric -1) dev OpenVPN TAP-Windows6
2022-10-07 20:32:27 IPv6 route addition via service succeeded
2022-10-07 20:32:27 add_route_ipv6(3000::/4 -> 2a05:8280:f:43aa::2 metric -1) dev OpenVPN TAP-Windows6
2022-10-07 20:32:27 IPv6 route addition via service succeeded
2022-10-07 20:32:27 add_route_ipv6(fc00::/7 -> 2a05:8280:f:43aa::2 metric -1) dev OpenVPN TAP-Windows6
2022-10-07 20:32:27 IPv6 route addition via service succeeded
2022-10-07 20:32:27 Initialization Sequence Completed
2022-10-07 20:32:27 MANAGEMENT: >STATE:1665163947,CONNECTED,SUCCESS,192.168.7.10,2a05:8280:f:43aa::1,2023,2a02:2168:8e8a:5000:88de:b01d:9002:9233,60515,2a05:8280:f:43aa::1001
2022-10-07 20:33:29 C:\WINDOWS\system32\route.exe DELETE 0.0.0.0 MASK 128.0.0.0 192.168.7.1
2022-10-07 20:33:29 Route deletion via service succeeded
2022-10-07 20:33:29 C:\WINDOWS\system32\route.exe DELETE 128.0.0.0 MASK 128.0.0.0 192.168.7.1
2022-10-07 20:33:29 Route deletion via service succeeded
2022-10-07 20:33:29 delete_route_ipv6(2a05:8280:f:43aa::1/128)
2022-10-07 20:33:29 IPv6 route deletion via service succeeded
2022-10-07 20:33:29 delete_route_ipv6(2000::/3)
2022-10-07 20:33:29 IPv6 route deletion via service succeeded
2022-10-07 20:33:29 delete_route_ipv6(::/3)
2022-10-07 20:33:29 IPv6 route deletion via service succeeded
2022-10-07 20:33:29 delete_route_ipv6(2000::/4)
2022-10-07 20:33:29 IPv6 route deletion via service succeeded
2022-10-07 20:33:29 delete_route_ipv6(3000::/4)
2022-10-07 20:33:29 IPv6 route deletion via service succeeded
2022-10-07 20:33:29 delete_route_ipv6(fc00::/7)
2022-10-07 20:33:29 IPv6 route deletion via service succeeded
2022-10-07 20:33:29 Closing TUN/TAP interface
2022-10-07 20:33:29 IPv6 dns servers deleted using service
2022-10-07 20:33:29 delete_route_ipv6(2a05:8280:f:43aa::/64)
2022-10-07 20:33:29 IPv6 route deletion via service succeeded
2022-10-07 20:33:29 INET6 address service: remove 2a05:8280:f:43aa::1001/128
2022-10-07 20:33:30 TAP: DHCP address released
2022-10-07 20:33:30 SIGTERM[hard,] received, process exiting
2022-10-07 20:33:30 MANAGEMENT: >STATE:1665164010,EXITING,SIGTERM,,,,,
The situation is the same I’m getting IPv4 and IPv6 settings, but IPv6 doesn’t work. IPv4 works fine.

Here’s my /etc/sysctl.conf file:
sysctl.conf

#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
#

#kernel.domainname = example.com

# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3

###################################################################
# Functions previously found in netbase
#

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1

# Uncomment the next line to enable TCP/IP SYN cookies
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
net.ipv6.conf.all.forwarding=1


###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1

###################################################################
# Magic system request Key
# 0=disable, 1=enable all, >1 bitmask of sysrq functions
# See https://www.kernel.org/doc/html/latest/ ... sysrq.html
# for what other values do
#kernel.sysrq=438


So here «net.ipv6.conf.all.forwarding=1» is active.

And here’s my /etc/ufw/before6.rules file:
before6.rules

#X
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw6-before-input
# ufw6-before-output
# ufw6-before-forward
#

# Don't delete these required lines, otherwise there will be errors


*filter
:ufw6-before-input - [0:0]
:ufw6-before-output - [0:0]
:ufw6-before-forward - [0:0]
# End required lines


# allow all on loopback
-A ufw6-before-input -i lo -j ACCEPT
-A ufw6-before-output -o lo -j ACCEPT

# drop packets with RH0 headers
-A ufw6-before-input -m rt --rt-type 0 -j DROP
-A ufw6-before-forward -m rt --rt-type 0 -j DROP
-A ufw6-before-output -m rt --rt-type 0 -j DROP

# quickly process packets for which we already have a connection
-A ufw6-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw6-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw6-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# multicast ping replies are part of the ok icmp codes for INPUT (rfc4890,
# 4.4.1 and 4.4.2), but don't have an associated connection and are otherwise
# be marked INVALID, so allow here instead.
-A ufw6-before-input -p icmpv6 --icmpv6-type echo-reply -j ACCEPT

# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw6-before-input -m conntrack --ctstate INVALID -j ufw6-logging-deny
-A ufw6-before-input -m conntrack --ctstate INVALID -j DROP

# ok icmp codes for INPUT (rfc4890, 4.4.1 and 4.4.2)
-A ufw6-before-input -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
# codes 0 and 1
-A ufw6-before-input -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
# codes 0-2 (echo-reply needs to be before INVALID, see above)
-A ufw6-before-input -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type echo-request -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
# IND solicitation
-A ufw6-before-input -p icmpv6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT
# IND advertisement
-A ufw6-before-input -p icmpv6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT
# MLD query
-A ufw6-before-input -p icmpv6 --icmpv6-type 130 -s fe80::/10 -j ACCEPT
# MLD report
-A ufw6-before-input -p icmpv6 --icmpv6-type 131 -s fe80::/10 -j ACCEPT
# MLD done
-A ufw6-before-input -p icmpv6 --icmpv6-type 132 -s fe80::/10 -j ACCEPT
# MLD report v2
-A ufw6-before-input -p icmpv6 --icmpv6-type 143 -s fe80::/10 -j ACCEPT
# SEND certificate path solicitation
-A ufw6-before-input -p icmpv6 --icmpv6-type 148 -m hl --hl-eq 255 -j ACCEPT
# SEND certificate path advertisement
-A ufw6-before-input -p icmpv6 --icmpv6-type 149 -m hl --hl-eq 255 -j ACCEPT
# MR advertisement
-A ufw6-before-input -p icmpv6 --icmpv6-type 151 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
# MR solicitation
-A ufw6-before-input -p icmpv6 --icmpv6-type 152 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
# MR termination
-A ufw6-before-input -p icmpv6 --icmpv6-type 153 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT

# ok icmp codes for OUTPUT (rfc4890, 4.4.1 and 4.4.2)
-A ufw6-before-output -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
# codes 0 and 1
-A ufw6-before-output -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
# codes 0-2
-A ufw6-before-output -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type echo-request -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
# IND solicitation
-A ufw6-before-output -p icmpv6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT
# IND advertisement
-A ufw6-before-output -p icmpv6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT
# MLD query
-A ufw6-before-output -p icmpv6 --icmpv6-type 130 -s fe80::/10 -j ACCEPT
# MLD report
-A ufw6-before-output -p icmpv6 --icmpv6-type 131 -s fe80::/10 -j ACCEPT
# MLD done
-A ufw6-before-output -p icmpv6 --icmpv6-type 132 -s fe80::/10 -j ACCEPT
# MLD report v2
-A ufw6-before-output -p icmpv6 --icmpv6-type 143 -s fe80::/10 -j ACCEPT
# SEND certificate path solicitation
-A ufw6-before-output -p icmpv6 --icmpv6-type 148 -m hl --hl-eq 255 -j ACCEPT
# SEND certificate path advertisement
-A ufw6-before-output -p icmpv6 --icmpv6-type 149 -m hl --hl-eq 255 -j ACCEPT
# MR advertisement
-A ufw6-before-output -p icmpv6 --icmpv6-type 151 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
# MR solicitation
-A ufw6-before-output -p icmpv6 --icmpv6-type 152 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
# MR termination
-A ufw6-before-output -p icmpv6 --icmpv6-type 153 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT

# ok icmp codes for FORWARD (rfc4890, 4.3.1)
-A ufw6-before-forward -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A ufw6-before-forward -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
# codes 0 and 1
-A ufw6-before-forward -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
# codes 0-2
-A ufw6-before-forward -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
-A ufw6-before-forward -p icmpv6 --icmpv6-type echo-request -j ACCEPT
-A ufw6-before-forward -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
# ok icmp codes for FORWARD (rfc4890, 4.3.2)
# Home Agent Address Discovery Reques
-A ufw6-before-input -p icmpv6 --icmpv6-type 144 -j ACCEPT
# Home Agent Address Discovery Reply
-A ufw6-before-input -p icmpv6 --icmpv6-type 145 -j ACCEPT
# Mobile Prefix Solicitation
-A ufw6-before-input -p icmpv6 --icmpv6-type 146 -j ACCEPT
# Mobile Prefix Advertisement
-A ufw6-before-input -p icmpv6 --icmpv6-type 147 -j ACCEPT

# allow dhcp client to work
-A ufw6-before-input -p udp -s fe80::/10 --sport 547 -d fe80::/10 --dport 546 -j ACCEPT

# allow MULTICAST mDNS for service discovery
-A ufw6-before-input -p udp -d ff02::fb --dport 5353 -j ACCEPT

# allow MULTICAST UPnP for service discovery
-A ufw6-before-input -p udp -d ff02::f --dport 1900 -j ACCEPT

#-A INPUT -i eth0 -p udp --dport 2023 -j ACCEPT
#-A FORWARD -i tun0 -o eth0 -s 2a05:8280:f:43aa::/64 -m state --state NEW -j ACCEPT
#-A FORWARD -i tun0 -o eth0 -s fd00::/64 -m state --state NEW -j ACCEPT
#-A FORWARD -i tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# don't delete the 'COMMIT' line or these rules won't be processed
#-A INPUT -i lo -j ACCEPT
#-A INPUT -m conntrack — ctstate INVALID -j DROP
#-A INPUT -i tun0 -j ACCEPT
#A FORWARD -i tun0 -o eth0 -s 2a05:8280:f:43aa::/64 -m conntrack --ctstate NEW -j ACCEPT
#-A FORWARD -m conntrack — ctstate RELATED,ESTABLISHED -j ACCEPT
#-A INPUT -p ipv6-icmp -j ACCEPT
#-A FORWARD -p ipv6-icmp -j ACCEPT
#-A FORWARD -s 2a05:8280:f:43aa::/64 -j ACCEPT
#-A FORWARD -i tun0 -o eth0 -m state --state NEW -j ACCEPT
#-A FORWARD -i tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT


I suppose that somewhere here there must be complicated FORWARD rules for my tun0 interface and/or for IPv6 routable address block.


And here’s my /etc/ufw/after6.rules file:

after6.rules

#
# rules.input-after
#
# Rules that should be run after the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw6-after-input
# ufw6-after-output
# ufw6-after-forward
#

# Don't delete these required lines, otherwise there will be errors
*filter
:ufw6-after-input - [0:0]
:ufw6-after-output - [0:0]
:ufw6-after-forward - [0:0]
# End required lines

# don't log noisy services by default
-A ufw6-after-input -p udp --dport 137 -j ufw6-skip-to-policy-input
-A ufw6-after-input -p udp --dport 138 -j ufw6-skip-to-policy-input
-A ufw6-after-input -p tcp --dport 139 -j ufw6-skip-to-policy-input
-A ufw6-after-input -p tcp --dport 445 -j ufw6-skip-to-policy-input
-A ufw6-after-input -p udp --dport 546 -j ufw6-skip-to-policy-input
-A ufw6-after-input -p udp --dport 547 -j ufw6-skip-to-policy-input

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT


Maybe the additional difficulty is the Ubuntu has its own firewall (UFW) with unique syntax.

If I enable TCP dump with «tcpdump -i tun0» on OpenVPN server virtual interface I see only IPv4 addresses, so it’s almost obvious that some IPv6 firewall rules must be added. But I don't have enough knowledge to figure them out myself.

User avatar
ordex
OpenVPN Inc.
Posts: 404
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Setting OpenVPN dual stack (IPv4 +IPv6)

Post by ordex » Fri Oct 07, 2022 8:17 pm

OK. one thing at a time :)

First of all, if you are getting "a /64 for your server" you cannot use the same /64 on the server *and* on the VPN.
You must use subparts of that network.

For example you could use:
* 2a05:8280:f:43aa::/80 for the server, so assign 2a05:8280:f:43aa::1/60 to eth0
* 2a05:8280:f:43aa:aaaa::/80 for the VPN.

This is not optimal, because it is always better to not split /64 (like in IPv4 you always try to not split a /24 even further). So the best approach is to ask your ISP for a second /64 network or ask to get a /48 instead of your current /64.
In the latter case you will be able to split the /48 in several /64s, each with its own purpose.

If none of this is possible you can still resort to the /80 splitting mentioned above and see if everything works.
For the server configuration: do not add the ::1 at the end. There you specify the base address and it is good to have the :: as base.

Regarding the firewall: I am not fluent with the ubuntu firewall, so it's hard for me to understand what it is doing.

adroman
OpenVPN User
Posts: 20
Joined: Thu Jun 14, 2018 2:40 pm

Re: Setting OpenVPN dual stack (IPv4 +IPv6)

Post by adroman » Fri Oct 07, 2022 9:52 pm

ordex wrote:
Fri Oct 07, 2022 8:17 pm
First of all, if you are getting "a /64 for your server" you cannot use the same /64 on the server *and* on the VPN.
You must use subparts of that network.

For example you could use:
* 2a05:8280:f:43aa::/80 for the server, so assign 2a05:8280:f:43aa::1/60 to eth0
* 2a05:8280:f:43aa:aaaa::/80 for the VPN.
Many thanks for such a valuable explanation!
My ISP refused to split 64-bit block, so I implemented your suggestion to assign 2a05:8280:f:43aa::1/60 to eth0 and 2a05:8280:f:43aa:aaaa::/80 to OpenVPN server config file.

Here’s my OpenVPN server log:
SERVER LOG (--verb 3):

Code: Select all

DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
WARNING: file '/etc/openvpn/easy-rsa/pki/private/server.key' is group or others accessible
OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
net_route_v4_best_gw query: dst 0.0.0.0
net_route_v4_best_gw result: via 89.38.135.1 dev eth0
Diffie-Hellman initialized with 2048 bit key
net_route_v4_best_gw query: dst 0.0.0.0
net_route_v4_best_gw result: via 89.38.135.1 dev eth0
ROUTE_GATEWAY 89.38.135.1/255.255.255.0 IFACE=eth0 HWADDR=8a:3b:12:dc:de:b0
TUN/TAP device tun0 opened
net_iface_mtu_set: mtu 1500 for tun0
net_iface_up: set tun0 up
net_addr_v4_add: 192.168.7.1/24 dev tun0
net_iface_mtu_set: mtu 1500 for tun0
net_iface_up: set tun0 up
net_addr_v6_add: 2a05:8280:f:43aa:aaaa::1/80 dev tun0
net_route_v4_add: 192.168.5.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.50.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.55.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.8.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.9.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.88.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.80.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.150.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.5.0/24 via 192.168.7.1 dev [NULL] table 0 metric -1
Socket Buffers: R=[87380->87380] S=[65536->65536]
setsockopt(IPV6_V6ONLY=0)
Listening for incoming TCP connection on [AF_INET6][undef]:2023
TCPv6_SERVER link local (bound): [AF_INET6][undef]:2023
TCPv6_SERVER link remote: [AF_UNSPEC]
GID set to root
UID set to root
MULTI: multi_init called, r=256 v=256
IFCONFIG POOL IPv4: base=192.168.7.2 size=253
IFCONFIG POOL IPv6: base=2a05:8280:f:43aa:aaaa::1000 size=65536 netbits=80
NOTE: IPv4 pool size is 253, IPv6 pool size is 65536. IPv4 pool size limits the number of clients that can be served from the pool
MULTI: TCP INIT maxclients=100 maxevents=104
Initialization Sequence Completed
TCP connection established with [AF_INET6]2a02:2168:8e8a:5000:88de:b01d:9002:9233:65052
2a02:2168:8e8a:5000:88de:b01d:9002:9233 TLS: Initial packet from [AF_INET6]2a02:2168:8e8a:5000:88de:b01d:9002:9233:65052, sid=41171474 73c0a6a2
2a02:2168:8e8a:5000:88de:b01d:9002:9233 VERIFY OK: depth=1, CN=vps
2a02:2168:8e8a:5000:88de:b01d:9002:9233 VERIFY OK: depth=0, CN=laptop2
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_VER=2.5.6
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_PLAT=win
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_PROTO=6
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_CIPHERS=AES-256-CBC
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_LZ4=1
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_LZ4v2=1
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_LZO=1
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_COMP_STUB=1
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_COMP_STUBv2=1
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_TCPNL=1
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_GUI_VER=OpenVPN_GUI_11
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_SSO=openurl,crtext
2a02:2168:8e8a:5000:88de:b01d:9002:9233 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2a02:2168:8e8a:5000:88de:b01d:9002:9233 [laptop2] Peer Connection Initiated with [AF_INET6]2a02:2168:8e8a:5000:88de:b01d:9002:9233:65052
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 MULTI_sva: pool returned IPv4=192.168.7.2, IPv6=2a05:8280:f:43aa:aaaa::1000
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/laptop2
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 MULTI_sva: WARNING: if --ifconfig-push is used for IPv4, automatic IPv6 assignment from --ifconfig-ipv6-pool does not work.  Use --ifconfig-ipv6-push for IPv6 then.
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 MULTI: Learn: 192.168.7.10 -> laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 MULTI: primary virtual IP for laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233: 192.168.7.10
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 MULTI: Learn: 2a05:8280:f:43aa:aaaa::1000 -> laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 MULTI: primary virtual IPv6 for laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233: 2a05:8280:f:43aa:aaaa::1000
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 SENT CONTROL [laptop2]: 'PUSH_REPLY,route-ipv6 2000::/3,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,dhcp-option DNS6 2620:0:ccc::2,dhcp-option DNS6 2620:0:ccd::2,tun-ipv6,route-gateway 192.168.7.1,topology subnet,ping 10,ping-restart 120,ifconfig-ipv6 2a05:8280:f:43aa:aaaa::1000/80 2a05:8280:f:43aa:aaaa::1,ifconfig 192.168.7.10 255.255.255.0,peer-id 0,cipher AES-256-CBC' (status=1)

And Windows CLIENT LOG (--verb 3):

Code: Select all

2022-10-08 00:46:03 OpenVPN 2.5.6 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Mar 16 2022
2022-10-08 00:46:03 Windows version 10.0 (Windows 10 or greater) 64bit
2022-10-08 00:46:03 library versions: OpenSSL 1.1.1n  15 Mar 2022, LZO 2.10
2022-10-08 00:46:03 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25342
2022-10-08 00:46:03 Need hold release from management interface, waiting...
2022-10-08 00:46:04 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25342
2022-10-08 00:46:04 MANAGEMENT: CMD 'state on'
2022-10-08 00:46:04 MANAGEMENT: CMD 'log all on'
2022-10-08 00:46:04 MANAGEMENT: CMD 'echo all on'
2022-10-08 00:46:04 MANAGEMENT: CMD 'bytecount 5'
2022-10-08 00:46:04 MANAGEMENT: CMD 'hold off'
2022-10-08 00:46:04 MANAGEMENT: CMD 'hold release'
2022-10-08 00:46:04 TCP/UDP: Preserving recently used remote address: [AF_INET6]2a05:8280:f:43aa::1:2023
2022-10-08 00:46:04 Socket Buffers: R=[65536->65536] S=[65536->65536]
2022-10-08 00:46:04 Attempting to establish TCP connection with [AF_INET6]2a05:8280:f:43aa::1:2023 [nonblock]
2022-10-08 00:46:04 MANAGEMENT: >STATE:1665179164,TCP_CONNECT,,,,,,
2022-10-08 00:46:04 TCP connection established with [AF_INET6]2a05:8280:f:43aa::1:2023
2022-10-08 00:46:04 TCPv6_CLIENT link local: (not bound)
2022-10-08 00:46:04 TCPv6_CLIENT link remote: [AF_INET6]2a05:8280:f:43aa::1:2023
2022-10-08 00:46:04 MANAGEMENT: >STATE:1665179164,WAIT,,,,,,
2022-10-08 00:46:04 MANAGEMENT: >STATE:1665179164,AUTH,,,,,,
2022-10-08 00:46:04 TLS: Initial packet from [AF_INET6]2a05:8280:f:43aa::1:2023, sid=3b6ee39c 19b9e9b1
2022-10-08 00:46:04 VERIFY OK: depth=1, CN=vps
2022-10-08 00:46:04 VERIFY KU OK
2022-10-08 00:46:04 Validating certificate extended key usage
2022-10-08 00:46:04 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2022-10-08 00:46:04 VERIFY EKU OK
2022-10-08 00:46:04 VERIFY OK: depth=0, CN=server
2022-10-08 00:46:04 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2022-10-08 00:46:04 [server] Peer Connection Initiated with [AF_INET6]2a05:8280:f:43aa::1:2023
2022-10-08 00:46:04 PUSH: Received control message: 'PUSH_REPLY,route-ipv6 2000::/3,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,dhcp-option DNS6 2620:0:ccc::2,dhcp-option DNS6 2620:0:ccd::2,tun-ipv6,route-gateway 192.168.7.1,topology subnet,ping 10,ping-restart 120,ifconfig-ipv6 2a05:8280:f:43aa:aaaa::1000/80 2a05:8280:f:43aa:aaaa::1,ifconfig 192.168.7.10 255.255.255.0,peer-id 0,cipher AES-256-CBC'
2022-10-08 00:46:04 OPTIONS IMPORT: timers and/or timeouts modified
2022-10-08 00:46:04 OPTIONS IMPORT: --ifconfig/up options modified
2022-10-08 00:46:04 OPTIONS IMPORT: route options modified
2022-10-08 00:46:04 OPTIONS IMPORT: route-related options modified
2022-10-08 00:46:04 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2022-10-08 00:46:04 OPTIONS IMPORT: peer-id set
2022-10-08 00:46:04 OPTIONS IMPORT: adjusting link_mtu to 1626
2022-10-08 00:46:04 OPTIONS IMPORT: data channel crypto options modified
2022-10-08 00:46:04 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
2022-10-08 00:46:04 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-10-08 00:46:04 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
2022-10-08 00:46:04 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-10-08 00:46:04 interactive service msg_channel=288
2022-10-08 00:46:04 GDG6: remote_host_ipv6=2a05:8280:f:43aa::1
2022-10-08 00:46:04 GetBestInterfaceEx() returned if=12
2022-10-08 00:46:04 GDG6: II=12 DP=::/0 NH=fe80::ce2d:e0ff:fe9c:207e
2022-10-08 00:46:04 GDG6: Metric=256, Loopback=0, AA=1, I=0
2022-10-08 00:46:04 ROUTE6: 2000::/4 overlaps IPv6 remote 2a05:8280:f:43aa::1, adding host route to VPN endpoint
2022-10-08 00:46:04 ROUTE6: 2000::/3 overlaps IPv6 remote 2a05:8280:f:43aa::1, adding host route to VPN endpoint
2022-10-08 00:46:04 open_tun
2022-10-08 00:46:04 tap-windows6 device [OpenVPN TAP-Windows6] opened
2022-10-08 00:46:04 TAP-Windows Driver Version 9.24 
2022-10-08 00:46:04 Set TAP-Windows TUN subnet mode network/local/netmask = 192.168.7.0/192.168.7.10/255.255.255.0 [SUCCEEDED]
2022-10-08 00:46:04 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.7.10/255.255.255.0 on interface {30DC3ECB-1B9D-443C-8ED2-23BFC8F4E46C} [DHCP-serv: 192.168.7.0, lease-time: 31536000]
2022-10-08 00:46:04 Successful ARP Flush on interface [8] {30DC3ECB-1B9D-443C-8ED2-23BFC8F4E46C}
2022-10-08 00:46:04 MANAGEMENT: >STATE:1665179164,ASSIGN_IP,,192.168.7.10,,,,,2a05:8280:f:43aa:aaaa::1000
2022-10-08 00:46:04 IPv4 MTU set to 1500 on interface 8 using service
2022-10-08 00:46:04 INET6 address service: add 2a05:8280:f:43aa:aaaa::1000/128
2022-10-08 00:46:04 add_route_ipv6(2a05:8280:f:43aa:aaaa::/80 -> 2a05:8280:f:43aa:aaaa::1000 metric 0) dev OpenVPN TAP-Windows6
2022-10-08 00:46:04 IPv6 route addition via service succeeded
2022-10-08 00:46:05 IPv6 dns servers set using service
2022-10-08 00:46:05 IPv6 MTU set to 1500 on interface 8 using service
2022-10-08 00:46:10 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
2022-10-08 00:46:10 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 192.168.7.1
2022-10-08 00:46:10 Route addition via service succeeded
2022-10-08 00:46:10 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 192.168.7.1
2022-10-08 00:46:10 Route addition via service succeeded
2022-10-08 00:46:10 add_route_ipv6(2a05:8280:f:43aa::1/128 -> fe80::ce2d:e0ff:fe9c:207e metric 1) dev OpenVPN TAP-Windows6
2022-10-08 00:46:10 IPv6 route addition via service succeeded
2022-10-08 00:46:10 add_route_ipv6(2000::/3 -> 2a05:8280:f:43aa:aaaa::1 metric -1) dev OpenVPN TAP-Windows6
2022-10-08 00:46:10 IPv6 route addition via service succeeded
2022-10-08 00:46:10 add_route_ipv6(::/3 -> 2a05:8280:f:43aa:aaaa::1 metric -1) dev OpenVPN TAP-Windows6
2022-10-08 00:46:10 IPv6 route addition via service succeeded
2022-10-08 00:46:10 add_route_ipv6(2000::/4 -> 2a05:8280:f:43aa:aaaa::1 metric -1) dev OpenVPN TAP-Windows6
2022-10-08 00:46:10 IPv6 route addition via service succeeded
2022-10-08 00:46:10 add_route_ipv6(3000::/4 -> 2a05:8280:f:43aa:aaaa::1 metric -1) dev OpenVPN TAP-Windows6
2022-10-08 00:46:10 IPv6 route addition via service succeeded
2022-10-08 00:46:10 add_route_ipv6(fc00::/7 -> 2a05:8280:f:43aa:aaaa::1 metric -1) dev OpenVPN TAP-Windows6
2022-10-08 00:46:10 IPv6 route addition via service succeeded
2022-10-08 00:46:10 Initialization Sequence Completed
2022-10-08 00:46:10 MANAGEMENT: >STATE:1665179170,CONNECTED,SUCCESS,192.168.7.10,2a05:8280:f:43aa::1,2023,2a02:2168:8e8a:5000:88de:b01d:9002:9233,65052,2a05:8280:f:43aa:aaaa::1000
And when I enable «tcpdump -i tun0» command on OpenVPN server there’s only IPv4 addresses.

User avatar
ordex
OpenVPN Inc.
Posts: 404
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Setting OpenVPN dual stack (IPv4 +IPv6)

Post by ordex » Fri Oct 07, 2022 10:08 pm

There was a typ0 in my message: /60 was wrong. I always meant /80. However, this shouldn't be an issue.
Your logs look correct though.

What happens if on the windows client you try:

ping6 2a05:8280:f:43aa:aaaa::1

(or just "ping" - I don't recall what's the exact name of the tool on windows)

adroman
OpenVPN User
Posts: 20
Joined: Thu Jun 14, 2018 2:40 pm

Re: Setting OpenVPN dual stack (IPv4 +IPv6)

Post by adroman » Fri Oct 07, 2022 10:18 pm

ordex wrote:
Fri Oct 07, 2022 10:08 pm
ping6 2a05:8280:f:43aa:aaaa::1

Thank you so much, I fixed the typo anyway :)
As expected, nothing has changed :)
Address 2a05:8280:f:43aa:aaaa::1 pings without problems :)
And I began to get IPv6 in TCP dump while pinging this address : )

User avatar
ordex
OpenVPN Inc.
Posts: 404
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Setting OpenVPN dual stack (IPv4 +IPv6)

Post by ordex » Fri Oct 07, 2022 10:27 pm

what if you ping 2a00:1450:4002:403::2004 ? (google's address)
Do you still the ping going through tun0?

adroman
OpenVPN User
Posts: 20
Joined: Thu Jun 14, 2018 2:40 pm

Re: Setting OpenVPN dual stack (IPv4 +IPv6)

Post by adroman » Fri Oct 07, 2022 10:32 pm

ordex wrote:
Fri Oct 07, 2022 10:27 pm
what if you ping 2a00:1450:4002:403::2004 ? (google's address)
Do you still the ping going through tun0?
Unfortunately this address isn't accessible :o
Image

User avatar
ordex
OpenVPN Inc.
Posts: 404
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Setting OpenVPN dual stack (IPv4 +IPv6)

Post by ordex » Fri Oct 07, 2022 10:37 pm

do you see any traffic on tun0 on the server? If you see the ICMP ECHO requests, but you see no reply, then most likely the server is not forwarding the traffic.

Post Reply