IPv6 connectivity on tunnel? - "block-ipv6" client directive being forcefully pushed by server

Drift_91
OpenVpn Newbie
Posts: 6
Joined: Sat Dec 17, 2022 6:50 pm

IPv6 connectivity on tunnel? - "block-ipv6" client directive being forcefully pushed by server

Post by Drift_91 » Sat Dec 17, 2022 7:21 pm

So I've just set up a new OpenVPS access server installation on my Ubuntu VPS server. I'm able to connect to the server and send IPv4 traffic to the public internet via NAT. This is my first time ever using OpenVPN, let alone administrating a VPN server. I'm still learning the ropes for Linux administration, but I know the basics of Bash and the CLI.

I spent about 10 hours yesterday trying to get IPv6 NAT working, only to realize that IPv6 wasn't even working at all over the tunnel. Today when I started working on it again, I noticed that the client log shows "block-ipv6" being passed in the PUSH_REPLY and I'm fairly certain that's what the problem is. I'm able to ping my local IPv6 address, but not the server's.

I can't for the life of me figure out how to remove the "block-ipv6" option. After skimming through tons of documentation, I've added "client-config-dir=/etc/openvpn/ccd" to the "/usr/local/openvpn_as/etc/as.conf" file and then "push-remove block-ipv6" to "/etc/openvpn/ccd/Drift_91", "Drift_91" being the username on the OpenVPS client. I've also tried adding "-push block-ipv6", "push -block-ipv6" and "-block-ipv6" to the server config directives on the web admin panel and "-block-ipv6" to the client config directives.

Am I missing some kind of configuration file that contains the "block-ipv6" directive by default? Or do I have to edit the launch arguments the server daemon starts with somehow? I can't seem to find anything relevant in the web panel's UI at all.

Thank you in advance to anyone who can help.
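
As an added example (not part of the original posts and not OpenVPN's own tooling), this shell snippet pulls the last PUSH_REPLY out of an OpenVPN client log and reports which IPv6-related options the server pushed, which is the check described in the post above. The log lines are constructed samples, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of an OpenVPN client log (not taken from the thread).
sample_log() {
cat <<'EOF'
2022-12-17 19:02:11 TLS: Initial packet from [AF_INET]203.0.113.10:1194
2022-12-17 19:02:12 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2022-12-17 19:02:12 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,block-ipv6,route-gateway 172.27.232.1,topology subnet,ifconfig 172.27.232.2 255.255.248.0'
EOF
}

# Read a client log on stdin and print each option of the last
# PUSH_REPLY on its own line (nothing if no PUSH_REPLY was logged).
pushed_options() {
    grep "PUSH_REPLY" | tail -n 1 |
        sed -e "s/.*PUSH_REPLY,//" -e "s/'.*//" | tr ',' '\n'
}

# Classify the IPv6 posture of the tunnel from the pushed options:
#   blocked       - block-ipv6 was pushed: the client is told to reject
#                   IPv6 instead of carrying it over the tunnel
#   tunneled      - ifconfig-ipv6 was pushed without block-ipv6: the
#                   client receives an IPv6 address inside the tunnel
#   unmanaged     - neither option: the VPN says nothing about IPv6, so
#                   a dual-stack client may send IPv6 outside the tunnel
#   no-push-reply - the log contains no PUSH_REPLY to inspect
ipv6_posture() {
    opts=$(pushed_options)
    if [ -z "$opts" ]; then
        echo no-push-reply
    elif printf '%s\n' "$opts" | grep -qx 'block-ipv6'; then
        echo blocked
    elif printf '%s\n' "$opts" | grep -q '^ifconfig-ipv6 '; then
        echo tunneled
    else
        echo unmanaged
    fi
}

# Run against the constructed sample; pipe a real client log in instead.
sample_log | ipv6_posture
```
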

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: IPv6 connectivity on tunnel? - "block-ipv6" client directive being forcefully pushed by server

Post by openvpn_inc » Sat Dec 17, 2022 10:23 pm

Hello Drift_91,

Could you give the configuration options here a try, please?
https://openvpn.net/vpn-server-resource ... ss-server/

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

Drift_91
OpenVpn Newbie
Posts: 6
Joined: Sat Dec 17, 2022 6:50 pm

Re: IPv6 connectivity on tunnel? - "block-ipv6" client directive being forcefully pushed by server

Post by Drift_91 » Sun Dec 18, 2022 1:04 am

Thanks, I had seen that documentation already but I guess I didn't read it fully. I couldn't get "./confdba" to work because I hadn't done "cd /usr/local/openvpn_as/scripts".

For some reason after running "./confdba -mk "vpn.routing6.enable" -v "true" " and then restarting the server, the web admin interface is completely broken. The page seems to lack any CSS formatting once I log in and has in large red text at the bottom of the page "An error occurred while rendering the response."

All I can think of is maybe my web admin port needs to be changed or something.

Drift_91
OpenVpn Newbie
Posts: 6
Joined: Sat Dec 17, 2022 6:50 pm

Re: IPv6 connectivity on tunnel? - "block-ipv6" client directive being forcefully pushed by server

Post by Drift_91 » Sun Dec 18, 2022 1:34 am

So it seems that "vpn.server.nat6" needs to be false, which is odd since "uname -r" outputs "5.15.0-56-lowlatency".

This is the part of the log that made me realize the above:

2022-12-17T20:10:48-0500 [stdout#info] Server Agent initialization status:
2022-12-17T20:10:48-0500 [stdout#info] {
2022-12-17T20:10:48-0500 [stdout#info]   "errors": {
2022-12-17T20:10:48-0500 [stdout#info]     "IPTABLES_COMPILE": [
2022-12-17T20:10:48-0500 [stdout#info]       [
2022-12-17T20:10:48-0500 [stdout#info]         "error",
2022-12-17T20:10:48-0500 [stdout#info]         "SNATSources: cannot determine --to-source address for 'eth0' NAT6 rule: sagent/iptvpn:250,sagent/iptvpn:294,net/iptconf:1112,net/ipt:82,python/context:122,python/context:85,internet/asyncioreactor:136,internet/posixbase:227,internet/process:63,internet/process:311,internet/_baseprocess:52,internet/process:948,internet/_baseprocess:64,svc/pp:133,svc/svcnotify:42,internet/defer:460,internet/defer:568,internet/defer:654,util/defer:10,internet/defer:460,internet/defer:568,internet/defer:654,internet/defer:1116,internet/defer:460,internet/defer:568,internet/defer:654,svc/svc:675,sagent/ipts:210,sagent/ipts:153,sagent/ipts:159,sagent/iptvpn:250,sagent/iptvpn:294,net/iptconf:1112,net/ipt:82,util/error:105,util/error:86"
2022-12-17T20:10:48-0500 [stdout#info]       ]

For reference, this is exactly the issue I was experiencing, just with a different cause: viewtopic.php?t=33549


Now I'm getting the following error, which I'm not yet sure the cause of: "pyovpn.util.error.SimpleError: DEFAULT_USER6: IP6 address pool depleted"

Drift_91
OpenVpn Newbie
Posts: 6
Joined: Sat Dec 17, 2022 6:50 pm

Re: IPv6 connectivity on tunnel? - "block-ipv6" client directive being forcefully pushed by server

Post by Drift_91 » Sun Dec 18, 2022 2:25 am

Alright, so I seem to have gotten the tunnel working, after setting the IPv6 IP under the group within the user database.

Now the issue is public internet access. I'm assuming the "vpn.server.nat6" option being set to false means I need to use public IPs? I'm not sure exactly how to get that to work with my current VPS, as I'm not sure if I have an entire netblock assigned to me or a single IP address.

Drift_91
OpenVpn Newbie
Posts: 6
Joined: Sat Dec 17, 2022 6:50 pm

Re: IPv6 connectivity on tunnel? - "block-ipv6" client directive being forcefully pushed by server

Post by Drift_91 » Sun Dec 18, 2022 8:09 am

So I've given the server another IPv6 address, as I can only add individual IPs and not a netblock with my host. For some reason it gives the "IP6 address pool depleted" error again if I set the IP address in the group's config.

I've also run into a strange issue where confdba and sacli seem to be operating on a different database. If I use "./confdba -mk "vpn.server.daemon.vpn_network6.0" -v "2604:bc0:4::17/48" " followed by "./sacli ConfigQuery" the value hasn't been updated and "./confdba -a" outputs completely different information, but includes what I just added.

Drift_91
OpenVpn Newbie
Posts: 6
Joined: Sat Dec 17, 2022 6:50 pm

Re: IPv6 connectivity on tunnel? - "block-ipv6" client directive being forcefully pushed by server

Post by Drift_91 » Sun Dec 18, 2022 9:33 am

Alright, so I got NAT6 working via "vpn.server.nat6.masquerade" being set to true. Found that option here: viewtopic.php?f=24&t=31588

The other issue was that my user got set back to the default group somehow while I was messing with things, so it wasn't getting the IPv6 IPs assigned to it, hence the "IP6 address pool depleted" error.

Somehow I still can't get the ./confdba command to commit to the database correctly, though.

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: IPv6 connectivity on tunnel? - "block-ipv6" client directive being forcefully pushed by server

Post by openvpn_inc » Tue Dec 20, 2022 9:49 pm

Hello Drift_91,

I didn't hear of OpenVPS before, so I looked into it a bit. Looks like this is based on Linux-VServer and that it's one of those "run on the host kernel but jail it a bit" kind of "virtualization/containerization" solutions. Smells a lot like OpenVZ, and we have had a lot of experience with that. This type of environment can cause problems you would normally not see if Access Server were running in an environment where it has full access. For example, by default Access Server sets certain flags like IPv6 masquerading by itself but often can't in these types of more restricted environments because of how things are jailed/restricted.

Basically, you may need to do more sleuthing to try and convince this type of system to work, and I'm afraid I don't have any information to give you on what needs to be done in your specific circumstances. Any chance you can instead run something like QEMU or even Docker? There are community supported containers for that and with NET_PCAP_ADMIN granted it can work reasonably 'normal'.

In short, your mileage may vary on the currently chosen solution.

Kind regards,
Johan
OpenVPN Inc.
