No tunnel connection with IPv6

Official client software for OpenVPN Access Server and OpenVPN Cloud.

Post by SpudHead » Sat Sep 24, 2022 2:29 pm

I have OpenVPN set up on an Ubuntu 22.04 VPS, and it works fine on IPv4 using OpenVPN Connect for Windows. The VPS has IPv6 access, and this also works; I can access SSH and other services over IPv6 perfectly fine.

If I modify the server config from

```
proto udp
```

to

```
proto udp6
```

and also the client config to proto udp6 and the remote IPv6 address of the VPS then OpenVPN Connect fails to connect. If I set the server override in the profile to the IPv4 address of the VPS it then connects fine.

When the server is running (it runs on port 5353), issuing this command

```
netstat --numeric-ports -lu | grep 5353
```

yields this

```
udp6       0      0 [::]:5353               [::]:*
```

Which suggests the server is running and listening on udp6 (although it doesn't explain why it still accepts connections on udp4).

The connection attempt in OpenVPN Connect shows an error in the log.

```
[Sep 24, 2022, 14:47:32] OpenVPN core 3.git::c2153df1 win x86_64 64-bit built on Oct  6 2021 14:20:53
[Sep 24, 2022, 14:47:32] Frame=512/2048/512 mssfix-ctrl=1250
[Sep 24, 2022, 14:47:32] UNUSED OPTIONS
8 [verb] [2]
9 [mute] [20]
12 [persist-key]
13 [persist-tun]
15 [resolv-retry] [infinite]
16 [nobind]
[Sep 24, 2022, 14:47:32] EVENT: RESOLVE
[Sep 24, 2022, 14:47:32] Contacting [xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx]:5353 via UDP
[Sep 24, 2022, 14:47:32] EVENT: WAIT
[Sep 24, 2022, 14:47:32] WinCommandAgent: transmitting bypass route to xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
{
	"host" : "xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx",
	"ipv6" : true
}

[Sep 24, 2022, 14:47:32] Transport Error: socket_protect error (UDP)
[Sep 24, 2022, 14:47:32] Client terminated, restarting in 2000 ms...
```

Converting the server back to UDP4, I tried to use socat on the VPS to bounce packets from v6 to v4 while still attempting a v6 connection from OpenVPN Connect, with the same result, and socat reports no incoming traffic is received at all. However, when the server is in UDP6 mode and socat is used to bounce UDP4 to UDP6 (different ports) it then actually works, confirming the OpenVPN server installation is working fine on IPv6 and the problem must lie with OpenVPN Connect. This is because:
- The VPS is able to receive and process IPv6 traffic with other applications, both TCP and UDP.
- The VPN server is able to process IPv6 traffic being bounced from incoming IPv4 data.
- No traffic is reaching the server from OpenVPN Connect in IPv6 mode.
- The agent service IS running (verified)
- I am using the latest version of OpenVPN Connect 3.3.4 (2600) (at least that's what the update feature downloaded)
- My Windows install is perfectly capable of communicating over IPv6 to my VPS and to other hosts.

Can anyone please explain what is wrong with OpenVPN Connect for Windows using IPv6 and how I can resolve the problem?

Thanks
Spud.

EDIT1:
Found multiple posts in this forum with pretty much similar or identical issues with no solutions posted, some of them being quite old. Leads me to believe this is a known issue that is being "overlooked" or ignored. This is unfortunate, but I guess free software ain't going to be perfect. I will attempt to find a workaround or fix myself. I have already managed to redirect IPv4 traffic to IPv6 using a Windows-side application (self-written) which actually works, so I can at least connect to the VPN over IPv6 with an ugly hack. My situation is that IPv4 is not available on some subnets, so IPv6 connection is the only alternative. The local bouncing app solves that problem but it's not ideal at all.

EDIT2:
On initial investigation, the issue would appear to lie with the agent service (OpenVPN Agent agent_ovpnconnect). If I stop this service running, I get EXACTLY the same error with IPv4 as I do with IPv6. With the service running, v4 will then work, but v6 will not; it acts like the service is not running at all. This leads me to believe the agent service is not correctly dealing with IPv6. Next step is to completely remove OpenVPN Connect including all services et al. Then re-install. Maybe the agent service is not being updated correctly? Who knows?

EDIT3:
Well, literally one hour ago, the updater downloaded 3.3.4, I'm now informed that 3.3.6 is the latest version. *sigh* like wth?

EDIT4:
Okay, after uninstalling 3.3.4 (why didn't the updater just download 3.3.6???) restarting, confirming the agent service had been removed, installing 3.3.6, again restarting, confirming the agent service was back and running and importing profile. Exactly the same, "Transport Error: socket_protect error (UDP)". So re-installing fresh wasn't the solution. The hypothesis is that the agent service is bugged with regard to IPv6 and needs fixing. Now investigating further.

EDIT5:
Right. I uninstalled OpenVPN Connect, restarted, then installed the regular OpenVPN GUI (which seems to have been made deliberately awkward to find), copied over the IPv6 tunnel profile and voilà! Works perfectly, in fact I'm using it while writing this. Thus the issue is 100% OpenVPN Connect having badly bugged IPv6 support. My suggestion is not to use it as it seems somewhat flaky. Not downloading the current latest version for updating, not supporting IPv6 properly, god knows what else is wrong with it. To be brutally frank, these are pretty simple things compared to security components so I definitely would not trust it an inch.
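
The netstat output in the post above shows a single udp6 socket on [::]:5353 that still serves IPv4 clients. The following is an added example, not part of the original posts: it reproduces that dual-stack behaviour on loopback with Python's standard `socket` module (the function names are illustrative; on Linux the default is governed by the `net.ipv6.bindv6only` sysctl).

```python
import socket

def probe_dual_stack(v6only: bool, timeout: float = 0.5):
    """Bind a UDP socket to [::] on an ephemeral port, send one IPv4
    datagram to 127.0.0.1 on that port, and return the source address
    the listener sees, or None if the datagram never arrives."""
    with socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) as listener:
        # IPV6_V6ONLY=0: the socket also receives IPv4 traffic, which is
        # presented as an IPv4-mapped IPv6 address (::ffff:a.b.c.d).
        # IPV6_V6ONLY=1: the socket receives IPv6 traffic only.
        listener.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, int(v6only))
        listener.bind(("::", 0))
        port = listener.getsockname()[1]
        listener.settimeout(timeout)

        # Constructed test traffic: one IPv4 datagram over loopback.
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sender:
            sender.sendto(b"probe", ("127.0.0.1", port))

        try:
            data, addr = listener.recvfrom(64)
        except socket.timeout:
            return None
        return addr[0] if data == b"probe" else None

def summarize():
    """Run the probe in both modes and report what each listener saw."""
    return {
        "dual_stack": probe_dual_stack(v6only=False),
        "v6only": probe_dual_stack(v6only=True),
    }

if __name__ == "__main__":
    for mode, seen in summarize().items():
        print(f"{mode}: IPv4 sender seen as {seen}")
```

A listener shown as `[::]:port` can therefore be reachable over IPv4 as well, so IPv4 firewall rules still need to cover that port. OpenVPN 2.4 and later accept `bind ipv6only` in the server config to restrict the socket to IPv6.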


Re: No tunnel connection with IPv6

Post by tropicoco » Wed Mar 22, 2023 2:34 pm

I can confirm that OpenVPN Connect does not work when connected to an IPv6 server.
Loading the same config file in OpenVPN GUI works flawlessly.
