Works with one IPv6, tls-crypt error with another

Post by acta » Wed Dec 14, 2022 11:18 pm

server version

OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 29 2022
library versions: OpenSSL 1.0.2u  20 Dec 2019, LZO 2.08
Debian GNU/Linux 9.13 (stretch)

server network interface

# ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.110  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 2a01:X  prefixlen 64  scopeid 0x0<global>
        inet6 fd00::889e:5bcf:8f79:b3cf  prefixlen 64  scopeid 0x0<global>
        inet6 fd00::d6be:d9ff:fe29:9094  prefixlen 64  scopeid 0x0<global>
        inet6 2a01:Y  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::d6be:d9ff:fe29:9094  prefixlen 64  scopeid 0x20<link>
        ether MAC  txqueuelen 1000  (Ethernet)
        RX packets 52825  bytes 24888534 (23.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 32150  bytes 7386252 (7.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 20  memory 0xe2e00000-e2e20000

server.conf

port 1194
proto udp6
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
server-ipv6 2a01:PREFIX:d6ff::/64
push "redirect-gateway def1 ipv6 bypass-dhcp"
push "route-ipv6 2a01:PREFIX:d600::/64"
push "route-ipv6 2000::/3"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 192.168.1.1"
push "dhcp-option DNS6 2001:4860:4860::8888"
push "dhcp-option DNS6 2001:4860:4860::8844"
push "block-outside-dns"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
verb 4
log-append /var/log/openvpn.log
crl-verify crl.pem
explicit-exit-notify


client version

OpenVPN Connect 3.4.1 (4522)
macOS 12.5

client.conf

client
dev tun-ipv6
proto udp6
remote SERVER_IPV6 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
verb 4
<ca>
-----BEGIN CERTIFICATE-----
CONTENT
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
CONTENT
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
CONTENT
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
CONTENT
-----END OpenVPN Static key V1-----
</tls-crypt>


With SERVER_IPV6 = 2a01:X the connection doesn't work and I get this:

failing server log:

Wed Dec 14 23:44:04 2022 us=767835 Current Parameter Settings:
Wed Dec 14 23:44:04 2022 us=767912   config = '/etc/openvpn/server.conf'
Wed Dec 14 23:44:04 2022 us=767937   mode = 1
Wed Dec 14 23:44:04 2022 us=767958   persist_config = DISABLED
Wed Dec 14 23:44:04 2022 us=767979   persist_mode = 1
Wed Dec 14 23:44:04 2022 us=767999   show_ciphers = DISABLED
Wed Dec 14 23:44:04 2022 us=768018   show_digests = DISABLED
Wed Dec 14 23:44:04 2022 us=768036   show_engines = DISABLED
Wed Dec 14 23:44:04 2022 us=768056   genkey = DISABLED
Wed Dec 14 23:44:04 2022 us=768074   key_pass_file = '[UNDEF]'
Wed Dec 14 23:44:04 2022 us=768093   show_tls_ciphers = DISABLED
Wed Dec 14 23:44:04 2022 us=768113   connect_retry_max = 0
Wed Dec 14 23:44:04 2022 us=768131 Connection profiles [0]:
Wed Dec 14 23:44:04 2022 us=768150   proto = udp6
Wed Dec 14 23:44:04 2022 us=768168   local = '[UNDEF]'
Wed Dec 14 23:44:04 2022 us=768185   local_port = '1194'
Wed Dec 14 23:44:04 2022 us=768203   remote = '[UNDEF]'
Wed Dec 14 23:44:04 2022 us=768220   remote_port = '1194'
Wed Dec 14 23:44:04 2022 us=768237   remote_float = DISABLED
Wed Dec 14 23:44:04 2022 us=768254   bind_defined = DISABLED
Wed Dec 14 23:44:04 2022 us=768271   bind_local = ENABLED
Wed Dec 14 23:44:04 2022 us=768287   bind_ipv6_only = DISABLED
Wed Dec 14 23:44:04 2022 us=768303   connect_retry_seconds = 5
Wed Dec 14 23:44:04 2022 us=768320   connect_timeout = 120
Wed Dec 14 23:44:04 2022 us=768336   socks_proxy_server = '[UNDEF]'
Wed Dec 14 23:44:04 2022 us=768353   socks_proxy_port = '[UNDEF]'
Wed Dec 14 23:44:04 2022 us=768371   tun_mtu = 1500
Wed Dec 14 23:44:04 2022 us=768388   tun_mtu_defined = ENABLED
Wed Dec 14 23:44:04 2022 us=768405   link_mtu = 1500
Wed Dec 14 23:44:04 2022 us=768422   link_mtu_defined = DISABLED
Wed Dec 14 23:44:04 2022 us=768439   tun_mtu_extra = 0
Wed Dec 14 23:44:04 2022 us=768455   tun_mtu_extra_defined = DISABLED
Wed Dec 14 23:44:04 2022 us=768472   mtu_discover_type = -1
Wed Dec 14 23:44:04 2022 us=768491   fragment = 0
Wed Dec 14 23:44:04 2022 us=768507   mssfix = 1450
Wed Dec 14 23:44:04 2022 us=768525   explicit_exit_notification = 1
Wed Dec 14 23:44:04 2022 us=768544 Connection profiles END
Wed Dec 14 23:44:04 2022 us=768562   remote_random = DISABLED
Wed Dec 14 23:44:04 2022 us=768580   ipchange = '[UNDEF]'
Wed Dec 14 23:44:04 2022 us=768598   dev = 'tun'
Wed Dec 14 23:44:04 2022 us=768617   dev_type = '[UNDEF]'
Wed Dec 14 23:44:04 2022 us=768634   dev_node = '[UNDEF]'
Wed Dec 14 23:44:04 2022 us=768652   lladdr = '[UNDEF]'
Wed Dec 14 23:44:04 2022 us=768671   topology = 3
Wed Dec 14 23:44:04 2022 us=768689   ifconfig_local = '10.8.0.1'
Wed Dec 14 23:44:04 2022 us=768708   ifconfig_remote_netmask = '255.255.255.0'
Wed Dec 14 23:44:04 2022 us=768742   ifconfig_noexec = DISABLED
Wed Dec 14 23:44:04 2022 us=768761   ifconfig_nowarn = DISABLED
Wed Dec 14 23:44:04 2022 us=768779   ifconfig_ipv6_local = '2a01:PREFIX:d6ff::1'
Wed Dec 14 23:44:04 2022 us=768797   ifconfig_ipv6_netbits = 64
Wed Dec 14 23:44:04 2022 us=768815   ifconfig_ipv6_remote = '2a01:PREFIX:d6ff::2'
Wed Dec 14 23:44:04 2022 us=768833   shaper = 0
Wed Dec 14 23:44:04 2022 us=768851   mtu_test = 0
Wed Dec 14 23:44:04 2022 us=768868   mlock = DISABLED
Wed Dec 14 23:44:04 2022 us=768887   keepalive_ping = 10
Wed Dec 14 23:44:04 2022 us=768905   keepalive_timeout = 120
Wed Dec 14 23:44:04 2022 us=768923   inactivity_timeout = 0
Wed Dec 14 23:44:04 2022 us=768941   ping_send_timeout = 10
Wed Dec 14 23:44:04 2022 us=768958   ping_rec_timeout = 240
Wed Dec 14 23:44:04 2022 us=768975   ping_rec_timeout_action = 2
Wed Dec 14 23:44:04 2022 us=768992   ping_timer_remote = DISABLED
Wed Dec 14 23:44:04 2022 us=769008   remap_sigusr1 = 0
Wed Dec 14 23:44:04 2022 us=769025   persist_tun = ENABLED
Wed Dec 14 23:44:04 2022 us=769040   persist_local_ip = DISABLED
Wed Dec 14 23:44:04 2022 us=769058   persist_remote_ip = DISABLED
Wed Dec 14 23:44:04 2022 us=769075   persist_key = ENABLED
Wed Dec 14 23:44:04 2022 us=769093   passtos = DISABLED
Wed Dec 14 23:44:04 2022 us=769112   resolve_retry_seconds = 1000000000
Wed Dec 14 23:44:04 2022 us=769130   resolve_in_advance = DISABLED
Wed Dec 14 23:44:04 2022 us=769148   username = 'nobody'
Wed Dec 14 23:44:04 2022 us=769167   groupname = 'nogroup'
Wed Dec 14 23:44:04 2022 us=769185   chroot_dir = '[UNDEF]'
Wed Dec 14 23:44:04 2022 us=769202   cd_dir = '/etc/openvpn'
Wed Dec 14 23:44:04 2022 us=769220   writepid = '/run/openvpn/server.pid'
Wed Dec 14 23:44:04 2022 us=769237   up_script = '[UNDEF]'
Wed Dec 14 23:44:04 2022 us=769255   down_script = '[UNDEF]'
Wed Dec 14 23:44:04 2022 us=769272   down_pre = DISABLED
Wed Dec 14 23:44:04 2022 us=769289   up_restart = DISABLED
Wed Dec 14 23:44:04 2022 us=769305   up_delay = DISABLED
Wed Dec 14 23:44:04 2022 us=769323   daemon = ENABLED
Wed Dec 14 23:44:04 2022 us=769341   inetd = 0
Wed Dec 14 23:44:04 2022 us=769359   log = ENABLED
Wed Dec 14 23:44:04 2022 us=769377   suppress_timestamps = DISABLED
Wed Dec 14 23:44:04 2022 us=769394   machine_readable_output = DISABLED
Wed Dec 14 23:44:04 2022 us=769411   nice = 0
Wed Dec 14 23:44:04 2022 us=769428   verbosity = 4
Wed Dec 14 23:44:04 2022 us=769445   mute = 0
Wed Dec 14 23:44:04 2022 us=769462   gremlin = 0
Wed Dec 14 23:44:04 2022 us=769479   status_file = '/run/openvpn/server.status'
Wed Dec 14 23:44:04 2022 us=769497   status_file_version = 1
Wed Dec 14 23:44:04 2022 us=769515   status_file_update_freq = 10
Wed Dec 14 23:44:04 2022 us=769533   occ = ENABLED
Wed Dec 14 23:44:04 2022 us=769550   rcvbuf = 0
Wed Dec 14 23:44:04 2022 us=769568   sndbuf = 0
Wed Dec 14 23:44:04 2022 us=769585   mark = 0
Wed Dec 14 23:44:04 2022 us=769603   sockflags = 0
Wed Dec 14 23:44:04 2022 us=769620   fast_io = DISABLED
Wed Dec 14 23:44:04 2022 us=769639   comp.alg = 0
Wed Dec 14 23:44:04 2022 us=769657   comp.flags = 0
Wed Dec 14 23:44:04 2022 us=769675   route_script = '[UNDEF]'
Wed Dec 14 23:44:04 2022 us=769693   route_default_gateway = '10.8.0.2'
Wed Dec 14 23:44:04 2022 us=769711   route_default_metric = 0
Wed Dec 14 23:44:04 2022 us=769728   route_noexec = DISABLED
Wed Dec 14 23:44:04 2022 us=769744   route_delay = 0
Wed Dec 14 23:44:04 2022 us=769762   route_delay_window = 30
Wed Dec 14 23:44:04 2022 us=769778   route_delay_defined = DISABLED
Wed Dec 14 23:44:04 2022 us=769792   route_nopull = DISABLED
Wed Dec 14 23:44:04 2022 us=769807   route_gateway_via_dhcp = DISABLED
Wed Dec 14 23:44:04 2022 us=769823   allow_pull_fqdn = DISABLED
Wed Dec 14 23:44:04 2022 us=769839   management_addr = '[UNDEF]'
Wed Dec 14 23:44:04 2022 us=769855   management_port = '[UNDEF]'
Wed Dec 14 23:44:04 2022 us=769871   management_user_pass = '[UNDEF]'
Wed Dec 14 23:44:04 2022 us=769887   management_log_history_cache = 250
Wed Dec 14 23:44:04 2022 us=769915   management_echo_buffer_size = 100
Wed Dec 14 23:44:04 2022 us=769934   management_write_peer_info_file = '[UNDEF]'
Wed Dec 14 23:44:04 2022 us=769951   management_client_user = '[UNDEF]'
Wed Dec 14 23:44:04 2022 us=769966   management_client_group = '[UNDEF]'
Wed Dec 14 23:44:04 2022 us=769983   management_flags = 0
Wed Dec 14 23:44:04 2022 us=769999   shared_secret_file = '[UNDEF]'
Wed Dec 14 23:44:04 2022 us=770018   key_direction = 0
Wed Dec 14 23:44:04 2022 us=770036   ciphername = 'AES-256-CBC'
Wed Dec 14 23:44:04 2022 us=770052   ncp_enabled = ENABLED
Wed Dec 14 23:44:04 2022 us=770070   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Wed Dec 14 23:44:04 2022 us=770087   authname = 'SHA512'
Wed Dec 14 23:44:04 2022 us=770103   prng_hash = 'SHA1'
Wed Dec 14 23:44:04 2022 us=770120   prng_nonce_secret_len = 16
Wed Dec 14 23:44:04 2022 us=770136   keysize = 0
Wed Dec 14 23:44:04 2022 us=770153   engine = DISABLED
Wed Dec 14 23:44:04 2022 us=770171   replay = ENABLED
Wed Dec 14 23:44:04 2022 us=770189   mute_replay_warnings = DISABLED
Wed Dec 14 23:44:04 2022 us=770206   replay_window = 64
Wed Dec 14 23:44:04 2022 us=770224   replay_time = 15
Wed Dec 14 23:44:04 2022 us=770240   packet_id_file = '[UNDEF]'
Wed Dec 14 23:44:04 2022 us=770256   use_iv = ENABLED
Wed Dec 14 23:44:04 2022 us=770273   test_crypto = DISABLED
Wed Dec 14 23:44:04 2022 us=770291   tls_server = ENABLED
Wed Dec 14 23:44:04 2022 us=770309   tls_client = DISABLED
Wed Dec 14 23:44:04 2022 us=770327   key_method = 2
Wed Dec 14 23:44:04 2022 us=770344   ca_file = 'ca.crt'
Wed Dec 14 23:44:04 2022 us=770361   ca_path = '[UNDEF]'
Wed Dec 14 23:44:04 2022 us=770377   dh_file = 'dh.pem'
Wed Dec 14 23:44:04 2022 us=770395   cert_file = 'server.crt'
Wed Dec 14 23:44:04 2022 us=770413   extra_certs_file = '[UNDEF]'
Wed Dec 14 23:44:04 2022 us=770431   priv_key_file = 'server.key'
Wed Dec 14 23:44:04 2022 us=770449   pkcs12_file = '[UNDEF]'
Wed Dec 14 23:44:04 2022 us=770466   cipher_list = '[UNDEF]'
Wed Dec 14 23:44:04 2022 us=770482   tls_verify = '[UNDEF]'
Wed Dec 14 23:44:04 2022 us=770500   tls_export_cert = '[UNDEF]'
Wed Dec 14 23:44:04 2022 us=770518   verify_x509_type = 0
Wed Dec 14 23:44:04 2022 us=770535   verify_x509_name = '[UNDEF]'
Wed Dec 14 23:44:04 2022 us=770553   crl_file = 'crl.pem'
Wed Dec 14 23:44:04 2022 us=770571   ns_cert_type = 0
Wed Dec 14 23:44:04 2022 us=770588   remote_cert_ku[i] = 0
Wed Dec 14 23:44:04 2022 us=770604   remote_cert_ku[i] = 0
Wed Dec 14 23:44:04 2022 us=770621   remote_cert_ku[i] = 0
Wed Dec 14 23:44:04 2022 us=770637   remote_cert_ku[i] = 0
Wed Dec 14 23:44:04 2022 us=770654   remote_cert_ku[i] = 0
Wed Dec 14 23:44:04 2022 us=770670   remote_cert_ku[i] = 0
Wed Dec 14 23:44:04 2022 us=770687   remote_cert_ku[i] = 0
Wed Dec 14 23:44:04 2022 us=770704   remote_cert_ku[i] = 0
Wed Dec 14 23:44:04 2022 us=770721   remote_cert_ku[i] = 0
Wed Dec 14 23:44:04 2022 us=770737   remote_cert_ku[i] = 0
Wed Dec 14 23:44:04 2022 us=770755   remote_cert_ku[i] = 0
Wed Dec 14 23:44:04 2022 us=770788   remote_cert_ku[i] = 0
Wed Dec 14 23:44:04 2022 us=770810   remote_cert_ku[i] = 0
Wed Dec 14 23:44:04 2022 us=770828   remote_cert_ku[i] = 0
Wed Dec 14 23:44:04 2022 us=770846   remote_cert_ku[i] = 0
Wed Dec 14 23:44:04 2022 us=770863   remote_cert_ku[i] = 0
Wed Dec 14 23:44:04 2022 us=770880   remote_cert_eku = '[UNDEF]'
Wed Dec 14 23:44:04 2022 us=770896   ssl_flags = 0
Wed Dec 14 23:44:04 2022 us=770913   tls_timeout = 2
Wed Dec 14 23:44:04 2022 us=770930   renegotiate_bytes = -1
Wed Dec 14 23:44:04 2022 us=770946   renegotiate_packets = 0
Wed Dec 14 23:44:04 2022 us=770963   renegotiate_seconds = 3600
Wed Dec 14 23:44:04 2022 us=770980   handshake_window = 60
Wed Dec 14 23:44:04 2022 us=770997   transition_window = 3600
Wed Dec 14 23:44:04 2022 us=771012   single_session = DISABLED
Wed Dec 14 23:44:04 2022 us=771029   push_peer_info = DISABLED
Wed Dec 14 23:44:04 2022 us=771045   tls_exit = DISABLED
Wed Dec 14 23:44:04 2022 us=771061   tls_auth_file = '[UNDEF]'
Wed Dec 14 23:44:04 2022 us=771078   tls_crypt_file = 'tc.key'
Wed Dec 14 23:44:04 2022 us=771107   pkcs11_protected_authentication = DISABLED
Wed Dec 14 23:44:04 2022 us=771125   pkcs11_protected_authentication = DISABLED
Wed Dec 14 23:44:04 2022 us=771141   pkcs11_protected_authentication = DISABLED
Wed Dec 14 23:44:04 2022 us=771157   pkcs11_protected_authentication = DISABLED
Wed Dec 14 23:44:04 2022 us=771174   pkcs11_protected_authentication = DISABLED
Wed Dec 14 23:44:04 2022 us=771190   pkcs11_protected_authentication = DISABLED
Wed Dec 14 23:44:04 2022 us=771207   pkcs11_protected_authentication = DISABLED
Wed Dec 14 23:44:04 2022 us=771223   pkcs11_protected_authentication = DISABLED
Wed Dec 14 23:44:04 2022 us=771241   pkcs11_protected_authentication = DISABLED
Wed Dec 14 23:44:04 2022 us=771259   pkcs11_protected_authentication = DISABLED
Wed Dec 14 23:44:04 2022 us=771276   pkcs11_protected_authentication = DISABLED
Wed Dec 14 23:44:04 2022 us=771293   pkcs11_protected_authentication = DISABLED
Wed Dec 14 23:44:04 2022 us=771309   pkcs11_protected_authentication = DISABLED
Wed Dec 14 23:44:04 2022 us=771325   pkcs11_protected_authentication = DISABLED
Wed Dec 14 23:44:04 2022 us=771341   pkcs11_protected_authentication = DISABLED
Wed Dec 14 23:44:04 2022 us=771357   pkcs11_protected_authentication = DISABLED
Wed Dec 14 23:44:04 2022 us=771374   pkcs11_private_mode = 00000000
Wed Dec 14 23:44:04 2022 us=771390   pkcs11_private_mode = 00000000
Wed Dec 14 23:44:04 2022 us=771407   pkcs11_private_mode = 00000000
Wed Dec 14 23:44:04 2022 us=771424   pkcs11_private_mode = 00000000
Wed Dec 14 23:44:04 2022 us=771440   pkcs11_private_mode = 00000000
Wed Dec 14 23:44:04 2022 us=771457   pkcs11_private_mode = 00000000
Wed Dec 14 23:44:04 2022 us=771475   pkcs11_private_mode = 00000000
Wed Dec 14 23:44:04 2022 us=771493   pkcs11_private_mode = 00000000
Wed Dec 14 23:44:04 2022 us=771512   pkcs11_private_mode = 00000000
Wed Dec 14 23:44:04 2022 us=771529   pkcs11_private_mode = 00000000
Wed Dec 14 23:44:04 2022 us=771547   pkcs11_private_mode = 00000000
Wed Dec 14 23:44:04 2022 us=771564   pkcs11_private_mode = 00000000
Wed Dec 14 23:44:04 2022 us=771581   pkcs11_private_mode = 00000000
Wed Dec 14 23:44:04 2022 us=771598   pkcs11_private_mode = 00000000
Wed Dec 14 23:44:04 2022 us=771615   pkcs11_private_mode = 00000000
Wed Dec 14 23:44:04 2022 us=771633   pkcs11_private_mode = 00000000
Wed Dec 14 23:44:04 2022 us=771648   pkcs11_cert_private = DISABLED
Wed Dec 14 23:44:04 2022 us=771659   pkcs11_cert_private = DISABLED
Wed Dec 14 23:44:04 2022 us=771670   pkcs11_cert_private = DISABLED
Wed Dec 14 23:44:04 2022 us=771680   pkcs11_cert_private = DISABLED
Wed Dec 14 23:44:04 2022 us=771690   pkcs11_cert_private = DISABLED
Wed Dec 14 23:44:04 2022 us=771700   pkcs11_cert_private = DISABLED
Wed Dec 14 23:44:04 2022 us=771711   pkcs11_cert_private = DISABLED
Wed Dec 14 23:44:04 2022 us=771724   pkcs11_cert_private = DISABLED
Wed Dec 14 23:44:04 2022 us=771741   pkcs11_cert_private = DISABLED
Wed Dec 14 23:44:04 2022 us=771757   pkcs11_cert_private = DISABLED
Wed Dec 14 23:44:04 2022 us=771770   pkcs11_cert_private = DISABLED
Wed Dec 14 23:44:04 2022 us=771788   pkcs11_cert_private = DISABLED
Wed Dec 14 23:44:04 2022 us=771806   pkcs11_cert_private = DISABLED
Wed Dec 14 23:44:04 2022 us=771825   pkcs11_cert_private = DISABLED
Wed Dec 14 23:44:04 2022 us=771842   pkcs11_cert_private = DISABLED
Wed Dec 14 23:44:04 2022 us=771860   pkcs11_cert_private = DISABLED
Wed Dec 14 23:44:04 2022 us=771877   pkcs11_pin_cache_period = -1
Wed Dec 14 23:44:04 2022 us=771895   pkcs11_id = '[UNDEF]'
Wed Dec 14 23:44:04 2022 us=771912   pkcs11_id_management = DISABLED
Wed Dec 14 23:44:04 2022 us=771931   server_network = 10.8.0.0
Wed Dec 14 23:44:04 2022 us=771950   server_netmask = 255.255.255.0
Wed Dec 14 23:44:04 2022 us=771977   server_network_ipv6 = 2a01:PREFIX:d6ff::
Wed Dec 14 23:44:04 2022 us=771995   server_netbits_ipv6 = 64
Wed Dec 14 23:44:04 2022 us=772014   server_bridge_ip = 0.0.0.0
Wed Dec 14 23:44:04 2022 us=772033   server_bridge_netmask = 0.0.0.0
Wed Dec 14 23:44:04 2022 us=772052   server_bridge_pool_start = 0.0.0.0
Wed Dec 14 23:44:04 2022 us=772080   server_bridge_pool_end = 0.0.0.0
Wed Dec 14 23:44:04 2022 us=772099   push_entry = 'redirect-gateway def1 ipv6 bypass-dhcp'
Wed Dec 14 23:44:04 2022 us=772116   push_entry = 'route-ipv6 2a01:PREFIX:d600::/64'
Wed Dec 14 23:44:04 2022 us=772133   push_entry = 'route-ipv6 2000::/3'
Wed Dec 14 23:44:04 2022 us=772150   push_entry = 'dhcp-option DNS 192.168.1.1'
Wed Dec 14 23:44:04 2022 us=772168   push_entry = 'dhcp-option DNS6 2001:4860:4860::8888'
Wed Dec 14 23:44:04 2022 us=772185   push_entry = 'dhcp-option DNS6 2001:4860:4860::8844'
Wed Dec 14 23:44:04 2022 us=772202   push_entry = 'block-outside-dns'
Wed Dec 14 23:44:04 2022 us=772219   push_entry = 'tun-ipv6'
Wed Dec 14 23:44:04 2022 us=772237   push_entry = 'route-gateway 10.8.0.1'
Wed Dec 14 23:44:04 2022 us=772254   push_entry = 'topology subnet'
Wed Dec 14 23:44:04 2022 us=772272   push_entry = 'ping 10'
Wed Dec 14 23:44:04 2022 us=772289   push_entry = 'ping-restart 120'
Wed Dec 14 23:44:04 2022 us=772308   ifconfig_pool_defined = ENABLED
Wed Dec 14 23:44:04 2022 us=772327   ifconfig_pool_start = 10.8.0.2
Wed Dec 14 23:44:04 2022 us=772344   ifconfig_pool_end = 10.8.0.253
Wed Dec 14 23:44:04 2022 us=772356   ifconfig_pool_netmask = 255.255.255.0
Wed Dec 14 23:44:04 2022 us=772367   ifconfig_pool_persist_filename = 'ipp.txt'
Wed Dec 14 23:44:04 2022 us=772378   ifconfig_pool_persist_refresh_freq = 600
Wed Dec 14 23:44:04 2022 us=772388   ifconfig_ipv6_pool_defined = ENABLED
Wed Dec 14 23:44:04 2022 us=772401   ifconfig_ipv6_pool_base = 2a01:PREFIX:d6ff::1000
Wed Dec 14 23:44:04 2022 us=772411   ifconfig_ipv6_pool_netbits = 64
Wed Dec 14 23:44:04 2022 us=772422   n_bcast_buf = 256
Wed Dec 14 23:44:04 2022 us=772432   tcp_queue_limit = 64
Wed Dec 14 23:44:04 2022 us=772443   real_hash_size = 256
Wed Dec 14 23:44:04 2022 us=772454   virtual_hash_size = 256
Wed Dec 14 23:44:04 2022 us=772464   client_connect_script = '[UNDEF]'
Wed Dec 14 23:44:04 2022 us=772475   learn_address_script = '[UNDEF]'
Wed Dec 14 23:44:04 2022 us=772485   client_disconnect_script = '[UNDEF]'
Wed Dec 14 23:44:04 2022 us=772495   client_config_dir = '[UNDEF]'
Wed Dec 14 23:44:04 2022 us=772506   ccd_exclusive = DISABLED
Wed Dec 14 23:44:04 2022 us=772516   tmp_dir = '/tmp'
Wed Dec 14 23:44:04 2022 us=772527   push_ifconfig_defined = DISABLED
Wed Dec 14 23:44:04 2022 us=772538   push_ifconfig_local = 0.0.0.0
Wed Dec 14 23:44:04 2022 us=772549   push_ifconfig_remote_netmask = 0.0.0.0
Wed Dec 14 23:44:04 2022 us=772560   push_ifconfig_ipv6_defined = DISABLED
Wed Dec 14 23:44:04 2022 us=772571   push_ifconfig_ipv6_local = ::/0
Wed Dec 14 23:44:04 2022 us=772582   push_ifconfig_ipv6_remote = ::
Wed Dec 14 23:44:04 2022 us=772593   enable_c2c = DISABLED
Wed Dec 14 23:44:04 2022 us=772603   duplicate_cn = DISABLED
Wed Dec 14 23:44:04 2022 us=772614   cf_max = 0
Wed Dec 14 23:44:04 2022 us=772624   cf_per = 0
Wed Dec 14 23:44:04 2022 us=772635   max_clients = 1024
Wed Dec 14 23:44:04 2022 us=772646   max_routes_per_client = 256
Wed Dec 14 23:44:04 2022 us=772656   auth_user_pass_verify_script = '[UNDEF]'
Wed Dec 14 23:44:04 2022 us=772667   auth_user_pass_verify_script_via_file = DISABLED
Wed Dec 14 23:44:04 2022 us=772683   auth_token_generate = DISABLED
Wed Dec 14 23:44:04 2022 us=772701   auth_token_lifetime = 0
Wed Dec 14 23:44:04 2022 us=772718   port_share_host = '[UNDEF]'
Wed Dec 14 23:44:04 2022 us=772731   port_share_port = '[UNDEF]'
Wed Dec 14 23:44:04 2022 us=772747   client = DISABLED
Wed Dec 14 23:44:04 2022 us=772763   pull = DISABLED
Wed Dec 14 23:44:04 2022 us=772780   auth_user_pass_file = '[UNDEF]'
Wed Dec 14 23:44:04 2022 us=772800 OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 29 2022
Wed Dec 14 23:44:04 2022 us=772826 library versions: OpenSSL 1.0.2u  20 Dec 2019, LZO 2.08
Wed Dec 14 23:44:04 2022 us=775196 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Wed Dec 14 23:44:04 2022 us=775793 Diffie-Hellman initialized with 2048 bit key
Wed Dec 14 23:44:04 2022 us=776361 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Wed Dec 14 23:44:04 2022 us=776409 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Dec 14 23:44:04 2022 us=776433 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Wed Dec 14 23:44:04 2022 us=776455 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Dec 14 23:44:04 2022 us=776478 TLS-Auth MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Wed Dec 14 23:44:04 2022 us=777004 TUN/TAP device tun0 opened
Wed Dec 14 23:44:04 2022 us=777058 TUN/TAP TX queue length set to 100
Wed Dec 14 23:44:04 2022 us=777174 do_ifconfig, tt->did_ifconfig_ipv6_setup=1
Wed Dec 14 23:44:04 2022 us=777216 /sbin/ip link set dev tun0 up mtu 1500
Wed Dec 14 23:44:04 2022 us=782655 /sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Wed Dec 14 23:44:04 2022 us=792733 /sbin/ip -6 addr add 2a01:PREFIX:d6ff::1/64 dev tun0
Wed Dec 14 23:44:04 2022 us=796036 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Wed Dec 14 23:44:04 2022 us=796697 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Dec 14 23:44:04 2022 us=796732 setsockopt(IPV6_V6ONLY=0)
Wed Dec 14 23:44:04 2022 us=796763 UDPv6 link local (bound): [AF_INET6][undef]:1194
Wed Dec 14 23:44:04 2022 us=796780 UDPv6 link remote: [AF_UNSPEC]
Wed Dec 14 23:44:04 2022 us=796801 GID set to nogroup
Wed Dec 14 23:44:04 2022 us=796825 UID set to nobody
Wed Dec 14 23:44:04 2022 us=796849 MULTI: multi_init called, r=256 v=256
Wed Dec 14 23:44:04 2022 us=796894 IFCONFIG POOL IPv6: (IPv4) size=252, size_ipv6=65536, netbits=64, base_ipv6=2a01:PREFIX:d6ff::1000
Wed Dec 14 23:44:04 2022 us=796922 IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=1
Wed Dec 14 23:44:04 2022 us=796948 ifconfig_pool_read(), in='client,10.8.0.2,2a01:PREFIX:d6ff::1000', TODO: IPv6
Wed Dec 14 23:44:04 2022 us=796967 succeeded -> ifconfig_pool_set()
Wed Dec 14 23:44:04 2022 us=796984 IFCONFIG POOL LIST
Wed Dec 14 23:44:04 2022 us=797006 client,10.8.0.2,2a01:PREFIX:d6ff::1000
Wed Dec 14 23:44:04 2022 us=797084 Initialization Sequence Completed
Wed Dec 14 23:44:41 2022 us=259986 MULTI: multi_create_instance called
Wed Dec 14 23:44:41 2022 us=260172 2001:CLIENT_IPV6 Re-using SSL/TLS context
Wed Dec 14 23:44:41 2022 us=260394 2001:CLIENT_IPV6 Control Channel MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Wed Dec 14 23:44:41 2022 us=260430 2001:CLIENT_IPV6 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Wed Dec 14 23:44:41 2022 us=260501 2001:CLIENT_IPV6 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
Wed Dec 14 23:44:41 2022 us=260525 2001:CLIENT_IPV6 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
Wed Dec 14 23:44:41 2022 us=260590 2001:CLIENT_IPV6 TLS: Initial packet from [AF_INET6]2001:CLIENT_IPV6:64749, sid=ff7559bc 8695b70d
Wed Dec 14 23:44:42 2022 us=218733 2001:CLIENT_IPV6 PID_ERR replay [0] [TLS_WRAP-0] [1] 1671057881:1 1671057881:1 t=1671057882[0] r=[-1,64,15,0,1] sl=[63,1,64,528]
Wed Dec 14 23:44:42 2022 us=218905 2001:CLIENT_IPV6 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1671057881) Wed Dec 14 23:44:41 2022 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Dec 14 23:44:42 2022 us=218931 2001:CLIENT_IPV6 tls-crypt unwrap error: packet replay
Wed Dec 14 23:44:42 2022 us=219009 2001:CLIENT_IPV6 TLS Error: tls-crypt unwrapping failed from [AF_INET6]2001:CLIENT_IPV6:64749
Wed Dec 14 23:44:43 2022 us=218286 2001:CLIENT_IPV6 PID_ERR replay [0] [TLS_WRAP-0] [2] 1671057881:1 1671057881:1 t=1671057883[0] r=[-2,64,15,0,1] sl=[63,1,64,528]
Wed Dec 14 23:44:43 2022 us=218402 2001:CLIENT_IPV6 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1671057881) Wed Dec 14 23:44:41 2022 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Dec 14 23:44:43 2022 us=218423 2001:CLIENT_IPV6 tls-crypt unwrap error: packet replay
Wed Dec 14 23:44:43 2022 us=218463 2001:CLIENT_IPV6 TLS Error: tls-crypt unwrapping failed from [AF_INET6]2001:CLIENT_IPV6:64749
Wed Dec 14 23:44:44 2022 us=217947 2001:CLIENT_IPV6 PID_ERR replay [0] [TLS_WRAP-0] [3] 1671057881:1 1671057881:1 t=1671057884[0] r=[-3,64,15,0,1] sl=[63,1,64,528]
Wed Dec 14 23:44:44 2022 us=218063 2001:CLIENT_IPV6 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1671057881) Wed Dec 14 23:44:41 2022 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Dec 14 23:44:44 2022 us=218085 2001:CLIENT_IPV6 tls-crypt unwrap error: packet replay
Wed Dec 14 23:44:44 2022 us=218126 2001:CLIENT_IPV6 TLS Error: tls-crypt unwrapping failed from [AF_INET6]2001:CLIENT_IPV6:64749
Wed Dec 14 23:44:45 2022 us=218090 2001:CLIENT_IPV6 PID_ERR replay [0] [TLS_WRAP-0] [4] 1671057881:1 1671057881:1 t=1671057885[0] r=[-4,64,15,0,1] sl=[63,1,64,528]
Wed Dec 14 23:44:45 2022 us=218162 2001:CLIENT_IPV6 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1671057881) Wed Dec 14 23:44:41 2022 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Dec 14 23:44:45 2022 us=218182 2001:CLIENT_IPV6 tls-crypt unwrap error: packet replay
Wed Dec 14 23:44:45 2022 us=218217 2001:CLIENT_IPV6 TLS Error: tls-crypt unwrapping failed from [AF_INET6]2001:CLIENT_IPV6:64749
Wed Dec 14 23:45:41 2022 us=132003 2001:CLIENT_IPV6 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Dec 14 23:45:41 2022 us=132143 2001:CLIENT_IPV6 TLS Error: TLS handshake failed
Wed Dec 14 23:45:41 2022 us=132351 2001:CLIENT_IPV6 SIGUSR1[soft,tls-error] received, client-instance restarting

failing client log

⏎[Dec 14, 2022, 22:44:41] Frame=512/2048/512 mssfix-ctrl=1250
⏎[Dec 14, 2022, 22:44:41] UNUSED OPTIONS
4 [resolv-retry] [infinite]
5 [nobind]
6 [persist-key]
7 [persist-tun]
11 [ignore-unknown-option] [block-outside-dns]
12 [verb] [4]
⏎[Dec 14, 2022, 22:44:41] EVENT: RESOLVE ⏎[Dec 14, 2022, 22:44:41] Contacting [2a01:X]:1194 via UDP
⏎[Dec 14, 2022, 22:44:41] EVENT: WAIT ⏎[Dec 14, 2022, 22:44:41] UnixCommandAgent: transmitting bypass route to /var/run/agent_ovpnconnect.sock
{
	"host" : "2a01:X",
	"ipv6" : true,
	"pid" : 65825
}

⏎[Dec 14, 2022, 22:44:41] Connecting to [2a01:X]:1194 (2a01:X) via UDPv6

If I set SERVER_IPV6 = 2a01:Y in the client.conf, the connection works.

working server log

...
Thu Dec 15 00:01:50 2022 us=423900 Initialization Sequence Completed
Thu Dec 15 00:02:02 2022 us=656594 MULTI: multi_create_instance called
Thu Dec 15 00:02:02 2022 us=656765 2001:CLIENT_IPV6 Re-using SSL/TLS context
Thu Dec 15 00:02:02 2022 us=656985 2001:CLIENT_IPV6 Control Channel MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Thu Dec 15 00:02:02 2022 us=657022 2001:CLIENT_IPV6 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Thu Dec 15 00:02:02 2022 us=657096 2001:CLIENT_IPV6 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
Thu Dec 15 00:02:02 2022 us=657121 2001:CLIENT_IPV6 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
Thu Dec 15 00:02:02 2022 us=657187 2001:CLIENT_IPV6 TLS: Initial packet from [AF_INET6]2001:CLIENT_IPV6:49178, sid=35811557 eb3f4b7d
Thu Dec 15 00:02:02 2022 us=892700 2001:CLIENT_IPV6 VERIFY OK: depth=1, CN=Easy-RSA CA
Thu Dec 15 00:02:02 2022 us=893274 2001:CLIENT_IPV6 VERIFY OK: depth=0, CN=client
Thu Dec 15 00:02:02 2022 us=938376 2001:CLIENT_IPV6 peer info: IV_VER=3.6.7
Thu Dec 15 00:02:02 2022 us=938484 2001:CLIENT_IPV6 peer info: IV_PLAT=mac
Thu Dec 15 00:02:02 2022 us=938513 2001:CLIENT_IPV6 peer info: IV_NCP=2
Thu Dec 15 00:02:02 2022 us=938539 2001:CLIENT_IPV6 peer info: IV_TCPNL=1
Thu Dec 15 00:02:02 2022 us=938564 2001:CLIENT_IPV6 peer info: IV_PROTO=30
Thu Dec 15 00:02:02 2022 us=938590 2001:CLIENT_IPV6 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
Thu Dec 15 00:02:02 2022 us=938616 2001:CLIENT_IPV6 peer info: IV_AUTO_SESS=1
Thu Dec 15 00:02:02 2022 us=938640 2001:CLIENT_IPV6 peer info: IV_GUI_VER=OCmacOS_3.4.1-4522
Thu Dec 15 00:02:02 2022 us=938666 2001:CLIENT_IPV6 peer info: IV_SSO=webauth,openurl,crtext
Thu Dec 15 00:02:02 2022 us=982268 2001:CLIENT_IPV6 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Thu Dec 15 00:02:02 2022 us=982387 2001:CLIENT_IPV6 [client] Peer Connection Initiated with [AF_INET6]2001:CLIENT_IPV6:49178
Thu Dec 15 00:02:02 2022 us=982458 client/2001:CLIENT_IPV6 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=2a01:PREFIX:d6ff::1000
Thu Dec 15 00:02:02 2022 us=982564 client/2001:CLIENT_IPV6 MULTI: Learn: 10.8.0.2 -> client/2001:CLIENT_IPV6
Thu Dec 15 00:02:02 2022 us=982591 client/2001:CLIENT_IPV6 MULTI: primary virtual IP for client/2001:CLIENT_IPV6: 10.8.0.2
Thu Dec 15 00:02:02 2022 us=982649 client/2001:CLIENT_IPV6 MULTI: Learn: 2a01:PREFIX:d6ff::1000 -> client/2001:CLIENT_IPV6
Thu Dec 15 00:02:02 2022 us=982677 client/2001:CLIENT_IPV6 MULTI: primary virtual IPv6 for client/2001:CLIENT_IPV6: 2a01:PREFIX:d6ff::1000
Thu Dec 15 00:02:02 2022 us=982764 client/2001:CLIENT_IPV6 PUSH: Received control message: 'PUSH_REQUEST'
Thu Dec 15 00:02:02 2022 us=982918 client/2001:CLIENT_IPV6 SENT CONTROL [client]: 'PUSH_REPLY,redirect-gateway def1 ipv6 bypass-dhcp,route-ipv6 2a01:PREFIX:d600::/64,route-ipv6 2000::/3,dhcp-option DNS 192.168.1.1,dhcp-option DNS6 2001:4860:4860::8888,dhcp-option DNS6 2001:4860:4860::8844,block-outside-dns,tun-ipv6,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig-ipv6 2a01:PREFIX:d6ff::1000/64 2a01:PREFIX:d6ff::1,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Thu Dec 15 00:02:02 2022 us=982963 client/2001:CLIENT_IPV6 Data Channel MTU parms [ L:1549 D:1450 EF:49 EB:406 ET:0 EL:3 ]
Thu Dec 15 00:02:02 2022 us=983142 client/2001:CLIENT_IPV6 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Dec 15 00:02:02 2022 us=983170 client/2001:CLIENT_IPV6 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
working client log

Code: Select all

⏎[Dec 14, 2022, 23:02:02] Frame=512/2048/512 mssfix-ctrl=1250
⏎[Dec 14, 2022, 23:02:02] UNUSED OPTIONS
4 [resolv-retry] [infinite]
5 [nobind]
6 [persist-key]
7 [persist-tun]
11 [ignore-unknown-option] [block-outside-dns]
12 [verb] [11]
⏎[Dec 14, 2022, 23:02:02] EVENT: RESOLVE ⏎[Dec 14, 2022, 23:02:02] Contacting [2a01:Y]:1194 via UDP
⏎[Dec 14, 2022, 23:02:02] EVENT: WAIT ⏎[Dec 14, 2022, 23:02:02] UnixCommandAgent: transmitting bypass route to /var/run/agent_ovpnconnect.sock
{
	"host" : "2a01:Y",
	"ipv6" : true,
	"pid" : 65825
}

⏎[Dec 14, 2022, 23:02:02] Connecting to [2a01:Y]:1194 (2a01:Y) via UDPv6
⏎[Dec 14, 2022, 23:02:02] EVENT: CONNECTING ⏎[Dec 14, 2022, 23:02:02] Tunnel Options:V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client
⏎[Dec 14, 2022, 23:02:02] Creds: UsernameEmpty/PasswordEmpty
⏎[Dec 14, 2022, 23:02:02] Peer Info:
IV_VER=3.6.7
IV_PLAT=mac
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
IV_AUTO_SESS=1
IV_GUI_VER=OCmacOS_3.4.1-4522
IV_SSO=webauth,openurl,crtext

⏎[Dec 14, 2022, 23:02:02] SSL Handshake: peer certificate: CN=server, 2048 bit RSA, cipher: ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD

⏎[Dec 14, 2022, 23:02:02] Session is ACTIVE
⏎[Dec 14, 2022, 23:02:02] EVENT: GET_CONFIG ⏎[Dec 14, 2022, 23:02:02] Sending PUSH_REQUEST to server...
⏎[Dec 14, 2022, 23:02:02] OPTIONS:
0 [redirect-gateway] [def1] [ipv6] [bypass-dhcp]
1 [route-ipv6] [2a01:PREFIX:d600::/64]
2 [route-ipv6] [2000::/3]
3 [dhcp-option] [DNS] [192.168.1.1]
4 [dhcp-option] [DNS6] [2001:4860:4860::8888]
5 [dhcp-option] [DNS6] [2001:4860:4860::8844]
6 [block-outside-dns]
7 [tun-ipv6]
8 [route-gateway] [10.8.0.1]
9 [topology] [subnet]
10 [ping] [10]
11 [ping-restart] [120]
12 [ifconfig-ipv6] [2a01:PREFIX:d6ff::1000/64] [2a01:PREFIX:d6ff::1]
13 [ifconfig] [10.8.0.2] [255.255.255.0]
14 [peer-id] [0]
15 [cipher] [AES-256-GCM]

⏎[Dec 14, 2022, 23:02:02] PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: NONE
  key-derivation: OpenVPN PRF
  compress: NONE
  peer ID: 0
  control channel: tls-crypt enabled
⏎[Dec 14, 2022, 23:02:02] TunPersist: short-term connection scope
⏎[Dec 14, 2022, 23:02:02] TunPersist: new tun context
⏎[Dec 14, 2022, 23:02:02] EVENT: ASSIGN_IP ⏎[Dec 14, 2022, 23:02:02] CAPTURED OPTIONS:
Session Name: 2a01:Y
Layer: OSI_LAYER_3
MTU: 1500
Remote Address: 2a01:Y [IPv6]
Tunnel Addresses:
  10.8.0.2/24 -> 10.8.0.1
  2a01:PREFIX:d6ff::1000/64 -> 2a01:PREFIX:d6ff::1 [IPv6]
Reroute Gateway: IPv4=1 IPv6=1 flags=[ ENABLE REROUTE_GW DEF1 BYPASS_DHCP IPv4 IPv6 ]
Block IPv6: no
Add Routes:
  2a01:PREFIX:d600::/64 [IPv6]
  2000::/3 [IPv6]
Exclude Routes:
DNS Servers:
  192.168.1.1
  2001:4860:4860::8888 [IPv6]
  2001:4860:4860::8844 [IPv6]
Search Domains:

⏎[Dec 14, 2022, 23:02:03] SetupClient: transmitting tun setup list to /var/run/agent_ovpnconnect.sock
{
	"config" : 
	{
		"iface_name" : "",
		"layer" : "OSI_LAYER_3",
		"tun_prefix" : false
	},
	"pid" : 65825,
	"tun" : 
	{
		"adapter_domain_suffix" : "",
		"add_routes" : 
		[
			{
				"address" : "2a01:PREFIX:d600::",
				"gateway" : "",
				"ipv6" : true,
				"metric" : -1,
				"net30" : false,
				"prefix_length" : 64
			},
			{
				"address" : "2000::",
				"gateway" : "",
				"ipv6" : true,
				"metric" : -1,
				"net30" : false,
				"prefix_length" : 3
			}
		],
		"block_ipv6" : false,
		"dns_servers" : 
		[
			{
				"address" : "192.168.1.1",
				"ipv6" : false
			},
			{
				"address" : "2001:4860:4860::8888",
				"ipv6" : true
			},
			{
				"address" : "2001:4860:4860::8844",
				"ipv6" : true
			}
		],
		"layer" : 3,
		"mtu" : 1500,
		"remote_address" : 
		{
			"address" : "2a01:Y",
			"ipv6" : true
		},
		"reroute_gw" : 
		{
			"flags" : 819,
			"ipv4" : true,
			"ipv6" : true
		},
		"route_metric_default" : -1,
		"session_name" : "2a01:Y",
		"tunnel_address_index_ipv4" : 0,
		"tunnel_address_index_ipv6" : 1,
		"tunnel_addresses" : 
		[
			{
				"address" : "10.8.0.2",
				"gateway" : "10.8.0.1",
				"ipv6" : false,
				"metric" : -1,
				"net30" : false,
				"prefix_length" : 24
			},
			{
				"address" : "2a01:PREFIX:d6ff::1000",
				"gateway" : "2a01:PREFIX:d6ff::1",
				"ipv6" : true,
				"metric" : -1,
				"net30" : false,
				"prefix_length" : 64
			}
		]
	}
}
POST unix://[/var/run/agent_ovpnconnect.sock]/tun-setup : 200 OK
{
	"iface_name" : "utun3",
	"layer" : "OSI_LAYER_3",
	"tun_prefix" : true
}
/sbin/ifconfig utun3 down
/sbin/ifconfig utun3 10.8.0.2 10.8.0.1 netmask 255.255.255.0 mtu 1500 up
/sbin/route add -net 10.8.0.0 -netmask 255.255.255.0 10.8.0.2
add net 10.8.0.0: gateway 10.8.0.2
/sbin/ifconfig utun3 inet6 2a01:PREFIX:d6ff::1000/64 up
/sbin/route add -net -inet6 2a01:PREFIX:d6ff:: -prefixlen 64 -iface utun3
route: writing to routing socket: File exists
add net 2a01:PREFIX:d6ff::: gateway utun3: File exists
/sbin/route add -net -inet6 2a01:PREFIX:d600:: -prefixlen 64 -iface utun3
add net 2a01:PREFIX:d600::: gateway utun3
/sbin/route add -net -inet6 2000:: -prefixlen 3 -iface utun3
add net 2000::: gateway utun3
/sbin/route add -net 0.0.0.0 -netmask 128.0.0.0 10.8.0.1
add net 0.0.0.0: gateway 10.8.0.1
/sbin/route add -net 128.0.0.0 -netmask 128.0.0.0 10.8.0.1
add net 128.0.0.0: gateway 10.8.0.1
/sbin/route add -net -inet6 2a01:Y -prefixlen 128 fe80::ce19:a8ff:feb0:a1f%en0
route: writing to routing socket: File exists
add host 2a01:Y: gateway fe80::ce19:a8ff:feb0:a1f%en0: File exists
/sbin/route add -net -inet6 :: -prefixlen 1 -iface utun3
add net ::: gateway utun3
/sbin/route add -net -inet6 8000:: -prefixlen 1 -iface utun3
add net 8000::: gateway utun3
MacDNSAction: FLAGS=ESF RD=1 SO=5000 DNS=192.168.1.1,2001:4860:4860::8888,2001:4860:4860::8844 DOM= ADS=
open utun3 SUCCEEDED
⏎[Dec 14, 2022, 23:02:03] Connected via utun3
⏎[Dec 14, 2022, 23:02:03] EVENT: CONNECTED [2a01:Y]:1194 (2a01:Y) via /UDPv6 on utun3/10.8.0.2/2a01:PREFIX:d6ff::1000 gw=[10.8.0.1/2a01:PREFIX:d6ff::1]
I don't understand why I get the "tls-crypt unwrap error: packet replay" error with one of the server's IPv6, given that the other seems to work fine. I can SSH into the server using both of those. Does anyone have any idea/suggestion?

Thanks


Re: Works with one IPv6, tls-crypt error with another

Post by acta » Thu Dec 15, 2022 9:47 pm

If I use TCP6 both IPv6 work...


Re: Works with one IPv6, tls-crypt error with another

Post by acta » Fri Dec 16, 2022 8:04 pm

I see that the IP that doesn't work has these modifiers:

Code: Select all

scope global mngtmpaddr noprefixroute dynamic
while the one that works has:

Code: Select all

scope global temporary dynamic
Maybe the noprefixroute is the culprit? But I still don't understand how it only affects UDP traffic.
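
A way to list every IPv6 address on the server with the flags compared in the post above, so the temporary (privacy) address can be told apart from the `mngtmpaddr` address it is derived from. This is an added example, not part of the thread; the `ip -6 addr show` sample is constructed with documentation-prefix addresses, and the labels returned by `classify` are this example's own names.

```python
import ipaddress

# Constructed sample of `ip -6 addr show dev eth0` output; the addresses use
# the 2001:db8::/32 documentation prefix and are not taken from the thread.
SAMPLE = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:889e:5bcf:8f79:b3cf/64 scope global temporary dynamic
       valid_lft 86009sec preferred_lft 14009sec
    inet6 2001:db8:1:2:d6be:d9ff:fe29:9094/64 scope global mngtmpaddr noprefixroute dynamic
       valid_lft 86009sec preferred_lft 14009sec
    inet6 fe80::d6be:d9ff:fe29:9094/64 scope link
       valid_lft forever preferred_lft forever
"""

def parse_inet6(output):
    """Return one dict per inet6 line: address, scope, flags, lifetimes."""
    entries = []
    for line in output.splitlines():
        tok = line.split() or [""]
        if tok[0] == "inet6" and len(tok) >= 4 and tok[2] == "scope":
            iface = ipaddress.ip_interface(tok[1])  # validates addr/prefix
            entries.append({
                "address": str(iface.ip),
                "prefixlen": iface.network.prefixlen,
                "scope": tok[3],
                "flags": set(tok[4:]),
                "lifetimes": {},
            })
        elif tok[0] == "valid_lft" and entries:
            # The lifetime line belongs to the inet6 line just above it.
            entries[-1]["lifetimes"] = dict(zip(tok[0::2], tok[1::2]))
    return entries

def classify(entry):
    """Label a parsed address by the flags the post compares."""
    if entry["scope"] != "global":
        return "non-global"
    if "temporary" in entry["flags"]:
        return "temporary"    # privacy address, regenerated periodically
    if "mngtmpaddr" in entry["flags"]:
        return "stable-base"  # template the kernel derives temporaries from
    return "other-global"

if __name__ == "__main__":
    for e in parse_inet6(SAMPLE):
        print(f'{e["address"]:<40} {classify(e):<12} {sorted(e["flags"])}')
```

On a real server, pass the text of `ip -6 addr show dev eth0` to `parse_inet6` instead of `SAMPLE`.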

Caligatio
OpenVpn Newbie
Posts: 1
Joined: Sun Apr 02, 2023 11:32 am

Re: Works with one IPv6, tls-crypt error with another

Post by Caligatio » Sun Apr 02, 2023 12:18 pm

I realize this is an old thread but I stumbled onto this same issue and opened https://github.com/OpenVPN/openvpn/issues/304
