If you are using dual-stack ipv4/ipv6, please read this

This forum is for general conversation and user-user networking.

Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech

Post Reply
bimmerdriver
OpenVPN Power User
Posts: 54
Joined: Thu Sep 08, 2016 7:56 pm

If you are using dual-stack ipv4/ipv6, please read this

Post by bimmerdriver » Thu Sep 15, 2016 4:17 pm

I posted a question in server administration section but didn't get any response, so I'm trying here. Here is a link to the post viewtopic.php?f=4&t=22420.

My question pertains to browser default protocol and fallback, verified using ipv6-test.com and test-ipv6.com. For some unknown reason, when the openvpn connection is running, browsers (chrome, edge, ie11) will not default to ipv6 and the fallback to the other protocol is unreliable. Over native ipv6 or using a hurricane electric tunnel, browsers default to ipv6 and fallback to ipv4 instantaneously. I've tried connecting to numerous different server locations but the result is always the same.

I'm trying to determine if this problem is caused by the server configuration or alternatively is a problem with openvpn itself. It would be very helpful and much appreciated if any openvpn users who are using dual-stack can check this for me by using ipv6-test.com and test-ipv6.com. If it's happening for other servers, then it might be a problem with openvpn, in which case, I'll report it as a possible bug.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: If you are using dual-stack ipv4/ipv6, please read this

Post by TinCanTech » Thu Sep 15, 2016 4:53 pm

You are using Mullvad's proprietary vpn product not openvpn and you do not have access to Mullvad's servers so this issue will not be accepted as an openvpn bug.

The only suggestion I can offer you is to setup your own true openvpn server and client and see what results you get. If your problem persists then you could consider reporting your issue as an openvpn bug.

bimmerdriver
OpenVPN Power User
Posts: 54
Joined: Thu Sep 08, 2016 7:56 pm

Re: If you are using dual-stack ipv4/ipv6, please read this

Post by bimmerdriver » Thu Sep 15, 2016 6:16 pm

I've tried connecting to their servers both using their client and also using the openvpn client. It made no difference. The behaviour is the same. I've tried connecting to all of their servers around the world and it also made no difference. That's why I'm asking if anyone else using openvpn with a dual-stack configuration (with a service provider other than Mullvad) is experiencing this issue. I hadn't thought of creating my own server.

bimmerdriver
OpenVPN Power User
Posts: 54
Joined: Thu Sep 08, 2016 7:56 pm

Re: If you are using dual-stack ipv4/ipv6, please read this

Post by bimmerdriver » Tue Oct 25, 2016 8:31 pm

TinCanTech wrote:You are using Mullvad's proprietary vpn product not openvpn and you do not have access to Mullvad's servers so this issue will not be accepted as an openvpn bug.

The only suggestion I can offer you is to setup your own true openvpn server and client and see what results you get. If your problem persists then you could consider reporting your issue as an openvpn bug.
At your suggestion, I tried to get an openvpn client / server configuration operating using the PCs I have available, which are Windows 10 and using the router I have available, which is pfsense. (I have two independent networks with their own internet connection, one is a native dual-stack and the other uses a hurricane electric tunnel for ipv6.) I was able to get the client and server connected but I could not get the server working to the point where I could use the vpn connection to browse the internet from the client. I'm not saying it won't work, but I don't have the expertise to get it working. I looked for a posted example of a windows 10 server supporting dual stack but I did not find one. At this stage, I don't know if it's not working due to the configuration of the openvpn client or server, the windows server, the router or some combination of them.

Also, I followed up with Mullvad with your remark that their product is a "proprietary vpn product not openvpn." Their response was that they are using unmodified openvpn code. For the record, I can connect to their vpn servers using the native openvpn software or their client. It works the exactly the same so the suggestion that this is their problem comes across as a deflection. I opened up "private tunnel account, but it doesn't support ipv6.

All I can say at this stage is that irrespective of which browser I use (IE11, edge or chrome), when I run ipv6-test.com and test-ipv6.com, they all report that the default protocol is ipv4. Also, failback from ipv4 to ipv6 is "unreliable".

I'm would be willing to test this further if I could, but I've hit a wall. If anyone reading this has a working dual-stack client and server set up, please take a moment to run ipv6-test.com and test-ipv6.com to see what the test results are WRT the default browser protocol and fallback.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: If you are using dual-stack ipv4/ipv6, please read this

Post by TinCanTech » Tue Oct 25, 2016 10:47 pm

Mullvads download is proprietary .. You are at the mercy of their servers.

There is a --pull-filter in openvpn 2.4 .. if you want to go there !

bimmerdriver
OpenVPN Power User
Posts: 54
Joined: Thu Sep 08, 2016 7:56 pm

Re: If you are using dual-stack ipv4/ipv6, please read this

Post by bimmerdriver » Wed Oct 26, 2016 12:49 am

TinCanTech wrote:Mullvads download is proprietary .. You are at the mercy of their servers.

There is a --pull-filter in openvpn 2.4 .. if you want to go there !
Mullvad told me they are using unmodified openvpn code. They provide excellent support and I have no reason to not believe them. Are you claiming they are lying? If so, on what basis?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: If you are using dual-stack ipv4/ipv6, please read this

Post by TinCanTech » Sun Oct 30, 2016 11:33 am

Mullvad's download for Windows is an executable installer, for which, it is difficult to verify if openvpn.exe has been modified. I am not saying they have tampered with openvpn but I am not saying they have not.

The real problems you are facing are three fold:
  • Number one is Mullvad's server configuration and what they intend to support.
    You will have to take issues with their service up with them.
  • Number two is the software you want to use once connected is not doing what you expect or prefer.
    As above.
  • Number three is that currently, Openvpn support of IPv6 is still in an incomplete state.
    Openvpn devs are confident that openvpn IPv6 code (so far) is good, solid code but it is still missing some functionality. Example: Openvpn cannot set an IPv6 DNS server on windows at this time.
    This is because Openvpn is Free Open Source Software created and maintained by volunteers and they have only so much time to offer.
You are in a testing phase and it is not going so well so I would recommend you try this:
  • Setup your server and client on Linux; Using either a real system or a Virtual Machine, either are suitable, I run half a dozen Openvpn servers and clients on Linux VMs. Personally, I found Debian and Ubuntu to be the simplest.
  • Use the Latest openvpn version (2.4) because it has the most to offer.
  • Consider subscribing to the mailing list as another source of help.
  • Experiment: We welcome quality feedback.
I highly recommend you read the entire HOWTO: For OpenVPN Community Edition more than once. I refer back to it all the time.

There is also an abundance of documentation found here:
https://community.openvpn.net/openvpn/wiki/TitleIndex

And as a last resort, try using google and their site: feature (another tool I rely upon).

I hope that helps you find some direction.

bimmerdriver
OpenVPN Power User
Posts: 54
Joined: Thu Sep 08, 2016 7:56 pm

Re: If you are using dual-stack ipv4/ipv6, please read this

Post by bimmerdriver » Tue Nov 08, 2016 5:04 am

TinCanTech wrote:Mullvad's download for Windows is an executable installer, for which, it is difficult to verify if openvpn.exe has been modified. I am not saying they have tampered with openvpn but I am not saying they have not.

The real problems you are facing are three fold:
  • Number one is Mullvad's server configuration and what they intend to support.
    You will have to take issues with their service up with them.
  • Number two is the software you want to use once connected is not doing what you expect or prefer.
    As above.
  • Number three is that currently, Openvpn support of IPv6 is still in an incomplete state.
    Openvpn devs are confident that openvpn IPv6 code (so far) is good, solid code but it is still missing some functionality. Example: Openvpn cannot set an IPv6 DNS server on windows at this time.
    This is because Openvpn is Free Open Source Software created and maintained by volunteers and they have only so much time to offer.
You are in a testing phase and it is not going so well so I would recommend you try this:
  • Setup your server and client on Linux; Using either a real system or a Virtual Machine, either are suitable, I run half a dozen Openvpn servers and clients on Linux VMs. Personally, I found Debian and Ubuntu to be the simplest.
  • Use the Latest openvpn version (2.4) because it has the most to offer.
  • Consider subscribing to the mailing list as another source of help.
  • Experiment: We welcome quality feedback.
I highly recommend you read the entire HOWTO: For OpenVPN Community Edition more than once. I refer back to it all the time.

There is also an abundance of documentation found here:
https://community.openvpn.net/openvpn/wiki/TitleIndex

And as a last resort, try using google and their site: feature (another tool I rely upon).

I hope that helps you find some direction.
Thank you for the reply. I have to say it begs the question why you're casting doubt about Mullvad and making allegations about their product rather than simply proving that the problem of the browser not defaulting to ipv6 and not reliably falling back to the default protocol doesn't exist in a "true" openvpn client / server. Talk is cheap. If they are at fault as opposed to "true" openvpn, why not post some results that show the browser defaulting to ipv6 and fallback working in a dual-stack client / server configuration and put this to rest. (While you're at it, post the configurations so they can be independently replicated.)

The only reason I'm trying to get a dual-stack openvpn server running is to prove or disprove whether the issues I'm experiencing with the browser default protocol and fallback are exhibited when running a "true" dual-stack openvpn server, since you're saying it won't be considered a problem unless I do that. The lack of documented examples makes this a lot more difficult than it should be to get openvpn servers running. So far, I've been able to get an ipv4 configuration working (although not very reliably), but I'm still trying to get a dual-stack configuration working. (I'm currently using windows but setting up a ubuntu server to try on linux.) Since openvpn supposedly supports dual-stack on windows and linux, you would think there would be information about setting up windows and linux servers somewhere on the openvpn website, but I haven't found anything so far. If you know of a reference, please post it. (Again, I'm not talking about the pki and the client-server connection. I have the client / server working, but the traffic from the vpn server is not routing to the gateway.)

With all due respect, the complete information required to get an ipv4-only server working isn't in the how-to for either linix or windows, let alone for a dual-stack server. The how-to and man pages cover the pki and the connection between the client and server very thoroughly, but neither address the configuration of the server to route the traffic from the vpn through the gateway. This information is what you'd expect to find the how-to section called "Routing all client traffic (including web-traffic) through the VPN", but it's not there. There's a one-line reference to iptables for linix, but nothing whatsoever about windows. I don't think anyone can reasonably claim this is well documented.

WRT windows, I found this thread viewtopic.php?f=7&t=20765 called "[Solved] Windows 10 OpenVPN Server NAT with redirect-gateway". It mentions internet connection sharing, regedit and the Routing and Remote Access Service (RRAS), but I found that information is not accurate. I found that regedit and RRAS were not required on my system for an ipv4 server. There is another recommendation to use the advanced adapter settings to set the gateway. I tried that as well, but it didn't work at all. It would be helpful and would save users a lot of time and frustration if there was an official tutorial on this in the how-to.

WRT linux, I found this thread viewtopic.php?f=5&t=22303&p=63931&hilit ... com#p63931 called "Help a total noob trying to set up OpenVPN on ubuntu". The OP found the digital ocean tutorial and was attempting to get it working. Your remark was, "That is a crappy tutorial. Try arch-linux wiki for openvpn." I found the same digital ocean tutorial and I was going to use it until I found that thread. How is someone supposed to know the digital ocean tutorial is "crappy" unless they stumble over this thread? It would be helpful if there was an official tutorial on this in the how-to.

I'm really amazed that there aren't any official tutorials or examples on the openvpn website. Normally for any given software package, the official website is where you would expect to find accurate and up to date information that helps users get a system working properly and saves them from wasting their time looking elsewhere for potentially dubious information and/or reinventing the wheel.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: If you are using dual-stack ipv4/ipv6, please read this

Post by TinCanTech » Tue Nov 08, 2016 12:55 pm

You have not even proven that Mullvad intend to support IPv6 ...

bimmerdriver
OpenVPN Power User
Posts: 54
Joined: Thu Sep 08, 2016 7:56 pm

Re: If you are using dual-stack ipv4/ipv6, please read this

Post by bimmerdriver » Tue Nov 08, 2016 5:21 pm

TinCanTech wrote:You have not even proven that Mullvad intend to support IPv6 ...
Are you serious?!? Instead of focusing on Mullvad, why not simply answer the question. It should be a very straight-forward question for someone with a dual-stack client/server to answer. Either the browser defaults to ipv6 (which it should if ipv6 is working properly) and falls back to ipv4 properly or not.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: If you are using dual-stack ipv4/ipv6, please read this

Post by TinCanTech » Tue Nov 08, 2016 9:54 pm

To make a few points clear:
bimmerdriver wrote:I'd really appreciate if anyone using openvpn with ipv6 enabled is experiencing the same issues that I described in the original post,
bimmerdriver wrote:which are ^browsers defaulting to ipv4 rather than ipv6 and having intermittently slow fallback to the alternate protocol.
  • You are having problems with your browser protocol fallback ..
bimmerdriver wrote:Unless there is a problem with all of Mullvad's server configurations,
  • Which we do not support.
bimmerdriver wrote:this seems like a problem with openvpn.
  • No .. it is a problem as detailed above.
bimmerdriver wrote:why not simply answer the question. It should be a very straight-forward question for someone with a dual-stack client/server to answer. Either the browser defaults to ipv6 (which it should if ipv6 is working properly) and falls back to ipv4 properly or not.
There is no simple answer and we don't support browsers.

And by the way, your analytical skills need improvement.

As a starter, please read this:
HOWTO: Request Help !

bimmerdriver
OpenVPN Power User
Posts: 54
Joined: Thu Sep 08, 2016 7:56 pm

Re: If you are using dual-stack ipv4/ipv6, please read this

Post by bimmerdriver » Thu Nov 10, 2016 4:09 am

TinCanTech wrote:To make a few points clear:
bimmerdriver wrote:I'd really appreciate if anyone using openvpn with ipv6 enabled is experiencing the same issues that I described in the original post,
bimmerdriver wrote:which are ^browsers defaulting to ipv4 rather than ipv6 and having intermittently slow fallback to the alternate protocol.
  • You are having problems with your browser protocol fallback ..
bimmerdriver wrote:Unless there is a problem with all of Mullvad's server configurations,
  • Which we do not support.
bimmerdriver wrote:this seems like a problem with openvpn.
  • No .. it is a problem as detailed above.
bimmerdriver wrote:why not simply answer the question. It should be a very straight-forward question for someone with a dual-stack client/server to answer. Either the browser defaults to ipv6 (which it should if ipv6 is working properly) and falls back to ipv4 properly or not.
There is no simple answer and we don't support browsers.

And by the way, your analytical skills need improvement.

As a starter, please read this:
HOWTO: Request Help !
For someone who purports to be providing help, you have a pathetic attitude and you are apparently incapable of reading and comprehending basic english. I won't bother to respond to your ridiculous attempts to be funny.

bimmerdriver
OpenVPN Power User
Posts: 54
Joined: Thu Sep 08, 2016 7:56 pm

Re: If you are using dual-stack ipv4/ipv6, please read this

Post by bimmerdriver » Thu Nov 10, 2016 4:27 am

If anyone has an intelligent response, please send me a PM. Otherwise, I would appreciate if one of the mods would lock this thread.

dreadfull
OpenVpn Newbie
Posts: 1
Joined: Thu Mar 16, 2017 12:02 am

Re: If you are using dual-stack ipv4/ipv6, please read this

Post by dreadfull » Thu Mar 16, 2017 12:04 am

Hi, I am experiencing slow speeds when IPV6 tunnelling is enabled alongside with ipv4. Something like 10% of speed when only ipv4 is enabled.

That's a late response :)

User avatar
disqualified
OpenVPN User
Posts: 40
Joined: Fri Jun 03, 2016 7:13 pm

Re: If you are using dual-stack ipv4/ipv6, please read this

Post by disqualified » Thu Mar 16, 2017 12:43 am

dreadfull wrote:That's a late response
did i miss the boat ?

Clodo
OpenVPN User
Posts: 37
Joined: Mon Oct 10, 2011 11:25 pm

Re: If you are using dual-stack ipv4/ipv6, please read this

Post by Clodo » Mon Jan 29, 2018 10:39 pm

bimmerdriver wrote:
Thu Sep 15, 2016 4:17 pm
My question pertains to browser default protocol and fallback, verified using ipv6-test.com and test-ipv6.com. For some unknown reason, when the openvpn connection is running, browsers (chrome, edge, ie11) will not default to ipv6 and the fallback to the other protocol is unreliable.
Sorry for up this old thread, but i have the exactly same issue. I want only to know if someone have an idea about this issue.

Not only occur on all browsers (chrome, edge, ie11), but also in all OS (i tested Windows 10, macOS High Sierra, and various Linux distro)

I have a server (debian 9) and clients (Windows, macOS, Linux) with a full-working IPv6 OpenVPN configuration (also with DNS6), but without ipv6 default in browser and fallback. I already open another topic that contain my ovpn-configs and logs.

I try with a specific yes/no question:
Are there any people that have an IPv6 tunnel with OpenVPN, and "Fallback = Yes" on http://ipv6-test.com/ ? Thx for any reply.

regger
OpenVpn Newbie
Posts: 14
Joined: Tue Sep 04, 2018 6:52 pm

Re: If you are using dual-stack ipv4/ipv6, please read this

Post by regger » Tue Sep 04, 2018 7:03 pm

One possible reason is that your VPN assigns IPv6 ULA addresses, not global ones. Most systems will prefer IPv4 address over IPv6 ULA when selecting source address and protocol. They do this under the assumption that most ULA setups are broken in a way that they don't offer global connectivity via NAT.

glibc uses /etc/gai.conf to set those preferences. Maybe there's a way to force IPv6 but I don't quite understand the rules in there. Windows doesn't seem to have any configuration options, it will always prefer IPv4 over IPv6 ULA.

enterista
OpenVpn Newbie
Posts: 1
Joined: Sat Feb 23, 2019 7:11 am

Re: If you are using dual-stack ipv4/ipv6, please read this

Post by enterista » Sat Feb 23, 2019 7:16 am

I have found the solution to this problem. Just as the above poster said, VPN assigns ULA and Linux default config is to not use ULA to talk to GUA.

So we make the following changes to `/etc/gai.conf`

There will be a commented out block like this:

Code: Select all

#label ::1/128       0
#label ::/0          1
#label 2002::/16     2
#label ::/96         3
#label ::ffff:0:0/96 4
#label fec0::/10     5
#label fc00::/7      6
#label 2001:0::/32   7
uncomment that entire block and change

Code: Select all

label fc00::/7     6
to

Code: Select all

label fc00::/7      1
this will make linux use ULA even to communicate with GUA

I now get full score in ipv6 test without any warnings and all sites connect over v6 now

Post Reply