OpenVPN different routes when using GUI or Service on MS Windows

[Syping]

Hi, i configured a OpenVPN Server with IPv6 and it's working fine mostly, just my problem is that i can't ping and reach the Server itself with IPv6 when i use the OpenVPNService and/or OpenVPN Legacy Service configuration under MS Windows. But it works fine when i use the GUI.

Routes from GUI

Code: Select all

===========================================================================
Interface List
  5...00 ff e8 b4 88 e5 ......TAP-Windows Adapter V9
  3...08 00 27 62 68 34 ......Red Hat VirtIO Ethernet Adapter
  1...........................Software Loopback Interface 1
  4...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
  6...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  3    266 ::/0                     fe80::3681:c4ff:fe3a:c875
  5    276 ::/3                     fe80::8
  1    306 ::1/128                  On-link
  5    276 2000::/3                 fe80::8
  5    276 2000::/4                 fe80::8
  5     20 2001:db8:0:88::/64       fe80::8
  5    276 2001:db8:0:88::30/128    On-link
  3    266 2001:16b8:4067:8600::/56 fe80::3681:c4ff:fe3a:c875
  3    266 2001:16b8:4067:8600::/64 On-link
  3    266 2001:16b8:4067:8600:207e:8a7f:b195:b34/128
                                    On-link
  3    266 2001:16b8:4067:8600:5992:e915:4dc8:a100/128
                                    On-link
  3     11 2a01:4f8:212:2f1d::2/128 fe80::3681:c4ff:fe3a:c875
  5    276 3000::/4                 fe80::8
  5    276 fc00::/7                 fe80::8
  3    266 fe80::/64                On-link
  5    276 fe80::/64                On-link
  3    266 fe80::5992:e915:4dc8:a100/128
                                    On-link
  5    276 fe80::d024:f037:4824:f353/128
                                    On-link
  1    306 ff00::/8                 On-link
  3    266 ff00::/8                 On-link
  5    276 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

Routes from Service

Code: Select all

===========================================================================
Interface List
  5...00 ff e8 b4 88 e5 ......TAP-Windows Adapter V9
  3...08 00 27 62 68 34 ......Red Hat VirtIO Ethernet Adapter
  1...........................Software Loopback Interface 1
  4...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
  6...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  3    266 ::/0                     fe80::3681:c4ff:fe3a:c875
  5    276 ::/3                     fe80::8
  1    306 ::1/128                  On-link
  5    276 2000::/3                 fe80::8
  5    276 2000::/4                 fe80::8
  5    276 2001:db8:0:88::/64       On-link
  5    276 2001:db8:0:88::/64       fe80::8
  5    276 2001:db8:0:88::30/128    On-link
  3    266 2001:16b8:4067:8600::/56 fe80::3681:c4ff:fe3a:c875
  3    266 2001:16b8:4067:8600::/64 On-link
  3    266 2001:16b8:4067:8600:207e:8a7f:b195:b34/128
                                    On-link
  3    266 2001:16b8:4067:8600:5992:e915:4dc8:a100/128
                                    On-link
  3    266 2a01:4f8:212:2f1d::2/128 fe80::3681:c4ff:fe3a:c875
  5    276 3000::/4                 fe80::8
  5    276 fc00::/7                 fe80::8
  3    266 fe80::/64                On-link
  5    276 fe80::/64                On-link
  3    266 fe80::5992:e915:4dc8:a100/128
                                    On-link
  5    276 fe80::d024:f037:4824:f353/128
                                    On-link
  1    306 ff00::/8                 On-link
  3    266 ff00::/8                 On-link
  5    276 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

The obvious difference is there, at the GUI it's not there as On-link like on Service

Code: Select all

  5    276 2001:db8:0:88::/64       On-link

Edit:

View Originalserver.conf

port 1194
proto udp6
dev tun0
iproute /usr/local/sbin/unpriv-ip
tun-ipv6
push tun-ipv6
ca *
cert *
key *
dh *
server 192.168.88.0 255.255.255.0
server-ipv6 2001:db8:0:88::/64
ifconfig-ipv6 2001:db8:0:88::1 2001:db8:0:88::2
push "route-ipv6 2000::/3 2001:db8:0:88::1 1"
ifconfig-pool-persist ipp.txt
client-config-dir /etc/openvpn/ccd
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.88.1"
push "dhcp-option DNS 213.133.99.99"
push "dhcp-option DNS6 2001:db8:0:88::1"
push "dhcp-option DNS6 2a01:4f8:0:a0a1::add:1010"
client-to-client
keepalive 5 60
user vpn
group vpn
persist-key
persist-tun
status openvpn-status.log
verb 3
sndbuf 0
rcvbuf 0

Can i prevent it with any kind of server configuration? Or it's a possible bug in the Windows Service of OpenVPN or a possible mistake in my Server configuration which the GUI ignores?

[TinCanTech]

The GUI uses files in \user home directory\openvpn
The Service uses files in \Program Files\openvpn

[Syping]

the Gui uses \Program Files\openvpn aswell in my case, when the GUI is starting at startup then it's adding

Code: Select all

  5    276 2001:db8:0:88::/64       On-link

aswell, but not after time a certain time after login, in 1 of 10 cases the Service don't add the On-link route and allow me as Client to communicate to 2001:db8:0:88::1, it's probably kinda sort of bug which add the dead route, could be Windows only issue, i got a workaround for that.

Edit: Service and GUI are same OS just for be clear.

My workaround is to route the Server IP through the Server IP

Code: Select all

push "route-ipv6 2001:db8:0:88::1/128 2001:db8:0:88::1 1"

So i can ping and reach 2001:db8:0:88::1 always even when the dead route got added at the OpenVPN connect step.

View Originalserver.conf

port 1194
proto udp6
dev tun0
iproute /usr/local/sbin/unpriv-ip
tun-ipv6
push tun-ipv6
ca *
cert *
key *
dh *
server 192.168.88.0 255.255.255.0
server-ipv6 2001:db8:0:88::/64
push "route-ipv6 2000::/3 2001:db8:0:88::1 1"
push "route-ipv6 2001:db8:0:88::1/128 2001:db8:0:88::1 1"
ifconfig-pool-persist ipp.txt
client-config-dir /etc/openvpn/ccd
script-security 2
client-connect "/etc/openvpn/server-clientconnect.sh"
client-disconnect "/etc/openvpn/server-clientdisconnect.sh"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.88.1"
push "dhcp-option DNS6 2001:db8:0:88::1"
push "block-outside-dns"
client-to-client
keepalive 5 60
user vpn
group vpn
persist-key
persist-tun
status openvpn-status.log
verb 3
sndbuf 0
rcvbuf 0

So this config is working for me fine 100%, but it's kinda weird that some times the On-link route is getting added or not from the Client.

[TinCanTech]

If you check your logs (at verb 4) you will probably be able to see what is changing ..