iOS 8: IPv6 routing seems broken

baslho
OpenVpn Newbie
Posts: 6
Joined: Tue Mar 31, 2015 4:41 pm

Post by baslho » Tue Mar 31, 2015 5:32 pm

Using a server (OpenVPN 2.3.2) configured for dual-stack client routing, I'm having trouble getting iOS 8 clients using OpenVPN Connect 1.0.5 to use their assigned IPv6 address.
The IPv6 address is assigned and pingable, yet no routes seem to be enabled on the client side.

Using a Mac with OpenVPN and the same client configuration results in a routed & working IPv6 address.
Using OpenVPN Connect 1.0.5 on iOS 6.1.6 also results in a routed & working IPv6 address.

As far as I know, this (or a similar) configuration also worked with iOS 7 clients, but I do not have any iOS 7 devices lying around anymore to test it on.

As it silently fails, it could be a security issue: when connected to an IPv6-enabled network on iOS 8, and connected to an OpenVPN server with this type of configuration, the client leaks IPv6 connections.

The OpenVPN Connect iOS FAQ has an entry on IPv6 routing on iOS 7, but the suggested config change (push "redirect-gateway ipv6" on server or redirect-gateway ipv6 on client) does not seem to have any impact.

Am I missing something? Is this perhaps a bug in iOS, or a bug in OpenVPN Connect?

My server configuration:

port        443
proto       udp
dev         tun

user        nobody
group       nogroup

ca          ca.crt
cert        server.crt
key         server.key
dh          dh2048.pem

topology    subnet
server      10.8.0.0 255.255.255.0

server-ipv6 ####:####:##:##:a1::/112

ifconfig-pool-persist ipp.txt

client-to-client
push        "redirect-gateway def1 bypass-dhcp"
push        "route-ipv6 2000::/3"
push        "dhcp-option DNS 8.8.8.8"
push        "dhcp-option DNS 8.8.4.4"

keepalive   10 120

tls-auth    ta.key 0 # This file is secret

cipher      AES-256-CBC
auth        SHA256

comp-lzo
persist-key
persist-tun

status      openvpn-status.log
verb        0

Client configuration:

client
remote ##.##.##.## 443

dev tun
proto udp
cipher AES-256-CBC
auth SHA256
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
comp-lzo
key-direction 1
verb 3

Client log (iOS 8) - not using the FAQ suggestion:

2015-03-31 17:50:55 SSL Handshake: TLSv1.0/TLS-DHE-RSA-WITH-AES-256-CBC-SHA
2015-03-31 17:50:55 Session is ACTIVE
2015-03-31 17:50:55 EVENT: GET_CONFIG
2015-03-31 17:50:55 Sending PUSH_REQUEST to server...
2015-03-31 17:50:55 OPTIONS:
0 [ifconfig-ipv6] [####:####:##:##:a1::1001/112] [####:####:##:##:a1::1] 
1 [redirect-gateway] [def1] [bypass-dhcp] 
2 [route-ipv6] [2000::/3] 
3 [dhcp-option] [DNS] [8.8.8.8] 
4 [dhcp-option] [DNS] [8.8.4.4] 
5 [tun-ipv6] 
6 [route-gateway] [10.8.0.1] 
7 [topology] [subnet] 
8 [ping] [10] 
9 [ping-restart] [120] 
10 [ifconfig] [10.8.0.3] [255.255.255.0] 

2015-03-31 17:50:55 LZO-ASYM init swap=0 asym=0
2015-03-31 17:50:55 EVENT: ASSIGN_IP
2015-03-31 17:50:55 TunPersist: saving tun context:
Session Name: ##.##.##.##
Remote Address: ##.##.##.##
Tunnel Addresses:
 10.8.0.3/24 -> 10.8.0.1
 ####:####:##:##:a1::1001/112 -> ####:####:##:##:a1::1 [IPv6]
Reroute Gateway: IPv4=1 IPv6=0 flags=[ ENABLE REROUTE_GW DEF1 BYPASS_DHCP IPv4 ]
Block IPv6: no
Add Routes:
 2000::/3 [IPv6]
Exclude Routes:
DNS Servers:
 8.8.8.8
 8.8.4.4
Search Domains:

2015-03-31 17:50:55 Connected via tun
2015-03-31 17:50:55 EVENT: CONNECTED @##.##.##.##:443 (##.##.##.##) via /UDPv4 on tun/10.8.0.3/####:####:##:##:a1::1001
2015-03-31 17:50:55 SetStatus Connected
2015-03-31 17:50:55 NET Internet:ReachableViaWiFi/-R t----l-

Client log (iOS 8) - using the FAQ suggestion:

2015-03-31 19:26:00 SSL Handshake: TLSv1.0/TLS-DHE-RSA-WITH-AES-256-CBC-SHA
2015-03-31 19:26:00 Session is ACTIVE
2015-03-31 19:26:00 EVENT: GET_CONFIG
2015-03-31 19:26:00 Sending PUSH_REQUEST to server...
2015-03-31 19:26:00 OPTIONS:
0 [ifconfig-ipv6] [####:####:##:##:a1::1001/112] [####:####:##:##:a1::1] 
1 [redirect-gateway] [def1] [bypass-dhcp] [ipv6] 
2 [route-ipv6] [2000::/3] 
3 [dhcp-option] [DNS] [8.8.8.8] 
4 [dhcp-option] [DNS] [8.8.4.4] 
5 [tun-ipv6] 
6 [route-gateway] [10.8.0.1] 
7 [topology] [subnet] 
8 [ping] [10] 
9 [ping-restart] [120] 
10 [ifconfig] [10.8.0.3] [255.255.255.0] 

2015-03-31 19:26:00 LZO-ASYM init swap=0 asym=0
2015-03-31 19:26:00 EVENT: ASSIGN_IP
2015-03-31 19:26:00 TunPersist: saving tun context:
Session Name: ##.##.##.##
Remote Address: ##.##.##.##
Tunnel Addresses:
 10.8.0.3/24 -> 10.8.0.1
 ####:####:##:##:a1::1001/112 -> ####:####:##:##:a1::1 [IPv6]
Reroute Gateway: IPv4=1 IPv6=1 flags=[ ENABLE REROUTE_GW DEF1 BYPASS_DHCP IPv4 IPv6 ]
Block IPv6: no
Add Routes:
Exclude Routes:
DNS Servers:
 8.8.8.8
 8.8.4.4
Search Domains:

2015-03-31 19:26:00 Connected via tun
2015-03-31 19:26:00 EVENT: CONNECTED @##.##.##.##:443 (##.##.##.##) via /UDPv4 on tun/10.8.0.3/####:####:##:##:a1::1001
2015-03-31 19:26:00 SetStatus Connected
2015-03-31 19:26:00 NET Internet:ReachableViaWiFi/-R t----l-
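
The logs above show what the client intends to route, not what the OS actually applied, so the silent leak described in this post has to be checked at the routing layer. The following is an added example, not part of the original post: it asks the kernel which source address it would pick for a global IPv6 destination and compares it with the VPN's `server-ipv6` prefix. It assumes a desktop client (Mac or Linux) where Python runs; the prefix `2001:db8:0:a1::/112` is a constructed stand-in for the masked prefix, and the probe destination is an assumed public IPv6 address inside `2000::/3`.

```python
import ipaddress
import socket


def selected_source(dest, port=443):
    """Return the local address the kernel would use to reach dest.

    connect() on a UDP socket sends no packets; it only runs route lookup
    and source-address selection. Returns None if there is no IPv6 route.
    """
    try:
        with socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) as s:
            s.connect((dest, port))
            return s.getsockname()[0]
    except OSError:
        return None


def classify(source, tunnel_prefix):
    """Classify IPv6 egress from the source address the kernel selected."""
    if source is None:
        return "no-ipv6-route"          # nothing can leave over IPv6
    addr = ipaddress.ip_address(source.split("%")[0])  # drop any zone id
    if addr in ipaddress.ip_network(tunnel_prefix):
        return "via-tunnel"             # pushed route-ipv6 is in effect
    if addr.is_link_local or addr.is_loopback:
        return "no-global-ipv6"         # local network offers no global IPv6
    return "leak"                       # a non-tunnel address would be used


if __name__ == "__main__":
    TUNNEL_PREFIX = "2001:db8:0:a1::/112"   # constructed; use your server-ipv6 value
    PROBE_DEST = "2001:4860:4860::8888"     # assumed probe target inside 2000::/3
    src = selected_source(PROBE_DEST)
    print(src, classify(src, TUNNEL_PREFIX))
```

Run it once with the VPN connected: `leak` means IPv6 traffic to that destination would leave through the local network rather than the tunnel.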

Re: iOS 8: IPv6 routing seems broken

Post by baslho » Wed Apr 08, 2015 10:37 am

Is it worth submitting a bug report about this to the tracker? Or perhaps writing on the mailing list?

hmolina
OpenVpn Newbie
Posts: 13
Joined: Thu Apr 18, 2013 1:41 pm

Re: iOS 8: IPv6 routing seems broken

Post by hmolina » Tue Apr 14, 2015 3:07 pm

Hi,

Since iOS 8.0, reconfiguring IPv6 routing is broken in OpenVPN Connect.

Several people have reported this problem (including me), but nobody from OpenVPN Connect has said anything.

Sorry, and we hope it can be fixed in the next release.

Best regards.


Re: iOS 8: IPv6 routing seems broken

Post by baslho » Mon Jun 08, 2015 9:16 pm

This will only be useful in the future, but early testing shows IPv6 routing works in iOS 9.

Re: iOS 8: IPv6 routing seems broken

Post by baslho » Thu Sep 10, 2015 6:10 pm

Heads up, with the iOS 9 GM out yesterday: OpenVPN IPv6 routing works well with this config, but IPv4 routing (!) seems broken with the latest OpenVPN Connect version.

Re: iOS 8: IPv6 routing seems broken

Post by hmolina » Fri Sep 11, 2015 11:10 am

Hi All,
Now IPv6 and IPv4 routing are working with the latest iOS 9 (Public Beta 1) published yesterday (2015/09/10).
We have 2 configurations: full routing through the VPN and partial routing (just to connect to our internal resources), and both are working!!

Now we are just waiting for a new OpenVPN Connect with the latest PolarSSL to work with 8192-bit CA keys and safer ciphers :-D.
