iOS 9.3.2 and IPv6 routing issue

Posted: Sun Jun 05, 2016 9:05 pm
by MadEgg
I'm using an OpenVPN server on my AsusWRT router at home where I have a dual stack setup with a /48 subnet. According to the FAQ, I have the following additional configuration for the IPv6 connectivity:

server-ipv6 xxxx:xxxx:xxxx:xxxx::/64
push "redirect-gateway ipv6"

When I connect to the server using OpenVPN Connect, it connects just fine and receives an IPv4 and IPv6 address. IPv4 works completely through the tunnel. IPv6 however is only pingable from outside, but does not provide the iPhone with IPv6 connectivity.

When I visit sites like ipv6-test.com or v6.de, I only get IPv4 results. The exact same connection profile works on Linux and Windows, by the way, providing full IPv4 and IPv6 connectivity.

What's even more weird, to investigate this, I installed a network diagnostics app (Net Analyzer). This app does not list the assigned IPv6 address under VPN connection, but it does list it under 'Connection'. When I use ping or traceroute within this app to an IPv6 server, it works. According to the traceroute, traffic is routed through the OpenVPN tunnel. However, in normal use it's not working at all (my cell provider does not provide IPv6 connectivity).

Any clue what is going on here and what I could try in order to resolve this issue?

Re: iOS 9.3.2 and IPv6 routing issue

Posted: Sun Jun 05, 2016 11:00 pm
by TinCanTech
That is quite a mixed bag .. and openvpn is in constant development .. especially where IPv6 is concerned.

Could you provide some version information (server & client) thanks

Re: iOS 9.3.2 and IPv6 routing issue

Posted: Sun Jun 05, 2016 11:03 pm
by MadEgg
Sure.

The server is installed using opkg (entware-ng), and lists the following version information:

OpenVPN 2.3.8 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 24 2015

The client is the latest OpenVPN Connect client for iOS:

OpenVPN 1.0.7 build 199 (iOS 64-bit)

Re: iOS 9.3.2 and IPv6 routing issue

Posted: Sun Jun 05, 2016 11:22 pm
by hmolina
Hi,

Nope, redirecting the IPv6 gateway using redirect gateway does not work.
We use this command in the client:
route-ipv6 2000::/3
Or in the server:
push "route-ipv6 2000::/3"

This routes all the GLA through your VPN.

Re: iOS 9.3.2 and IPv6 routing issue

Posted: Sun Jun 05, 2016 11:38 pm
by MadEgg
Unfortunately, that also doesn't help. Same situation. In 'Net Analyzer' it seems to work; Safari and Firefox aren't able to use IPv6. When I'm connected directly to my home network using WiFi, Safari and Firefox do use IPv6 connectivity on these websites.

Full log of OpenVPN Connect on iOS connecting:

2016-06-06 01:27:34 EVENT: RESOLVE
2016-06-06 01:27:34 Contacting xx.yy.zz.aa:1194 via UDP
2016-06-06 01:27:34 EVENT: WAIT
2016-06-06 01:27:34 SetTunnelSocket returned 1
2016-06-06 01:27:34 Connecting to [host.no-ip.com]:1194 (xx.y.zz.aa) via UDPv4
2016-06-06 01:27:34 EVENT: CONNECTING
2016-06-06 01:27:34 Tunnel Options:V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client
2016-06-06 01:27:34 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 1.0.7-199
IV_VER=3.0.11
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO=1

2016-06-06 01:27:35 VERIFY OK: depth=0
cert. version    : 3
serial number    : 01
issuer name      : C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC87U, emailAddress=me@myhost.mydomain
subject name      : C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC87U, emailAddress=me@myhost.mydomain
issued  on        : 2016-02-11 09:26:22
expires on        : 2026-02-08 09:26:22
signed using      : RSA with SHA1
RSA key size      : 1024 bits
basic constraints : CA=false
cert. type        : SSL Server
key usage        : Digital Signature, Key Encipherment
ext key usage    : TLS Web Server Authentication

2016-06-06 01:27:36 SSL Handshake: TLSv1.2/TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
2016-06-06 01:27:36 Session is ACTIVE
2016-06-06 01:27:36 EVENT: GET_CONFIG
2016-06-06 01:27:36 Sending PUSH_REQUEST to server...
2016-06-06 01:27:36 OPTIONS:
0 [ifconfig-ipv6] [2001:aa:bb:cc::1000/64] [2001:aa:bb:cc::1] 
1 [route] [192.168.0.0] [255.255.255.0] 
2 [dhcp-option] [DNS] [192.168.0.1] 
3 [redirect-gateway] [def1] 
4 [redirect-gateway] [ipv6] 
5 [route-ipv6] [2000::/3] 
6 [tun-ipv6] 
7 [route-gateway] [192.168.100.1] 
8 [topology] [subnet] 
9 [ping] [15] 
10 [ping-restart] [60] 
11 [ifconfig] [192.168.100.2] [255.255.255.0] 

2016-06-06 01:27:36 PROTOCOL OPTIONS:
  cipher: BF-CBC
  digest: SHA1
  compress: LZO
  peer ID: -1
2016-06-06 01:27:36 EVENT: ASSIGN_IP
2016-06-06 01:27:36 TunPersist: saving tun context:
Session Name: host.no-ip.com
Layer: OSI_LAYER_3
Remote Address: xx.yy.zz.aa
Tunnel Addresses:
  192.168.100.2/24 -> 192.168.100.1
  2001:aa:bb:cc::1000/64 -> 2001:aa:bb:cc::1 [IPv6]
Reroute Gateway: IPv4=1 IPv6=1 flags=[ ENABLE REROUTE_GW DEF1 IPv4 IPv6 ]
Block IPv6: no
Add Routes:
Exclude Routes:
DNS Servers:
  192.168.0.1
Search Domains:

2016-06-06 01:27:36 Connected via tun
2016-06-06 01:27:36 EVENT: CONNECTED @host.no-ip.com:1194 (xx.yy.zz.aa) via /UDPv4 on tun/192.168.100.2/2001:aa:bb:cc::1000
2016-06-06 01:27:36 LZO-ASYM init swap=0 asym=0
2016-06-06 01:27:36 SetStatus Connected

Re: iOS 9.3.2 and IPv6 routing issue

Posted: Mon Jun 06, 2016 1:29 am
by TinCanTech
MadEgg wrote:
0 [ifconfig-ipv6] [2001:aa:bb:cc::1000/64] [2001:aa:bb:cc::1]
1 [route] [192.168.0.0] [255.255.255.0]
2 [dhcp-option] [DNS] [192.168.0.1]
3 [redirect-gateway] [def1]
4 [redirect-gateway] [ipv6]
5 [route-ipv6] [2000::/3]
6 [tun-ipv6]
7 [route-gateway] [192.168.100.1]
8 [topology] [subnet]
9 [ping] [15]
10 [ping-restart] [60]
11 [ifconfig] [192.168.100.2] [255.255.255.0]
This all looks dodgy ..

Best post your OpenVPN config files.

Re: iOS 9.3.2 and IPv6 routing issue

Posted: Mon Jun 06, 2016 8:22 am
by MadEgg
Why dodgy, exactly? The VPN provides access to my LAN using a TUN VPN. The subnet of the tunnel is 192.168.100.0/24 and the subnet of the LAN is 192.168.0.0/24 so it seems reasonable to me.

Anyway, the full server configuration as generated by AsusWRT-Merlin firmware is:

# Automatically generated configuration
daemon
topology subnet
server 192.168.100.0 255.255.255.0
proto udp
rcvbuf 0
sndbuf 0
port 1194
dev tun21
comp-lzo adaptive
keepalive 15 60
verb 3
push "route 192.168.0.0 255.255.255.0"
duplicate-cn
push "dhcp-option DNS 192.168.0.1"
push "redirect-gateway def1"
ca ca.crt
dh dh.pem
cert server.crt
key server.key
status-version 2
status status 10

# Custom Configuration
server-ipv6 2001:aa:bb:cc::/64^M
push "redirect-gateway ipv6"^M
push "route-ipv6 2000::/3"
Those last three lines are the custom configuration I added in the web interface.

Re: iOS 9.3.2 and IPv6 routing issue

Posted: Mon Jun 06, 2016 9:45 am
by TinCanTech
Using 192.168.0.0/24 for your server subnet is very likely to cause you routing problems eventually.

IPv6 & iOS:
https://community.openvpn.net/openvpn/wiki/IPv6

(see the end of that page)

Re: iOS 9.3.2 and IPv6 routing issue

Posted: Mon Jun 06, 2016 10:20 am
by MadEgg
I read that page, and based on that page:
iOS 9 broke redirect-gateway if used with IPv6 tunnels and no IPv4 traffic goes inside the tunnel. To workaround this issue, use:

redirect-gateway ipv6

combined with usual redirect-gateway. This option works only on Android and iOS OpenVPN Connect clients (OpenVPN 3) and OpenVPN 2.4 (development version) and has no effect for OpenVPN 2.3.
I added:

push "redirect-gateway ipv6"
to the server configuration. And isn't the issue that's being referred to there about IPv4 traffic not being routed through the tunnel? IPv4 is working just fine in my situation, it's IPv6 that's giving me issues.

Re: iOS 9.3.2 and IPv6 routing issue

Posted: Mon Jun 06, 2016 1:43 pm
by TinCanTech
MadEgg wrote: the full server configuration as generated by AsusWRT-Merlin firmware
Perhaps there is some problem with the firmware and IPv6?

Please set --verb 4 in your server config and post your server log (remove your private data)

Re: iOS 9.3.2 and IPv6 routing issue

Posted: Mon Jun 06, 2016 2:25 pm
by MadEgg
Sure. Here's the output, the first part is the server startup, the second part is connecting to the server using my iPhone:

Jun  6 16:02:50 openvpn[13189]: Current Parameter Settings:
Jun  6 16:02:50 openvpn[13189]:   config = 'config.ovpn'
Jun  6 16:02:50 openvpn[13189]:   mode = 1
Jun  6 16:02:50 openvpn[13189]:   persist_config = DISABLED
Jun  6 16:02:50 openvpn[13189]:   persist_mode = 1
Jun  6 16:02:50 openvpn[13189]:   show_ciphers = DISABLED
Jun  6 16:02:50 openvpn[13189]:   show_digests = DISABLED
Jun  6 16:02:50 openvpn[13189]:   show_engines = DISABLED
Jun  6 16:02:50 openvpn[13189]:   genkey = DISABLED
Jun  6 16:02:50 openvpn[13189]:   key_pass_file = '[UNDEF]'
Jun  6 16:02:50 openvpn[13189]:   show_tls_ciphers = DISABLED
Jun  6 16:02:50 openvpn[13189]: Connection profiles [default]:
Jun  6 16:02:50 openvpn[13189]:   proto = udp
Jun  6 16:02:50 openvpn[13189]:   local = '[UNDEF]'
Jun  6 16:02:50 openvpn[13189]:   local_port = 1194
Jun  6 16:02:50 openvpn[13189]:   remote = '[UNDEF]'
Jun  6 16:02:50 openvpn[13189]:   remote_port = 1194
Jun  6 16:02:50 openvpn[13189]:   remote_float = DISABLED
Jun  6 16:02:50 openvpn[13189]:   bind_defined = DISABLED
Jun  6 16:02:50 openvpn[13189]:   bind_local = ENABLED
Jun  6 16:02:50 openvpn[13189]:   connect_retry_seconds = 5
Jun  6 16:02:50 openvpn[13189]:   connect_timeout = 10
Jun  6 16:02:50 openvpn[13189]:   connect_retry_max = 0
Jun  6 16:02:50 openvpn[13189]:   tun_mtu = 1500
Jun  6 16:02:50 openvpn[13189]:   tun_mtu_defined = ENABLED
Jun  6 16:02:50 openvpn[13189]:   link_mtu = 1500
Jun  6 16:02:50 openvpn[13189]:   link_mtu_defined = DISABLED
Jun  6 16:02:50 openvpn[13189]:   tun_mtu_extra = 0
Jun  6 16:02:50 openvpn[13189]:   tun_mtu_extra_defined = DISABLED
Jun  6 16:02:50 openvpn[13189]:   mtu_discover_type = -1
Jun  6 16:02:50 openvpn[13189]:   fragment = 0
Jun  6 16:02:50 openvpn[13189]:   mssfix = 1450
Jun  6 16:02:50 openvpn[13189]:   explicit_exit_notification = 0
Jun  6 16:02:50 openvpn[13189]: Connection profiles END
Jun  6 16:02:50 openvpn[13189]:   remote_random = DISABLED
Jun  6 16:02:50 openvpn[13189]:   ipchange = '[UNDEF]'
Jun  6 16:02:50 openvpn[13189]:   dev = 'tun21'
Jun  6 16:02:50 openvpn[13189]:   dev_type = '[UNDEF]'
Jun  6 16:02:50 openvpn[13189]:   dev_node = '[UNDEF]'
Jun  6 16:02:50 openvpn[13189]:   lladdr = '[UNDEF]'
Jun  6 16:02:50 openvpn[13189]:   topology = 3
Jun  6 16:02:50 openvpn[13189]:   tun_ipv6 = ENABLED
Jun  6 16:02:50 openvpn[13189]:   ifconfig_local = '192.168.100.1'
Jun  6 16:02:50 openvpn[13189]:   ifconfig_remote_netmask = '255.255.255.0'
Jun  6 16:02:50 openvpn[13189]:   ifconfig_noexec = DISABLED
Jun  6 16:02:50 openvpn[13189]:   ifconfig_nowarn = DISABLED
Jun  6 16:02:50 openvpn[13189]:   ifconfig_ipv6_local = '2001:aa:bb:cc::1'
Jun  6 16:02:50 openvpn[13189]:   ifconfig_ipv6_netbits = 64
Jun  6 16:02:50 openvpn[13189]:   ifconfig_ipv6_remote = '2001:aa:bb:cc::2'
Jun  6 16:02:50 openvpn[13189]:   shaper = 0
Jun  6 16:02:50 openvpn[13189]:   mtu_test = 0
Jun  6 16:02:50 openvpn[13189]:   mlock = DISABLED
Jun  6 16:02:50 openvpn[13189]:   keepalive_ping = 15
Jun  6 16:02:50 openvpn[13189]:   keepalive_timeout = 60
Jun  6 16:02:50 openvpn[13189]:   inactivity_timeout = 0
Jun  6 16:02:50 openvpn[13189]:   ping_send_timeout = 15
Jun  6 16:02:50 openvpn[13189]:   ping_rec_timeout = 120
Jun  6 16:02:50 openvpn[13189]:   ping_rec_timeout_action = 2
Jun  6 16:02:50 openvpn[13189]:   ping_timer_remote = DISABLED
Jun  6 16:02:50 openvpn[13189]:   remap_sigusr1 = 0
Jun  6 16:02:50 openvpn[13189]:   persist_tun = DISABLED
Jun  6 16:02:50 openvpn[13189]:   persist_local_ip = DISABLED
Jun  6 16:02:50 openvpn[13189]:   persist_remote_ip = DISABLED
Jun  6 16:02:50 openvpn[13189]:   persist_key = DISABLED
Jun  6 16:02:50 openvpn[13189]:   passtos = DISABLED
Jun  6 16:02:50 openvpn[13189]:   resolve_retry_seconds = 1000000000
Jun  6 16:02:50 openvpn[13189]:   username = '[UNDEF]'
Jun  6 16:02:50 openvpn[13189]:   groupname = '[UNDEF]'
Jun  6 16:02:50 openvpn[13189]:   chroot_dir = '[UNDEF]'
Jun  6 16:02:50 openvpn[13189]:   cd_dir = '/etc/openvpn/server1'
Jun  6 16:02:50 openvpn[13189]:   writepid = '[UNDEF]'
Jun  6 16:02:50 openvpn[13189]:   up_script = '[UNDEF]'
Jun  6 16:02:50 openvpn[13189]:   down_script = '[UNDEF]'
Jun  6 16:02:50 openvpn[13189]:   down_pre = DISABLED
Jun  6 16:02:50 openvpn[13189]:   up_restart = DISABLED
Jun  6 16:02:50 openvpn[13189]:   up_delay = DISABLED
Jun  6 16:02:50 openvpn[13189]:   daemon = ENABLED
Jun  6 16:02:50 openvpn[13189]:   inetd = 0
Jun  6 16:02:50 openvpn[13189]:   log = DISABLED
Jun  6 16:02:50 openvpn[13189]:   suppress_timestamps = DISABLED
Jun  6 16:02:50 openvpn[13189]:   nice = 0
Jun  6 16:02:50 openvpn[13189]:   verbosity = 4
Jun  6 16:02:50 openvpn[13189]:   mute = 0
Jun  6 16:02:50 openvpn[13189]:   status_file = 'status'
Jun  6 16:02:50 openvpn[13189]:   status_file_version = 2
Jun  6 16:02:50 openvpn[13189]:   status_file_update_freq = 10
Jun  6 16:02:50 openvpn[13189]:   occ = ENABLED
Jun  6 16:02:50 openvpn[13189]:   rcvbuf = 0
Jun  6 16:02:50 openvpn[13189]:   sndbuf = 0
Jun  6 16:02:50 openvpn[13189]:   mark = 0
Jun  6 16:02:50 openvpn[13189]:   sockflags = 0
Jun  6 16:02:50 openvpn[13189]:   fast_io = DISABLED
Jun  6 16:02:50 openvpn[13189]:   lzo = 7
Jun  6 16:02:50 openvpn[13189]:   route_script = '[UNDEF]'
Jun  6 16:02:50 openvpn[13189]:   route_default_gateway = '192.168.100.2'
Jun  6 16:02:50 openvpn[13189]:   route_default_metric = 0
Jun  6 16:02:50 openvpn[13189]:   route_noexec = DISABLED
Jun  6 16:02:50 openvpn[13189]:   route_delay = 0
Jun  6 16:02:50 openvpn[13189]:   route_delay_window = 30
Jun  6 16:02:50 openvpn[13189]:   route_delay_defined = DISABLED
Jun  6 16:02:50 openvpn[13189]:   route_nopull = DISABLED
Jun  6 16:02:50 openvpn[13189]:   route_gateway_via_dhcp = DISABLED
Jun  6 16:02:50 openvpn[13189]:   max_routes = 100
Jun  6 16:02:50 openvpn[13189]:   allow_pull_fqdn = DISABLED
Jun  6 16:02:50 openvpn[13189]:   management_addr = '[UNDEF]'
Jun  6 16:02:50 openvpn[13189]:   management_port = 0
Jun  6 16:02:50 openvpn[13189]:   management_user_pass = '[UNDEF]'
Jun  6 16:02:50 openvpn[13189]:   management_log_history_cache = 250
Jun  6 16:02:50 openvpn[13189]:   management_echo_buffer_size = 100
Jun  6 16:02:50 openvpn[13189]:   management_write_peer_info_file = '[UNDEF]'
Jun  6 16:02:50 openvpn[13189]:   management_client_user = '[UNDEF]'
Jun  6 16:02:50 openvpn[13189]:   management_client_group = '[UNDEF]'
Jun  6 16:02:50 openvpn[13189]:   management_flags = 0
Jun  6 16:02:50 openvpn[13189]:   shared_secret_file = '[UNDEF]'
Jun  6 16:02:50 openvpn[13189]:   key_direction = 0
Jun  6 16:02:50 openvpn[13189]:   ciphername_defined = ENABLED
Jun  6 16:02:50 openvpn[13189]:   ciphername = 'BF-CBC'
Jun  6 16:02:50 openvpn[13189]:   authname_defined = ENABLED
Jun  6 16:02:50 openvpn[13189]:   authname = 'SHA1'
Jun  6 16:02:50 openvpn[13189]:   prng_hash = 'SHA1'
Jun  6 16:02:50 openvpn[13189]:   prng_nonce_secret_len = 16
Jun  6 16:02:50 openvpn[13189]:   keysize = 0
Jun  6 16:02:50 openvpn[13189]:   engine = DISABLED
Jun  6 16:02:50 openvpn[13189]:   replay = ENABLED
Jun  6 16:02:50 openvpn[13189]:   mute_replay_warnings = DISABLED
Jun  6 16:02:50 openvpn[13189]:   replay_window = 64
Jun  6 16:02:50 openvpn[13189]:   replay_time = 15
Jun  6 16:02:50 openvpn[13189]:   packet_id_file = '[UNDEF]'
Jun  6 16:02:50 openvpn[13189]:   use_iv = ENABLED
Jun  6 16:02:50 openvpn[13189]:   test_crypto = DISABLED
Jun  6 16:02:50 openvpn[13189]:   tls_server = ENABLED
Jun  6 16:02:50 openvpn[13189]:   tls_client = DISABLED
Jun  6 16:02:50 openvpn[13189]:   key_method = 2
Jun  6 16:02:50 openvpn[13189]:   ca_file = 'ca.crt'
Jun  6 16:02:50 openvpn[13189]:   ca_path = '[UNDEF]'
Jun  6 16:02:50 openvpn[13189]:   dh_file = 'dh.pem'
Jun  6 16:02:50 openvpn[13189]:   cert_file = 'server.crt'
Jun  6 16:02:50 openvpn[13189]:   priv_key_file = 'server.key'
Jun  6 16:02:50 openvpn[13189]:   pkcs12_file = '[UNDEF]'
Jun  6 16:02:50 openvpn[13189]:   cipher_list = '[UNDEF]'
Jun  6 16:02:50 openvpn[13189]:   tls_verify = '[UNDEF]'
Jun  6 16:02:50 openvpn[13189]:   tls_export_cert = '[UNDEF]'
Jun  6 16:02:50 openvpn[13189]:   verify_x509_type = 0
Jun  6 16:02:50 openvpn[13189]:   verify_x509_name = '[UNDEF]'
Jun  6 16:02:50 openvpn[13189]:   crl_file = '[UNDEF]'
Jun  6 16:02:50 openvpn[13189]:   ns_cert_type = 0
Jun  6 16:02:50 openvpn[13189]:   remote_cert_ku[i] = 0
Jun  6 16:02:50 openvpn[13189]:   remote_cert_ku[i] = 0
Jun  6 16:02:50 openvpn[13189]:   remote_cert_ku[i] = 0
Jun  6 16:02:50 openvpn[13189]:   remote_cert_ku[i] = 0
Jun  6 16:02:50 openvpn[13189]:   remote_cert_ku[i] = 0
Jun  6 16:02:50 openvpn[13189]:   remote_cert_ku[i] = 0
Jun  6 16:02:50 openvpn[13189]:   remote_cert_ku[i] = 0
Jun  6 16:02:50 openvpn[13189]:   remote_cert_ku[i] = 0
Jun  6 16:02:50 openvpn[13189]:   remote_cert_ku[i] = 0
Jun  6 16:02:50 openvpn[13189]:   remote_cert_ku[i] = 0
Jun  6 16:02:50 openvpn[13189]:   remote_cert_ku[i] = 0
Jun  6 16:02:50 openvpn[13189]:   remote_cert_ku[i] = 0
Jun  6 16:02:50 openvpn[13189]:   remote_cert_ku[i] = 0
Jun  6 16:02:50 openvpn[13189]:   remote_cert_ku[i] = 0
Jun  6 16:02:50 openvpn[13189]:   remote_cert_ku[i] = 0
Jun  6 16:02:50 openvpn[13189]:   remote_cert_ku[i] = 0
Jun  6 16:02:50 openvpn[13189]:   remote_cert_eku = '[UNDEF]'
Jun  6 16:02:50 openvpn[13189]:   ssl_flags = 0
Jun  6 16:02:50 openvpn[13189]:   tls_timeout = 2
Jun  6 16:02:50 openvpn[13189]:   renegotiate_bytes = 0
Jun  6 16:02:50 openvpn[13189]:   renegotiate_packets = 0
Jun  6 16:02:50 openvpn[13189]:   renegotiate_seconds = 3600
Jun  6 16:02:50 openvpn[13189]:   handshake_window = 60
Jun  6 16:02:50 openvpn[13189]:   transition_window = 3600
Jun  6 16:02:50 openvpn[13189]:   single_session = DISABLED
Jun  6 16:02:50 openvpn[13189]:   push_peer_info = DISABLED
Jun  6 16:02:50 openvpn[13189]:   tls_exit = DISABLED
Jun  6 16:02:50 openvpn[13189]:   tls_auth_file = '[UNDEF]'
Jun  6 16:02:50 openvpn[13189]:   server_network = 192.168.100.0
Jun  6 16:02:50 openvpn[13189]:   server_netmask = 255.255.255.0
Jun  6 16:02:50 openvpn[13189]:   server_network_ipv6 = 2001:aa:bb:cc::
Jun  6 16:02:50 openvpn[13189]:   server_netbits_ipv6 = 64
Jun  6 16:02:50 openvpn[13189]:   server_bridge_ip = 0.0.0.0
Jun  6 16:02:50 openvpn[13189]:   server_bridge_netmask = 0.0.0.0
Jun  6 16:02:50 openvpn[13189]:   server_bridge_pool_start = 0.0.0.0
Jun  6 16:02:50 openvpn[13189]:   server_bridge_pool_end = 0.0.0.0
Jun  6 16:02:50 openvpn[13189]:   push_entry = 'route 192.168.0.0 255.255.255.0'
Jun  6 16:02:50 openvpn[13189]:   push_entry = 'dhcp-option DNS 192.168.0.1'
Jun  6 16:02:50 openvpn[13189]:   push_entry = 'redirect-gateway def1'
Jun  6 16:02:50 openvpn[13189]:   push_entry = 'redirect-gateway ipv6'
Jun  6 16:02:50 openvpn[13189]:   push_entry = 'route-ipv6 2000::/3'
Jun  6 16:02:50 openvpn[13189]:   push_entry = 'tun-ipv6'
Jun  6 16:02:50 openvpn[13189]:   push_entry = 'route-gateway 192.168.100.1'
Jun  6 16:02:50 openvpn[13189]:   push_entry = 'topology subnet'
Jun  6 16:02:50 openvpn[13189]:   push_entry = 'ping 15'
Jun  6 16:02:50 openvpn[13189]:   push_entry = 'ping-restart 60'
Jun  6 16:02:50 openvpn[13189]:   ifconfig_pool_defined = ENABLED
Jun  6 16:02:50 openvpn[13189]:   ifconfig_pool_start = 192.168.100.2
Jun  6 16:02:50 openvpn[13189]:   ifconfig_pool_end = 192.168.100.253
Jun  6 16:02:50 openvpn[13189]:   ifconfig_pool_netmask = 255.255.255.0
Jun  6 16:02:50 openvpn[13189]:   ifconfig_pool_persist_filename = '[UNDEF]'
Jun  6 16:02:50 openvpn[13189]:   ifconfig_pool_persist_refresh_freq = 600
Jun  6 16:02:50 openvpn[13189]:   ifconfig_ipv6_pool_defined = ENABLED
Jun  6 16:02:50 openvpn[13189]:   ifconfig_ipv6_pool_base = 2001:aa:bb:cc::1000
Jun  6 16:02:50 openvpn[13189]:   ifconfig_ipv6_pool_netbits = 64
Jun  6 16:02:50 openvpn[13189]:   n_bcast_buf = 256
Jun  6 16:02:50 openvpn[13189]:   tcp_queue_limit = 64
Jun  6 16:02:50 openvpn[13189]:   real_hash_size = 256
Jun  6 16:02:50 openvpn[13189]:   virtual_hash_size = 256
Jun  6 16:02:50 openvpn[13189]:   client_connect_script = '[UNDEF]'
Jun  6 16:02:50 openvpn[13189]:   learn_address_script = '[UNDEF]'
Jun  6 16:02:50 openvpn[13189]:   client_disconnect_script = '[UNDEF]'
Jun  6 16:02:50 openvpn[13189]:   client_config_dir = '[UNDEF]'
Jun  6 16:02:50 openvpn[13189]:   ccd_exclusive = DISABLED
Jun  6 16:02:50 openvpn[13189]:   tmp_dir = '/tmp'
Jun  6 16:02:50 openvpn[13189]:   push_ifconfig_defined = DISABLED
Jun  6 16:02:50 openvpn[13189]:   push_ifconfig_local = 0.0.0.0
Jun  6 16:02:50 openvpn[13189]:   push_ifconfig_remote_netmask = 0.0.0.0
Jun  6 16:02:50 openvpn[13189]:   push_ifconfig_ipv6_defined = DISABLED
Jun  6 16:02:50 openvpn[13189]:   push_ifconfig_ipv6_local = ::/0
Jun  6 16:02:50 openvpn[13189]:   push_ifconfig_ipv6_remote = ::
Jun  6 16:02:50 openvpn[13189]:   enable_c2c = DISABLED
Jun  6 16:02:50 openvpn[13189]:   duplicate_cn = ENABLED
Jun  6 16:02:50 openvpn[13189]:   cf_max = 0
Jun  6 16:02:50 openvpn[13189]:   cf_per = 0
Jun  6 16:02:50 openvpn[13189]:   max_clients = 1024
Jun  6 16:02:50 openvpn[13189]:   max_routes_per_client = 256
Jun  6 16:02:50 openvpn[13189]:   auth_user_pass_verify_script = '[UNDEF]'
Jun  6 16:02:50 openvpn[13189]:   auth_user_pass_verify_script_via_file = DISABLED
Jun  6 16:02:50 openvpn[13189]:   port_share_host = '[UNDEF]'
Jun  6 16:02:50 openvpn[13189]:   port_share_port = 0
Jun  6 16:02:50 openvpn[13189]:   client = DISABLED
Jun  6 16:02:50 openvpn[13189]:   pull = DISABLED
Jun  6 16:02:50 openvpn[13189]:   auth_user_pass_file = '[UNDEF]'
Jun  6 16:02:50 openvpn[13189]: OpenVPN 2.3.8 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 24 2015
Jun  6 16:02:50 openvpn[13189]: library versions: OpenSSL 1.0.2e 3 Dec 2015, LZO 2.08
Jun  6 16:02:50 openvpn[13190]: Diffie-Hellman initialized with 2048 bit key
Jun  6 16:02:50 openvpn[13190]: TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:3 ]
Jun  6 16:02:50 openvpn[13190]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Jun  6 16:02:50 openvpn[13190]: TUN/TAP device tun21 opened
Jun  6 16:02:50 openvpn[13190]: TUN/TAP TX queue length set to 100
Jun  6 16:02:50 openvpn[13190]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=1
Jun  6 16:02:50 openvpn[13190]: /usr/sbin/ip link set dev tun21 up mtu 1500
Jun  6 16:02:50 openvpn[13190]: /usr/sbin/ip addr add dev tun21 192.168.100.1/24 broadcast 192.168.100.255
Jun  6 16:02:50 openvpn[13190]: /usr/sbin/ip -6 addr add 2001:aa:bb:cc::1/64 dev tun21
Jun  6 16:02:50 openvpn[13190]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:143 ET:0 EL:3 AF:3/1 ]
Jun  6 16:02:50 openvpn[13190]: UDPv4 link local (bound): [undef]
Jun  6 16:02:50 openvpn[13190]: UDPv4 link remote: [undef]
Jun  6 16:02:50 openvpn[13190]: MULTI: multi_init called, r=256 v=256
Jun  6 16:02:50 openvpn[13190]: IFCONFIG POOL IPv6: (IPv4) size=252, size_ipv6=65536, netbits=64, base_ipv6=2001:aa:bb:cc::1000
Jun  6 16:02:50 openvpn[13190]: IFCONFIG POOL: base=192.168.100.2 size=252, ipv6=1
Jun  6 16:02:50 openvpn[13190]: Initialization Sequence Completed

Jun  6 16:14:32 openvpn[13190]: MULTI: multi_create_instance called
Jun  6 16:14:32 openvpn[13190]: 11.22.33.44:50439 Re-using SSL/TLS context
Jun  6 16:14:32 openvpn[13190]: 11.22.33.44:50439 LZO compression initialized
Jun  6 16:14:32 openvpn[13190]: 11.22.33.44:50439 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:3 ]
Jun  6 16:14:32 openvpn[13190]: 11.22.33.44:50439 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:143 ET:0 EL:3 AF:3/1 ]
Jun  6 16:14:32 openvpn[13190]: 11.22.33.44:50439 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Jun  6 16:14:32 openvpn[13190]: 11.22.33.44:50439 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Jun  6 16:14:32 openvpn[13190]: 11.22.33.44:50439 Local Options hash (VER=V4): '530fdded'
Jun  6 16:14:32 openvpn[13190]: 11.22.33.44:50439 Expected Remote Options hash (VER=V4): '41690919'
Jun  6 16:14:32 openvpn[13190]: 11.22.33.44:50439 TLS: Initial packet from [AF_INET]11.22.33.44:50439, sid=ceb0911e fd6a23b8
Jun  6 16:14:32 openvpn[13190]: 11.22.33.44:50439 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC87U, emailAddress=me@myhost.mydomain
Jun  6 16:14:32 openvpn[13190]: 11.22.33.44:50439 VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, CN=client, emailAddress=me@myhost.mydomain
Jun  6 16:14:32 openvpn[13190]: 11.22.33.44:50439 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jun  6 16:14:32 openvpn[13190]: 11.22.33.44:50439 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jun  6 16:14:32 openvpn[13190]: 11.22.33.44:50439 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jun  6 16:14:32 openvpn[13190]: 11.22.33.44:50439 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jun  6 16:14:32 openvpn[13190]: 11.22.33.44:50439 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Jun  6 16:14:32 openvpn[13190]: 11.22.33.44:50439 [client] Peer Connection Initiated with [AF_INET]11.22.33.44:50439
Jun  6 16:14:32 openvpn[13190]: client/11.22.33.44:50439 MULTI_sva: pool returned IPv4=192.168.100.2, IPv6=2001:aa:bb:cc::1000
Jun  6 16:14:32 openvpn[13190]: client/11.22.33.44:50439 MULTI: Learn: 192.168.100.2 -> client/11.22.33.44:50439
Jun  6 16:14:32 openvpn[13190]: client/11.22.33.44:50439 MULTI: primary virtual IP for client/11.22.33.44:50439: 192.168.100.2
Jun  6 16:14:32 openvpn[13190]: client/11.22.33.44:50439 MULTI: Learn: 2001:aa:bb:cc::1000 -> client/11.22.33.44:50439
Jun  6 16:14:32 openvpn[13190]: client/11.22.33.44:50439 MULTI: primary virtual IPv6 for client/11.22.33.44:50439: 2001:aa:bb:cc::1000
Jun  6 16:14:32 openvpn[13190]: client/11.22.33.44:50439 PUSH: Received control message: 'PUSH_REQUEST'
Jun  6 16:14:32 openvpn[13190]: client/11.22.33.44:50439 send_push_reply(): safe_cap=940
Jun  6 16:14:32 openvpn[13190]: client/11.22.33.44:50439 SENT CONTROL [client]: 'PUSH_REPLY,ifconfig-ipv6 2001:aa:bb:cc::1000/64 2001:aa:bb:cc::1,route 192.168.0.0 255.255.255.0,dhcp-option DNS 192.168.0.1,redirect-gateway def1,redirect-gateway ipv6,route-ipv6 2000::/3,tun-ipv6,route-gateway 192.168.100.1,topology subnet,ping 15,ping-restart 60,ifconfig 192.168.100.2 255.255.255.0' (status=1)
Jun  6 16:14:33 openvpn[13190]: client/11.22.33.44:50439 MULTI: bad source address from client [::], packet dropped
Jun  6 16:14:33 openvpn[13190]: client/11.22.33.44:50439 MULTI: bad source address from client [::], packet dropped

Re: iOS 9.3.2 and IPv6 routing issue

Posted: Mon Jun 06, 2016 6:50 pm
by TinCanTech
MadEgg wrote:
Jun 6 16:14:32 openvpn[13190]: client/11.22.33.44:50439 SENT CONTROL [client]: 'PUSH_REPLY,ifconfig-ipv6 2001:aa:bb:cc::1000/64 2001:aa:bb:cc::1,route 192.168.0.0 255.255.255.0,dhcp-option DNS 192.168.0.1,redirect-gateway def1,redirect-gateway ipv6,route-ipv6 2000::/3,tun-ipv6,route-gateway 192.168.100.1,topology subnet,ping 15,ping-restart 60,ifconfig 192.168.100.2 255.255.255.0' (status=1)
MadEgg wrote:
0 [ifconfig-ipv6] [2001:aa:bb:cc::1000/64] [2001:aa:bb:cc::1]
<..>
4 [redirect-gateway] [ipv6]
5 [route-ipv6] [2000::/3]
Looks like it is working .. I'll have to double check my setup.

FYI:

redirect-gateway ipv6,route-ipv6 2000::/3
these do the same thing .. so maybe remove the second item ..

Final test: Can the client ping(IPv6) 2001:aa:bb:cc::1 (the server IPv6) ?
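
The following Python example is added here; it is not from any poster in the thread and is not OpenVPN code. It parses the server log lines quoted above to show which pushed option covers IPv6 for a given client, whether `redirect-gateway ipv6` and `route-ipv6 2000::/3` overlap, and which source addresses triggered "bad source address" drops. The function names and the `redirect_ipv6_supported` switch are assumptions of this example; the switch models the wiki text quoted in the thread, which says `redirect-gateway ipv6` has no effect on OpenVPN 2.3.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: three server log lines as posted in the thread
# (all addresses are the poster's placeholders).
SAMPLE_LOG = """\
Jun  6 16:14:32 openvpn[13190]: client/11.22.33.44:50439 SENT CONTROL [client]: 'PUSH_REPLY,ifconfig-ipv6 2001:aa:bb:cc::1000/64 2001:aa:bb:cc::1,route 192.168.0.0 255.255.255.0,dhcp-option DNS 192.168.0.1,redirect-gateway def1,redirect-gateway ipv6,route-ipv6 2000::/3,tun-ipv6,route-gateway 192.168.100.1,topology subnet,ping 15,ping-restart 60,ifconfig 192.168.100.2 255.255.255.0' (status=1)
Jun  6 16:14:33 openvpn[13190]: client/11.22.33.44:50439 MULTI: bad source address from client [::], packet dropped
Jun  6 16:14:33 openvpn[13190]: client/11.22.33.44:50439 MULTI: bad source address from client [::], packet dropped
"""

GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")
PUSH_RE = re.compile(r"SENT CONTROL \[[^\]]*\]: 'PUSH_REPLY,(.*)' \(status=\d+\)")
BAD_SRC_RE = re.compile(
    r"MULTI: bad source address from client \[([^\]]*)\], packet dropped")


def parse_push_reply(line):
    """Return the pushed options as lists of tokens, or None if not a PUSH_REPLY."""
    m = PUSH_RE.search(line)
    if not m:
        return None
    return [opt.split() for opt in m.group(1).split(",") if opt.strip()]


def audit_ipv6(options, redirect_ipv6_supported=True):
    """Work out which pushed options send global IPv6 traffic into the tunnel."""
    flags, v6_routes, tunnel_v6 = set(), [], None
    for name, *args in options:
        if name == "redirect-gateway":
            flags.update(a.lower() for a in args)
        elif name == "route-ipv6" and args:
            v6_routes.append(ipaddress.ip_network(args[0], strict=False))
        elif name == "ifconfig-ipv6" and args:
            tunnel_v6 = str(ipaddress.ip_interface(args[0]))

    covered_by = []
    if redirect_ipv6_supported and "ipv6" in flags:
        covered_by.append("redirect-gateway ipv6")
    # A pushed route covers the public IPv6 internet if it contains 2000::/3.
    covered_by += [f"route-ipv6 {r}" for r in v6_routes
                   if GLOBAL_UNICAST.subnet_of(r)]
    return {
        "tunnel_ipv6": tunnel_v6,
        "ipv6_covered_by": covered_by,
        "ipv6_covered": bool(covered_by),
        "overlap": len(covered_by) > 1,
    }


def _is_unspecified(addr):
    try:
        return ipaddress.ip_address(addr).is_unspecified
    except ValueError:
        return False


def summarize_log(log_text, redirect_ipv6_supported=True):
    """Combine the PUSH_REPLY audit with a count of dropped source addresses."""
    report = {"tunnel_ipv6": None, "ipv6_covered_by": [],
              "ipv6_covered": False, "overlap": False}
    drops = Counter()
    for line in log_text.splitlines():
        options = parse_push_reply(line)
        if options is not None:
            report.update(audit_ipv6(options, redirect_ipv6_supported))
        m = BAD_SRC_RE.search(line)
        if m:
            drops[m.group(1)] += 1
    report["bad_source"] = dict(drops)
    # Drops sourced only from '::' (the unspecified address) are different
    # from drops sourced from a real address the server never assigned.
    report["unspecified_only"] = bool(drops) and all(
        _is_unspecified(a) for a in drops)
    return report


if __name__ == "__main__":
    for supported in (True, False):
        print(supported, summarize_log(SAMPLE_LOG, supported))
```

On a client that honours `redirect-gateway ipv6` the two options overlap; on one that ignores it, the `route-ipv6 2000::/3` push is the only thing steering global IPv6 traffic into the tunnel.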

Re: iOS 9.3.2 and IPv6 routing issue

Posted: Mon Jun 06, 2016 9:17 pm
by MadEgg
Yes. Like I said before, when I use the 'Net Analyzer' app to test IPv6 connectivity, it seems to work. I can ping the VPN-server and I can ping / traceroute to any IPv6 server on the internet, which according to the results is routed through the tunnel.

However, as soon as I use any other app (DAAP server, Safari, VLC) it seems that there is no IPv6 connectivity available as all connections fail, while they do work when the iPhone is connected directly to the WiFi providing IPv6.

I already tried this without the route-ipv6 2000::/3 part but that doesn't make a difference unfortunately.

It keeps baffling me that the Net Analyzer app indicates everything works and the log files indicate everything works, but yet not everything works...

Re: iOS 9.3.2 and IPv6 routing issue

Posted: Mon Jun 06, 2016 9:51 pm
by TinCanTech
MadEgg wrote: I'm using an OpenVPN server on my AsusWRT router at home where I have a dual stack setup with a /48 subnet
I presume your ISP provides this IPv6 netblock ?

Re: iOS 9.3.2 and IPv6 routing issue

Posted: Mon Jun 06, 2016 10:52 pm
by MadEgg
TinCanTech wrote:
MadEgg wrote: I'm using an OpenVPN server on my AsusWRT router at home where I have a dual stack setup with a /48 subnet
I presume your ISP provides this IPv6 netblock ?
Depends on what you call my ISP. My "local" ISP provides me with an IPv4 address. My "remote" ISP, Hurricane Electric, provides me with a tunneled IPv6 /48 block.

Re: iOS 9.3.2 and IPv6 routing issue

Posted: Mon Jun 06, 2016 11:15 pm
by disqualified
Clearly, your problem is not with OpenVPN ..