OpenVPN Support Forum

Community Support Forum
https://forums.openvpn.net/

Openvpn (IPv4) over IPv6 connection Site to Site

https://forums.openvpn.net/viewtopic.php?t=24442

Page 1 of 1

Openvpn (IPv4) over IPv6 connection Site to Site

Posted: Sat Jul 08, 2017 8:51 am
by dkruempe
Hello together,

i have successfully created a OpenVPN connection. My Client can reach all subnets from the server. But my server cannot reach the subnet from the client.

OpenVPN Server Config

Code: Select all

port 1194
proto udp6
dev tun0
sndbuf 0
rcvbuf 0
client-to-client
ca /etc/openvpn/main-keys/ca.crt
cert /etc/openvpn/main-keys/server.crt
key /etc/openvpn/main-keys/server.key
dh /etc/openvpn/main-keys/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
push "route 10.0.1.0 255.255.255.0"
route 10.0.0.0 255.255.255.0 10.8.0.4 #(Client Network)
keepalive 10 120
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
status main-status.log
ifconfig-pool-persist /etc/openvpn/main-ipp.txt
iptables Configuration Server

Code: Select all

iptables -A INPUT -i br0 -m state --state NEW -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE
They are also some other forwarding for the other subnets which are reachable for the client

OpenVPN Client configuration

Code: Select all

client
dev tun
proto udp6
auth-nocache
topology subnet
remote <IPv6 ADDRESS OF SERVER> 1194
route 192.168.2.0 255.255.255.0 # all reachable subnets
route 10.242.2.0 255.255.255.0
route 10.9.0.0 255.255.255.0
#resolv-retry infinite
#nobind
cipher AES-128-CBC
comp-lzo
tls-client

persist-key
persist-tun
verb 3
Client iptables

Code: Select all

# Generated by iptables-save v1.4.21 on Sat Jul  8 08:48:41 2017
*filter
:INPUT ACCEPT [8588:4494440]
:FORWARD ACCEPT [25:3068]
:OUTPUT ACCEPT [4606:472037]
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
COMMIT
# Completed on Sat Jul  8 08:48:41 2017
# Generated by iptables-save v1.4.21 on Sat Jul  8 08:48:41 2017
*nat
:PREROUTING ACCEPT [816:104716]
:INPUT ACCEPT [721:85047]
:OUTPUT ACCEPT [285:21638]
:POSTROUTING ACCEPT [1:60]
-A POSTROUTING -o tun0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Sat Jul  8 08:48:41 2017
# Generated by ip6tables-save v1.4.21 on Sat Jul  8 08:49:19 2017
*nat
:PREROUTING ACCEPT [4:1004]
:INPUT ACCEPT [4:1004]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Sat Jul  8 08:49:19 2017
# Generated by ip6tables-save v1.4.21 on Sat Jul  8 08:49:19 2017
*filter
:INPUT ACCEPT [3143:2333463]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10873:1377069]
-A INPUT -p udp -m udp --dport 1194 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sat Jul  8 08:49:19 2017
Help me. I have no plan why my server cannot reach the client subnet.

Re: Openvpn (IPv4) over IPv6 connection Site to Site

Posted: Sat Jul 08, 2017 11:30 am
by TinCanTech
dkruempe wrote:I have no plan why my server cannot reach the client subnet
It is because you did not read the howto ..

Re: Openvpn (IPv4) over IPv6 connection Site to Site

Posted: Sat Jul 08, 2017 12:00 pm
by dkruempe
Thanks for the information. I have updated my post but that still does not help for openvpn problem man ;-), because I cannot edit my first post. Here the updated one.
dkruempe wrote:Hello together,

i have successfully created a OpenVPN connection. My Client can reach all subnets from the server. But my server cannot reach the subnet from the client.
OpenVPN Server Config
port 1194
proto udp6
dev tun0
sndbuf 0
rcvbuf 0
client-to-client
ca /etc/openvpn/main-keys/ca.crt
cert /etc/openvpn/main-keys/server.crt
key /etc/openvpn/main-keys/server.key
dh /etc/openvpn/main-keys/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
push "route 10.0.1.0 255.255.255.0"
route 10.0.0.0 255.255.255.0 10.8.0.4 #(Client Network)
keepalive 10 120
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
status main-status.log
ifconfig-pool-persist /etc/openvpn/main-ipp.txt
iptables Configuration Server
iptables -A INPUT -i br0 -m state --state NEW -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE
They are also some other forwarding for the other subnets which are reachable for the client

OpenVPN Client configuration
client
dev tun
proto udp6
auth-nocache
topology subnet
remote <IPv6 ADDRESS OF SERVER> 1194
route 192.168.2.0 255.255.255.0 # all reachable subnets
route 10.242.2.0 255.255.255.0
route 10.9.0.0 255.255.255.0
#resolv-retry infinite
#nobind
cipher AES-128-CBC
comp-lzo
tls-client

persist-key
persist-tun
verb 3
Client iptables
Client iptables
# Generated by iptables-save v1.4.21 on Sat Jul 8 08:48:41 2017
*filter
:INPUT ACCEPT [8588:4494440]
:FORWARD ACCEPT [25:3068]
:OUTPUT ACCEPT [4606:472037]
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
COMMIT
# Completed on Sat Jul 8 08:48:41 2017
# Generated by iptables-save v1.4.21 on Sat Jul 8 08:48:41 2017
*nat
:PREROUTING ACCEPT [816:104716]
:INPUT ACCEPT [721:85047]
:OUTPUT ACCEPT [285:21638]
:POSTROUTING ACCEPT [1:60]
-A POSTROUTING -o tun0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Sat Jul 8 08:48:41 2017
# Generated by ip6tables-save v1.4.21 on Sat Jul 8 08:49:19 2017
*nat
:PREROUTING ACCEPT [4:1004]
:INPUT ACCEPT [4:1004]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Sat Jul 8 08:49:19 2017
# Generated by ip6tables-save v1.4.21 on Sat Jul 8 08:49:19 2017
*filter
:INPUT ACCEPT [3143:2333463]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10873:1377069]
-A INPUT -p udp -m udp --dport 1194 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sat Jul 8 08:49:19 2017
Help me. I have no plan why my server cannot reach the client subnet.

Re: Openvpn (IPv4) over IPv6 connection Site to Site

Posted: Sat Jul 08, 2017 12:11 pm
by TinCanTech
You still have not read the howto ..

Re: Openvpn (IPv4) over IPv6 connection Site to Site

Posted: Sat Jul 08, 2017 12:29 pm
by dkruempe
Which part of the how do you mean. First i have read the how to in this forum and corrected the post.
Now I read the OpenVPN how to but which part of the how to do you mean man?

Re: Openvpn (IPv4) over IPv6 connection Site to Site

Posted: Sat Jul 08, 2017 1:15 pm
by dkruempe
Thanks for the great help. I have solved it by my self. Just have to add an iroute command.
Topic can be closed.
All times are UTC
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/