Force OpenVPN Connect to connect via UDPv4
Posted: Thu Aug 23, 2018 4:51 pm
I have a working OpenVPN server on my router. I can use it via my laptop. I have disabled IPv6 on the router, although my internet provider does not stop assigning an IPv6 address to my modem.
The problem is that OpenVPN Connect still connects via UDPv6. Since I do not have OpenVPN configured for IPv6, I lose internet access when connected to the VPN.
I tried putting:
Code:
proto udp4
remote x.x.x.x 1194 udp4
in my ovpn config, but it ignores the options. If it matters, when I go to http://whatismyip.host, my phone has an IPv4 address (although "what is my ip?" on Google returns an IPv6 address). I originally had IPv6 enabled on my router and followed the OpenWRT directions for setting up OpenVPN, but OpenVPN Connect failed to connect with that setup. I would rather not wrangle with the settings to get IPv6 working.
The ovpn client config:
Code:
client
dev tun
proto udp4
fast-io
remote x.x.x.x 1194 udp4
remote-cert-tls server
nobind
persist-key
persist-tun
compress lzo
verb 3
key-direction 1
...[certificates]
The server config:
Code:
config openvpn 'vpnserver'
enabled '1'
dev_type 'tun'
dev 'ovpns0'
proto 'udp4'
port '1194'
topology 'subnet'
tls_server '1'
mode 'server'
server '192.168.200.0 255.255.255.0'
route_gateway 'dhcp'
compress 'lzo'
keepalive '10 120'
persist_key '1'
persist_tun '1'
ca '/etc/openvpn/ca.crt'
cert '/etc/openvpn/my-server.crt'
key '/etc/openvpn/my-server.key'
dh '/etc/openvpn/dh2048.pem'
tls_auth '/etc/openvpn/tls-auth.key 0'
client_to_client '1'
log '/tmp/openvpn.log'
push 'topology subnet'
push 'redirect-gateway def1'
push 'route-gateway dhcp'
push 'route 192.168.200.0 255.255.255.0'
push 'dhcp-option DNS 192.168.1.1'
push 'compress lzo'
push 'persist-key'
push 'persist-tun'
push 'DOMAIN lan'
The log from OpenVPN Connect:
Code:
2018-08-23 02:21:23 ----- OpenVPN Start -----
OpenVPN core 3.2 ios arm64 64-bit built on Feb 22 2018 12:39:28
2018-08-23 02:21:23 Frame=512/2048/512 mssfix-ctrl=1250
2018-08-23 02:21:23 UNUSED OPTIONS
3 [fast-io]
6 [nobind]
7 [persist-key]
8 [persist-tun]
10 [verb] [3]
2018-08-23 02:21:23 EVENT: RESOLVE
2018-08-23 02:21:23 Contacting [IPv6 removed]:1194/UDP via UDP
2018-08-23 02:21:23 EVENT: WAIT
2018-08-23 02:21:23 Connecting to [IPv4 removed]:1194 (IPv6 removed) via UDPv6
2018-08-23 02:21:23 EVENT: CONNECTING
2018-08-23 02:21:23 Tunnel Options:V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client
2018-08-23 02:21:23 Creds: UsernameEmpty/PasswordEmpty
2018-08-23 02:21:23 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 1.2.9-0
IV_VER=3.2
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO=1
IV_AUTO_SESS=1
IV_BS64DL=1
2018-08-23 02:21:23 VERIFY OK : depth=1
cert. version : 3
serial number : removed
issuer name : C=GB, ST=London, O=WWW Ltd.
subject name : C=GB, ST=London, O=WWW Ltd.
issued on : 2018-08-23 05:58:43
expires on : 2028-08-20 05:58:43
signed using : RSA with SHA-256
RSA key size : 4096 bits
basic constraints : CA=true
2018-08-23 02:21:23 VERIFY OK : depth=0
cert. version : 3
serial number : 10:00
issuer name : C=GB, ST=London, O=WWW Ltd.
subject name : CN=my-server
issued on : 2018-08-23 05:58:59
expires on : 2028-08-20 05:58:59
signed using : RSA with SHA-256
RSA key size : 4096 bits
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication
2018-08-23 02:21:24 SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
2018-08-23 02:21:24 Session is ACTIVE
2018-08-23 02:21:24 EVENT: GET_CONFIG
2018-08-23 02:21:24 Sending PUSH_REQUEST to server...
2018-08-23 02:21:24 OPTIONS:
0 [topology] [subnet]
1 [redirect-gateway] [def1]
2 [route-gateway] [dhcp]
3 [route] [192.168.200.0] [255.255.255.0]
4 [dhcp-option] [DNS] [192.168.1.1]
5 [compress] [lzo]
6 [persist-key]
7 [persist-tun]
8 [DOMAIN] [lan]
9 [route-gateway] [192.168.200.1]
10 [topology] [subnet]
11 [ping] [10]
12 [ping-restart] [120]
13 [ifconfig] [192.168.200.2] [255.255.255.0]
14 [peer-id] [1]
15 [cipher] [AES-256-GCM]
2018-08-23 02:21:24 PROTOCOL OPTIONS:
cipher: AES-256-GCM
digest: SHA1
compress: LZO
peer ID: 1
2018-08-23 02:21:24 EVENT: ASSIGN_IP
2018-08-23 02:21:24 NIP: preparing TUN network settings
2018-08-23 02:21:24 NIP: init TUN network settings with endpoint: IPv6 removed
2018-08-23 02:21:24 NIP: adding IPv4 address to network settings 192.168.200.2/255.255.255.0
2018-08-23 02:21:24 NIP: adding (included) IPv4 route 192.168.200.0/24
2018-08-23 02:21:24 NIP: adding (included) IPv4 route 192.168.200.0/24
2018-08-23 02:21:24 NIP: redirecting all IPv4 traffic to TUN interface
2018-08-23 02:21:24 NIP: adding DNS 192.168.1.1
2018-08-23 02:21:24 Connected via NetworkExtensionTUN
2018-08-23 02:21:24 LZO-ASYM init swap=0 asym=0
2018-08-23 02:21:24 EVENT: CONNECTED @IPv4 removed:1194 (IPv6 removed) via /UDPv6 on NetworkExtensionTUN/192.168.200.2/ gw=[/]
2018-08-23 02:26:48 EVENT: DISCONNECTED
2018-08-23 02:26:48 Raw stats on disconnect:
BYTES_IN : 5847
BYTES_OUT : 14546
PACKETS_IN : 43
PACKETS_OUT : 146
TUN_BYTES_IN : 7881
TUN_PACKETS_IN : 125
2018-08-23 02:26:48 Performance stats on disconnect:
CPU usage (microseconds): 291098
Tunnel compression ratio (downlink): inf
Network bytes per CPU second: 70055
Tunnel bytes per CPU second: 27073
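The log above can be checked mechanically for the gap between what the profile requested and what the client actually did. The following is an added example, not part of the original post: a small Python parser for this OpenVPN Connect log format. The names `audit` and `SAMPLE_LOG` and the addresses in the sample are constructed for illustration, and the wording of an IPv6 redirect message is an assumption.

```python
import re

# Constructed sample in the format of the log above; the addresses are
# documentation-range placeholders, not values from the post.
SAMPLE_LOG = """\
2018-08-23 02:21:23 UNUSED OPTIONS
3 [fast-io]
10 [verb] [3]
2018-08-23 02:21:23 Connecting to [203.0.113.10]:1194 (2001:db8::10) via UDPv6
2018-08-23 02:21:23 Tunnel Options:V4,dev-type tun,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1
2018-08-23 02:21:24 PROTOCOL OPTIONS:
cipher: AES-256-GCM
compress: LZO
2018-08-23 02:21:24 NIP: redirecting all IPv4 traffic to TUN interface
"""

TS = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d (.*)$")
SECTIONS = {"UNUSED OPTIONS": "unused", "PROTOCOL OPTIONS:": "protocol"}

def audit(log):
    # Compare what the profile asked for with what the client reports doing.
    unused, protocol, redirected = [], {}, set()
    requested = actual = section = None
    for line in log.splitlines():
        m = TS.match(line)
        if not m:  # untimestamped line: belongs to the current section, if any
            if section == "unused":
                unused.append(re.findall(r"\[([^\]]*)\]", line))
            elif section == "protocol" and ":" in line:
                key, value = line.split(":", 1)
                protocol[key.strip()] = value.strip()
            continue
        msg = m.group(1)
        section = SECTIONS.get(msg)
        if msg.startswith("Tunnel Options:"):
            fields = msg.split(":", 1)[1].split(",")
            requested = next((f[6:] for f in fields if f.startswith("proto ")), None)
        elif msg.startswith("Connecting to "):
            actual = msg.rsplit(" via ", 1)[-1]
        # Assumption: an IPv6 redirect is logged with the same wording as the IPv4 one.
        elif hit := re.search(r"redirecting all IPv([46]) traffic", msg):
            redirected.add(hit.group(1))
    findings = []
    if requested and actual and requested != actual:
        findings.append(f"transport mismatch: options {requested}, socket {actual}")
    if redirected == {"4"}:
        findings.append("only IPv4 is redirected into the tunnel")
    if protocol.get("compress", "NONE").upper() != "NONE":
        findings.append(f"compression enabled: {protocol['compress']}")
    return {"unused": unused, "requested": requested, "actual": actual,
            "protocol": protocol, "findings": findings}
```

Running `audit` over the full log text from the post reports the same three findings: the socket family differs from the `proto` in the tunnel options, only IPv4 traffic is routed into the tunnel, and LZO compression is active.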