Blocking ipv6 traffic through tunnel, LAN still accessible

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Letalis
OpenVPN User
Posts: 47
Joined: Mon Sep 14, 2020 11:46 am

Blocking ipv6 traffic through tunnel, LAN still accessible

Post by Letalis » Fri Mar 18, 2022 4:16 pm

Hi, I have an OpenVPN server setup on my LAN, and for the sake of testing I am connecting from another machine that is also on my LAN (I don't currently have hold of a public IPv6 address so I am using my local network for testing IPv6).
I have read this old forum post (viewtopic.php?t=22057), which details how I can filter out IPv6 traffic by directing it all through the tunnel and dropping it with a route server-side. Theoretically this would mean I could connect to this server from another device on my network and I would be unable to ping any IPv6 address on my local network, but that isn't what happens. I push the route of address range "::/0" to the client, meaning I should not be able to access anything in the IPv6 range, but I can still access any of my IPv6 addresses.

This is my server config:


local 192.168.0.27
port 69
proto udp
dev tun0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.254.0
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
push "redirect-gateway def1 ipv6 bypass-dhcp"
push "route 192.168.0.0 255.255.0.0 net_gateway"
server-ipv6 2001:db8:0:123::/64
;tun-ipv6
;push tun-ipv6
;push "route-ipv6 2000::/3"
push "route-ipv6 ::/0"
push "explicit-exit-notify 2"
cipher AES-256-CBC
persist-key
persist-tun
ping-exit 30
status openvpn-status.log
verb 4
crl-verify crl.pem
management localhost 7505
script-security 3
learn-address "/etc/openvpn/server/learn-address.sh"
client-disconnect "/etc/openvpn/server/client-disconnect.sh"
max-clients 100
auth-user-pass-verify /etc/openvpn/server/clientCheck.sh via-env
verify-client-cert none
This is my client config:


client
dev tun
proto udp
remote 192.168.0.27 69
resolv-retry infinite
nobind
persist-key
persist-tun
remote-random
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
explicit-exit-notify 2
verb 4
auth-user-pass
pull
ping 30
<ca>

</ca>
<cert>

</cert>
<key>

</key>
<tls-crypt>

</tls-crypt>
And this is my server log upon connection:


>LOG:1647619548,,MULTI: multi_create_instance called
>LOG:1647619548,,192.168.0.33:57199 Re-using SSL/TLS context
>LOG:1647619548,,192.168.0.33:57199 Control Channel MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
>LOG:1647619548,,192.168.0.33:57199 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
>LOG:1647619548,,192.168.0.33:57199 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
>LOG:1647619548,,192.168.0.33:57199 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
>LOG:1647619548,,192.168.0.33:57199 TLS: Initial packet from [AF_INET]192.168.0.33:57199, sid=167d9bf9 77168916
>LOG:1647619548,I,192.168.0.33:57199 peer info: IV_VER=2.5.1
>LOG:1647619548,I,192.168.0.33:57199 peer info: IV_PLAT=linux
>LOG:1647619548,I,192.168.0.33:57199 peer info: IV_PROTO=6
>LOG:1647619548,I,192.168.0.33:57199 peer info: IV_NCP=2
>LOG:1647619548,I,192.168.0.33:57199 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:AES-256-CBC
>LOG:1647619548,I,192.168.0.33:57199 peer info: IV_LZ4=1
>LOG:1647619548,I,192.168.0.33:57199 peer info: IV_LZ4v2=1
>LOG:1647619548,I,192.168.0.33:57199 peer info: IV_LZO=1
>LOG:1647619548,I,192.168.0.33:57199 peer info: IV_COMP_STUB=1
>LOG:1647619548,I,192.168.0.33:57199 peer info: IV_COMP_STUBv2=1
>LOG:1647619548,I,192.168.0.33:57199 peer info: IV_TCPNL=1
>LOG:1647619551,,192.168.0.33:57199 TLS: Username/Password authentication succeeded for username 'user'
>LOG:1647619551,,192.168.0.33:57199 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384
>LOG:1647619551,I,192.168.0.33:57199 [] Peer Connection Initiated with [AF_INET]192.168.0.33:57199
>LOG:1647619551,I,192.168.0.33:57199 MULTI_sva: pool returned IPv4=10.8.0.4, IPv6=2001:db8:0:123::1002
>LOG:1647619551,,192.168.0.33:57199 MULTI: Learn: 10.8.0.4 -> 192.168.0.33:57199
>LOG:1647619551,,192.168.0.33:57199 MULTI: primary virtual IP for 192.168.0.33:57199: 10.8.0.4
>LOG:1647619551,,192.168.0.33:57199 MULTI: Learn: 2001:db8:0:123::1002 -> 192.168.0.33:57199
>LOG:1647619551,,192.168.0.33:57199 MULTI: primary virtual IPv6 for 192.168.0.33:57199: 2001:db8:0:123::1002
>CLIENT:ESTABLISHED,2
>CLIENT:ENV,n_clients=1
>CLIENT:ENV,script_type=learn-address
>CLIENT:ENV,time_unix=1647619548
>CLIENT:ENV,time_ascii=Fri Mar 18 16:05:48 2022
>CLIENT:ENV,ifconfig_pool_ip6_netbits=64
>CLIENT:ENV,ifconfig_pool_local_ip6=2001:db8:0:123::1
>CLIENT:ENV,ifconfig_pool_remote_ip6=2001:db8:0:123::1002
>CLIENT:ENV,ifconfig_pool_netmask=255.255.254.0
>CLIENT:ENV,ifconfig_pool_remote_ip=10.8.0.4
>CLIENT:ENV,trusted_port=57199
>CLIENT:ENV,trusted_ip=192.168.0.33
>CLIENT:ENV,untrusted_port=57199
>CLIENT:ENV,untrusted_ip=192.168.0.33
>CLIENT:ENV,username=user
>CLIENT:ENV,IV_TCPNL=1
>CLIENT:ENV,IV_COMP_STUBv2=1
>CLIENT:ENV,IV_COMP_STUB=1
>CLIENT:ENV,IV_LZO=1
>CLIENT:ENV,IV_LZ4v2=1
>CLIENT:ENV,IV_LZ4=1
>CLIENT:ENV,IV_CIPHERS=AES-256-GCM:AES-128-GCM:AES-256-CBC
>CLIENT:ENV,IV_NCP=2
>CLIENT:ENV,IV_PROTO=6
>CLIENT:ENV,IV_PLAT=linux
>CLIENT:ENV,IV_VER=2.5.1
>CLIENT:ENV,remote_port_1=69
>CLIENT:ENV,local_port_1=69
>CLIENT:ENV,local_1=192.168.0.27
>CLIENT:ENV,proto_1=udp
>CLIENT:ENV,daemon_pid=2519
>CLIENT:ENV,daemon_start_time=1647618626
>CLIENT:ENV,daemon_log_redirect=0
>CLIENT:ENV,daemon=0
>CLIENT:ENV,verb=0
>CLIENT:ENV,config=server.conf
>CLIENT:ENV,ifconfig_local=10.8.0.1
>CLIENT:ENV,ifconfig_netmask=255.255.254.0
>CLIENT:ENV,ifconfig_broadcast=10.8.1.255
>CLIENT:ENV,ifconfig_ipv6_local=2001:db8:0:123::1
>CLIENT:ENV,ifconfig_ipv6_netbits=64
>CLIENT:ENV,ifconfig_ipv6_remote=2001:db8:0:123::2
>CLIENT:ENV,script_context=init
>CLIENT:ENV,tun_mtu=1500
>CLIENT:ENV,link_mtu=1621
>CLIENT:ENV,dev=tun0
>CLIENT:ENV,dev_type=tun
>CLIENT:ENV,redirect_gateway=0
>CLIENT:ENV,END
>LOG:1647619552,,192.168.0.33:57199 PUSH: Received control message: 'PUSH_REQUEST'
>LOG:1647619552,,192.168.0.33:57199 SENT CONTROL [UNDEF]: 'PUSH_REPLY,dhcp-option DNS 1.1.1.1,dhcp-option DNS 1.0.0.1,redirect-gateway def1 ipv6 bypass-dhcp,route 192.168.0.0 255.255.0.0 net_gateway,route-ipv6 ::/0,explicit-exit-notify 2,tun-ipv6,route-gateway 10.8.0.1,topology subnet,ifconfig-ipv6 2001:db8:0:123::1002/64 2001:db8:0:123::1,ifconfig 10.8.0.4 255.255.254.0,peer-id 0,cipher AES-256-GCM' (status=1)
>LOG:1647619552,,192.168.0.33:57199 Data Channel: using negotiated cipher 'AES-256-GCM'
>LOG:1647619552,,192.168.0.33:57199 Data Channel MTU parms [ L:1549 D:1450 EF:49 EB:406 ET:0 EL:3 ]
>LOG:1647619552,,192.168.0.33:57199 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
>LOG:1647619552,,192.168.0.33:57199 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Finally, these are the ip6tables rules on the server, which I've set up to drop 'FORWARD' and 'OUTPUT' traffic:


-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
If I change the 'INPUT' rule to '-P INPUT DROP' then I can no longer ping my server's IPv6 (all others still accessible), although that counts for outside the tunnel as well so it doesn't really solve anything. Is there anything that stands out in my configuration that I'm doing wrong? Thanks.

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Blocking ipv6 traffic through tunnel (no public ipv6 address)

Post by TinCanTech » Fri Mar 18, 2022 4:24 pm

Letalis wrote:
Fri Mar 18, 2022 4:16 pm
Is there anything that stands out in my configuration that I'm doing wrong?
Letalis wrote:
Fri Mar 18, 2022 4:16 pm
I am connecting from another machine that is also on my LAN
That does not work the way you expect ..

Use the 'block-local' and 'ipv6' flags for --redirect-gateway def1 .. it may take a while to figure it out.

https://community.openvpn.net/openvpn/w ... nPage#lbAR

Letalis
OpenVPN User
Posts: 47
Joined: Mon Sep 14, 2020 11:46 am

Re: Blocking ipv6 traffic through tunnel, LAN still accessible

Post by Letalis » Fri Mar 18, 2022 4:45 pm

I've just added block-local (I already had ipv6 flag), and I'm still able to ping other machines on my network, so no change there. Is there anything else I could try?

Also, why do I need "block-local"? Does pushing a route of "::/0" not include my LAN without the option? I would have figured that having the "ipv6" option in "redirect-gateway" and my pushed route of "::/0" would cover all traffic. Is this not the case?

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Blocking ipv6 traffic through tunnel, LAN still accessible

Post by TinCanTech » Fri Mar 18, 2022 5:29 pm

Letalis wrote:
Fri Mar 18, 2022 4:45 pm
I've just added block-local (I already had ipv6 flag), and I'm still able to ping other machines on my network
Can you post your client log at --verb 4?

Letalis
OpenVPN User
Posts: 47
Joined: Mon Sep 14, 2020 11:46 am

Re: Blocking ipv6 traffic through tunnel, LAN still accessible

Post by Letalis » Fri Mar 18, 2022 5:38 pm

Client log:


2022-03-18 17:32:46 us=772997 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2022-03-18 17:32:46 us=774513 WARNING: file 'user.centri' is group or others accessible
2022-03-18 17:32:46 us=774630 Current Parameter Settings:
2022-03-18 17:32:46 us=774701   config = 'client.ovpn'
2022-03-18 17:32:46 us=774771   mode = 0
2022-03-18 17:32:46 us=774837   persist_config = DISABLED
2022-03-18 17:32:46 us=775299   persist_mode = 1
2022-03-18 17:32:46 us=775369   show_ciphers = DISABLED
2022-03-18 17:32:46 us=775437   show_digests = DISABLED
2022-03-18 17:32:46 us=775503   show_engines = DISABLED
2022-03-18 17:32:46 us=775569   genkey = DISABLED
2022-03-18 17:32:46 us=775635   genkey_filename = '[UNDEF]'
2022-03-18 17:32:46 us=775701   key_pass_file = '[UNDEF]'
2022-03-18 17:32:46 us=775767   show_tls_ciphers = DISABLED
2022-03-18 17:32:46 us=775833   connect_retry_max = 0
2022-03-18 17:32:46 us=775901 Connection profiles [0]:
2022-03-18 17:32:46 us=775967   proto = udp
2022-03-18 17:32:46 us=776033   local = '[UNDEF]'
2022-03-18 17:32:46 us=776098   local_port = '[UNDEF]'
2022-03-18 17:32:46 us=776163   remote = '192.168.0.27'
2022-03-18 17:32:46 us=776229   remote_port = '69'
2022-03-18 17:32:46 us=776294   remote_float = DISABLED
2022-03-18 17:32:46 us=776360   bind_defined = DISABLED
2022-03-18 17:32:46 us=776426   bind_local = DISABLED
2022-03-18 17:32:46 us=776492   bind_ipv6_only = DISABLED
2022-03-18 17:32:46 us=776558   connect_retry_seconds = 5
2022-03-18 17:32:46 us=776624   connect_timeout = 120
2022-03-18 17:32:46 us=776690   socks_proxy_server = '[UNDEF]'
2022-03-18 17:32:46 us=776756   socks_proxy_port = '[UNDEF]'
2022-03-18 17:32:46 us=776822   tun_mtu = 1500
2022-03-18 17:32:46 us=776888   tun_mtu_defined = ENABLED
2022-03-18 17:32:46 us=776953   link_mtu = 1500
2022-03-18 17:32:46 us=777018   link_mtu_defined = DISABLED
2022-03-18 17:32:46 us=777085   tun_mtu_extra = 0
2022-03-18 17:32:46 us=777150   tun_mtu_extra_defined = DISABLED
2022-03-18 17:32:46 us=777217   mtu_discover_type = -1
2022-03-18 17:32:46 us=777283   fragment = 0
2022-03-18 17:32:46 us=777347   mssfix = 1450
2022-03-18 17:32:46 us=777413   explicit_exit_notification = 2
2022-03-18 17:32:46 us=777479   tls_auth_file = '[UNDEF]'
2022-03-18 17:32:46 us=777545   key_direction = not set
2022-03-18 17:32:46 us=777611   tls_crypt_file = '[INLINE]'
2022-03-18 17:32:46 us=777678   tls_crypt_v2_file = '[UNDEF]'
2022-03-18 17:32:46 us=777744 Connection profiles END
2022-03-18 17:32:46 us=777810   remote_random = ENABLED
2022-03-18 17:32:46 us=777875   ipchange = '[UNDEF]'
2022-03-18 17:32:46 us=777940   dev = 'tun'
2022-03-18 17:32:46 us=778005   dev_type = '[UNDEF]'
2022-03-18 17:32:46 us=778071   dev_node = '[UNDEF]'
2022-03-18 17:32:46 us=778137   lladdr = '[UNDEF]'
2022-03-18 17:32:46 us=778202   topology = 1
2022-03-18 17:32:46 us=778267   ifconfig_local = '[UNDEF]'
2022-03-18 17:32:46 us=778365   ifconfig_remote_netmask = '[UNDEF]'
2022-03-18 17:32:46 us=778451   ifconfig_noexec = DISABLED
2022-03-18 17:32:46 us=778519   ifconfig_nowarn = DISABLED
2022-03-18 17:32:46 us=778586   ifconfig_ipv6_local = '[UNDEF]'
2022-03-18 17:32:46 us=778653   ifconfig_ipv6_netbits = 0
2022-03-18 17:32:46 us=778719   ifconfig_ipv6_remote = '[UNDEF]'
2022-03-18 17:32:46 us=778786   shaper = 0
2022-03-18 17:32:46 us=778853   mtu_test = 0
2022-03-18 17:32:46 us=778917   mlock = DISABLED
2022-03-18 17:32:46 us=778983   keepalive_ping = 0
2022-03-18 17:32:46 us=779049   keepalive_timeout = 0
2022-03-18 17:32:46 us=779115   inactivity_timeout = 0
2022-03-18 17:32:46 us=779182   ping_send_timeout = 30
2022-03-18 17:32:46 us=779248   ping_rec_timeout = 0
2022-03-18 17:32:46 us=779314   ping_rec_timeout_action = 0
2022-03-18 17:32:46 us=779380   ping_timer_remote = DISABLED
2022-03-18 17:32:46 us=779445   remap_sigusr1 = 0
2022-03-18 17:32:46 us=779511   persist_tun = ENABLED
2022-03-18 17:32:46 us=779577   persist_local_ip = DISABLED
2022-03-18 17:32:46 us=779642   persist_remote_ip = DISABLED
2022-03-18 17:32:46 us=779708   persist_key = ENABLED
2022-03-18 17:32:46 us=779773   passtos = DISABLED
2022-03-18 17:32:46 us=779839   resolve_retry_seconds = 1000000000
2022-03-18 17:32:46 us=779904   resolve_in_advance = DISABLED
2022-03-18 17:32:46 us=779971   username = '[UNDEF]'
2022-03-18 17:32:46 us=780036   groupname = '[UNDEF]'
2022-03-18 17:32:46 us=780101   chroot_dir = '[UNDEF]'
2022-03-18 17:32:46 us=780167   cd_dir = '[UNDEF]'
2022-03-18 17:32:46 us=780232   writepid = '[UNDEF]'
2022-03-18 17:32:46 us=780297   up_script = '[UNDEF]'
2022-03-18 17:32:46 us=780362   down_script = '[UNDEF]'
2022-03-18 17:32:46 us=780427   down_pre = DISABLED
2022-03-18 17:32:46 us=780492   up_restart = DISABLED
2022-03-18 17:32:46 us=780557   up_delay = DISABLED
2022-03-18 17:32:46 us=780623   daemon = DISABLED
2022-03-18 17:32:46 us=780688   inetd = 0
2022-03-18 17:32:46 us=780752   log = DISABLED
2022-03-18 17:32:46 us=780818   suppress_timestamps = DISABLED
2022-03-18 17:32:46 us=780883   machine_readable_output = DISABLED
2022-03-18 17:32:46 us=780949   nice = 0
2022-03-18 17:32:46 us=781014   verbosity = 4
2022-03-18 17:32:46 us=781142   mute = 0
2022-03-18 17:32:46 us=781208   gremlin = 0
2022-03-18 17:32:46 us=781273   status_file = '[UNDEF]'
2022-03-18 17:32:46 us=781339   status_file_version = 1
2022-03-18 17:32:46 us=782117   status_file_update_freq = 60
2022-03-18 17:32:46 us=782192   occ = ENABLED
2022-03-18 17:32:46 us=782259   rcvbuf = 0
2022-03-18 17:32:46 us=782458   sndbuf = 0
2022-03-18 17:32:46 us=782527   mark = 0
2022-03-18 17:32:46 us=782594   sockflags = 0
2022-03-18 17:32:46 us=782660   fast_io = DISABLED
2022-03-18 17:32:46 us=782727   comp.alg = 0
2022-03-18 17:32:46 us=782793   comp.flags = 0
2022-03-18 17:32:46 us=782859   route_script = '[UNDEF]'
2022-03-18 17:32:46 us=782926   route_default_gateway = '[UNDEF]'
2022-03-18 17:32:46 us=783495   route_default_metric = 0
2022-03-18 17:32:46 us=783696   route_noexec = DISABLED
2022-03-18 17:32:46 us=783766   route_delay = 0
2022-03-18 17:32:46 us=783834   route_delay_window = 30
2022-03-18 17:32:46 us=783901   route_delay_defined = DISABLED
2022-03-18 17:32:46 us=783968   route_nopull = DISABLED
2022-03-18 17:32:46 us=784034   route_gateway_via_dhcp = DISABLED
2022-03-18 17:32:46 us=784101   allow_pull_fqdn = DISABLED
2022-03-18 17:32:46 us=784169   management_addr = '[UNDEF]'
2022-03-18 17:32:46 us=784235   management_port = '[UNDEF]'
2022-03-18 17:32:46 us=784302   management_user_pass = '[UNDEF]'
2022-03-18 17:32:46 us=784371   management_log_history_cache = 250
2022-03-18 17:32:46 us=784438   management_echo_buffer_size = 100
2022-03-18 17:32:46 us=784506   management_write_peer_info_file = '[UNDEF]'
2022-03-18 17:32:46 us=784574   management_client_user = '[UNDEF]'
2022-03-18 17:32:46 us=784642   management_client_group = '[UNDEF]'
2022-03-18 17:32:46 us=784709   management_flags = 0
2022-03-18 17:32:46 us=784776   shared_secret_file = '[UNDEF]'
2022-03-18 17:32:46 us=784845   key_direction = not set
2022-03-18 17:32:46 us=784910   ciphername = 'AES-256-CBC'
2022-03-18 17:32:46 us=784976   ncp_enabled = ENABLED
2022-03-18 17:32:46 us=785043   ncp_ciphers = 'AES-256-GCM:AES-128-GCM:AES-256-CBC'
2022-03-18 17:32:46 us=785111   authname = 'SHA512'
2022-03-18 17:32:46 us=785177   prng_hash = 'SHA1'
2022-03-18 17:32:46 us=785245   prng_nonce_secret_len = 16
2022-03-18 17:32:46 us=785310   keysize = 0
2022-03-18 17:32:46 us=785376   engine = DISABLED
2022-03-18 17:32:46 us=785442   replay = ENABLED
2022-03-18 17:32:46 us=785509   mute_replay_warnings = DISABLED
2022-03-18 17:32:46 us=785576   replay_window = 64
2022-03-18 17:32:46 us=785642   replay_time = 15
2022-03-18 17:32:46 us=785708   packet_id_file = '[UNDEF]'
2022-03-18 17:32:46 us=785774   test_crypto = DISABLED
2022-03-18 17:32:46 us=785841   tls_server = DISABLED
2022-03-18 17:32:46 us=785907   tls_client = ENABLED
2022-03-18 17:32:46 us=785974   ca_file = '[INLINE]'
2022-03-18 17:32:46 us=786040   ca_path = '[UNDEF]'
2022-03-18 17:32:46 us=786106   dh_file = '[UNDEF]'
2022-03-18 17:32:46 us=786173   cert_file = '[INLINE]'
2022-03-18 17:32:46 us=786241   extra_certs_file = '[UNDEF]'
2022-03-18 17:32:46 us=786335   priv_key_file = '[INLINE]'
2022-03-18 17:32:46 us=786403   pkcs12_file = '[UNDEF]'
2022-03-18 17:32:46 us=786486   cipher_list = '[UNDEF]'
2022-03-18 17:32:46 us=786553   cipher_list_tls13 = '[UNDEF]'
2022-03-18 17:32:46 us=786620   tls_cert_profile = '[UNDEF]'
2022-03-18 17:32:46 us=786686   tls_verify = '[UNDEF]'
2022-03-18 17:32:46 us=786752   tls_export_cert = '[UNDEF]'
2022-03-18 17:32:46 us=786819   verify_x509_type = 0
2022-03-18 17:32:46 us=786885   verify_x509_name = '[UNDEF]'
2022-03-18 17:32:46 us=786952   crl_file = '[UNDEF]'
2022-03-18 17:32:46 us=787018   ns_cert_type = 0
2022-03-18 17:32:46 us=787086   remote_cert_ku[i] = 65535
2022-03-18 17:32:46 us=787153   remote_cert_ku[i] = 0
2022-03-18 17:32:46 us=787221   remote_cert_ku[i] = 0
2022-03-18 17:32:46 us=787287   remote_cert_ku[i] = 0
2022-03-18 17:32:46 us=787353   remote_cert_ku[i] = 0
2022-03-18 17:32:46 us=787419   remote_cert_ku[i] = 0
2022-03-18 17:32:46 us=787485   remote_cert_ku[i] = 0
2022-03-18 17:32:46 us=787551   remote_cert_ku[i] = 0
2022-03-18 17:32:46 us=787618   remote_cert_ku[i] = 0
2022-03-18 17:32:46 us=787684   remote_cert_ku[i] = 0
2022-03-18 17:32:46 us=787750   remote_cert_ku[i] = 0
2022-03-18 17:32:46 us=787816   remote_cert_ku[i] = 0
2022-03-18 17:32:46 us=787883   remote_cert_ku[i] = 0
2022-03-18 17:32:46 us=787949   remote_cert_ku[i] = 0
2022-03-18 17:32:46 us=788015   remote_cert_ku[i] = 0
2022-03-18 17:32:46 us=788081   remote_cert_ku[i] = 0
2022-03-18 17:32:46 us=788149   remote_cert_eku = 'TLS Web Server Authentication'
2022-03-18 17:32:46 us=788217   ssl_flags = 0
2022-03-18 17:32:46 us=788283   tls_timeout = 2
2022-03-18 17:32:46 us=788350   renegotiate_bytes = -1
2022-03-18 17:32:46 us=788416   renegotiate_packets = 0
2022-03-18 17:32:46 us=788483   renegotiate_seconds = 3600
2022-03-18 17:32:46 us=788549   handshake_window = 60
2022-03-18 17:32:46 us=788616   transition_window = 3600
2022-03-18 17:32:46 us=788682   single_session = DISABLED
2022-03-18 17:32:46 us=788748   push_peer_info = DISABLED
2022-03-18 17:32:46 us=788815   tls_exit = DISABLED
2022-03-18 17:32:46 us=788880   tls_crypt_v2_metadata = '[UNDEF]'
2022-03-18 17:32:46 us=788948   pkcs11_protected_authentication = DISABLED
2022-03-18 17:32:46 us=789015   pkcs11_protected_authentication = DISABLED
2022-03-18 17:32:46 us=789084   pkcs11_protected_authentication = DISABLED
2022-03-18 17:32:46 us=789151   pkcs11_protected_authentication = DISABLED
2022-03-18 17:32:46 us=789218   pkcs11_protected_authentication = DISABLED
2022-03-18 17:32:46 us=789284   pkcs11_protected_authentication = DISABLED
2022-03-18 17:32:46 us=789351   pkcs11_protected_authentication = DISABLED
2022-03-18 17:32:46 us=789417   pkcs11_protected_authentication = DISABLED
2022-03-18 17:32:46 us=789485   pkcs11_protected_authentication = DISABLED
2022-03-18 17:32:46 us=789552   pkcs11_protected_authentication = DISABLED
2022-03-18 17:32:46 us=789619   pkcs11_protected_authentication = DISABLED
2022-03-18 17:32:46 us=789686   pkcs11_protected_authentication = DISABLED
2022-03-18 17:32:46 us=789752   pkcs11_protected_authentication = DISABLED
2022-03-18 17:32:46 us=789819   pkcs11_protected_authentication = DISABLED
2022-03-18 17:32:46 us=789886   pkcs11_protected_authentication = DISABLED
2022-03-18 17:32:46 us=789953   pkcs11_protected_authentication = DISABLED
2022-03-18 17:32:46 us=790022   pkcs11_private_mode = 00000000
2022-03-18 17:32:46 us=790089   pkcs11_private_mode = 00000000
2022-03-18 17:32:46 us=790157   pkcs11_private_mode = 00000000
2022-03-18 17:32:46 us=790224   pkcs11_private_mode = 00000000
2022-03-18 17:32:46 us=790290   pkcs11_private_mode = 00000000
2022-03-18 17:32:46 us=790357   pkcs11_private_mode = 00000000
2022-03-18 17:32:46 us=790425   pkcs11_private_mode = 00000000
2022-03-18 17:32:46 us=790492   pkcs11_private_mode = 00000000
2022-03-18 17:32:46 us=790560   pkcs11_private_mode = 00000000
2022-03-18 17:32:46 us=790627   pkcs11_private_mode = 00000000
2022-03-18 17:32:46 us=790694   pkcs11_private_mode = 00000000
2022-03-18 17:32:46 us=790762   pkcs11_private_mode = 00000000
2022-03-18 17:32:46 us=790829   pkcs11_private_mode = 00000000
2022-03-18 17:32:46 us=790895   pkcs11_private_mode = 00000000
2022-03-18 17:32:46 us=790962   pkcs11_private_mode = 00000000
2022-03-18 17:32:46 us=791053   pkcs11_private_mode = 00000000
2022-03-18 17:32:46 us=791123   pkcs11_cert_private = DISABLED
2022-03-18 17:32:46 us=791189   pkcs11_cert_private = DISABLED
2022-03-18 17:32:46 us=791256   pkcs11_cert_private = DISABLED
2022-03-18 17:32:46 us=791321   pkcs11_cert_private = DISABLED
2022-03-18 17:32:46 us=791388   pkcs11_cert_private = DISABLED
2022-03-18 17:32:46 us=791454   pkcs11_cert_private = DISABLED
2022-03-18 17:32:46 us=791521   pkcs11_cert_private = DISABLED
2022-03-18 17:32:46 us=791587   pkcs11_cert_private = DISABLED
2022-03-18 17:32:46 us=792223   pkcs11_cert_private = DISABLED
2022-03-18 17:32:46 us=792297   pkcs11_cert_private = DISABLED
2022-03-18 17:32:46 us=792997   pkcs11_cert_private = DISABLED
2022-03-18 17:32:46 us=793071   pkcs11_cert_private = DISABLED
2022-03-18 17:32:46 us=793236   pkcs11_cert_private = DISABLED
2022-03-18 17:32:46 us=793306   pkcs11_cert_private = DISABLED
2022-03-18 17:32:46 us=793375   pkcs11_cert_private = DISABLED
2022-03-18 17:32:46 us=793442   pkcs11_cert_private = DISABLED
2022-03-18 17:32:46 us=793510   pkcs11_pin_cache_period = -1
2022-03-18 17:32:46 us=793577   pkcs11_id = '[UNDEF]'
2022-03-18 17:32:46 us=793644   pkcs11_id_management = DISABLED
2022-03-18 17:32:46 us=793718   server_network = 0.0.0.0
2022-03-18 17:32:46 us=793791   server_netmask = 0.0.0.0
2022-03-18 17:32:46 us=793961   server_network_ipv6 = ::
2022-03-18 17:32:46 us=794032   server_netbits_ipv6 = 0
2022-03-18 17:32:46 us=794105   server_bridge_ip = 0.0.0.0
2022-03-18 17:32:46 us=794177   server_bridge_netmask = 0.0.0.0
2022-03-18 17:32:46 us=794249   server_bridge_pool_start = 0.0.0.0
2022-03-18 17:32:46 us=794347   server_bridge_pool_end = 0.0.0.0
2022-03-18 17:32:46 us=794415   ifconfig_pool_defined = DISABLED
2022-03-18 17:32:46 us=794505   ifconfig_pool_start = 0.0.0.0
2022-03-18 17:32:46 us=794588   ifconfig_pool_end = 0.0.0.0
2022-03-18 17:32:46 us=794662   ifconfig_pool_netmask = 0.0.0.0
2022-03-18 17:32:46 us=794730   ifconfig_pool_persist_filename = '[UNDEF]'
2022-03-18 17:32:46 us=794798   ifconfig_pool_persist_refresh_freq = 600
2022-03-18 17:32:46 us=794866   ifconfig_ipv6_pool_defined = DISABLED
2022-03-18 17:32:46 us=794938   ifconfig_ipv6_pool_base = ::
2022-03-18 17:32:46 us=795005   ifconfig_ipv6_pool_netbits = 0
2022-03-18 17:32:46 us=795072   n_bcast_buf = 256
2022-03-18 17:32:46 us=795139   tcp_queue_limit = 64
2022-03-18 17:32:46 us=795205   real_hash_size = 256
2022-03-18 17:32:46 us=795271   virtual_hash_size = 256
2022-03-18 17:32:46 us=795337   client_connect_script = '[UNDEF]'
2022-03-18 17:32:46 us=795404   learn_address_script = '[UNDEF]'
2022-03-18 17:32:46 us=795470   client_disconnect_script = '[UNDEF]'
2022-03-18 17:32:46 us=795537   client_config_dir = '[UNDEF]'
2022-03-18 17:32:46 us=795603   ccd_exclusive = DISABLED
2022-03-18 17:32:46 us=795669   tmp_dir = '/tmp'
2022-03-18 17:32:46 us=795737   push_ifconfig_defined = DISABLED
2022-03-18 17:32:46 us=795809   push_ifconfig_local = 0.0.0.0
2022-03-18 17:32:46 us=795882   push_ifconfig_remote_netmask = 0.0.0.0
2022-03-18 17:32:46 us=795950   push_ifconfig_ipv6_defined = DISABLED
2022-03-18 17:32:46 us=796023   push_ifconfig_ipv6_local = ::/0
2022-03-18 17:32:46 us=796093   push_ifconfig_ipv6_remote = ::
2022-03-18 17:32:46 us=796160   enable_c2c = DISABLED
2022-03-18 17:32:46 us=796226   duplicate_cn = DISABLED
2022-03-18 17:32:46 us=796293   cf_max = 0
2022-03-18 17:32:46 us=796360   cf_per = 0
2022-03-18 17:32:46 us=796425   max_clients = 1024
2022-03-18 17:32:46 us=796491   max_routes_per_client = 256
2022-03-18 17:32:46 us=796558   auth_user_pass_verify_script = '[UNDEF]'
2022-03-18 17:32:46 us=796626   auth_user_pass_verify_script_via_file = DISABLED
2022-03-18 17:32:46 us=796694   auth_token_generate = DISABLED
2022-03-18 17:32:46 us=796761   auth_token_lifetime = 0
2022-03-18 17:32:46 us=796827   auth_token_secret_file = '[UNDEF]'
2022-03-18 17:32:46 us=796894   port_share_host = '[UNDEF]'
2022-03-18 17:32:46 us=796961   port_share_port = '[UNDEF]'
2022-03-18 17:32:46 us=797027   vlan_tagging = DISABLED
2022-03-18 17:32:46 us=797094   vlan_accept = all
2022-03-18 17:32:46 us=797160   vlan_pvid = 1
2022-03-18 17:32:46 us=797226   client = ENABLED
2022-03-18 17:32:46 us=797292   pull = ENABLED
2022-03-18 17:32:46 us=797359   auth_user_pass_file = 'user.centri'
2022-03-18 17:32:46 us=797434 OpenVPN 2.5.1 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2021
2022-03-18 17:32:46 us=797540 library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.10
2022-03-18 17:32:46 us=805571 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2022-03-18 17:32:46 us=805776 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2022-03-18 17:32:46 us=805865 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2022-03-18 17:32:46 us=805959 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2022-03-18 17:32:46 us=806405 Control Channel MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
2022-03-18 17:32:46 us=806601 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
2022-03-18 17:32:46 us=806782 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
2022-03-18 17:32:46 us=806854 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
2022-03-18 17:32:46 us=806947 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.0.27:69
2022-03-18 17:32:46 us=807073 Socket Buffers: R=[180224->180224] S=[180224->180224]
2022-03-18 17:32:46 us=807142 UDP link local: (not bound)
2022-03-18 17:32:46 us=807215 UDP link remote: [AF_INET]192.168.0.27:69
2022-03-18 17:32:46 us=822689 TLS: Initial packet from [AF_INET]192.168.0.27:69, sid=4198bbc5 7fbd2bd4
2022-03-18 17:32:46 us=840177 VERIFY OK: depth=1, CN=ChangeMe
2022-03-18 17:32:46 us=841764 VERIFY KU OK
2022-03-18 17:32:46 us=841847 Validating certificate extended key usage
2022-03-18 17:32:46 us=841894 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2022-03-18 17:32:46 us=841935 VERIFY EKU OK
2022-03-18 17:32:46 us=841973 VERIFY OK: depth=0, CN=server
2022-03-18 17:32:49 us=306557 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
2022-03-18 17:32:49 us=306823 [server] Peer Connection Initiated with [AF_INET]192.168.0.27:69
2022-03-18 17:32:50 us=448349 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2022-03-18 17:32:50 us=459124 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 1.1.1.1,dhcp-option DNS 1.0.0.1,redirect-gateway block-local def1 ipv6 bypass-dhcp,route 192.168.0.0 255.255.0.0 net_gateway,route-ipv6 ::/0,explicit-exit-notify 2,tun-ipv6,route-gateway 10.8.0.1,topology subnet,ifconfig-ipv6 2001:db8:0:123::1001/64 2001:db8:0:123::1,ifconfig 10.8.0.3 255.255.254.0,peer-id 0,cipher AES-256-GCM'
2022-03-18 17:32:50 us=460003 OPTIONS IMPORT: explicit notify parm(s) modified
2022-03-18 17:32:50 us=460123 OPTIONS IMPORT: --ifconfig/up options modified
2022-03-18 17:32:50 us=460199 OPTIONS IMPORT: route options modified
2022-03-18 17:32:50 us=460272 OPTIONS IMPORT: route-related options modified
2022-03-18 17:32:50 us=460345 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2022-03-18 17:32:50 us=460419 OPTIONS IMPORT: peer-id set
2022-03-18 17:32:50 us=461013 OPTIONS IMPORT: adjusting link_mtu to 1624
2022-03-18 17:32:50 us=461760 OPTIONS IMPORT: data channel crypto options modified
2022-03-18 17:32:50 us=461975 Data Channel: using negotiated cipher 'AES-256-GCM'
2022-03-18 17:32:50 us=462360 Data Channel MTU parms [ L:1552 D:1450 EF:52 EB:406 ET:0 EL:3 ]
2022-03-18 17:32:50 us=463658 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-03-18 17:32:50 us=463766 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-03-18 17:32:50 us=464013 net_route_v4_best_gw query: dst 0.0.0.0
2022-03-18 17:32:50 us=464658 net_route_v4_best_gw result: via 192.168.0.1 dev wlan0
2022-03-18 17:32:50 us=464902 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=wlan0 HWADDR=b8:27:eb:f6:86:e6
2022-03-18 17:32:50 us=465105 GDG6: remote_host_ipv6=n/a
2022-03-18 17:32:50 us=465184 net_route_v6_best_gw query: dst ::
2022-03-18 17:32:50 us=465400 sitnl_send: rtnl: generic error (-101): Network is unreachable
2022-03-18 17:32:50 us=465535 ROUTE6: default_gateway=UNDEF
2022-03-18 17:32:50 us=468248 TUN/TAP device tun0 opened
2022-03-18 17:32:50 us=469119 do_ifconfig, ipv4=1, ipv6=1
2022-03-18 17:32:50 us=469398 net_iface_mtu_set: mtu 1500 for tun0
2022-03-18 17:32:50 us=469849 net_iface_up: set tun0 up
2022-03-18 17:32:50 us=471150 net_addr_v4_add: 10.8.0.3/23 dev tun0
2022-03-18 17:32:50 us=472019 net_iface_mtu_set: mtu 1500 for tun0
2022-03-18 17:32:50 us=472438 net_iface_up: set tun0 up
2022-03-18 17:32:50 us=472774 net_addr_v6_add: 2001:db8:0:123::1001/64 dev tun0
2022-03-18 17:32:50 us=474138 net_route_v4_add: 192.168.0.27/32 via 192.168.0.1 dev wlan0 table 0 metric -1
2022-03-18 17:32:50 us=474849 net_route_v4_add: 0.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1
2022-03-18 17:32:50 us=475303 net_route_v4_add: 128.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1
2022-03-18 17:32:50 us=475685 net_route_v4_add: 192.168.0.0/16 via 192.168.0.1 dev [NULL] table 0 metric -1
2022-03-18 17:32:50 us=476053 add_route_ipv6(::/0 -> 2001:db8:0:123::1 metric -1) dev tun0
2022-03-18 17:32:50 us=476151 net_route_v6_add: ::/0 via :: dev tun0 table 0 metric -1
2022-03-18 17:32:50 us=476644 add_route_ipv6(::/3 -> 2001:db8:0:123::1 metric -1) dev tun0
2022-03-18 17:32:50 us=476760 net_route_v6_add: ::/3 via :: dev tun0 table 0 metric -1
2022-03-18 17:32:50 us=477321 add_route_ipv6(2000::/4 -> 2001:db8:0:123::1 metric -1) dev tun0
2022-03-18 17:32:50 us=477445 net_route_v6_add: 2000::/4 via :: dev tun0 table 0 metric -1
2022-03-18 17:32:50 us=477976 add_route_ipv6(3000::/4 -> 2001:db8:0:123::1 metric -1) dev tun0
2022-03-18 17:32:50 us=478097 net_route_v6_add: 3000::/4 via :: dev tun0 table 0 metric -1
2022-03-18 17:32:50 us=478659 add_route_ipv6(fc00::/7 -> 2001:db8:0:123::1 metric -1) dev tun0
2022-03-18 17:32:50 us=478780 net_route_v6_add: fc00::/7 via :: dev tun0 table 0 metric -1
2022-03-18 17:32:50 us=479277 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2022-03-18 17:32:50 us=479397 Initialization Sequence Completed
The line '2022-03-18 17:32:50 us=465400 sitnl_send: rtnl: generic error (-101): Network is unreachable' stands out. When I remove the 'push "route-ipv6"' line, and take the 'ipv6' option out of the 'redirect-gateway' line, the error disappears. The only IPv6 related option I can keep without throwing this error is the one that gives the pool: 'server-ipv6'. IPv6 is enabled on both server and client.

By the looks of it, it wants an IPv6 default gateway. Are no routes able to be taken if I don't have an IPv6 gateway for the internet?

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Blocking ipv6 traffic through tunnel, LAN still accessible

Post by TinCanTech » Fri Mar 18, 2022 9:13 pm

Your version is:
  • OpenVPN 2.5.1 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2021
I'm not actually sure if that version can do ipv6 and block-local correctly.

You can test it thoroughly and let us know the results, you are now part of the solution. :mrgreen:

Letalis
OpenVPN User
Posts: 47
Joined: Mon Sep 14, 2020 11:46 am

Re: Blocking ipv6 traffic through tunnel, LAN still accessible

Post by Letalis » Sat Mar 19, 2022 2:21 pm

Ah I see. I've just realised my server was running 2.4.7 too, so I've updated the client and server openvpn versions both to 2.5.6 as I don't see the point in trying to troubleshoot very outdated versions. Now I get a new message upon connection with my server log at verb 4:

Code: Select all

MULTI: multi_create_instance called
192.168.0.14:56730 Re-using SSL/TLS context
192.168.0.14:56730 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
192.168.0.14:56730 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
192.168.0.14:56730 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
192.168.0.14:56730 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
192.168.0.14:56730 Control Channel MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
192.168.0.14:56730 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
192.168.0.14:56730 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
192.168.0.14:56730 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
192.168.0.14:56730 TLS: Initial packet from [AF_INET]192.168.0.14:56730, sid=0b357cb5 2e5036cb
192.168.0.14:56730 peer info: IV_VER=2.5.6
192.168.0.14:56730 peer info: IV_PLAT=win
192.168.0.14:56730 peer info: IV_PROTO=6
192.168.0.14:56730 peer info: IV_NCP=2
192.168.0.14:56730 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:AES-256-CBC
192.168.0.14:56730 peer info: IV_LZ4=1
192.168.0.14:56730 peer info: IV_LZ4v2=1
192.168.0.14:56730 peer info: IV_LZO=1
192.168.0.14:56730 peer info: IV_COMP_STUB=1
192.168.0.14:56730 peer info: IV_COMP_STUBv2=1
192.168.0.14:56730 peer info: IV_TCPNL=1
192.168.0.14:56730 TLS: Username/Password authentication succeeded for username 'user'
192.168.0.14:56730 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384
192.168.0.14:56730 [] Peer Connection Initiated with [AF_INET]192.168.0.14:56730
192.168.0.14:56730 MULTI_sva: pool returned IPv4=10.8.0.3, IPv6=2001:db8:0:123::1001
192.168.0.14:56730 MULTI: Learn: 10.8.0.3 -> 192.168.0.14:56730
192.168.0.14:56730 MULTI: primary virtual IP for 192.168.0.14:56730: 10.8.0.3
Illegal "match"
Illegal "match"
192.168.0.14:56730 MULTI: Learn: 2001:db8:0:123::1001 -> 192.168.0.14:56730
192.168.0.14:56730 MULTI: primary virtual IPv6 for 192.168.0.14:56730: 2001:db8:0:123::1001
192.168.0.14:56730 Data Channel: using negotiated cipher 'AES-256-GCM'
192.168.0.14:56730 Data Channel MTU parms [ L:1549 D:1450 EF:49 EB:406 ET:0 EL:3 ]
192.168.0.14:56730 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
192.168.0.14:56730 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
192.168.0.14:56730 SENT CONTROL [UNDEF]: 'PUSH_REPLY,dhcp-option DNS 1.1.1.1,dhcp-option DNS 1.0.0.1,redirect-gateway def1 ipv6 bypass-dhcp,route 192.168.0.0 255.255.0.0 net_gateway,route-ipv6 ::/0,explicit-exit-notify 2,tun-ipv6,route-gateway 10.8.0.1,topology subnet,ifconfig-ipv6 2001:db8:0:123::1001/64 2001:db8:0:123::1,ifconfig 10.8.0.3 255.255.254.0,peer-id 0,cipher AES-256-GCM' (status=1)
192.168.0.14:56730 MULTI: bad source address from client [::], packet dropped
192.168.0.14:56730 MULTI: bad source address from client [::], packet dropped
Illegal "match"
Illegal "match"
I've read that the 'bad source address from client [::]' message happens as OpenVPN doesn't know how to route my IPv6 traffic. But what is incorrect in my server configuration that's causing this? As far as I'm aware the ipv6 server pool is valid. Do I need to add some extra routing for the pool subnet? As for the 'illegal "match"' error I've got no idea...

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Blocking ipv6 traffic through tunnel, LAN still accessible

Post by TinCanTech » Sat Mar 19, 2022 2:56 pm

Letalis wrote:
Sat Mar 19, 2022 2:21 pm
MULTI: bad source address from client [::], packet dropped
You can safely ignore this.
Letalis wrote:
Sat Mar 19, 2022 2:21 pm
Illegal "match"
I have never seen that before.

Try removing

Code: Select all

push "route-ipv6 ::/0"

openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: Blocking ipv6 traffic through tunnel, LAN still accessible

Post by openvpn_inc » Sat Mar 19, 2022 2:58 pm

Hi Let,

A default route (::/0 or 0.0.0.0/0 for ipv4) is the last route used. It is not used if a more specific route exists which tells the kernel what to do with packets to a certain address. So I think your understanding of routing is wrong.

Blocking those more specific routes is what the --redirect-gateway option's block-local flag does. Read about all the flags for this option in the openvpn(8) manual.

regards, rob0
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

Letalis
OpenVPN User
Posts: 47
Joined: Mon Sep 14, 2020 11:46 am

Re: Blocking ipv6 traffic through tunnel, LAN still accessible

Post by Letalis » Sat Mar 19, 2022 3:42 pm

TinCanTech wrote:
Sat Mar 19, 2022 2:56 pm
Try removing

Code: Select all

push "route-ipv6 ::/0"
Removing the "::/0" has the same error messages. However, after some digging I've found the illegal match error actually comes from tc in a traffic shaping script I have which isn't handling the IPv6 well, but removing the script doesn't change anything and I can still ping the addresses and I still get the other packet dropped message.
openvpn_inc wrote:
Sat Mar 19, 2022 2:58 pm
A default route (::/0 or 0.0.0.0/0 for ipv4) is the last route used. It is not used if a more specific route exists which tells the kernel what to do with packets to a certain address. So I think your understanding of routing is wrong.
As for my understanding of routing, I'm aware that more specific routes are prioritised, but as far as I'm aware I don't have any more specific routes for IPv6, so shouldn't this route the entire ipv6 range through the vpn? The only thing I can think of that could make more specific routes is the ipv6 option in redirect-gateway, but taking that away doesn't change anything.

If not, I've tried using a route for filtering out my LAN subnet with 'push "route-ipv6 fe80::/16"', but I can still ping addresses beginning with fe80 despite my ip6tables rules dropping FORWARD AND OUTPUT meaning I shouldn't be getting any response if the traffic is successfully going through the tunnel. Any ideas?

Letalis
OpenVPN User
Posts: 47
Joined: Mon Sep 14, 2020 11:46 am

Re: Blocking ipv6 traffic through tunnel, LAN still accessible

Post by Letalis » Sat Mar 19, 2022 7:16 pm

It turns out that my client machines actually have other routes for fe80 which probably explains why they aren't going through the tunnel.

In that case, I just have one more issue. When trying to ping google.co.uk from a client connected to the server I get the following message as it's trying to contact the server's local IP in the IPv6 pool:

Code: Select all

From 2001:db8:0:123::1 (2001:db8:0:123::1) icmp_seq=1 Destination unreachable: No route
How do I ensure that internet traffic can get out via IPv4 whilst preventing IPv6 traffic like I have done?
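Rob0's point above (a default route is only used when no more specific route matches) together with the finding that the clients already have their own fe80 routes, as an added illustration that is not part of this thread or of OpenVPN. The route list is constructed from the client log earlier in the thread; the wlan0 link-local and LAN prefixes are assumptions standing in for routes the client's kernel already had.

```python
import ipaddress

# Constructed client routing table modelled on the client log in this thread:
# the routes OpenVPN added via tun0 for "redirect-gateway ipv6" plus
# "route-ipv6 ::/0", and (assumed) routes the kernel already had on wlan0.
CLIENT_ROUTES = [
    ("::/0", "tun0"),                  # pushed route-ipv6 ::/0
    ("::/3", "tun0"),                  # added by redirect-gateway ipv6
    ("2000::/4", "tun0"),
    ("3000::/4", "tun0"),
    ("fc00::/7", "tun0"),
    ("2001:db8:0:123::/64", "tun0"),   # the VPN pool itself, on-link
    ("fe80::/64", "wlan0"),            # link-local: assumed, present on every interface
    ("2001:db8:ffff::/64", "wlan0"),   # constructed LAN prefix, assumed from SLAAC
]


def lookup(dst, routes=CLIENT_ROUTES):
    """Longest-prefix match as the kernel does it: the most specific
    matching route wins; ::/0 only catches what nothing else claims.
    Returns (prefix, device) or None."""
    addr = ipaddress.IPv6Address(dst)
    best = None
    for prefix, dev in routes:
        net = ipaddress.IPv6Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return None if best is None else (str(best[0]), best[1])


def goes_through_tunnel(dst, routes=CLIENT_ROUTES):
    """True only if the winning route points at tun0."""
    hit = lookup(dst, routes)
    return hit is not None and hit[1] == "tun0"


if __name__ == "__main__":
    for dst in ("fe80::1", "2001:db8:ffff::10", "2a00:1450:4009::1", "fd00::1"):
        print(dst, "->", lookup(dst), "tunnel" if goes_through_tunnel(dst) else "LAN")
```

Pinging a LAN host's link-local or on-link global address is answered locally because the /64 on wlan0 beats every tunnel route, while a public address falls to 2000::/4 on tun0.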

openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: Blocking ipv6 traffic through tunnel, LAN still accessible

Post by openvpn_inc » Sat Mar 19, 2022 8:36 pm

Hi,

Removing the "/0" from "::/0" means you get "::/128", just the single address, which also happens to be the network address for ipv6 loopback. I cannot guess what would be sending to or from "::/128".

From the logs it looks like your client was given this address:

Code: Select all

192.168.0.14:56730 MULTI: primary virtual IPv6 for 192.168.0.14:56730: 2001:db8:0:123::1001
2001:db8:0:123::1001. Your icmpv6 destination-unreachable (type 1, code 0) error message was from :1, and it says simply that the server has no route to that destination.

Oh, how to get ipv4 out? You used --redirect-gateway, so the VPN server is going to have to do something with those packets. In a real-life openvpn server setup, the server usually does NAT for those packets. (Please see the HOWTO.) And you might have to do things to force ipv4, such as "ping -4 hostname".

regards, rob0

Letalis
OpenVPN User
Posts: 47
Joined: Mon Sep 14, 2020 11:46 am

Re: Blocking ipv6 traffic through tunnel, LAN still accessible

Post by Letalis » Sat Mar 19, 2022 8:51 pm

I think I've got it figured out. I've changed the push route to just push only the public range 2000::/3 and I changed the server-ipv6 line to use a private range in fc00. The combination of those two things seems to have sorted it and I can still access the internet fine. However, I'll have to test if it properly filters out IPv6 internet traffic when I get a public address. Thanks for all your help.

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Blocking ipv6 traffic through tunnel, LAN still accessible

Post by TinCanTech » Sat Mar 19, 2022 10:08 pm

There is also --block-ipv6 .. in case you need that.

Letalis
OpenVPN User
Posts: 47
Joined: Mon Sep 14, 2020 11:46 am

Re: Blocking ipv6 traffic through tunnel, LAN still accessible

Post by Letalis » Sun Mar 20, 2022 12:39 pm

I can't seem to find a reference for block-ipv6 in the man page, does that stop IPv6 traffic from being sent to the server? If so that's not what I need as I'm wanting to direct it through the tunnel in order to drop it.

Letalis
OpenVPN User
Posts: 47
Joined: Mon Sep 14, 2020 11:46 am

Re: Blocking ipv6 traffic through tunnel, LAN still accessible

Post by Letalis » Sun Mar 20, 2022 12:43 pm

Actually, wait, I've found it in the 2.5 man and it seems to make the server reply with no route, which seems like what I'd be looking for. Does that option apply for the route that I've pushed or just all IPv6 traffic? Eg: using block-ipv6 will make it so my server will reply to anything in the 2000::/3 range with a no route, or will it block more?

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Blocking ipv6 traffic through tunnel, LAN still accessible

Post by TinCanTech » Sun Mar 20, 2022 2:59 pm

In fact, what happens when you use --block-ipv6 (Client only) is, openvpn on the client side answers no route host.

IPv6 from the client never passes over the tunnel.

Letalis
OpenVPN User
Posts: 47
Joined: Mon Sep 14, 2020 11:46 am

Re: Blocking ipv6 traffic through tunnel, LAN still accessible

Post by Letalis » Sun Mar 20, 2022 6:37 pm

So if I use block-ipv6 then there is no need for routing a specific ipv6 subnet like 2000::/3?

In that case would it be best recommended to use block-ipv6 server-side, and then push block-ipv6 to the client, just so I've covered both sides?

Like explained in the manual, I've currently put this in my server config, along with a push for block-ipv6 in case it isn't in any of my client configs:

Code: Select all

push "ifconfig-ipv6 fd15:53b6:dead::2/64 fd15:53b6:dead::1"
push "redirect-gateway def1 ipv6 bypass-dhcp"
push "block-ipv6"
block-ipv6
