server doesn't bind to IPv6 and IPv4 address when using proto udp6

JanZorz
OpenVpn Newbie
Posts: 6
Joined: Wed Aug 10, 2022 3:01 pm

server doesn't bind to IPv6 and IPv4 address when using proto udp6

Post by JanZorz » Wed Aug 10, 2022 3:05 pm

Hi,

Should server bind to IPv6 and IPv4 address if I use proto udp6 ?

If I use proto udp then it says that it can't determine which protocol I would like to use and binds to IPv4 address. If I use proto udp6 then it binds just to IPv6.

OpenVPN 2.5.7 amd64-portbld-freebsd13.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jul 25 2022

FreeBSD fw1-test.6clabs.com 13.1-RELEASE FreeBSD 13.1-RELEASE stable/22.7-n250212-a26d6065f1f SMP amd64

root@fw1-test:/usr/ports # sockstat -l | grep open
root openvpn 75619 4 stream /tmp/php-fastcgi.socket-1
root openvpn 75619 6 stream /var/etc/openvpn/server2.sock
root openvpn 75619 9 udp6 2607:fae0:a000:5::78:1194 *:*

root@fw1-test:~ # sysctl -a | grep v6only
net.inet6.ip6.v6only: 0

Any idea?

Cheers, Jan Zorz

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: server doesn't bind to IPv6 and IPv4 address when using proto udp6

Post by TinCanTech » Wed Aug 10, 2022 5:57 pm

Your config file will have the answer ..

JanZorz
OpenVpn Newbie
Posts: 6
Joined: Wed Aug 10, 2022 3:01 pm

Re: server doesn't bind to IPv6 and IPv4 address when using proto udp6

Post by JanZorz » Thu Aug 11, 2022 9:43 am

TinCanTech wrote:
Wed Aug 10, 2022 5:57 pm
Your config file will have the answer ..

Server config
dev ovpns2
verb 1
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp6
cipher AES-256-CBC
auth SHA512
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
local 2607:fae0:a000:5::78
ifconfig 10.16.16.1 10.16.16.2
ifconfig-ipv6 2607:fae0:a000:e16::1 2607:fae0:a000:e16::2
lport 1194
management /var/etc/openvpn/server2.sock unix
push "route 67.221.246.248 255.255.255.248"
push "route-ipv6 2607:fae0:a000:11::/64"
route 67.221.250.224 255.255.255.224
route 67.221.250.160 255.255.255.224
route-ipv6 2607:fae0:b000:6000::/64
route-ipv6 2607:fae0:b000:2000::/64
secret /var/etc/openvpn/server2.secret
comp-lzo adaptive
persist-remote-ip
float


This is running on opnsense firewall. Local directive is automatically generated from WAN interface address... I can add directives to "Advanced" window if needed.

If we make this one work I can take this to opnsense community and make improvement suggestions there so their config tool would spit out correct configuration.

Cheers and thnx, Jan

JanZorz
OpenVpn Newbie
Posts: 6
Joined: Wed Aug 10, 2022 3:01 pm

Re: server doesn't bind to IPv6 and IPv4 address when using proto udp6

Post by JanZorz » Thu Aug 11, 2022 10:06 am

Hmm... seems that adding "local ::" to advanced tab (and to the end of config) makes things a bit better:

root@fw1-test:~ # sockstat -l | grep open | grep udp
root openvpn 93620 9 udp46 *:1194 *:*

But now it's listening on all interfaces... how to limit it to just listening on WAN?

Cheers, Jan

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: server doesn't bind to IPv6 and IPv4 address when using proto udp6

Post by TinCanTech » Thu Aug 11, 2022 11:45 am

That is how Openvpn works.

If you do not specify --local then it listens on all interfaces/addresses.
If you do not specify --local and do specify --proto udp6 then it listens on IPv6 and IPv4 UDP.

If you do specify --local then pick your --proto, default is udp4, I believe.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: server doesn't bind to IPv6 and IPv4 address when using proto udp6

Post by TinCanTech » Thu Aug 11, 2022 11:47 am

JanZorz wrote:
Thu Aug 11, 2022 10:06 am
seems that adding "local ::" to advanced tab (and to the end of config) makes things a bit better:

That is the same as not specifying --local.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: server doesn't bind to IPv6 and IPv4 address when using proto udp6

Post by TinCanTech » Thu Aug 11, 2022 11:47 am

JanZorz wrote:
Thu Aug 11, 2022 10:06 am
how to limit it to just listening on WAN?

Use --local.

JanZorz
OpenVpn Newbie
Posts: 6
Joined: Wed Aug 10, 2022 3:01 pm

Re: server doesn't bind to IPv6 and IPv4 address when using proto udp6

Post by JanZorz » Thu Aug 11, 2022 12:07 pm

TinCanTech wrote:
Thu Aug 11, 2022 11:47 am
JanZorz wrote:
Thu Aug 11, 2022 10:06 am
how to limit it to just listening on WAN?
Use --local.

Yes, if I don't specify "local ::" then it's listening on all interfaces on both protocols. I still did not find a proper combination that it would listen on both protocols but just on one interface.

Is there a way to say something like:

proto udp
local IPv6_addr, IPv4_addr

so it would bind only to two addresses on specified interface? Or even better:

proto udp
local vtnet0

and it would bind to all addresses (IPv6 and IPv4) on that interface?

Cheers, Jan

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: server doesn't bind to IPv6 and IPv4 address when using proto udp6

Post by TinCanTech » Thu Aug 11, 2022 1:02 pm

The short answer is No.

If you do not specify --local then Openvpn binds to all interfaces/addresses.

It is not possible to bind to a specific interface, only address is supported by --local.

If you do specify --local then Openvpn only uses one --proto.
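
Added example, not part of the thread and not OpenVPN project code: a Python check that applies the --local rules stated above to a config and compares the result with `sockstat -l` output, flagging an OpenVPN socket bound to all addresses. The function names and the 2001:db8 sample data are constructed for illustration, and it assumes a later local directive replaces an earlier one, as the appended "local ::" did in this thread.

```python
import ipaddress

def config_bind(config_text):
    """Return (proto, local, wildcard) for an OpenVPN config.

    Rules as stated in the thread: no --local, or an unspecified address
    such as "::", means the daemon listens on all addresses.
    """
    proto, local = "udp", None
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0][0] in "#;":
            continue  # blank line, comment, or directive without a value
        if parts[0] == "proto":
            proto = parts[1]
        elif parts[0] == "local":
            local = parts[1]  # assumption: a later directive replaces an earlier one
    try:
        wildcard = local is None or ipaddress.ip_address(local).is_unspecified
    except ValueError:
        wildcard = False  # a host name is treated here as one specific address
    return proto, local, wildcard

def openvpn_listeners(sockstat_text):
    """Parse FreeBSD `sockstat -l` lines into (proto, address, port) for openvpn."""
    found = []
    for line in sockstat_text.splitlines():
        f = line.split()
        # Unix-domain sockets (management socket) have fewer fields and proto "stream".
        if len(f) >= 7 and f[1] == "openvpn" and f[4][:3] in ("udp", "tcp"):
            addr, port = f[5].rsplit(":", 1)  # last colon separates the port
            found.append((f[4], addr, port))
    return found

def audit(config_text, sockstat_text):
    """List findings: wildcard binds, and sockets that disagree with the config."""
    _, local, wildcard = config_bind(config_text)
    findings = []
    for sproto, addr, port in openvpn_listeners(sockstat_text):
        if addr == "*":
            findings.append(f"{sproto} port {port}: listening on all addresses")
        if (addr == "*") != wildcard:
            findings.append(f"{sproto} port {port}: socket does not match local={local}")
    return findings

# Constructed sample data modelled on the output shown in the thread.
CONF_WAN_ONLY = "proto udp6\nlocal 2001:db8:5::78\nlport 1194\n"
CONF_APPENDED = CONF_WAN_ONLY + "local ::\n"
SOCK_WAN_ONLY = ("root openvpn 75619 6 stream /var/etc/openvpn/server2.sock\n"
                 "root openvpn 75619 9 udp6 2001:db8:5::78:1194 *:*\n")
SOCK_WILDCARD = "root openvpn 93620 9 udp46 *:1194 *:*\n"

if __name__ == "__main__":
    print(audit(CONF_APPENDED, SOCK_WILDCARD))
```

A wildcard finding means the daemon itself does not restrict which interface it answers on, so any limit to the WAN side has to come from packet-filter rules.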

JanZorz
OpenVpn Newbie
Posts: 6
Joined: Wed Aug 10, 2022 3:01 pm

Re: server doesn't bind to IPv6 and IPv4 address when using proto udp6

Post by JanZorz » Thu Aug 11, 2022 2:02 pm

TinCanTech wrote:
Thu Aug 11, 2022 1:02 pm
If you do specify --local then Openvpn only uses one --proto.

Ok, thnx for your answer. However, we have udp, udp4 and udp6. Shouldn't udp be dual-stack? In FreeBSD it's called udp46 :)

root openvpn 93620 9 udp46 *:1194 *:*

Something to consider in development?

Cheers, Jan

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: server doesn't bind to IPv6 and IPv4 address when using proto udp6

Post by TinCanTech » Thu Aug 11, 2022 2:40 pm

It has been and is being considered in development.

If you prefer then you can ask the developers yourself.

There is the openvpn developers mailing list openvpn-devel at lists.sourceforge.net
or IRC channel #openvpn-devel on libera.chat

JanZorz
OpenVpn Newbie
Posts: 6
Joined: Wed Aug 10, 2022 3:01 pm

Re: server doesn't bind to IPv6 and IPv4 address when using proto udp6

Post by JanZorz » Thu Aug 11, 2022 3:24 pm

Thnx, appreciated!
