server doesn't bind to IPv6 and IPv4 address when using proto udp6

Posted: Wed Aug 10, 2022 3:05 pm
by JanZorz
Hi,

Should the server bind to both IPv6 and IPv4 addresses if I use proto udp6?

If I use proto udp then it says that it can't determine which protocol I would like to use and binds to IPv4 address. If I use proto udp6 then it binds just to IPv6.

OpenVPN 2.5.7 amd64-portbld-freebsd13.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jul 25 2022

FreeBSD fw1-test.6clabs.com 13.1-RELEASE FreeBSD 13.1-RELEASE stable/22.7-n250212-a26d6065f1f SMP amd64

root@fw1-test:/usr/ports # sockstat -l | grep open
root openvpn 75619 4 stream /tmp/php-fastcgi.socket-1
root openvpn 75619 6 stream /var/etc/openvpn/server2.sock
root openvpn 75619 9 udp6 2607:fae0:a000:5::78:1194 *:*

root@fw1-test:~ # sysctl -a | grep v6only
net.inet6.ip6.v6only: 0

Any idea?

Cheers, Jan Zorz

Re: server doesn't bind to IPv6 and IPv4 address when using proto udp6

Posted: Wed Aug 10, 2022 5:57 pm
by TinCanTech
Your config file will have the answer ..

Re: server doesn't bind to IPv6 and IPv4 address when using proto udp6

Posted: Thu Aug 11, 2022 9:43 am
by JanZorz
TinCanTech wrote:
Wed Aug 10, 2022 5:57 pm
Your config file will have the answer ..
Server config
dev ovpns2
verb 1
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp6
cipher AES-256-CBC
auth SHA512
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
local 2607:fae0:a000:5::78
ifconfig 10.16.16.1 10.16.16.2
ifconfig-ipv6 2607:fae0:a000:e16::1 2607:fae0:a000:e16::2
lport 1194
management /var/etc/openvpn/server2.sock unix
push "route 67.221.246.248 255.255.255.248"
push "route-ipv6 2607:fae0:a000:11::/64"
route 67.221.250.224 255.255.255.224
route 67.221.250.160 255.255.255.224
route-ipv6 2607:fae0:b000:6000::/64
route-ipv6 2607:fae0:b000:2000::/64
secret /var/etc/openvpn/server2.secret
comp-lzo adaptive
persist-remote-ip
float


This is running on an OPNsense firewall. The local directive is automatically generated from the WAN interface address... I can add directives to the "Advanced" window if needed.

If we make this one work I can take this to opnsense community and make improvement suggestions there so their config tool would spit out correct configuration.

Cheers and thnx, Jan

Re: server doesn't bind to IPv6 and IPv4 address when using proto udp6

Posted: Thu Aug 11, 2022 10:06 am
by JanZorz
Hmm... seems that adding "local ::" to advanced tab (and to the end of config) makes things a bit better:

root@fw1-test:~ # sockstat -l | grep open | grep udp
root openvpn 93620 9 udp46 *:1194 *:*

But now it's listening on all interfaces... how to limit it to just listening on WAN?

Cheers, Jan
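
Added example, not written by any poster in this thread: a check over the two `sockstat -l` listener lines quoted above that flags an OpenVPN UDP socket bound to the wildcard address instead of the intended WAN address. The function names, the `SAMPLE` text assembled from those lines, and the allow-list are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple

# Constructed sample: listener lines as quoted in this thread.
SAMPLE = """\
root openvpn 75619 6 stream /var/etc/openvpn/server2.sock
root openvpn 75619 9 udp6 2607:fae0:a000:5::78:1194 *:*
root openvpn 93620 9 udp46 *:1194 *:*
"""

class Listener(NamedTuple):
    pid: int
    proto: str   # udp4, udp6 or udp46 as printed by sockstat
    addr: str    # "*" for a wildcard bind
    port: int

def parse_sockstat(text, command="openvpn"):
    """Return the UDP listeners owned by `command` in `sockstat -l` output."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or f[1] != command or not f[4].startswith("udp"):
            continue
        # sockstat prints addr:port; IPv6 addresses contain ':' themselves,
        # so the port is whatever follows the LAST colon.
        addr, _, port = f[5].rpartition(":")
        if not port.isdigit():
            continue  # unbound socket, no port to report
        out.append(Listener(int(f[2]), f[4], addr, int(port)))
    return out

def findings(listeners, allowed):
    """Flag listeners that are wildcard-bound or bound outside `allowed`."""
    allowed_ips = {ipaddress.ip_address(a) for a in allowed}
    result = []
    for l in listeners:
        if l.addr == "*":
            fams = "IPv4+IPv6" if l.proto == "udp46" else l.proto
            result.append((l.pid, f"wildcard bind on port {l.port} ({fams})"))
        elif ipaddress.ip_address(l.addr) not in allowed_ips:
            result.append((l.pid, f"bound to unexpected address {l.addr}"))
    return result

if __name__ == "__main__":
    for pid, msg in findings(parse_sockstat(SAMPLE), ["2607:fae0:a000:5::78"]):
        print(pid, msg)
```
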

Re: server doesn't bind to IPv6 and IPv4 address when using proto udp6

Posted: Thu Aug 11, 2022 11:45 am
by TinCanTech
That is how OpenVPN works.

If you do not specify --local then it listens on all interfaces/addresses.
If you do not specify --local and do specify --proto udp6 then it listens on IPv6 and IPv4 UDP.

If you do specify --local then pick your --proto, default is udp4, I believe.

Re: server doesn't bind to IPv6 and IPv4 address when using proto udp6

Posted: Thu Aug 11, 2022 11:47 am
by TinCanTech
JanZorz wrote:
Thu Aug 11, 2022 10:06 am
seems that adding "local ::" to advanced tab (and to the end of config) makes things a bit better:
That is the same as not specifying --local.

Re: server doesn't bind to IPv6 and IPv4 address when using proto udp6

Posted: Thu Aug 11, 2022 11:47 am
by TinCanTech
JanZorz wrote:
Thu Aug 11, 2022 10:06 am
how to limit it to just listening on WAN?
Use --local.

Re: server doesn't bind to IPv6 and IPv4 address when using proto udp6

Posted: Thu Aug 11, 2022 12:07 pm
by JanZorz
TinCanTech wrote:
Thu Aug 11, 2022 11:47 am
JanZorz wrote:
Thu Aug 11, 2022 10:06 am
how to limit it to just listening on WAN?
Use --local.
Yes, if I don't specify "local ::" then it's listening on all interfaces on both protocols. I still did not find a proper combination that it would listen on both protocols but just on one interface.

Is there a way to say something like:

proto udp
local IPv6_addr, IPv4_addr

so it would bind only to two addresses on specified interface? Or even better:

proto udp
local vtnet0

and it would bind to all addresses (IPv6 and IPv4) on that interface?

Cheers, Jan

Re: server doesn't bind to IPv6 and IPv4 address when using proto udp6

Posted: Thu Aug 11, 2022 1:02 pm
by TinCanTech
The short answer is No.

If you do not specify --local then OpenVPN binds to all interfaces/addresses.

It is not possible to bind to a specific interface; only an address is supported by --local.

If you do specify --local then OpenVPN only uses one --proto.

Re: server doesn't bind to IPv6 and IPv4 address when using proto udp6

Posted: Thu Aug 11, 2022 2:02 pm
by JanZorz
TinCanTech wrote:
Thu Aug 11, 2022 1:02 pm
If you do specify --local then OpenVPN only uses one --proto.
Ok, thnx for your answer. However, we have udp, udp4 and udp6. Shouldn't udp be dual-stack? In FreeBSD it's called udp46 :)

root openvpn 93620 9 udp46 *:1194 *:*

Something to consider in development?

Cheers, Jan

Re: server doesn't bind to IPv6 and IPv4 address when using proto udp6

Posted: Thu Aug 11, 2022 2:40 pm
by TinCanTech
It has been and is being considered in development.

If you prefer then you can ask the developers yourself.

There is the OpenVPN developers mailing list openvpn-devel at lists.sourceforge.net
or IRC channel #openvpn-devel on libera.chat

Re: server doesn't bind to IPv6 and IPv4 address when using proto udp6

Posted: Thu Aug 11, 2022 3:24 pm
by JanZorz
Thnx, appreciated!