Setting OpenVPN dual stack (IPv4 +IPv6)

adroman
OpenVPN User
Posts: 20
Joined: Thu Jun 14, 2018 2:40 pm

Setting OpenVPN dual stack (IPv4 +IPv6)

Post by adroman » Fri Sep 02, 2022 11:30 am

Guys, I need your help to configure OpenVPN dual stack (IPv4 +IPv6)
Right to the point:
I have Ubuntu 22 with this IPv6 block 2a05:8280:f:43aa::/64
After reading hundreds of guides on the Internet, I divided the block into 2:
2a05:8280:f:43aa::/65 and 2a05:8280:f:43aa:8000::/65
Here’s my server config:
Server Config
dev tun0
proto tcp6
proto tcp-server
port 2023
topology subnet
client-to-client
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
server-ipv6 2a05:8280:f:43aa:8000::/65
server 192.168.7.0 255.255.255.0
push "route-ipv6 2a05:8280:f:43aa::/64"
push "route-ipv6 2000::/3"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS6 2620:0:ccc::2"
push "dhcp-option DNS6 2620:0:ccd::2"
client-config-dir /etc/openvpn/ccd
ccd-exclusive
cipher AES-256-CBC
user root
group root
status /etc/openvpn/server/logs/openvpn-status.log
log-append /etc/openvpn/server/logs/openvpn.log
verb 3
mute 20
max-clients 100
management 127.0.0.1 25341
keepalive 10 120
tls-server
persist-key
persist-tun

OpenVPN client log and Tcpdump are attached:

I added these parameters to /etc/sysctl.conf
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.proxy_ndp = 1

I didn’t add anything to /etc/ufw/before6.rules

I’m not able to solve this without your help.

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Setting OpenVPN dual stack (IPv4 +IPv6)

Post by TinCanTech » Fri Sep 02, 2022 1:41 pm

adroman wrote:
Fri Sep 02, 2022 11:30 am
not able to solve this without your help
Solve what, exactly ?

Please don't use screenies to show your information, use text and BB code: < code > foo < /code >

I don't read screenies because they suck.

viewtopic.php?t=22603

adroman
OpenVPN User
Posts: 20
Joined: Thu Jun 14, 2018 2:40 pm

Re: Setting OpenVPN dual stack (IPv4 +IPv6)

Post by adroman » Fri Sep 02, 2022 4:53 pm

Sorry for the screenies, my first post. Never again!
I guess the main problem is an infinite TCP connect state.
I don't get if it's a UFW misconfig or OpenVPN.

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Setting OpenVPN dual stack (IPv4 +IPv6)

Post by TinCanTech » Fri Sep 02, 2022 6:00 pm

adroman wrote:
Fri Sep 02, 2022 11:30 am

proto tcp6
proto tcp-server
That is the problem. If you read your server log you will see what I mean.

adroman
OpenVPN User
Posts: 20
Joined: Thu Jun 14, 2018 2:40 pm

Re: Setting OpenVPN dual stack (IPv4 +IPv6)

Post by adroman » Fri Sep 02, 2022 6:12 pm

Thanks dude, I deleted "proto tcp-server", but still the same result.
Is it necessary to use UDP6? The problem is that Mikrotik RouterOS v6 doesn't support UDP.

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Setting OpenVPN dual stack (IPv4 +IPv6)

Post by TinCanTech » Fri Sep 02, 2022 8:35 pm

adroman wrote:
Fri Sep 02, 2022 6:12 pm
Mikrotik router
No idea, check your router manual.

See --proto here:
https://build.openvpn.net/man/openvpn-2 ... vpn.8.html

adroman
OpenVPN User
Posts: 20
Joined: Thu Jun 14, 2018 2:40 pm

Re: Setting OpenVPN dual stack (IPv4 +IPv6)

Post by adroman » Tue Sep 06, 2022 9:33 am

TinCanTech wrote:
Fri Sep 02, 2022 8:35 pm
adroman wrote:
Fri Sep 02, 2022 6:12 pm
Mikrotik router
No idea, check your router manual.

See --proto here:
https://build.openvpn.net/man/openvpn-2 ... vpn.8.html

Thank you very much for the hint. I have changed my configs according to this guide and now I can connect to the server and get IP settings. I’ve removed the splitting of the routable block to make the settings simpler.
Server Config
dev tun0
proto tcp6-server
port 2023
topology subnet
client-to-client
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
server 192.168.7.0 255.255.255.0
server-ipv6 2a05:8280:f:43aa::/64
ifconfig-ipv6 2a05:8280:f:43aa::1 2a05:8280:f:43aa::2
push "route-ipv6 2a05:8280:f:43aa::/64"
push "route-ipv6 2000::/3"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS6 2620:0:ccc::2"
push "dhcp-option DNS6 2620:0:ccd::2"
client-config-dir /etc/openvpn/ccd
ccd-exclusive
cipher AES-256-CBC
user root
group root
status /etc/openvpn/server/logs/openvpn-status.log
log-append /etc/openvpn/server/logs/openvpn.log
verb 3
mute 20
max-clients 100
management 127.0.0.1 25341
keepalive 10 120
persist-key
persist-tun

Here’s my Windows client config:
Client Config
client
dev tun
proto tcp6-client
remote vps1.linkpc.net 2023
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\vps1vm\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\vps1vm\\laptop2.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\vps1vm\\laptop2.key"
cipher AES-256-CBC
data-ciphers AES-256-CBC
auth SHA1
auth-nocache
redirect-gateway ipv6 def1
verb 3

In the /etc/sysctl.conf file I added the «net.ipv6.conf.all.forwarding=1» option and removed all rules from the /etc/ufw/before6.rules file because I don’t understand what to add : )
Now I can connect to the server and get IP settings but can’t reach the internet.
I don’t understand these things:
1) If I have the IPv6 block 2a05:8280:f:43aa::/64 from my ISP, is it necessary to split it to make the VPN work?
2) What rules do I have to add to UFW6?
3) While googling this topic I found that some guys use NDP proxy; do I have to use it too?
Could you please help me : )

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Setting OpenVPN dual stack (IPv4 +IPv6)

Post by TinCanTech » Tue Sep 06, 2022 9:51 am

You now understand the requirements to achieve a successful connection.

To setup web browsing via the VPN, you can read the openvpn howto ..
Or you can try one of the many scripts available to automate this function.

adroman
OpenVPN User
Posts: 20
Joined: Thu Jun 14, 2018 2:40 pm

Re: Setting OpenVPN dual stack (IPv4 +IPv6)

Post by adroman » Tue Sep 06, 2022 9:57 am

TinCanTech wrote:
Tue Sep 06, 2022 9:51 am
You now understand the requirements to achieve a successful connection.

To setup web browsing via the VPN, you can read the openvpn howto ..
Or you can try one of the many scripts available to automate this function.
Trust me, I’ve read them a hundred times, especially the IPv6 chapter, and a hundred guides on the internet, and that didn’t help me – stupid me! I’m able to make an IPv4 VPN work easily, but with IPv6 I have an issue that I wasn’t able to resolve by myself. That’s why I registered here :)

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Setting OpenVPN dual stack (IPv4 +IPv6)

Post by ordex » Sun Sep 11, 2022 10:36 pm

@adroman when specifying server-ipv6, don't specify ifconfig-ipv6 too. The server-ipv6 directive is enough to instruct OpenVPN about which IP to configure on the TUN device.

Then, you talked about "splitting your /64 in 2x /65" but your latest config seems to assign the entire /64 to OpenVPN. Is that what you really want to do?

Whether you have to split it or not depends on you. If you want that /64 to be entirely dedicated to the VPN and not use it on any other interface, then it's ok to not split.

Also, no need for "push "route-ipv6 2a05:8280:f:43aa::/64"" as that is exactly the same network you have specified to server-ipv6.

Regarding NDP proxy or not, that depends on whether your ISP is routing that network to you or not. Is it?
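The three configuration mistakes called out so far in this thread (two competing --proto lines, ifconfig-ipv6 next to server-ipv6, and a pushed route-ipv6 for the VPN's own prefix) are all mechanical enough to catch before restarting the server. The following linter is an added example written for this page, not code from the thread or from the OpenVPN project; its parser is a deliberately small subset of OpenVPN's config grammar (one directive per line, quoted arguments via shlex) and the embedded sample configs are condensed copies of the ones posted above.

```python
import shlex
from ipaddress import IPv6Network


def parse_openvpn_config(text):
    """Split an OpenVPN config into (directive, [args]) pairs.

    Blank lines and comments are skipped; a quoted argument such as
    push "route-ipv6 2000::/3" stays one argument, as OpenVPN treats it.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = shlex.split(line)
        entries.append((parts[0], parts[1:]))
    return entries


def lint_dual_stack(text):
    """Return findings for the three mistakes discussed in this thread."""
    entries = parse_openvpn_config(text)
    findings = []

    # TinCanTech's point: two --proto lines, only one of them can take effect.
    protos = [" ".join(args) for d, args in entries if d == "proto"]
    if len(protos) > 1:
        findings.append("duplicate proto directives: " + ", ".join(protos))

    # ordex's first point: server-ipv6 already configures the tun address,
    # so a hand-written ifconfig-ipv6 next to it is redundant.
    server_v6 = [args[0] for d, args in entries if d == "server-ipv6" and args]
    if server_v6 and any(d == "ifconfig-ipv6" for d, _ in entries):
        findings.append("ifconfig-ipv6 set together with server-ipv6; drop ifconfig-ipv6")

    # ordex's second point: pushing a route for the VPN's own IPv6 prefix is
    # pointless, clients already get that prefix from the pushed ifconfig-ipv6.
    vpn_nets = {IPv6Network(s, strict=False) for s in server_v6}
    for d, args in entries:
        if d != "push" or not args:
            continue
        inner = args[0].split()
        if len(inner) != 2 or inner[0] != "route-ipv6":
            continue
        try:
            pushed = IPv6Network(inner[1], strict=False)
        except ValueError:
            findings.append(f"unparseable pushed IPv6 route: {inner[1]}")
            continue
        if pushed in vpn_nets:
            findings.append(
                f'redundant push "route-ipv6 {inner[1]}": same network as server-ipv6'
            )
    return findings


# Condensed copies of the configs posted in this thread: only the directives
# the checks look at. FIRST is the opening post, SECOND the one with
# ifconfig-ipv6, THIRD a cleaned-up variant with neither problem.
FIRST_CONFIG = """\
proto tcp6
proto tcp-server
port 2023
server-ipv6 2a05:8280:f:43aa:8000::/65
server 192.168.7.0 255.255.255.0
push "route-ipv6 2a05:8280:f:43aa::/64"
push "route-ipv6 2000::/3"
"""

SECOND_CONFIG = """\
proto tcp6-server
server 192.168.7.0 255.255.255.0
server-ipv6 2a05:8280:f:43aa::/64
ifconfig-ipv6 2a05:8280:f:43aa::1 2a05:8280:f:43aa::2
push "route-ipv6 2a05:8280:f:43aa::/64"
push "route-ipv6 2000::/3"
"""

THIRD_CONFIG = """\
proto tcp6-server
server 192.168.7.0 255.255.255.0
server-ipv6 2a05:8280:f:43aa::/64
push "route-ipv6 2000::/3"
"""

if __name__ == "__main__":
    for name, cfg in [("first", FIRST_CONFIG), ("second", SECOND_CONFIG), ("third", THIRD_CONFIG)]:
        print(name, lint_dual_stack(cfg) or ["no findings"])
```

Note that the first config is not flagged for its pushed /64: server-ipv6 there is the /65 half, so the pushed /64 is a different (wider) prefix and the check only reports an exact match with the VPN's own network. The route "2000::/3" is never flagged, as it is the global-unicast block rather than the VPN prefix.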

adroman
OpenVPN User
Posts: 20
Joined: Thu Jun 14, 2018 2:40 pm

Re: Setting OpenVPN dual stack (IPv4 +IPv6)

Post by adroman » Thu Oct 06, 2022 10:58 pm

ordex wrote:
Sun Sep 11, 2022 10:36 pm
@adroman when specifying server-ipv6, don't specify ifconfig-ipv6 too. The server-ipv6 directive is enough to instruct OpenVPN about which IP to configure on the TUN device.

Then, you talked about "splitting your /64 in 2x /65" but your latest config seems to assign the entire /64 to OpenVPN. Is that what you really want to do?

Whether you have to split it or not depends on you. If you want that /64 to be entirely dedicated to the VPN and not use it on any other interface, then it's ok to not split.

Also, no need for "push "route-ipv6 2a05:8280:f:43aa::/64"" as that is exactly the same network you have specified to server-ipv6.

Regarding NDP proxy or not, that depends on whether your ISP is routing that network to you or not. Is it?
Thank you so much for your help, it’s extremely valuable for me! : )

I checked with my VPS provider about the IPv6 block, they route it, so there is no need to use an NDP proxy.
And I removed the division of the block, because the original 64-bit block can be used.

Here’s my SERVER CONFIG:
dev tun0
proto tcp6-server
port 2023
topology subnet
client-to-client
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
server 192.168.7.0 255.255.255.0
server-ipv6 2a05:8280:f:43aa::/64
push "route-ipv6 2000::/3"
route 192.168.5.0 255.255.255.0 192.168.7.2
route 192.168.50.0 255.255.255.0 192.168.7.2
route 192.168.55.0 255.255.255.0 192.168.7.2
route 192.168.8.0 255.255.255.0 192.168.7.2
route 192.168.9.0 255.255.255.0 192.168.7.2
route 192.168.88.0 255.255.255.0 192.168.7.2
route 192.168.80.0 255.255.255.0 192.168.7.2
route 192.168.150.0 255.255.255.0 192.168.7.2
route 192.168.5.0 255.255.255.0 192.168.7.1
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS6 2620:0:ccc::2"
push "dhcp-option DNS6 2620:0:ccd::2"
client-config-dir /etc/openvpn/ccd
ccd-exclusive
cipher AES-256-CBC
user root
group root
status /etc/openvpn/server/logs/openvpn-status.log
log-append /etc/openvpn/server/logs/openvpn.log
verb 3
mute 20
max-clients 100
management 127.0.0.1 25341
keepalive 10 120
persist-key
persist-tun

Windows CLIENT CONFIG:
client
dev tun
proto tcp6-client
remote vps1.linkpc.net 2023
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\vps1vm\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\vps1vm\\laptop2.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\vps1vm\\laptop2.key"
remote-cert-tls server
cipher AES-256-CBC
data-ciphers AES-256-CBC
auth SHA1
auth-nocache
redirect-gateway ipv6 def1
verb 3

OpenVPN SERVER LOG (--verb 3):

DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
WARNING: file '/etc/openvpn/easy-rsa/pki/private/server.key' is group or others accessible
OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
net_route_v4_best_gw query: dst 0.0.0.0
net_route_v4_best_gw result: via 89.38.135.1 dev eth0
Diffie-Hellman initialized with 2048 bit key
net_route_v4_best_gw query: dst 0.0.0.0
net_route_v4_best_gw result: via 89.38.135.1 dev eth0
ROUTE_GATEWAY 89.38.135.1/255.255.255.0 IFACE=eth0 HWADDR=8a:3b:12:dc:de:b0
TUN/TAP device tun0 opened
net_iface_mtu_set: mtu 1500 for tun0
net_iface_up: set tun0 up
net_addr_v4_add: 192.168.7.1/24 dev tun0
net_iface_mtu_set: mtu 1500 for tun0
net_iface_up: set tun0 up
net_addr_v6_add: 2a05:8280:f:43aa::1/64 dev tun0
net_route_v4_add: 192.168.5.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.50.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.55.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.8.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.9.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.88.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.80.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.150.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.5.0/24 via 192.168.7.1 dev [NULL] table 0 metric -1
Socket Buffers: R=[87380->87380] S=[65536->65536]
setsockopt(IPV6_V6ONLY=0)
Listening for incoming TCP connection on [AF_INET6][undef]:2023
TCPv6_SERVER link local (bound): [AF_INET6][undef]:2023
TCPv6_SERVER link remote: [AF_UNSPEC]
GID set to root
UID set to root
MULTI: multi_init called, r=256 v=256
IFCONFIG POOL IPv4: base=192.168.7.2 size=253
IFCONFIG POOL IPv6: base=2a05:8280:f:43aa::1000 size=65536 netbits=64
NOTE: IPv4 pool size is 253, IPv6 pool size is 65536. IPv4 pool size limits the number of clients that can be served from the pool
MULTI: TCP INIT maxclients=100 maxevents=104
Initialization Sequence Completed
TCP connection established with [AF_INET6]2a02:2168:8e8a:5000:b04f:a4e1:228c:745f:52894
2a02:2168:8e8a:5000:b04f:a4e1:228c:745f TLS: Initial packet from [AF_INET6]2a02:2168:8e8a:5000:b04f:a4e1:228c:745f:52894, sid=a986953f 23a751dd
2a02:2168:8e8a:5000:b04f:a4e1:228c:745f VERIFY OK: depth=1, CN=vps
2a02:2168:8e8a:5000:b04f:a4e1:228c:745f VERIFY OK: depth=0, CN=laptop2
2a02:2168:8e8a:5000:b04f:a4e1:228c:745f peer info: IV_VER=2.5.6
2a02:2168:8e8a:5000:b04f:a4e1:228c:745f peer info: IV_PLAT=win
2a02:2168:8e8a:5000:b04f:a4e1:228c:745f peer info: IV_PROTO=6
2a02:2168:8e8a:5000:b04f:a4e1:228c:745f peer info: IV_CIPHERS=AES-256-CBC
2a02:2168:8e8a:5000:b04f:a4e1:228c:745f peer info: IV_LZ4=1
2a02:2168:8e8a:5000:b04f:a4e1:228c:745f peer info: IV_LZ4v2=1
2a02:2168:8e8a:5000:b04f:a4e1:228c:745f peer info: IV_LZO=1
2a02:2168:8e8a:5000:b04f:a4e1:228c:745f peer info: IV_COMP_STUB=1
2a02:2168:8e8a:5000:b04f:a4e1:228c:745f peer info: IV_COMP_STUBv2=1
2a02:2168:8e8a:5000:b04f:a4e1:228c:745f peer info: IV_TCPNL=1
2a02:2168:8e8a:5000:b04f:a4e1:228c:745f peer info: IV_GUI_VER=OpenVPN_GUI_11
2a02:2168:8e8a:5000:b04f:a4e1:228c:745f peer info: IV_SSO=openurl,crtext
2a02:2168:8e8a:5000:b04f:a4e1:228c:745f Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2a02:2168:8e8a:5000:b04f:a4e1:228c:745f [laptop2] Peer Connection Initiated with [AF_INET6]2a02:2168:8e8a:5000:b04f:a4e1:228c:745f:52894
laptop2/2a02:2168:8e8a:5000:b04f:a4e1:228c:745f MULTI_sva: pool returned IPv4=192.168.7.2, IPv6=2a05:8280:f:43aa::1000
laptop2/2a02:2168:8e8a:5000:b04f:a4e1:228c:745f OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/laptop2
laptop2/2a02:2168:8e8a:5000:b04f:a4e1:228c:745f MULTI_sva: WARNING: if --ifconfig-push is used for IPv4, automatic IPv6 assignment from --ifconfig-ipv6-pool does not work.  Use --ifconfig-ipv6-push for IPv6 then.
laptop2/2a02:2168:8e8a:5000:b04f:a4e1:228c:745f MULTI: Learn: 192.168.7.10 -> laptop2/2a02:2168:8e8a:5000:b04f:a4e1:228c:745f
laptop2/2a02:2168:8e8a:5000:b04f:a4e1:228c:745f MULTI: primary virtual IP for laptop2/2a02:2168:8e8a:5000:b04f:a4e1:228c:745f: 192.168.7.10
laptop2/2a02:2168:8e8a:5000:b04f:a4e1:228c:745f MULTI: Learn: 2a05:8280:f:43aa::1000 -> laptop2/2a02:2168:8e8a:5000:b04f:a4e1:228c:745f
laptop2/2a02:2168:8e8a:5000:b04f:a4e1:228c:745f MULTI: primary virtual IPv6 for laptop2/2a02:2168:8e8a:5000:b04f:a4e1:228c:745f: 2a05:8280:f:43aa::1000
laptop2/2a02:2168:8e8a:5000:b04f:a4e1:228c:745f Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
laptop2/2a02:2168:8e8a:5000:b04f:a4e1:228c:745f Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
laptop2/2a02:2168:8e8a:5000:b04f:a4e1:228c:745f Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
laptop2/2a02:2168:8e8a:5000:b04f:a4e1:228c:745f Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
laptop2/2a02:2168:8e8a:5000:b04f:a4e1:228c:745f SENT CONTROL [laptop2]: 'PUSH_REPLY,route-ipv6 2000::/3,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,dhcp-option DNS6 2620:0:ccc::2,dhcp-option DNS6 2620:0:ccd::2,tun-ipv6,route-gateway 192.168.7.1,topology subnet,ping 10,ping-restart 120,ifconfig-ipv6 2a05:8280:f:43aa::1000/64 2a05:8280:f:43aa::1,ifconfig 192.168.7.10 255.255.255.0,peer-id 0,cipher AES-256-CBC' (status=1)
laptop2/2a02:2168:8e8a:5000:b04f:a4e1:228c:745f Connection reset, restarting [-1]
laptop2/2a02:2168:8e8a:5000:b04f:a4e1:228c:745f SIGUSR1[soft,connection-reset] received, client-instance restarting

Windows CLIENT LOG (--verb 3):

2022-10-07 01:26:48 OpenVPN 2.5.6 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Mar 16 2022
2022-10-07 01:26:48 Windows version 10.0 (Windows 10 or greater) 64bit
2022-10-07 01:26:48 library versions: OpenSSL 1.1.1n  15 Mar 2022, LZO 2.10
2022-10-07 01:26:48 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25345
2022-10-07 01:26:48 Need hold release from management interface, waiting...
2022-10-07 01:26:49 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25345
2022-10-07 01:26:49 MANAGEMENT: CMD 'state on'
2022-10-07 01:26:49 MANAGEMENT: CMD 'log all on'
2022-10-07 01:26:49 MANAGEMENT: CMD 'echo all on'
2022-10-07 01:26:49 MANAGEMENT: CMD 'bytecount 5'
2022-10-07 01:26:49 MANAGEMENT: CMD 'hold off'
2022-10-07 01:26:49 MANAGEMENT: CMD 'hold release'
2022-10-07 01:26:49 MANAGEMENT: >STATE:1665095209,RESOLVE,,,,,,
2022-10-07 01:26:50 TCP/UDP: Preserving recently used remote address: [AF_INET6]2a05:8280:f:43aa::1:2023
2022-10-07 01:26:50 Socket Buffers: R=[65536->65536] S=[65536->65536]
2022-10-07 01:26:50 Attempting to establish TCP connection with [AF_INET6]2a05:8280:f:43aa::1:2023 [nonblock]
2022-10-07 01:26:50 MANAGEMENT: >STATE:1665095210,TCP_CONNECT,,,,,,
2022-10-07 01:26:50 TCP connection established with [AF_INET6]2a05:8280:f:43aa::1:2023
2022-10-07 01:26:50 TCPv6_CLIENT link local: (not bound)
2022-10-07 01:26:50 TCPv6_CLIENT link remote: [AF_INET6]2a05:8280:f:43aa::1:2023
2022-10-07 01:26:50 MANAGEMENT: >STATE:1665095210,WAIT,,,,,,
2022-10-07 01:26:50 MANAGEMENT: >STATE:1665095210,AUTH,,,,,,
2022-10-07 01:26:50 TLS: Initial packet from [AF_INET6]2a05:8280:f:43aa::1:2023, sid=a948f2e3 0afde3a0
2022-10-07 01:26:50 VERIFY OK: depth=1, CN=vps
2022-10-07 01:26:50 VERIFY KU OK
2022-10-07 01:26:50 Validating certificate extended key usage
2022-10-07 01:26:50 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2022-10-07 01:26:50 VERIFY EKU OK
2022-10-07 01:26:50 VERIFY OK: depth=0, CN=server
2022-10-07 01:26:50 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2022-10-07 01:26:50 [server] Peer Connection Initiated with [AF_INET6]2a05:8280:f:43aa::1:2023
2022-10-07 01:26:50 PUSH: Received control message: 'PUSH_REPLY,route-ipv6 2000::/3,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,dhcp-option DNS6 2620:0:ccc::2,dhcp-option DNS6 2620:0:ccd::2,tun-ipv6,route-gateway 192.168.7.1,topology subnet,ping 10,ping-restart 120,ifconfig-ipv6 2a05:8280:f:43aa::1000/64 2a05:8280:f:43aa::1,ifconfig 192.168.7.10 255.255.255.0,peer-id 0,cipher AES-256-CBC'
2022-10-07 01:26:50 OPTIONS IMPORT: timers and/or timeouts modified
2022-10-07 01:26:50 OPTIONS IMPORT: --ifconfig/up options modified
2022-10-07 01:26:50 OPTIONS IMPORT: route options modified
2022-10-07 01:26:50 OPTIONS IMPORT: route-related options modified
2022-10-07 01:26:50 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2022-10-07 01:26:50 OPTIONS IMPORT: peer-id set
2022-10-07 01:26:50 OPTIONS IMPORT: adjusting link_mtu to 1626
2022-10-07 01:26:50 OPTIONS IMPORT: data channel crypto options modified
2022-10-07 01:26:50 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
2022-10-07 01:26:50 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-10-07 01:26:50 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
2022-10-07 01:26:50 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-10-07 01:26:50 interactive service msg_channel=716
2022-10-07 01:26:50 GDG6: remote_host_ipv6=2a05:8280:f:43aa::1
2022-10-07 01:26:50 GetBestInterfaceEx() returned if=12
2022-10-07 01:26:50 GDG6: II=12 DP=::/0 NH=fe80::ce2d:e0ff:fe9c:207e
2022-10-07 01:26:50 GDG6: Metric=256, Loopback=0, AA=1, I=0
2022-10-07 01:26:50 ROUTE6: 2000::/4 overlaps IPv6 remote 2a05:8280:f:43aa::1, adding host route to VPN endpoint
2022-10-07 01:26:50 ROUTE6: 2000::/3 overlaps IPv6 remote 2a05:8280:f:43aa::1, adding host route to VPN endpoint
2022-10-07 01:26:50 open_tun
2022-10-07 01:26:50 tap-windows6 device [OpenVPN TAP-Windows6] opened
2022-10-07 01:26:50 TAP-Windows Driver Version 9.24 
2022-10-07 01:26:50 Set TAP-Windows TUN subnet mode network/local/netmask = 192.168.7.0/192.168.7.10/255.255.255.0 [SUCCEEDED]
2022-10-07 01:26:50 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.7.10/255.255.255.0 on interface {30DC3ECB-1B9D-443C-8ED2-23BFC8F4E46C} [DHCP-serv: 192.168.7.0, lease-time: 31536000]
2022-10-07 01:26:50 Successful ARP Flush on interface [8] {30DC3ECB-1B9D-443C-8ED2-23BFC8F4E46C}
2022-10-07 01:26:50 MANAGEMENT: >STATE:1665095210,ASSIGN_IP,,192.168.7.10,,,,,2a05:8280:f:43aa::1000
2022-10-07 01:26:50 IPv4 MTU set to 1500 on interface 8 using service
2022-10-07 01:26:50 INET6 address service: add 2a05:8280:f:43aa::1000/128
2022-10-07 01:26:50 add_route_ipv6(2a05:8280:f:43aa::/64 -> 2a05:8280:f:43aa::1000 metric 0) dev OpenVPN TAP-Windows6
2022-10-07 01:26:50 IPv6 route addition via service succeeded
2022-10-07 01:26:51 IPv6 dns servers set using service
2022-10-07 01:26:51 IPv6 MTU set to 1500 on interface 8 using service
2022-10-07 01:26:56 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
2022-10-07 01:26:56 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 192.168.7.1
2022-10-07 01:26:56 Route addition via service succeeded
2022-10-07 01:26:56 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 192.168.7.1
2022-10-07 01:26:56 Route addition via service succeeded
2022-10-07 01:26:56 add_route_ipv6(2a05:8280:f:43aa::1/128 -> fe80::ce2d:e0ff:fe9c:207e metric 1) dev OpenVPN TAP-Windows6
2022-10-07 01:26:56 IPv6 route addition via service succeeded
2022-10-07 01:26:56 add_route_ipv6(2000::/3 -> 2a05:8280:f:43aa::1 metric -1) dev OpenVPN TAP-Windows6
2022-10-07 01:26:56 IPv6 route addition via service succeeded
2022-10-07 01:26:56 add_route_ipv6(::/3 -> 2a05:8280:f:43aa::1 metric -1) dev OpenVPN TAP-Windows6
2022-10-07 01:26:56 IPv6 route addition via service succeeded
2022-10-07 01:26:56 add_route_ipv6(2000::/4 -> 2a05:8280:f:43aa::1 metric -1) dev OpenVPN TAP-Windows6
2022-10-07 01:26:56 IPv6 route addition via service succeeded
2022-10-07 01:26:56 add_route_ipv6(3000::/4 -> 2a05:8280:f:43aa::1 metric -1) dev OpenVPN TAP-Windows6
2022-10-07 01:26:56 IPv6 route addition via service succeeded
2022-10-07 01:26:56 add_route_ipv6(fc00::/7 -> 2a05:8280:f:43aa::1 metric -1) dev OpenVPN TAP-Windows6
2022-10-07 01:26:56 IPv6 route addition via service succeeded
2022-10-07 01:26:56 Initialization Sequence Completed
2022-10-07 01:26:56 MANAGEMENT: >STATE:1665095216,CONNECTED,SUCCESS,192.168.7.10,2a05:8280:f:43aa::1,2023,2a02:2168:8e8a:5000:b04f:a4e1:228c:745f,60718,2a05:8280:f:43aa::1000

I’m getting IPv4 settings and it looks like IPv6 too, but IPv6 doesn’t work. IPv4 works fine.
I’m using Ubuntu 22 for the OpenVPN server and I suppose I have to configure firewall rules in order to make it work. Maybe I should enable masquerading; I’m not sure, because I have a routable IPv6 block. But I guess I have to set up an IPv6 FORWARD rule, which I need help with.
I also suppose that the problem may be that my eth0 and tun0 interfaces have the same IPv6 address: 2a05:8280:f:43aa::1
Maybe I have to specify a different IPv6 address for tun0?
I also use the client-config-dir (ccd) option, but in the file itself I only have settings for IPv4. I don’t know if it is necessary to specify parameters for IPv6 in the ccd file, because apparently I get the correct IPv6 address on the client: 2a05:8280:f:43aa::1000
Could you please help me to troubleshoot : )

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Setting OpenVPN dual stack (IPv4 +IPv6)

Post by ordex » Fri Oct 07, 2022 7:56 am

adroman wrote:
Thu Oct 06, 2022 10:58 pm
I’m getting IPv4 settings and it looks like IPv6 too, but IPv6 doesn’t work. IPv4 works fine.
I’m using Ubuntu 22 for the OpenVPN server and I suppose I have to configure firewall rules in order to make it work. Maybe I should enable masquerading,

No, no need to use masquerading/NAT. You are routing your IPs, so NAT is not needed.

adroman wrote:
I’m not sure, because I have a routable IPv6 block. But I guess I have to set up an IPv6 FORWARD rule, which I need help with.

Forwarding needs to be enabled for sure. Check that your firewall is not blocking anything in the FORWARD chain and that forwarding is enabled system wide with:

sysctl net.ipv6.conf.all.forwarding

The command above should return 1.

adroman wrote:
I also suppose that the problem may be that my eth0 and tun0 interfaces have the same IPv6 address: 2a05:8280:f:43aa::1
Maybe I have to specify a different IPv6 address for tun0?

Yes. The same IP on different interfaces is often a hint of some misconfiguration.
Is eth0 the interface facing your ISP? If so, isn't your ISP already assigning you some other IPv6? Or are they giving you only the /64?
In any case, the subnet you configure on the VPN should be exclusive to the VPN, so that it can be "owned" by the VPN tunnel and assigned to clients.

adroman wrote:
I also use the client-config-dir (ccd) option, but in the file itself I only have settings for IPv4. I don’t know if it is necessary to specify parameters for IPv6 in the ccd file, because apparently I get the correct IPv6 address on the client: 2a05:8280:f:43aa::1000
Could you please help me to troubleshoot : )

The VPN configuration looks ok. It is more a matter of properly routing IPs on the server.

adroman
OpenVPN User
Posts: 20
Joined: Thu Jun 14, 2018 2:40 pm

Re: Setting OpenVPN dual stack (IPv4 +IPv6)

Post by adroman » Fri Oct 07, 2022 6:16 pm

ordex wrote:
The VPN configuration looks ok. It is more a matter of properly routing IPs on the server.

Thank you very much, Sir!
Yes, eth0 is the interface facing my ISP. The 2a05:8280:f:43aa::/64 routable IPv6 block has been assigned to my server.
The first usable IP is: 2a05:8280:f:43aa::1 (eth0)
The prefix is: /64
The gateway is: 2a05:8280:f:43aa::f
The DNS nameservers are: 2001:4860:4860::8888 and 2001:4860:4860::8844
So by trial and error I replaced the row «server-ipv6 2a05:8280:f:43aa::/64» with «server-ipv6 2a05:8280:f:43aa::1/64», and now my OpenVPN server’s tun0 interface has been assigned a new IPv6 address, 2a05:8280:f:43aa::2, while eth0 has 2a05:8280:f:43aa::1.
Here’s my new SERVER CONFIG:
dev tun0
proto tcp6-server
port 2023
topology subnet
client-to-client
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
server 192.168.7.0 255.255.255.0
server-ipv6 2a05:8280:f:43aa::1/64
push "route-ipv6 2000::/3"
route 192.168.5.0 255.255.255.0 192.168.7.2
route 192.168.50.0 255.255.255.0 192.168.7.2
route 192.168.55.0 255.255.255.0 192.168.7.2
route 192.168.8.0 255.255.255.0 192.168.7.2
route 192.168.9.0 255.255.255.0 192.168.7.2
route 192.168.88.0 255.255.255.0 192.168.7.2
route 192.168.80.0 255.255.255.0 192.168.7.2
route 192.168.150.0 255.255.255.0 192.168.7.2
route 192.168.5.0 255.255.255.0 192.168.7.1
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS6 2620:0:ccc::2"
push "dhcp-option DNS6 2620:0:ccd::2"
client-config-dir /etc/openvpn/ccd
ccd-exclusive
cipher AES-256-CBC
user root
group root
status /etc/openvpn/server/logs/openvpn-status.log
log-append /etc/openvpn/server/logs/openvpn.log
verb 3
mute 20
max-clients 100
management 127.0.0.1 25341
keepalive 10 120
persist-key
persist-tun

Often in OpenVPN server configs I see this row «push "route-ipv6 ::/0"» - I’m not sure if I also have to add it.

My Windows OpenVPN client config is still the same:
Windows CLIENT CONFIG:
client
dev tun
proto tcp6-client
remote vps1.linkpc.net 2023
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\vps1vm\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\vps1vm\\laptop2.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\vps1vm\\laptop2.key"
remote-cert-tls server
cipher AES-256-CBC
data-ciphers AES-256-CBC
auth SHA1
auth-nocache
redirect-gateway ipv6 def1
verb 3

I don't understand here if I need to use the new tun0 IPv6 address or still the IPv6 address of the eth0 interface for the connection to the OpenVPN server.
And also, I’m not sure if I need to use «redirect-gateway ipv6 def1» or maybe only «redirect-gateway def1», because my IPv6 address block is routable.
Here’s my OpenVPN server log (--verb 3):

DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
WARNING: file '/etc/openvpn/easy-rsa/pki/private/server.key' is group or others accessible
OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
net_route_v4_best_gw query: dst 0.0.0.0
net_route_v4_best_gw result: via 89.38.135.1 dev eth0
Diffie-Hellman initialized with 2048 bit key
net_route_v4_best_gw query: dst 0.0.0.0
net_route_v4_best_gw result: via 89.38.135.1 dev eth0
ROUTE_GATEWAY 89.38.135.1/255.255.255.0 IFACE=eth0 HWADDR=8a:3b:12:dc:de:b0
TUN/TAP device tun0 opened
net_iface_mtu_set: mtu 1500 for tun0
net_iface_up: set tun0 up
net_addr_v4_add: 192.168.7.1/24 dev tun0
net_iface_mtu_set: mtu 1500 for tun0
net_iface_up: set tun0 up
net_addr_v6_add: 2a05:8280:f:43aa::2/64 dev tun0
net_route_v4_add: 192.168.5.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.50.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.55.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.8.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.9.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.88.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.80.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.150.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.5.0/24 via 192.168.7.1 dev [NULL] table 0 metric -1
Socket Buffers: R=[87380->87380] S=[65536->65536]
setsockopt(IPV6_V6ONLY=0)
Listening for incoming TCP connection on [AF_INET6][undef]:2023
TCPv6_SERVER link local (bound): [AF_INET6][undef]:2023
TCPv6_SERVER link remote: [AF_UNSPEC]
GID set to root
UID set to root
MULTI: multi_init called, r=256 v=256
IFCONFIG POOL IPv4: base=192.168.7.2 size=253
IFCONFIG POOL IPv6: base=2a05:8280:f:43aa::1001 size=65536 netbits=64
NOTE: IPv4 pool size is 253, IPv6 pool size is 65536. IPv4 pool size limits the number of clients that can be served from the pool
MULTI: TCP INIT maxclients=100 maxevents=104
Initialization Sequence Completed
TCP connection established with [AF_INET6]::ffff:188.32.154.37:48388
188.32.154.37:48388 TLS: Initial packet from [AF_INET6]::ffff:188.32.154.37:48388, sid=d15f4deb c0262db7
188.32.154.37:48388 VERIFY OK: depth=1, CN=vps
188.32.154.37:48388 VERIFY OK: depth=0, CN=mikrotik
188.32.154.37:48388 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
188.32.154.37:48388 [mikrotik] Peer Connection Initiated with [AF_INET6]::ffff:188.32.154.37:48388
mikrotik/188.32.154.37:48388 MULTI_sva: pool returned IPv4=192.168.7.2, IPv6=2a05:8280:f:43aa::1001
mikrotik/188.32.154.37:48388 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/mikrotik
mikrotik/188.32.154.37:48388 MULTI_sva: WARNING: if --ifconfig-push is used for IPv4, automatic IPv6 assignment from --ifconfig-ipv6-pool does not work.  Use --ifconfig-ipv6-push for IPv6 then.
mikrotik/188.32.154.37:48388 MULTI: Learn: 192.168.7.2 -> mikrotik/188.32.154.37:48388
mikrotik/188.32.154.37:48388 MULTI: primary virtual IP for mikrotik/188.32.154.37:48388: 192.168.7.2
mikrotik/188.32.154.37:48388 MULTI: Learn: 2a05:8280:f:43aa::1001 -> mikrotik/188.32.154.37:48388
mikrotik/188.32.154.37:48388 MULTI: primary virtual IPv6 for mikrotik/188.32.154.37:48388: 2a05:8280:f:43aa::1001
mikrotik/188.32.154.37:48388 MULTI: internal route 192.168.150.0/24 -> mikrotik/188.32.154.37:48388
mikrotik/188.32.154.37:48388 MULTI: Learn: 192.168.150.0/24 -> mikrotik/188.32.154.37:48388
mikrotik/188.32.154.37:48388 MULTI: internal route 192.168.80.0/24 -> mikrotik/188.32.154.37:48388
mikrotik/188.32.154.37:48388 MULTI: Learn: 192.168.80.0/24 -> mikrotik/188.32.154.37:48388
mikrotik/188.32.154.37:48388 MULTI: internal route 192.168.88.0/24 -> mikrotik/188.32.154.37:48388
mikrotik/188.32.154.37:48388 MULTI: Learn: 192.168.88.0/24 -> mikrotik/188.32.154.37:48388
mikrotik/188.32.154.37:48388 MULTI: internal route 192.168.55.0/24 -> mikrotik/188.32.154.37:48388
mikrotik/188.32.154.37:48388 MULTI: Learn: 192.168.55.0/24 -> mikrotik/188.32.154.37:48388
mikrotik/188.32.154.37:48388 MULTI: internal route 192.168.50.0/24 -> mikrotik/188.32.154.37:48388
mikrotik/188.32.154.37:48388 MULTI: Learn: 192.168.50.0/24 -> mikrotik/188.32.154.37:48388
mikrotik/188.32.154.37:48388 MULTI: internal route 192.168.9.0/24 -> mikrotik/188.32.154.37:48388
mikrotik/188.32.154.37:48388 MULTI: Learn: 192.168.9.0/24 -> mikrotik/188.32.154.37:48388
mikrotik/188.32.154.37:48388 MULTI: internal route 192.168.8.0/24 -> mikrotik/188.32.154.37:48388
mikrotik/188.32.154.37:48388 MULTI: Learn: 192.168.8.0/24 -> mikrotik/188.32.154.37:48388
mikrotik/188.32.154.37:48388 MULTI: internal route 192.168.5.0/24 -> mikrotik/188.32.154.37:48388
mikrotik/188.32.154.37:48388 MULTI: Learn: 192.168.5.0/24 -> mikrotik/188.32.154.37:48388
mikrotik/188.32.154.37:48388 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
mikrotik/188.32.154.37:48388 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
mikrotik/188.32.154.37:48388 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
mikrotik/188.32.154.37:48388 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
mikrotik/188.32.154.37:48388 PUSH: Received control message: 'PUSH_REQUEST'
mikrotik/188.32.154.37:48388 SENT CONTROL [mikrotik]: 'PUSH_REPLY,route-ipv6 2000::/3,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,dhcp-option DNS6 2620:0:ccc::2,dhcp-option DNS6 2620:0:ccd::2,tun-ipv6,route-gateway 192.168.7.1,topology subnet,ping 10,ping-restart 120,ifconfig-ipv6 2a05:8280:f:43aa::1001/64 2a05:8280:f:43aa::2,ifconfig 192.168.7.2 255.255.255.0' (status=1)
mikrotik/188.32.154.37:48388 MULTI: Learn: 192.168.150.1 -> mikrotik/188.32.154.37:48388
TCP connection established with [AF_INET6]2a02:2168:8e8a:5000:88de:b01d:9002:9233:60515
2a02:2168:8e8a:5000:88de:b01d:9002:9233 TLS: Initial packet from [AF_INET6]2a02:2168:8e8a:5000:88de:b01d:9002:9233:60515, sid=4b141ee4 fdc940b7
2a02:2168:8e8a:5000:88de:b01d:9002:9233 VERIFY OK: depth=1, CN=vps
2a02:2168:8e8a:5000:88de:b01d:9002:9233 VERIFY OK: depth=0, CN=laptop2
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_VER=2.5.6
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_PLAT=win
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_PROTO=6
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_CIPHERS=AES-256-CBC
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_LZ4=1
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_LZ4v2=1
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_LZO=1
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_COMP_STUB=1
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_COMP_STUBv2=1
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_TCPNL=1
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_GUI_VER=OpenVPN_GUI_11
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_SSO=openurl,crtext
2a02:2168:8e8a:5000:88de:b01d:9002:9233 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2a02:2168:8e8a:5000:88de:b01d:9002:9233 [laptop2] Peer Connection Initiated with [AF_INET6]2a02:2168:8e8a:5000:88de:b01d:9002:9233:60515
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 MULTI_sva: pool returned IPv4=192.168.7.2, IPv6=2a05:8280:f:43aa::1001
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/laptop2
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 MULTI_sva: WARNING: if --ifconfig-push is used for IPv4, automatic IPv6 assignment from --ifconfig-ipv6-pool does not work.  Use --ifconfig-ipv6-push for IPv6 then.
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 MULTI: Learn: 192.168.7.10 -> laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 MULTI: primary virtual IP for laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233: 192.168.7.10
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 MULTI: Learn: 2a05:8280:f:43aa::1001 -> laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 MULTI: primary virtual IPv6 for laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233: 2a05:8280:f:43aa::1001
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 SENT CONTROL [laptop2]: 'PUSH_REPLY,route-ipv6 2000::/3,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,dhcp-option DNS6 2620:0:ccc::2,dhcp-option DNS6 2620:0:ccd::2,tun-ipv6,route-gateway 192.168.7.1,topology subnet,ping 10,ping-restart 120,ifconfig-ipv6 2a05:8280:f:43aa::1001/64 2a05:8280:f:43aa::2,ifconfig 192.168.7.10 255.255.255.0,peer-id 0,cipher AES-256-CBC' (status=1)

And Windows CLIENT LOG (--verb 3):

2022-10-07 20:32:21 OpenVPN 2.5.6 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Mar 16 2022
2022-10-07 20:32:21 Windows version 10.0 (Windows 10 or greater) 64bit
2022-10-07 20:32:21 library versions: OpenSSL 1.1.1n  15 Mar 2022, LZO 2.10
2022-10-07 20:32:21 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25367
2022-10-07 20:32:21 Need hold release from management interface, waiting...
2022-10-07 20:32:21 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25367
2022-10-07 20:32:21 MANAGEMENT: CMD 'state on'
2022-10-07 20:32:21 MANAGEMENT: CMD 'log all on'
2022-10-07 20:32:21 MANAGEMENT: CMD 'echo all on'
2022-10-07 20:32:21 MANAGEMENT: CMD 'bytecount 5'
2022-10-07 20:32:21 MANAGEMENT: CMD 'hold off'
2022-10-07 20:32:21 MANAGEMENT: CMD 'hold release'
2022-10-07 20:32:21 MANAGEMENT: >STATE:1665163941,RESOLVE,,,,,,
2022-10-07 20:32:21 TCP/UDP: Preserving recently used remote address: [AF_INET6]2a05:8280:f:43aa::1:2023
2022-10-07 20:32:21 Socket Buffers: R=[65536->65536] S=[65536->65536]
2022-10-07 20:32:21 Attempting to establish TCP connection with [AF_INET6]2a05:8280:f:43aa::1:2023 [nonblock]
2022-10-07 20:32:21 MANAGEMENT: >STATE:1665163941,TCP_CONNECT,,,,,,
2022-10-07 20:32:21 TCP connection established with [AF_INET6]2a05:8280:f:43aa::1:2023
2022-10-07 20:32:21 TCPv6_CLIENT link local: (not bound)
2022-10-07 20:32:21 TCPv6_CLIENT link remote: [AF_INET6]2a05:8280:f:43aa::1:2023
2022-10-07 20:32:21 MANAGEMENT: >STATE:1665163941,WAIT,,,,,,
2022-10-07 20:32:21 MANAGEMENT: >STATE:1665163941,AUTH,,,,,,
2022-10-07 20:32:21 TLS: Initial packet from [AF_INET6]2a05:8280:f:43aa::1:2023, sid=c895fec0 dcb03beb
2022-10-07 20:32:21 VERIFY OK: depth=1, CN=vps
2022-10-07 20:32:21 VERIFY KU OK
2022-10-07 20:32:21 Validating certificate extended key usage
2022-10-07 20:32:21 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2022-10-07 20:32:21 VERIFY EKU OK
2022-10-07 20:32:21 VERIFY OK: depth=0, CN=server
2022-10-07 20:32:22 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2022-10-07 20:32:22 [server] Peer Connection Initiated with [AF_INET6]2a05:8280:f:43aa::1:2023
2022-10-07 20:32:22 PUSH: Received control message: 'PUSH_REPLY,route-ipv6 2000::/3,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,dhcp-option DNS6 2620:0:ccc::2,dhcp-option DNS6 2620:0:ccd::2,tun-ipv6,route-gateway 192.168.7.1,topology subnet,ping 10,ping-restart 120,ifconfig-ipv6 2a05:8280:f:43aa::1001/64 2a05:8280:f:43aa::2,ifconfig 192.168.7.10 255.255.255.0,peer-id 0,cipher AES-256-CBC'
2022-10-07 20:32:22 OPTIONS IMPORT: timers and/or timeouts modified
2022-10-07 20:32:22 OPTIONS IMPORT: --ifconfig/up options modified
2022-10-07 20:32:22 OPTIONS IMPORT: route options modified
2022-10-07 20:32:22 OPTIONS IMPORT: route-related options modified
2022-10-07 20:32:22 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2022-10-07 20:32:22 OPTIONS IMPORT: peer-id set
2022-10-07 20:32:22 OPTIONS IMPORT: adjusting link_mtu to 1626
2022-10-07 20:32:22 OPTIONS IMPORT: data channel crypto options modified
2022-10-07 20:32:22 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
2022-10-07 20:32:22 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-10-07 20:32:22 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
2022-10-07 20:32:22 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-10-07 20:32:22 interactive service msg_channel=816
2022-10-07 20:32:22 GDG6: remote_host_ipv6=2a05:8280:f:43aa::1
2022-10-07 20:32:22 GetBestInterfaceEx() returned if=12
2022-10-07 20:32:22 GDG6: II=12 DP=::/0 NH=fe80::ce2d:e0ff:fe9c:207e
2022-10-07 20:32:22 GDG6: Metric=256, Loopback=0, AA=1, I=0
2022-10-07 20:32:22 ROUTE6: 2000::/4 overlaps IPv6 remote 2a05:8280:f:43aa::1, adding host route to VPN endpoint
2022-10-07 20:32:22 ROUTE6: 2000::/3 overlaps IPv6 remote 2a05:8280:f:43aa::1, adding host route to VPN endpoint
2022-10-07 20:32:22 open_tun
2022-10-07 20:32:22 tap-windows6 device [OpenVPN TAP-Windows6] opened
2022-10-07 20:32:22 TAP-Windows Driver Version 9.24 
2022-10-07 20:32:22 Set TAP-Windows TUN subnet mode network/local/netmask = 192.168.7.0/192.168.7.10/255.255.255.0 [SUCCEEDED]
2022-10-07 20:32:22 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.7.10/255.255.255.0 on interface {30DC3ECB-1B9D-443C-8ED2-23BFC8F4E46C} [DHCP-serv: 192.168.7.0, lease-time: 31536000]
2022-10-07 20:32:22 Successful ARP Flush on interface [8] {30DC3ECB-1B9D-443C-8ED2-23BFC8F4E46C}
2022-10-07 20:32:22 MANAGEMENT: >STATE:1665163942,ASSIGN_IP,,192.168.7.10,,,,,2a05:8280:f:43aa::1001
2022-10-07 20:32:22 IPv4 MTU set to 1500 on interface 8 using service
2022-10-07 20:32:22 INET6 address service: add 2a05:8280:f:43aa::1001/128
2022-10-07 20:32:22 add_route_ipv6(2a05:8280:f:43aa::/64 -> 2a05:8280:f:43aa::1001 metric 0) dev OpenVPN TAP-Windows6
2022-10-07 20:32:22 IPv6 route addition via service succeeded
2022-10-07 20:32:22 IPv6 dns servers set using service
2022-10-07 20:32:22 IPv6 MTU set to 1500 on interface 8 using service
2022-10-07 20:32:27 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
2022-10-07 20:32:27 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 192.168.7.1
2022-10-07 20:32:27 Route addition via service succeeded
2022-10-07 20:32:27 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 192.168.7.1
2022-10-07 20:32:27 Route addition via service succeeded
2022-10-07 20:32:27 add_route_ipv6(2a05:8280:f:43aa::1/128 -> fe80::ce2d:e0ff:fe9c:207e metric 1) dev OpenVPN TAP-Windows6
2022-10-07 20:32:27 IPv6 route addition via service succeeded
2022-10-07 20:32:27 add_route_ipv6(2000::/3 -> 2a05:8280:f:43aa::2 metric -1) dev OpenVPN TAP-Windows6
2022-10-07 20:32:27 IPv6 route addition via service succeeded
2022-10-07 20:32:27 add_route_ipv6(::/3 -> 2a05:8280:f:43aa::2 metric -1) dev OpenVPN TAP-Windows6
2022-10-07 20:32:27 IPv6 route addition via service succeeded
2022-10-07 20:32:27 add_route_ipv6(2000::/4 -> 2a05:8280:f:43aa::2 metric -1) dev OpenVPN TAP-Windows6
2022-10-07 20:32:27 IPv6 route addition via service succeeded
2022-10-07 20:32:27 add_route_ipv6(3000::/4 -> 2a05:8280:f:43aa::2 metric -1) dev OpenVPN TAP-Windows6
2022-10-07 20:32:27 IPv6 route addition via service succeeded
2022-10-07 20:32:27 add_route_ipv6(fc00::/7 -> 2a05:8280:f:43aa::2 metric -1) dev OpenVPN TAP-Windows6
2022-10-07 20:32:27 IPv6 route addition via service succeeded
2022-10-07 20:32:27 Initialization Sequence Completed
2022-10-07 20:32:27 MANAGEMENT: >STATE:1665163947,CONNECTED,SUCCESS,192.168.7.10,2a05:8280:f:43aa::1,2023,2a02:2168:8e8a:5000:88de:b01d:9002:9233,60515,2a05:8280:f:43aa::1001
2022-10-07 20:33:29 C:\WINDOWS\system32\route.exe DELETE 0.0.0.0 MASK 128.0.0.0 192.168.7.1
2022-10-07 20:33:29 Route deletion via service succeeded
2022-10-07 20:33:29 C:\WINDOWS\system32\route.exe DELETE 128.0.0.0 MASK 128.0.0.0 192.168.7.1
2022-10-07 20:33:29 Route deletion via service succeeded
2022-10-07 20:33:29 delete_route_ipv6(2a05:8280:f:43aa::1/128)
2022-10-07 20:33:29 IPv6 route deletion via service succeeded
2022-10-07 20:33:29 delete_route_ipv6(2000::/3)
2022-10-07 20:33:29 IPv6 route deletion via service succeeded
2022-10-07 20:33:29 delete_route_ipv6(::/3)
2022-10-07 20:33:29 IPv6 route deletion via service succeeded
2022-10-07 20:33:29 delete_route_ipv6(2000::/4)
2022-10-07 20:33:29 IPv6 route deletion via service succeeded
2022-10-07 20:33:29 delete_route_ipv6(3000::/4)
2022-10-07 20:33:29 IPv6 route deletion via service succeeded
2022-10-07 20:33:29 delete_route_ipv6(fc00::/7)
2022-10-07 20:33:29 IPv6 route deletion via service succeeded
2022-10-07 20:33:29 Closing TUN/TAP interface
2022-10-07 20:33:29 IPv6 dns servers deleted using service
2022-10-07 20:33:29 delete_route_ipv6(2a05:8280:f:43aa::/64)
2022-10-07 20:33:29 IPv6 route deletion via service succeeded
2022-10-07 20:33:29 INET6 address service: remove 2a05:8280:f:43aa::1001/128
2022-10-07 20:33:30 TAP: DHCP address released
2022-10-07 20:33:30 SIGTERM[hard,] received, process exiting
2022-10-07 20:33:30 MANAGEMENT: >STATE:1665164010,EXITING,SIGTERM,,,,,
The situation is the same: I'm getting IPv4 and IPv6 settings, but IPv6 doesn't work. IPv4 works fine.

Here’s my /etc/sysctl.conf file:
sysctl.conf
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1


So here «net.ipv6.conf.all.forwarding=1» is active.

And here’s my /etc/ufw/before6.rules file:
before6.rules
*filter
:ufw6-before-input - [0:0]
:ufw6-before-output - [0:0]
:ufw6-before-forward - [0:0]
-A ufw6-before-input -i lo -j ACCEPT
-A ufw6-before-output -o lo -j ACCEPT
-A ufw6-before-input -m rt --rt-type 0 -j DROP
-A ufw6-before-forward -m rt --rt-type 0 -j DROP
-A ufw6-before-output -m rt --rt-type 0 -j DROP
-A ufw6-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw6-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw6-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
-A ufw6-before-input -m conntrack --ctstate INVALID -j ufw6-logging-deny
-A ufw6-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw6-before-input -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type echo-request -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type 130 -s fe80::/10 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type 131 -s fe80::/10 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type 132 -s fe80::/10 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type 143 -s fe80::/10 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type 148 -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type 149 -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type 151 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type 152 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type 153 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type echo-request -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type 130 -s fe80::/10 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type 131 -s fe80::/10 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type 132 -s fe80::/10 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type 143 -s fe80::/10 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type 148 -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type 149 -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type 151 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type 152 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type 153 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
-A ufw6-before-forward -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A ufw6-before-forward -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A ufw6-before-forward -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A ufw6-before-forward -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
-A ufw6-before-forward -p icmpv6 --icmpv6-type echo-request -j ACCEPT
-A ufw6-before-forward -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type 144 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type 145 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type 146 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type 147 -j ACCEPT
-A ufw6-before-input -p udp -s fe80::/10 --sport 547 -d fe80::/10 --dport 546 -j ACCEPT
-A ufw6-before-input -p udp -d ff02::fb --dport 5353 -j ACCEPT
-A ufw6-before-input -p udp -d ff02::f --dport 1900 -j ACCEPT
COMMIT


I suppose that somewhere here there must be complicated FORWARD rules for my tun0 interface and/or for IPv6 routable address block.


And here’s my /etc/ufw/after6.rules file:

after6.rules
*filter
:ufw6-after-input - [0:0]
:ufw6-after-output - [0:0]
:ufw6-after-forward - [0:0]
-A ufw6-after-input -p udp --dport 137 -j ufw6-skip-to-policy-input
-A ufw6-after-input -p udp --dport 138 -j ufw6-skip-to-policy-input
-A ufw6-after-input -p tcp --dport 139 -j ufw6-skip-to-policy-input
-A ufw6-after-input -p tcp --dport 445 -j ufw6-skip-to-policy-input
-A ufw6-after-input -p udp --dport 546 -j ufw6-skip-to-policy-input
-A ufw6-after-input -p udp --dport 547 -j ufw6-skip-to-policy-input
COMMIT


Maybe the additional difficulty is that Ubuntu has its own firewall (UFW) with its own unique syntax.

If I run tcpdump with «tcpdump -i tun0» on the OpenVPN server's virtual interface, I see only IPv4 addresses, so it's almost obvious that some IPv6 firewall rules must be added. But I don't have enough knowledge to figure them out myself.

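The two pieces the posted before6.rules and sysctl.conf still lack, written up as an added example (this is not code from the thread or from the OpenVPN project). It assumes the names used in the thread: eth0 as the upstream interface, tun0 as the VPN interface, a VPN prefix carved out of the /64 that is on-link on eth0, and the version-1 status file written by the status directive in the server config; the status excerpt embedded in the script is constructed for the demo, not real output. First, ufw6-before-forward only accepts RELATED,ESTABLISHED and ICMPv6, so new flows from tun0 to eth0 need an explicit ACCEPT. Second, because the ISP's router still treats the whole /64 as on-link, it resolves each VPN client address with a Neighbor Solicitation on eth0; the server has to answer on the clients' behalf (proxy NDP) or replies for 2a05:8280:f:43aa:aaaa::1000 are dropped upstream, which matches seeing no IPv6 at all on tun0 in tcpdump. A routed prefix from the ISP (as suggested later in the thread) removes the second requirement entirely.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenVPN. Assumed names:
# eth0 = upstream interface, tun0 = VPN interface, status file path as in
# the posted server config. Usage:
#   vpn6.sh rules            print the missing ufw6-before-forward line
#   vpn6.sh patch [file]     print before6.rules with that line added
#   vpn6.sh sysctl           print the sysctl lines that go with proxy NDP
#   vpn6.sh ndp [statusfile] print "ip -6 neigh add proxy" per client
#   vpn6.sh demo             run "ndp" on the constructed sample below
set -eu

WAN_IF=${WAN_IF:-eth0}
VPN_IF=${VPN_IF:-tun0}
STATUS=${STATUS:-/etc/openvpn/server/logs/openvpn-status.log}

# New flows from the VPN out to the Internet. Replies are already covered by
# the existing "-m conntrack --ctstate RELATED,ESTABLISHED" rule in
# ufw6-before-forward, so traffic initiated from the Internet towards a
# client stays blocked unless a second rule is added deliberately (clients
# hold global addresses, so that would be a real exposure).
vpn6_forward_rules() {
  printf '%s\n' "-A ufw6-before-forward -i $VPN_IF -o $WAN_IF -j ACCEPT"
}

# Insert the rule just before the COMMIT of the *filter table only (a *nat
# table in the same file must not receive filter rules). Output goes to
# stdout for review; copy it into /etc/ufw/before6.rules and "ufw reload".
patch_before6() {
  awk -v rule="$(vpn6_forward_rules)" '
    /^\*/ { table = substr($0, 2) }
    /^COMMIT/ && table == "filter" { print rule }
    { print }' "${1:--}"
}

# Forwarding is already set in the posted sysctl.conf; proxy_ndp must be
# enabled on the upstream interface for the proxy entries to be answered.
ndp_sysctl_lines() {
  printf '%s\n' "net.ipv6.conf.all.forwarding=1" \
                "net.ipv6.conf.$WAN_IF.proxy_ndp=1"
}

# One proxy entry per IPv6 host address in the ROUTING TABLE section of a
# version-1 status file. iroute-ipv6 networks carry a /prefix and are
# skipped: proxy NDP works per host address, not per network.
ndp_proxy_cmds() {
  awk -F, -v dev="$WAN_IF" '
    /^ROUTING TABLE/ { intable = 1; next }
    /^GLOBAL STATS/  { intable = 0 }
    intable && index($1, ":") && !index($1, "/") {
      print "ip -6 neigh add proxy " $1 " dev " dev
    }' "${1:-$STATUS}"
}

# Constructed sample of a version-1 status file with two connected clients.
# The pool addresses are the ones used in the thread; the rows are made up.
sample_status() {
  cat <<'EOF'
OpenVPN CLIENT LIST
Updated,2022-10-08 00:46:10
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
laptop2,[AF_INET6]2a02:2168:8e8a:5000:88de:b01d:9002:9233:65052,1234,5678,2022-10-08 00:46:04
mikrotik,188.32.154.37:48388,1234,5678,2022-10-08 00:46:05
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
192.168.7.10,laptop2,[AF_INET6]2a02:2168:8e8a:5000:88de:b01d:9002:9233:65052,2022-10-08 00:46:10
2a05:8280:f:43aa:aaaa::1000,laptop2,[AF_INET6]2a02:2168:8e8a:5000:88de:b01d:9002:9233:65052,2022-10-08 00:46:10
192.168.7.2,mikrotik,188.32.154.37:48388,2022-10-08 00:46:10
2a05:8280:f:43aa:aaaa::1001,mikrotik,188.32.154.37:48388,2022-10-08 00:46:10
192.168.150.0/24,mikrotik,188.32.154.37:48388,2022-10-08 00:46:10
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
}

demo_ndp() {
  sample_status | ndp_proxy_cmds -
}

case "${1:-}" in
  rules)  vpn6_forward_rules ;;
  patch)  patch_before6 "${2:-/etc/ufw/before6.rules}" ;;
  sysctl) ndp_sysctl_lines ;;
  ndp)    ndp_proxy_cmds "${2:-$STATUS}" ;;
  demo)   demo_ndp ;;
esac
```

After applying the rule and the sysctl lines, run the "ndp" output as root each time a client connects (a client-connect script is the natural place, using the address OpenVPN hands it), then verify with "ip -6 neigh show proxy" on the server and "tcpdump -ni eth0 icmp6" while pinging a client's VPN address from outside: Neighbor Solicitations for that address should now get Neighbor Advertisements from eth0's MAC, and the echo requests should appear on tun0.
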
ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Setting OpenVPN dual stack (IPv4 +IPv6)

Post by ordex » Fri Oct 07, 2022 8:17 pm

OK. one thing at a time :)

First of all, if you are getting "a /64 for your server" you cannot use the same /64 on the server *and* on the VPN.
You must use subparts of that network.

For example you could use:
* 2a05:8280:f:43aa::/80 for the server, so assign 2a05:8280:f:43aa::1/60 to eth0
* 2a05:8280:f:43aa:aaaa::/80 for the VPN.

This is not optimal, because it is always better to not split /64 (like in IPv4 you always try to not split a /24 even further). So the best approach is to ask your ISP for a second /64 network or ask to get a /48 instead of your current /64.
In the latter case you will be able to split the /48 in several /64s, each with its own purpose.

If none of this is possible you can still resort to the /80 splitting mentioned above and see if everything works.
For the server configuration: do not add the ::1 at the end. There you specify the base address and it is good to have the :: as base.

Regarding the firewall: I am not fluent with the ubuntu firewall, so it's hard for me to understand what it is doing.

adroman
OpenVPN User
Posts: 20
Joined: Thu Jun 14, 2018 2:40 pm

Re: Setting OpenVPN dual stack (IPv4 +IPv6)

Post by adroman » Fri Oct 07, 2022 9:52 pm

ordex wrote:
Fri Oct 07, 2022 8:17 pm
First of all, if you are getting "a /64 for your server" you cannot use the same /64 on the server *and* on the VPN.
You must use subparts of that network.

For example you could use:
* 2a05:8280:f:43aa::/80 for the server, so assign 2a05:8280:f:43aa::1/60 to eth0
* 2a05:8280:f:43aa:aaaa::/80 for the VPN.
Many thanks for such a valuable explanation!
My ISP refused to split the 64-bit block, so I implemented your suggestion to assign 2a05:8280:f:43aa::1/60 to eth0 and 2a05:8280:f:43aa:aaaa::/80 in the OpenVPN server config file.

Here’s my OpenVPN server log:
SERVER LOG (--verb 3):

DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
WARNING: file '/etc/openvpn/easy-rsa/pki/private/server.key' is group or others accessible
OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
net_route_v4_best_gw query: dst 0.0.0.0
net_route_v4_best_gw result: via 89.38.135.1 dev eth0
Diffie-Hellman initialized with 2048 bit key
net_route_v4_best_gw query: dst 0.0.0.0
net_route_v4_best_gw result: via 89.38.135.1 dev eth0
ROUTE_GATEWAY 89.38.135.1/255.255.255.0 IFACE=eth0 HWADDR=8a:3b:12:dc:de:b0
TUN/TAP device tun0 opened
net_iface_mtu_set: mtu 1500 for tun0
net_iface_up: set tun0 up
net_addr_v4_add: 192.168.7.1/24 dev tun0
net_iface_mtu_set: mtu 1500 for tun0
net_iface_up: set tun0 up
net_addr_v6_add: 2a05:8280:f:43aa:aaaa::1/80 dev tun0
net_route_v4_add: 192.168.5.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.50.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.55.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.8.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.9.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.88.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.80.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.150.0/24 via 192.168.7.2 dev [NULL] table 0 metric -1
net_route_v4_add: 192.168.5.0/24 via 192.168.7.1 dev [NULL] table 0 metric -1
Socket Buffers: R=[87380->87380] S=[65536->65536]
setsockopt(IPV6_V6ONLY=0)
Listening for incoming TCP connection on [AF_INET6][undef]:2023
TCPv6_SERVER link local (bound): [AF_INET6][undef]:2023
TCPv6_SERVER link remote: [AF_UNSPEC]
GID set to root
UID set to root
MULTI: multi_init called, r=256 v=256
IFCONFIG POOL IPv4: base=192.168.7.2 size=253
IFCONFIG POOL IPv6: base=2a05:8280:f:43aa:aaaa::1000 size=65536 netbits=80
NOTE: IPv4 pool size is 253, IPv6 pool size is 65536. IPv4 pool size limits the number of clients that can be served from the pool
MULTI: TCP INIT maxclients=100 maxevents=104
Initialization Sequence Completed
TCP connection established with [AF_INET6]2a02:2168:8e8a:5000:88de:b01d:9002:9233:65052
2a02:2168:8e8a:5000:88de:b01d:9002:9233 TLS: Initial packet from [AF_INET6]2a02:2168:8e8a:5000:88de:b01d:9002:9233:65052, sid=41171474 73c0a6a2
2a02:2168:8e8a:5000:88de:b01d:9002:9233 VERIFY OK: depth=1, CN=vps
2a02:2168:8e8a:5000:88de:b01d:9002:9233 VERIFY OK: depth=0, CN=laptop2
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_VER=2.5.6
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_PLAT=win
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_PROTO=6
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_CIPHERS=AES-256-CBC
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_LZ4=1
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_LZ4v2=1
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_LZO=1
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_COMP_STUB=1
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_COMP_STUBv2=1
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_TCPNL=1
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_GUI_VER=OpenVPN_GUI_11
2a02:2168:8e8a:5000:88de:b01d:9002:9233 peer info: IV_SSO=openurl,crtext
2a02:2168:8e8a:5000:88de:b01d:9002:9233 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2a02:2168:8e8a:5000:88de:b01d:9002:9233 [laptop2] Peer Connection Initiated with [AF_INET6]2a02:2168:8e8a:5000:88de:b01d:9002:9233:65052
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 MULTI_sva: pool returned IPv4=192.168.7.2, IPv6=2a05:8280:f:43aa:aaaa::1000
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/laptop2
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 MULTI_sva: WARNING: if --ifconfig-push is used for IPv4, automatic IPv6 assignment from --ifconfig-ipv6-pool does not work.  Use --ifconfig-ipv6-push for IPv6 then.
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 MULTI: Learn: 192.168.7.10 -> laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 MULTI: primary virtual IP for laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233: 192.168.7.10
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 MULTI: Learn: 2a05:8280:f:43aa:aaaa::1000 -> laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 MULTI: primary virtual IPv6 for laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233: 2a05:8280:f:43aa:aaaa::1000
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
laptop2/2a02:2168:8e8a:5000:88de:b01d:9002:9233 SENT CONTROL [laptop2]: 'PUSH_REPLY,route-ipv6 2000::/3,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,dhcp-option DNS6 2620:0:ccc::2,dhcp-option DNS6 2620:0:ccd::2,tun-ipv6,route-gateway 192.168.7.1,topology subnet,ping 10,ping-restart 120,ifconfig-ipv6 2a05:8280:f:43aa:aaaa::1000/80 2a05:8280:f:43aa:aaaa::1,ifconfig 192.168.7.10 255.255.255.0,peer-id 0,cipher AES-256-CBC' (status=1)

And Windows CLIENT LOG (--verb 3):

2022-10-08 00:46:03 OpenVPN 2.5.6 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Mar 16 2022
2022-10-08 00:46:03 Windows version 10.0 (Windows 10 or greater) 64bit
2022-10-08 00:46:03 library versions: OpenSSL 1.1.1n  15 Mar 2022, LZO 2.10
2022-10-08 00:46:03 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25342
2022-10-08 00:46:03 Need hold release from management interface, waiting...
2022-10-08 00:46:04 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25342
2022-10-08 00:46:04 MANAGEMENT: CMD 'state on'
2022-10-08 00:46:04 MANAGEMENT: CMD 'log all on'
2022-10-08 00:46:04 MANAGEMENT: CMD 'echo all on'
2022-10-08 00:46:04 MANAGEMENT: CMD 'bytecount 5'
2022-10-08 00:46:04 MANAGEMENT: CMD 'hold off'
2022-10-08 00:46:04 MANAGEMENT: CMD 'hold release'
2022-10-08 00:46:04 TCP/UDP: Preserving recently used remote address: [AF_INET6]2a05:8280:f:43aa::1:2023
2022-10-08 00:46:04 Socket Buffers: R=[65536->65536] S=[65536->65536]
2022-10-08 00:46:04 Attempting to establish TCP connection with [AF_INET6]2a05:8280:f:43aa::1:2023 [nonblock]
2022-10-08 00:46:04 MANAGEMENT: >STATE:1665179164,TCP_CONNECT,,,,,,
2022-10-08 00:46:04 TCP connection established with [AF_INET6]2a05:8280:f:43aa::1:2023
2022-10-08 00:46:04 TCPv6_CLIENT link local: (not bound)
2022-10-08 00:46:04 TCPv6_CLIENT link remote: [AF_INET6]2a05:8280:f:43aa::1:2023
2022-10-08 00:46:04 MANAGEMENT: >STATE:1665179164,WAIT,,,,,,
2022-10-08 00:46:04 MANAGEMENT: >STATE:1665179164,AUTH,,,,,,
2022-10-08 00:46:04 TLS: Initial packet from [AF_INET6]2a05:8280:f:43aa::1:2023, sid=3b6ee39c 19b9e9b1
2022-10-08 00:46:04 VERIFY OK: depth=1, CN=vps
2022-10-08 00:46:04 VERIFY KU OK
2022-10-08 00:46:04 Validating certificate extended key usage
2022-10-08 00:46:04 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2022-10-08 00:46:04 VERIFY EKU OK
2022-10-08 00:46:04 VERIFY OK: depth=0, CN=server
2022-10-08 00:46:04 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2022-10-08 00:46:04 [server] Peer Connection Initiated with [AF_INET6]2a05:8280:f:43aa::1:2023
2022-10-08 00:46:04 PUSH: Received control message: 'PUSH_REPLY,route-ipv6 2000::/3,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,dhcp-option DNS6 2620:0:ccc::2,dhcp-option DNS6 2620:0:ccd::2,tun-ipv6,route-gateway 192.168.7.1,topology subnet,ping 10,ping-restart 120,ifconfig-ipv6 2a05:8280:f:43aa:aaaa::1000/80 2a05:8280:f:43aa:aaaa::1,ifconfig 192.168.7.10 255.255.255.0,peer-id 0,cipher AES-256-CBC'
2022-10-08 00:46:04 OPTIONS IMPORT: timers and/or timeouts modified
2022-10-08 00:46:04 OPTIONS IMPORT: --ifconfig/up options modified
2022-10-08 00:46:04 OPTIONS IMPORT: route options modified
2022-10-08 00:46:04 OPTIONS IMPORT: route-related options modified
2022-10-08 00:46:04 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2022-10-08 00:46:04 OPTIONS IMPORT: peer-id set
2022-10-08 00:46:04 OPTIONS IMPORT: adjusting link_mtu to 1626
2022-10-08 00:46:04 OPTIONS IMPORT: data channel crypto options modified
2022-10-08 00:46:04 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
2022-10-08 00:46:04 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-10-08 00:46:04 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
2022-10-08 00:46:04 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-10-08 00:46:04 interactive service msg_channel=288
2022-10-08 00:46:04 GDG6: remote_host_ipv6=2a05:8280:f:43aa::1
2022-10-08 00:46:04 GetBestInterfaceEx() returned if=12
2022-10-08 00:46:04 GDG6: II=12 DP=::/0 NH=fe80::ce2d:e0ff:fe9c:207e
2022-10-08 00:46:04 GDG6: Metric=256, Loopback=0, AA=1, I=0
2022-10-08 00:46:04 ROUTE6: 2000::/4 overlaps IPv6 remote 2a05:8280:f:43aa::1, adding host route to VPN endpoint
2022-10-08 00:46:04 ROUTE6: 2000::/3 overlaps IPv6 remote 2a05:8280:f:43aa::1, adding host route to VPN endpoint
2022-10-08 00:46:04 open_tun
2022-10-08 00:46:04 tap-windows6 device [OpenVPN TAP-Windows6] opened
2022-10-08 00:46:04 TAP-Windows Driver Version 9.24 
2022-10-08 00:46:04 Set TAP-Windows TUN subnet mode network/local/netmask = 192.168.7.0/192.168.7.10/255.255.255.0 [SUCCEEDED]
2022-10-08 00:46:04 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.7.10/255.255.255.0 on interface {30DC3ECB-1B9D-443C-8ED2-23BFC8F4E46C} [DHCP-serv: 192.168.7.0, lease-time: 31536000]
2022-10-08 00:46:04 Successful ARP Flush on interface [8] {30DC3ECB-1B9D-443C-8ED2-23BFC8F4E46C}
2022-10-08 00:46:04 MANAGEMENT: >STATE:1665179164,ASSIGN_IP,,192.168.7.10,,,,,2a05:8280:f:43aa:aaaa::1000
2022-10-08 00:46:04 IPv4 MTU set to 1500 on interface 8 using service
2022-10-08 00:46:04 INET6 address service: add 2a05:8280:f:43aa:aaaa::1000/128
2022-10-08 00:46:04 add_route_ipv6(2a05:8280:f:43aa:aaaa::/80 -> 2a05:8280:f:43aa:aaaa::1000 metric 0) dev OpenVPN TAP-Windows6
2022-10-08 00:46:04 IPv6 route addition via service succeeded
2022-10-08 00:46:05 IPv6 dns servers set using service
2022-10-08 00:46:05 IPv6 MTU set to 1500 on interface 8 using service
2022-10-08 00:46:10 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
2022-10-08 00:46:10 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 192.168.7.1
2022-10-08 00:46:10 Route addition via service succeeded
2022-10-08 00:46:10 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 192.168.7.1
2022-10-08 00:46:10 Route addition via service succeeded
2022-10-08 00:46:10 add_route_ipv6(2a05:8280:f:43aa::1/128 -> fe80::ce2d:e0ff:fe9c:207e metric 1) dev OpenVPN TAP-Windows6
2022-10-08 00:46:10 IPv6 route addition via service succeeded
2022-10-08 00:46:10 add_route_ipv6(2000::/3 -> 2a05:8280:f:43aa:aaaa::1 metric -1) dev OpenVPN TAP-Windows6
2022-10-08 00:46:10 IPv6 route addition via service succeeded
2022-10-08 00:46:10 add_route_ipv6(::/3 -> 2a05:8280:f:43aa:aaaa::1 metric -1) dev OpenVPN TAP-Windows6
2022-10-08 00:46:10 IPv6 route addition via service succeeded
2022-10-08 00:46:10 add_route_ipv6(2000::/4 -> 2a05:8280:f:43aa:aaaa::1 metric -1) dev OpenVPN TAP-Windows6
2022-10-08 00:46:10 IPv6 route addition via service succeeded
2022-10-08 00:46:10 add_route_ipv6(3000::/4 -> 2a05:8280:f:43aa:aaaa::1 metric -1) dev OpenVPN TAP-Windows6
2022-10-08 00:46:10 IPv6 route addition via service succeeded
2022-10-08 00:46:10 add_route_ipv6(fc00::/7 -> 2a05:8280:f:43aa:aaaa::1 metric -1) dev OpenVPN TAP-Windows6
2022-10-08 00:46:10 IPv6 route addition via service succeeded
2022-10-08 00:46:10 Initialization Sequence Completed
2022-10-08 00:46:10 MANAGEMENT: >STATE:1665179170,CONNECTED,SUCCESS,192.168.7.10,2a05:8280:f:43aa::1,2023,2a02:2168:8e8a:5000:88de:b01d:9002:9233,65052,2a05:8280:f:43aa:aaaa::1000
And when I enable the «tcpdump -i tun0» command on the OpenVPN server, there are only IPv4 addresses.

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Setting OpenVPN dual stack (IPv4 +IPv6)

Post by ordex » Fri Oct 07, 2022 10:08 pm

There was a typ0 in my message: /60 was wrong. I always meant /80. However, this shouldn't be an issue.
Your logs look correct though.

What happens if on the windows client you try:

ping6 2a05:8280:f:43aa:aaaa::1

(or just "ping" - I don't recall what's the exact name of the tool on windows)

adroman
OpenVPN User
Posts: 20
Joined: Thu Jun 14, 2018 2:40 pm

Re: Setting OpenVPN dual stack (IPv4 +IPv6)

Post by adroman » Fri Oct 07, 2022 10:18 pm

ordex wrote:
Fri Oct 07, 2022 10:08 pm
ping6 2a05:8280:f:43aa:aaaa::1

Thank you so much, I fixed the typo anyway :)
As expected, nothing has changed :)
Address 2a05:8280:f:43aa:aaaa::1 pings without problems :)
And I began to get IPv6 in TCP dump while pinging this address :)

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Setting OpenVPN dual stack (IPv4 +IPv6)

Post by ordex » Fri Oct 07, 2022 10:27 pm

what if you ping 2a00:1450:4002:403::2004 ? (google's address)
Do you still see the ping going through tun0?

adroman
OpenVPN User
Posts: 20
Joined: Thu Jun 14, 2018 2:40 pm

Re: Setting OpenVPN dual stack (IPv4 +IPv6)

Post by adroman » Fri Oct 07, 2022 10:32 pm

ordex wrote:
Fri Oct 07, 2022 10:27 pm
what if you ping 2a00:1450:4002:403::2004 ? (google's address)
Do you still see the ping going through tun0?
Unfortunately this address isn't accessible :o

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Setting OpenVPN dual stack (IPv4 +IPv6)

Post by ordex » Fri Oct 07, 2022 10:37 pm

do you see any traffic on tun0 on the server? If you see the ICMP ECHO requests, but you see no reply, then most likely the server is not forwarding the traffic.
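
The check suggested in the post above, written out as an added example (this is not ordex's or OpenVPN's code, and it is not part of the thread): a small POSIX sh helper that classifies a tcpdump capture from tun0 as "ok" (echo replies seen), "no-reply" (echo requests leave but nothing returns, the symptom attributed to the server not forwarding) or "no-traffic", and prints the kernel IPv6 forwarding flags that have to be 1 for the server to relay client packets. It assumes the Linux /proc/sys layout and the line format of `tcpdump -n icmp6`; every capture line inside it is a constructed sample, not output from the poster's server.

```sh
#!/bin/sh
# Added diagnostic helper, not code from the thread or from OpenVPN. It turns the
# check ordex suggests (echo requests visible on tun0 but no replies => the server
# is not forwarding) into something repeatable, and reports the kernel IPv6
# forwarding switches. Assumptions: Linux /proc/sys layout, and the line format of
# "tcpdump -n icmp6"; all capture lines below are constructed samples.

# Constructed sample: three echo requests from the VPN client leave through tun0,
# a neighbor solicitation is present, but no echo reply ever comes back.
SAMPLE_NO_REPLY='12:00:00.500000 IP6 fe80::1 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a05:8280:f:43aa:aaaa::1, length 32
12:00:01.000001 IP6 2a05:8280:f:43aa:aaaa::1000 > 2a00:1450:4002:403::2004: ICMP6, echo request, id 1, seq 1, length 40
12:00:02.000002 IP6 2a05:8280:f:43aa:aaaa::1000 > 2a00:1450:4002:403::2004: ICMP6, echo request, id 1, seq 2, length 40
12:00:03.000003 IP6 2a05:8280:f:43aa:aaaa::1000 > 2a00:1450:4002:403::2004: ICMP6, echo request, id 1, seq 3, length 40'

# Constructed sample: the healthy case, every request answered.
SAMPLE_OK='12:00:01.000001 IP6 2a05:8280:f:43aa:aaaa::1000 > 2a00:1450:4002:403::2004: ICMP6, echo request, id 1, seq 1, length 40
12:00:01.020000 IP6 2a00:1450:4002:403::2004 > 2a05:8280:f:43aa:aaaa::1000: ICMP6, echo reply, id 1, seq 1, length 40
12:00:02.000002 IP6 2a05:8280:f:43aa:aaaa::1000 > 2a00:1450:4002:403::2004: ICMP6, echo request, id 1, seq 2, length 40
12:00:02.020000 IP6 2a00:1450:4002:403::2004 > 2a05:8280:f:43aa:aaaa::1000: ICMP6, echo reply, id 1, seq 2, length 40'

# Count ICMPv6 echo requests and echo replies in a capture read from stdin.
# Prints two numbers: "<requests> <replies>".
icmp6_echo_counts() {
    awk '/ICMP6, echo request/ { req++ }
         /ICMP6, echo reply/   { rep++ }
         END { printf "%d %d\n", req + 0, rep + 0 }'
}

# Classify a capture read from stdin:
#   ok          echo replies are seen, so traffic is forwarded and answered
#   no-reply    requests leave through tun0 but nothing comes back (the case ordex
#               attributes to the server not forwarding)
#   no-traffic  no echo packets at all on tun0 (the client is not routing via the VPN)
diagnose_capture() {
    counts=$(icmp6_echo_counts)
    req=${counts% *}
    rep=${counts#* }
    if [ "$rep" -gt 0 ]; then
        echo ok
    elif [ "$req" -gt 0 ]; then
        echo no-reply
    else
        echo no-traffic
    fi
}

# Print the IPv6 forwarding flag for "all" and for the tunnel interface (default
# tun0). Both need to be 1 for the server to relay client packets; "unknown" means
# the /proc entry is absent (interface down, or not Linux).
check_ipv6_forwarding() {
    for iface in all "${1:-tun0}"; do
        f="/proc/sys/net/ipv6/conf/$iface/forwarding"
        if [ -r "$f" ]; then
            printf '%s=%s\n' "$iface" "$(cat "$f")"
        else
            printf '%s=unknown\n' "$iface"
        fi
    done
}

# Demonstration on the constructed samples, then the live forwarding flags.
printf 'sample without replies: %s\n' "$(printf '%s\n' "$SAMPLE_NO_REPLY" | diagnose_capture)"
printf 'sample with replies:    %s\n' "$(printf '%s\n' "$SAMPLE_OK" | diagnose_capture)"
check_ipv6_forwarding tun0
# On the real server, while the client pings a public IPv6 address:
#   tcpdump -l -n -i tun0 -c 20 icmp6 | diagnose_capture
```

A "no-reply" result narrows the problem to the server side (forwarding flag, the IPv6 FORWARD chain of the firewall, or the upstream having no route back to the client's /80), since the tunnel itself is already carrying the client's packets; "no-traffic" points back at the client's routing table instead.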
