If I modify the server config from
Code:
proto udp
Code:
proto udp6
When the server is running (it runs on port 5353), issuing this command
Code:
netstat --numeric-ports -lu | grep 5353
Code:
udp6 0 0 [::]:5353 [::]:*
The connection attempt in OpenVPN Connect shows an error in the log.
Code:
[Sep 24, 2022, 14:47:32] OpenVPN core 3.git::c2153df1 win x86_64 64-bit built on Oct 6 2021 14:20:53
[Sep 24, 2022, 14:47:32] Frame=512/2048/512 mssfix-ctrl=1250
[Sep 24, 2022, 14:47:32] UNUSED OPTIONS
8 [verb] [2]
9 [mute] [20]
12 [persist-key]
13 [persist-tun]
15 [resolv-retry] [infinite]
16 [nobind]
[Sep 24, 2022, 14:47:32] EVENT: RESOLVE
[Sep 24, 2022, 14:47:32] Contacting [xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx]:5353 via UDP
[Sep 24, 2022, 14:47:32] EVENT: WAIT
[Sep 24, 2022, 14:47:32] WinCommandAgent: transmitting bypass route to xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
{
"host" : "xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx",
"ipv6" : true
}
[Sep 24, 2022, 14:47:32] Transport Error: socket_protect error (UDP)
[Sep 24, 2022, 14:47:32] Client terminated, restarting in 2000 ms...
- The VPS is able to receive and process IPv6 traffic with other applications, both TCP and UDP.
- The VPN server is able to process IPv6 traffic being bounced from incoming IPv4 data.
- No traffic is reaching the server from OpenVPN Connect in IPv6 mode.
- The agent service IS running (verified)
- I am using the latest version of OpenVPN Connect 3.3.4 (2600) (at least that's what the update feature downloaded)
- My Windows install is perfectly capable of communicating over IPv6 to my VPS and to other hosts.
Can anyone please explain what is wrong with OpenVPN Connect for Windows using IPv6 and how I can resolve the problem?
Thanks
Spud.
EDIT1:
Found multiple posts in this forum with pretty much similar or identical issues with no solutions posted, some of them being quite old. Leads me to believe this is a known issue that is being "overlooked" or ignored. This is unfortunate, but I guess free software ain't going to be perfect. I will attempt to find a workaround or fix myself. I have already managed to redirect IPv4 traffic to IPv6 using a Windows-side application (self-written) which actually works, so I can at least connect to the VPN over IPv6 with an ugly hack. My situation is that IPv4 is not available on some subnets, so IPv6 connection is the only alternative. The local bouncing app solves that problem but it's not ideal at all.
EDIT2:
On initial investigation, the issue would appear to lie with the agent service (OpenVPN Agent agent_ovpnconnect). If I stop this service running, I get EXACTLY the same error with IPv4 as I do with IPv6. With the service running, v4 will then work, but v6 will not; it acts like the service is not running at all. This leads me to believe the agent service is not correctly dealing with IPv6. Next step is to completely remove OpenVPN Connect including all services et al. Then re-install. Maybe the agent service is not being updated correctly? Who knows?
EDIT3:
Well, literally one hour ago, the updater downloaded 3.3.4, I'm now informed that 3.3.6 is the latest version. *sigh* like wth?
EDIT4:
Okay, after uninstalling 3.3.4 (why didn't the updater just download 3.3.6???) restarting, confirming the agent service had been removed, installing 3.3.6, again restarting, confirming the agent service was back and running and importing profile. Exactly the same, "Transport Error: socket_protect error (UDP)". So re-installing fresh wasn't the solution. The hypothesis is that the agent service is bugged with regard to IPv6 and needs fixing. Now investigating further.
EDIT5:
Right. I uninstalled OpenVPN Connect, restarted, then installed the regular OpenVPN GUI (which seems to have been made deliberately awkward to find), copied over the IPv6 tunnel profile and VOILÀ! Works perfectly, in fact I'm using it while writing this. Thus the issue is 100% OpenVPN Connect having badly bugged IPv6 support. My suggestion is not to use it as it seems somewhat flaky. Not downloading the current latest version for updating, not supporting IPv6 properly, god knows what else is wrong with it. To be brutally frank, these are pretty simple things compared to security components so I definitely would not trust it an inch.
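
A triage helper for client logs shaped like the one in the post, added here as an example; it is not part of the original post and not OpenVPN code. It pairs each "Contacting" line with the agent bypass-route message and any "Transport Error" that follows, so an IPv4/IPv6 split like the one described under EDIT2 shows up at a glance. The names `summarize` and `errors_by_family` are hypothetical, and the second (IPv4) attempt in the sample is constructed.

```python
import re

# Constructed sample: the first attempt follows the log in the post (address masked
# the same way); the second, IPv4 attempt is invented here for contrast.
SAMPLE_LOG = """\
[Sep 24, 2022, 14:47:32] EVENT: RESOLVE
[Sep 24, 2022, 14:47:32] Contacting [xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx]:5353 via UDP
[Sep 24, 2022, 14:47:32] EVENT: WAIT
[Sep 24, 2022, 14:47:32] WinCommandAgent: transmitting bypass route to xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
{
"host" : "xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx",
"ipv6" : true
}
[Sep 24, 2022, 14:47:32] Transport Error: socket_protect error (UDP)
[Sep 24, 2022, 14:47:32] Client terminated, restarting in 2000 ms...
[Sep 24, 2022, 14:47:40] EVENT: RESOLVE
[Sep 24, 2022, 14:47:40] Contacting 203.0.113.10:5353 via UDP
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<msg>.*)$")
CONTACT = re.compile(r"^Contacting (?P<host>\[[^\]]+\]|[^\s:]+):(?P<port>\d+) via (?P<proto>\w+)$")

def summarize(log_text):
    attempts = []  # one record per "Contacting" line, plus what followed it
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # JSON body and option-dump lines carry no timestamp
        msg = m["msg"]
        c = CONTACT.match(msg)
        if c:
            attempts.append({
                "time": m["ts"], "host": c["host"].strip("[]"),
                "ipv6": c["host"].startswith("["),  # bracketed literal; works on masked addresses
                "port": int(c["port"]), "proto": c["proto"],
                "agent_bypass": False, "error": None})
        elif attempts and msg.startswith("WinCommandAgent: transmitting bypass route"):
            attempts[-1]["agent_bypass"] = True
        elif attempts and msg.startswith("Transport Error: "):
            attempts[-1]["error"] = msg[len("Transport Error: "):]
    return attempts

def errors_by_family(attempts):
    out = {"ipv4": [], "ipv6": []}  # transport errors grouped by address family
    for a in attempts:
        if a["error"]:
            out["ipv6" if a["ipv6"] else "ipv4"].append(a["error"])
    return out
```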