OpenVPN IPv6 not working
-
Had some more issues with connecting to the OpenVPN setup. Decided to scrap all of my OpenVPN settings and certs and start fresh. I can connect successfully to the VPN while I am on the LAN side of the network. As soon as my connection is coming from the WAN side, it fails to establish a connection. The firewall logs (System Logs>Firewall) say the block is due to block/1000000105 "Default Deny IPv6 rule". Looking into this, all of my IPv6 connections are being blocked by this rule. IPv6 used to work fine so it must be some change I made. Under System>Advanced>Networking "Allow IPv6" is still checked. Under Firewall > Rules > LAN, I have an allow IPv6 rule above all the other IPv6 rules. See attached screenshot.
The only other stuff I was playing around with at the time was Suricata. In trying to get to the bottom of this I have disabled Suricata, Snort, pfBlockerNG, and a Squid transparent proxy.
Posted here as it is kind of a follow-up but may be better in a different subforum?
Thanks
Edit: about 2 hours later with no other changes made and IPv6 seems to be mostly back to normal. The router IPv6 address has changed a few times over the last few hours so my ISP (a small startup) could've been "tinkering". Still struggling to get OpenVPN to connect from outside the network as my remote device is having it's IP caught in the default deny IPv6 rule.
-
Shouldn't the IPv6 address be inside the /64 range that my home ISP is handing out? I know with IPv6 everything can have it's own IP address but I was expecting the IPv6 addresses of my home network to be handed to my phone over the VPN as it does with IPv4.
With a VPN in tunnel mode, you want different network addresses for the remote, not on the home network. With IPv6, you often get multiple /64s. Use a different one from at home.
-
Thanks JKnott. My understanding is that in order to have multiple /64s that my ISP would have to hand out something like a /56 to each customer. I previously verified with my ISP that each customer is just getting a /64. So I'm not sure what I can do about that.
As far as the blocked remote client, all solicited IPv6 traffic seems to pass. I'm thinking since the VPN initialization is unsolicited, that is why it is being blocked but the firewall rule from the OpenVPN wizard should've fixed that by opening the correct port. At this point, it feels like I must have made a stupid mistake somewhere along the line.
-
"I previously verified with my ISP that each customer is just getting a /64. So I'm not sure what I can do about that."
Just get a /48 from HE and not give 2 shits what your isp is doing with or not with ipv6 ;) Or how bad they are dicking it up, etc. etc..
That they would think users should only get a /64 is just beyond stupid.. Should be allowed to get atleast a /60… That would give you 16 /64 to work with... Which should cover most homes with room to play and segment their wifi networks, etc. etc.
Shoot even the lamest of the lamest wifi routers these days allow for a "guest" wifi network - which would need its own /64 so even billy what is network user would have valid use of 2 /64s..
-
Thanks JKnott. My understanding is that in order to have multiple /64s that my ISP would have to hand out something like a /56 to each customer. I previously verified with my ISP that each customer is just getting a /64. So I'm not sure what I can do about that.
My ISP provides only a single /64, if you use their gateway. However, if it's placed in bridge mode and used with a separate router, up to a /56 is available. Does the same apply to your ISP? Since you're using pfSense, you want to be using bridge mode.
Also, i find first level support often does not really understand what they're talking about.
-
johnpoz, I could certainly attempt to set that up but at this point I think there should be a way for me to get this working without using any HE services, as nice as they are.
JKnott, I just set my WAN to a /56 and the router and my other devices would no longer grab an IPv6 address. I switched it back to /64 and everything came back. So I'm thinking /64 is all I've got. My ISP uses fiber so the closest thing I have to a modem is their media converter from fiber to ethernet. They don't supply a router (which is good as far as I'm concerned) so there is nothing to bridge.
Looking through the firewall logs, the "deny IPv6" I was seeing of my VPN client was a port 53 request. I had setup the OpenVPN server to use my router for DNS. Once I changed the OpenVPN server to use a public DNS provider I'm no longer seeing packets from my client hitting the firewall and being blocked.
JKnott, looking at the OpenVPN logs you might be on to something with the IPv6 address issue.
Here are the OpenVPN server logs with my IP redacted:
Oct 21 12:31:40
openvpn
30854
CLIENT_IPv6_ADDRESS write UDPv6: Can't assign requested address (code=49)Oct 21 12:31:42
openvpn
30854
CLIENT_IPv6_ADDRESS Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1508603499) Sat Oct 21 12:31:39 2017 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warningsOct 21 12:31:42
openvpn
30854
CLIENT_IPv6_ADDRESS TLS Error: incoming packet authentication failed from [AF_INET6]CLIENT_IPv6_ADDRESS:40549 (via SERVER_IPv6_ADDRESS%em0)Oct 21 12:31:42
openvpn
30854
CLIENT_IPv6_ADDRESS write UDPv6: Can't assign requested address (code=49)Oct 21 12:31:44
openvpn
30854
CLIENT_IPv6_ADDRESS Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1508603499) Sat Oct 21 12:31:39 2017 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warningsOct 21 12:31:44
openvpn
30854
CLIENT_IPv6_ADDRESS TLS Error: incoming packet authentication failed from [AF_INET6]CLIENT_IPv6_ADDRESS:40549 (via SERVER_IPv6_ADDRESS%em0) -
JKnott, I just set my WAN to a /56 and the router and my other devices would no longer grab an IPv6 address. I switched it back to /64 and everything came back. So I'm thinking /64 is all I've got. My ISP uses fiber so the closest thing I have to a modem is their media converter from fiber to ethernet. They don't supply a router (which is good as far as I'm concerned) so there is nothing to bridge.
Do you have other devices connected directly to the media converter? Or are they behind pfSense? When you change to /56, does your WAN interface still get an IPv6 address?
Also, a quick search shows AT&T providing bigger prefixes than just a /64. Perhaps someone else here has experience with them.
-
There are no other devices connected to the media converter. It only has one ethernet jack and that goes straight to the WAN port of pfSense. All of my devices are behind pfSense. My ISP is a small regional one so all I know is what they tell me (for better or worse). Forgive my lack of knowledge with IPv6. pfSense reports my WAN address something like 2001:0db8:0a0b:12f0:: for example, when I have selected a /64. It reports my LAN address something similar to 2001:0db8:3731:65fe:0e2a:2357:4ac4:0732 where the first two "groups" match the WAN address and the last six numbers/digits match the last six of the LAN MAC address. When I switch to a /56, the WAN address stays the same but the LAN address only lists an IPv4 address. I tested this with setting the prefix size to a /48 and none, and they all reacted the same with no LAN IPv6. Only the /64 gave a LAN IPv6 address.
-
"When I switch to a /56"
It doesn't work that way!!! You can not just switch the mask..
You would request a prefix delegation from your ISP for the size of network you need.. Or they need to give you the info on what it is static… There is NO scenario ever that you would change the mask on an interface to /56..
-
You can select a different prefix size on the WAN interface page. This is done in the DHCPv6 Prefix Delegation size box.
-
I said I lacked IPv6 knowledge…guess it shows haha. Anyway, when I "switch to a /56" I am going to the WAN interface and selecting the "DHCP Prefix Delegation size" box and changing that value.
Johnpoz, it sounds like you are saying the Prefix size should only be changed after I verify with my ISP the size that they are giving me or request a different size and set my Prefix size to match?
JKnott, my assumption was that changing the Prefix size would somehow request that Prefix size from my ISP. It sounds like that isn't the case according to johnpoz.
Thanks for the help guys. Apologies for being a newb.
-
"verified with my ISP that each customer is just getting a /64."
If they are not going to to delegate a /X to you then nothing you can do is going to change that. Be it you request a /56 or /60 or whatever.
Like I said before - if your isp ipv6 deployment is borked.. Why dick with it when it takes all of 1 minute to have a /48 that you can do with as you will.. And just forget your stupid ISP until such time they get their act together.. Which I highly doubt they will for years to come.. Since the vast majority of users are idiot users that just plug in their soho router and see if facebook.com loads on their devices.
The other advantage is this /48 you get from HE is yours - it not going to change.. Even if you have your isp delegate you a /60 or /56, etc. That could change to some other IP block at the drop of hat.. It's not like this /X has been assigned to you and only you like you get with a HE delegation.. HE even allows you setup PTR records on this space - your isp going to allow you to do that?
Your talking about dicking with a borked setup for at best shaving off a few extra ms the tunnel to HE is going to add.
I just do not understand the point of dicking with such a setup when it takes all of 1 minute to have a working setup that gives you complete control.
Another advantage of HE tunnel - is you can move ISPs and not care if they support IPv6 or not, etc. You can move your /48 to any isp you wish to use for connectivity. I have had the same IPv6 space from HE since Jun 20, 2013..
-
JKnott, my assumption was that changing the Prefix size would somehow request that Prefix size from my ISP. It sounds like that isn't the case according to johnpoz.
I suspect he means you can't ask for something that isn't offered. With my ISP, I can request any size prefix up to /56. So, if I only wanted a /60, I could configure pfSense to request that. On the other hand, requesting a /48 would not work, as my ISP doesn't provide that. I have pfSense configured to request a /56.
-
Johnpoz, at this point I agree. It's not a simple fix for me on the ISP side. Just want to clarify you are talking about their tunnel broker service. Do you know right off hand if it'll work with me having CGNAT'ed IPv4 and a /64 IPv6? I'm assuming you wouldn't recommend it if it wouldn't work for me. I'll prolly just Google some setup tutorials unless you can recommend one. Thanks for all the help.
-
JKnott, thanks for the clarification.
-
If you are behind a carrier grade nat for your IPv4. Then you could have some problems with a tunnel.. Is it a 1:1 nat where all traffic is sent to your rfc1918 IPv4?
My bad!! I did not catch the CGNat part… Sorry.. But depends on how the CGnat is being done.
Off the top a way around your shitty ISP.. They put you behind a nat for ipv4 and only give you 1 /64.. Would be to change ISP ;) That is not always an options though..
You could just get a VPS somewhere... There are many that offer /48 with your vps.. Then create a tunnel to this VPS where your the initiator.. Say openvpn tunnel.. Then tunnel the ipv6 through this tunnel.. Its a bit of a hack.. But there are many ways to work around the incompetence of some of these so called ISPs..
-
I can't say for sure that it is a 1:1 nat. I'm happy to test it, if there is a way I can. All I know is that I have a 10.x.x.x address behind a public IP. It's fiber internet so I do see some broadcast traffic from neighbors that share the fiber splitter.
Not to go off topic but as far as my "shitty ISP" goes, they are the only real competition in town. They offer gigabit and the next fastest competitor maxes out at 60mbits from the cable company (Granted the cable company offers public IPv4 and IPv6 addresses). With my ISP the upload speeds are much better too. I would rather deal with these guys than the cable company. The customer service is a lot better. They originally were handing out public IPv4 addresses when I signed up but ran out of them shortly thereafter and started NATing. I don't like it either but I'll deal.
Not looking to sign up for a vps. If I have to spend money, I'll just setup something like teamviewer and deal. I'd rather not, but works in a pinch for my needs (mostly just local access to my machines)
-
Stupid question…I'm making some assumptions based on what I know of IPv4 that probably don't translate to IPv6 but here it goes...I am only using the VPN to access remote machines at home. I don't "need" a public IPv6 handed to my client from the OpenVPN server (assuming that is even right to say), I just need access to a couple machines at the house. Is there any way to accomplish that? When I had OpenVPN setup before my IPv4 address was put behind CGNAT I just used a 10.x.x.x address for the OpenVPN clients while my actual network used 192.168.x.x addresses. Does IPv6 have anything like this? A non-routable address that I could hand out to the client just to provide some connectivity across OpenVPN.
Like I said, I'm probably missing something. I know the fundamental idea behind IPv6 is to NOT need non-routable IP's. Hoping someone can correct any of my misconceptions.
Thanks
-
^^^^
You could use Unique Local Addresses, which are the IPv6 version of the IPv4 RFC 1918 addresses. -
Thanks for the quick reply. I'll try it out tonight. Looks like something in the fc00::/7 block is what I need to use?
Thanks again