Netgate Discussion Forum

    OpenVPN IPv6 not working

    OpenVPN
    49 Posts 4 Posters 11.3k Views
    • johnpoz LAYER 8 Global Moderator

      If you are behind a carrier grade NAT for your IPv4, then you could have some problems with a tunnel. Is it a 1:1 NAT where all traffic is sent to your RFC 1918 IPv4?

      My bad!! I did not catch the CGNAT part... Sorry. But it depends on how the CGNAT is being done.

      Off the top, a way around your shitty ISP (they put you behind a NAT for IPv4 and only give you one /64) would be to change ISP ;) That is not always an option though.

      You could just get a VPS somewhere... There are many that offer a /48 with your VPS. Then create a tunnel to this VPS where you're the initiator, say an OpenVPN tunnel, then tunnel the IPv6 through this tunnel. It's a bit of a hack, but there are many ways to work around the incompetence of some of these so-called ISPs.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

    • digitalgeek

      I can't say for sure that it is a 1:1 NAT. I'm happy to test it, if there is a way I can. All I know is that I have a 10.x.x.x address behind a public IP. It's fiber internet so I do see some broadcast traffic from neighbors that share the fiber splitter.

      Not to go off topic but as far as my "shitty ISP" goes, they are the only real competition in town. They offer gigabit and the next fastest competitor maxes out at 60 Mbit/s from the cable company (granted, the cable company offers public IPv4 and IPv6 addresses). With my ISP the upload speeds are much better too. I would rather deal with these guys than the cable company. The customer service is a lot better. They originally were handing out public IPv4 addresses when I signed up but ran out of them shortly thereafter and started NATing. I don't like it either but I'll deal.

      Not looking to sign up for a VPS. If I have to spend money, I'll just set up something like TeamViewer and deal. I'd rather not, but it works in a pinch for my needs (mostly just local access to my machines).

    • digitalgeek

          Stupid question…I'm making some assumptions based on what I know of IPv4 that probably don't translate to IPv6 but here it goes...I am only using the VPN to access remote machines at home. I don't "need" a public IPv6 handed to my client from the OpenVPN server (assuming that is even right to say), I just need access to a couple machines at the house. Is there any way to accomplish that? When I had OpenVPN setup before my IPv4 address was put behind CGNAT I just used a 10.x.x.x address for the OpenVPN clients while my actual network used 192.168.x.x addresses. Does IPv6 have anything like this? A non-routable address that I could hand out to the client just to provide some connectivity across OpenVPN.

      Like I said, I'm probably missing something. I know the fundamental idea behind IPv6 is to NOT need non-routable IPs. Hoping someone can correct any of my misconceptions.

          Thanks

    • JKnott

            ^^^^
            You could use Unique Local Addresses, which are the IPv6 version of the IPv4 RFC 1918 addresses.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

    • digitalgeek

              Thanks for the quick reply. I'll try it out tonight. Looks like something in the fc00::/7 block is what I need to use?

              Thanks again

    • johnpoz LAYER 8 Global Moderator

      If all you want is IPv6 access into your local network from your VPN clients, then yes, you could use ULA prefixes. But these remote clients will not be able to get access to the internet from this ULA address. But you could then NPt that to the /64 you get from your ISP.. But off the top of my head, I'm not sure if it is possible to NAT multiple ULAs to a single /64 prefix via NPt (network prefix translation).. JKnott would know..

                What exactly is your end game with IPv6?  What are you hoping to accomplish with it?

    • JKnott

                  @digitalgeek:

                  Thanks for the quick reply. I'll try it out tonight. Looks like something in the fc00::/7 block is what I need to use?

                  Thanks again

      While the entire fc00::/7 block is ULA, officially fc00::/8 is supposed to be assigned from a central server and fd00::/8 is used with a random 40-bit number you can choose, to create a /48 prefix.

    • JKnott

                    @johnpoz:

      If all you want is IPv6 access into your local network from your VPN clients, then yes, you could use ULA prefixes. But these remote clients will not be able to get access to the internet from this ULA address. But you could then NPt that to the /64 you get from your ISP.. But off the top of my head, I'm not sure if it is possible to NAT multiple ULAs to a single /64 prefix via NPt (network prefix translation).. JKnott would know..

                    I've never used it, as I'm allergic to NAT.  ;)

      However, I believe NAT is possible, but not recommended. Regardless, I believe the OP only wanted access to his own network and not the Internet, so ULA without NAT would be fine.

    • digitalgeek

                      End game is secure access to my home network from my devices when out of the house. This basically boils down to SSH access from my android phone to multiple devices on my network. OpenVPN was the easiest way to accomplish this in my mind (at the time) so that I only needed one port open instead of a different port for each SSH server and managing all of that. Originally I had a public IPv4 and all was well. Then my ISP NATed my IPv4 and I was screwed. Then a few months later they enabled IPv6 (/64) and that's where I'm at now. My only need for IPv6 is that my pfSense box now has a public IP. When my VPN was working I would access devices using IPv4 addresses anyway. So my only real need for IPv6 is the fact that it is the only public IP address my router (OpenVPN server) has.

                      Edit: Beyond SSH access, would also like access to some locally hosted web pages and the pfSense web GUI  :D

    • JKnott

      @digitalgeek:

      End game is secure access to my home network from my devices when out of the house.

      Then ULA will do fine. As I said, pick a 40-bit number to append to fd, to create a /48 prefix. Then assign one of the /64 prefixes from the /48 to OpenVPN. pfSense should be able to route appropriately.

      Incidentally, the reason for the 40-bit random number is to avoid the collisions that often happened with the limited RFC 1918 space on IPv4. It's highly unlikely that two people would choose the same number. One way to create a "random" number is to go to www.grc.com, to the Perfect Passwords page, where you'll find one box that has 64 random hex digits. Select any 10 for your 40-bit random number.

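JKnott's recipe above (40 random bits after fd, giving a /48, then one /64 out of it for the OpenVPN tunnel) is the RFC 4193 procedure. The block below is an added example, not code from this thread or from pfSense. It derives the 40-bit Global ID the way RFC 4193 section 3.2.2 specifies (SHA-1 over a 64-bit NTP timestamp and an EUI-64, keep the low 40 bits), which does the same job as the grc.com hex trick, then carves a /64 out of the /48 and prints the OpenVPN server-side directives that correspond to pfSense's "IPv6 Tunnel Network" field plus a pushed route for the LAN. The EUI-64 and the Subnet IDs are constructed values; on a real box use the EUI-64 of a physical interface or, as the RFC permits, any locally generated 64-bit value.

```python
"""Build an RFC 4193 ULA /48 and carve out a /64 for an OpenVPN tunnel (added example)."""
import hashlib
import ipaddress
import time
from typing import Iterable, List

NTP_EPOCH_OFFSET = 2_208_988_800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)


def ntp_timestamp_now() -> int:
    """Current time as a 64-bit NTP timestamp: 32-bit seconds since 1900, 32-bit fraction."""
    now = time.time()
    secs = int(now) + NTP_EPOCH_OFFSET
    frac = int((now - int(now)) * (1 << 32))
    return ((secs & 0xFFFFFFFF) << 32) | (frac & 0xFFFFFFFF)


def ula_global_id(eui64: bytes, ntp_timestamp: int) -> int:
    """RFC 4193 3.2.2: SHA-1 over (NTP timestamp || EUI-64); the low 40 bits are the Global ID."""
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be exactly 8 bytes")
    digest = hashlib.sha1(ntp_timestamp.to_bytes(8, "big") + eui64).digest()
    return int.from_bytes(digest[-5:], "big")  # least significant 40 bits of the 160-bit hash


def ula_prefix(global_id: int) -> ipaddress.IPv6Network:
    """fd00::/8 (fc00::/7 with the L bit set) followed by the 40-bit Global ID gives the site /48."""
    if not 0 <= global_id < (1 << 40):
        raise ValueError("Global ID must fit in 40 bits")
    return ipaddress.IPv6Network(((0xFD << 120) | (global_id << 80), 48))


def ula_subnet(prefix: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """Select one of the 65536 /64s inside the /48 by its 16-bit Subnet ID (bits 48..63)."""
    if prefix.prefixlen != 48:
        raise ValueError("expected a /48 site prefix")
    if not 0 <= subnet_id < (1 << 16):
        raise ValueError("Subnet ID must fit in 16 bits")
    return ipaddress.IPv6Network((int(prefix.network_address) | (subnet_id << 64), 64))


def openvpn_ipv6_directives(tunnel: ipaddress.IPv6Network, lan_networks: Iterable[str]) -> List[str]:
    """Server-side OpenVPN lines: 'server-ipv6' is what pfSense's 'IPv6 Tunnel Network' field
    turns into, and each 'push route-ipv6' tells clients which LAN prefixes live behind the tunnel."""
    lines = [f"server-ipv6 {tunnel.with_prefixlen}"]
    for lan in lan_networks:
        lines.append(f'push "route-ipv6 {ipaddress.IPv6Network(lan).with_prefixlen}"')
    return lines


if __name__ == "__main__":
    # Constructed EUI-64 for illustration only (not a real interface identifier).
    eui64 = bytes.fromhex("0200a1fffeb2c3d4")
    gid = ula_global_id(eui64, ntp_timestamp_now())
    site = ula_prefix(gid)
    vpn = ula_subnet(site, 0x78AD)  # constructed Subnet ID for the tunnel
    lan = ula_subnet(site, 0x0001)  # constructed Subnet ID for the home LAN
    print("site /48:", site)
    print("vpn  /64:", vpn)
    print("lan  /64:", lan)
    print("\n".join(openvpn_ipv6_directives(vpn, [str(lan)])))
```

Running it once and recording the /48 is the whole point: the Global ID is meant to be generated one time and then kept, so that the VPN /64 and the LAN /64 stay inside the same site prefix and pfSense can route between them without any NAT.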
    • digitalgeek

                          Ok cool. I'm familiar with grc.com so I will head over there. Sorry for not leading off with the "end game"…would've saved everyone some time. We will see how this all goes.

                          Thanks again JKnott and johnpoz for the help.

    • digitalgeek

                            So I was feeling good about everything but when it came time to implement I ended up with more questions than answers. I'm feeling a bit in over my head at the moment and I know this should be pretty easy. I made up a /48 but am I supposed to enter it somewhere? I used the /48 and made up a /64 that I entered into the OpenVPN server under IPv6 Tunnel Network.  That didn't make any difference so I'm obviously missing something.  :-\

    • JKnott

                              I assume the /64 was one of the 65536 /64s in your /48?  When you set up the server, you put the /64 in "IPv6 Tunnel Network".  Do you see an IPv6 address on the client?

    • digitalgeek

                                Yeah. So I made up the /48 (ex. fd07:34ac:089d:: ) and didn't enter it anywhere. Then in the OpenVPN server I entered something like "fd07:34ac:089d:78ad::/64" under IPv6 Tunnel Network. When connected to my LAN over wifi I can startup the client OpenVPN app, connect, and get an IP of "fd07:34ac:089d:78ad::1000" along with the IPv4 Tunnel Network IP address. If I try to connect over the cellular network, OpenVPN gives me "CLIENT_IPv6_ADDRESS write UDPv6: Can't assign requested address (code=49)" errors along with "CLIENT_IPv6_ADDRESS Authenticate/Decrypt packet error: bad packet ID (may be a replay)" and then "TLS Error: incoming packet authentication failed" then it just times out.

      Edit: this might be nothing but I was playing around with the OpenVPN server protocol setting and the successful connection over wifi only works with the protocol set to "UDP IPv4 and IPv6 on all interfaces (multihome)". The firewall settings only allow IPv6 to the OpenVPN port. And the OpenVPN client lists the protocol as IPv6 when successfully connected. Just seemed odd to me that it doesn't work on "UDP on IPv6 Only" when the other settings seem like it should.

    • JKnott

                                  If you tunnel with IPv6 and your cell phone doesn't support IPv6, then you have a problem.  I have my tunnel set to use IPv4 as it's everywhere, but IPv6 is not.

    • digitalgeek

                                    That shouldn't be the issue. I'm on AT&T and have verified the IPv6 address that my phone gets from them is the same IPv6 address that comes up in any of the "what is my ip" services.

    • JKnott

                                      @digitalgeek:

                                      That shouldn't be the issue. I'm on AT&T and have verified the IPv6 address that my phone gets from them is the same IPv6 address that comes up in any of the "what is my ip" services.

                                      If it works when on WiFi when you're away from home, but not when connected via the cell network, that's the likely problem.  What happens if you use IPv4 for the tunnel?

    • digitalgeek

      My work only has IPv4 access through its ISP so I can't test IPv6 connectivity over WiFi there. I'll have to hop on a buddy's wifi to test. And to clarify, I've never tested it over Wifi while away from home. My "wifi testing" has been at home on the same network as my pfSense box so everything is local. If I use IPv4 for the tunnel I imagine I will have the problem that started when my ISP enabled CGNAT. That is, no connectivity as my IPv4 WAN at home is 10.10.x.x. Unless you mean testing it locally over wifi and an IPv4 tunnel... but that won't help me once I leave the house.

                                        johnpoz, I asked my ISP if the CGNAT was using 1:1 NAT with all public IPv4 traffic going to all NATed clients. Their response was "No, the information is only sent to the client that sent traffic out. The client sends traffic out and it is NATed to a predetermined port group back to the client". So it sounds like they keep tying my hands at every turn.

    • JKnott

      @digitalgeek:

      My work only has IPv4 access through its ISP so I can't test IPv6 connectivity over WiFi there. I'll have to hop on a buddy's wifi to test. And to clarify, I've never tested it over Wifi while away from home.

                                          You seem to have missed my point.  My VPN travels over IPv4, as I know that it's available everywhere, whereas the same does not yet apply for IPv6.  Regardless, it doesn't matter which is used when it comes to whether the VPN can carry IPv4 or IPv6.  It will carry both equally well over IPv4 or IPv6.  However, if you have a place where you can test over IPv6, then it will verify where the problem is.

    • digitalgeek

                                            Yeah, I don't see how that is different from what I am doing. I cannot establish a VPN connection over IPv4 (while out of the house) because my pfSense IPv4 WAN address is not public (CGNAT 10.10.x.x address) so my open port for VPN is not accessible via IPv4. My home ISP provides the /64 IPv6 address that we've discussed so my pfSense IPv6 WAN address is public and my open port for VPN is accessible over IPv6. I'm aware that a VPN tunnel can move IPv4 or IPv6 traffic equally well. With my android client (AT&T service) I can get a public IPv6 address over the cell network. Yes, AT&T is doing CGNAT on my cellular IPv4 address but that doesn't apply as it is the client, not the server. So to answer "if you have a place where you can test over IPv6", I was assuming that my cell carrier fit this bill.

                                            I used to have my vpn travel over IPv4 but once my home ISP enabled CGNAT, it got totally hosed. Am I still missing something?

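The back-and-forth above (a 10.10.x.x WAN behind CGNAT cannot accept an inbound VPN connection, the ISP's /64 can) comes down to which of the router's WAN addresses are reachable from the internet at all. The block below is an added example, not code from this thread or from pfSense: it classifies each WAN address by explicit RFC range (RFC 1918, RFC 6598 shared space used for CGNAT, ULA, link-local, and so on) rather than trusting Python's `is_global`, whose treatment of 100.64.0.0/10 has differed between versions, and reports which OpenVPN listener protocol (udp4 or udp6) a remote client could actually reach. All addresses in it are constructed.

```python
"""Decide which WAN address family an OpenVPN server can be reached on (added example)."""
import ipaddress
from typing import Iterable, List, Tuple

# Ranges that never carry inbound connections from the public internet: (label, network).
UNREACHABLE = [
    ("RFC 1918 private", "10.0.0.0/8"),
    ("RFC 1918 private", "172.16.0.0/12"),
    ("RFC 1918 private", "192.168.0.0/16"),
    ("RFC 6598 shared address space (CGNAT)", "100.64.0.0/10"),
    ("IPv4 loopback", "127.0.0.0/8"),
    ("IPv4 link-local", "169.254.0.0/16"),
    ("IPv4 documentation (RFC 5737)", "192.0.2.0/24"),
    ("IPv4 documentation (RFC 5737)", "198.51.100.0/24"),
    ("IPv4 documentation (RFC 5737)", "203.0.113.0/24"),
    ("IPv6 unique local (RFC 4193)", "fc00::/7"),
    ("IPv6 link-local", "fe80::/10"),
    ("IPv6 loopback", "::1/128"),
    ("IPv6 documentation", "2001:db8::/32"),
]
_UNREACHABLE = [(label, ipaddress.ip_network(net)) for label, net in UNREACHABLE]
GLOBAL_UNICAST_V6 = ipaddress.ip_network("2000::/3")


def classify(addr: str) -> Tuple[str, bool]:
    """Return (label, reachable_from_internet) for one address.

    Membership tests against a network of the other IP version are simply False,
    so the same list can hold IPv4 and IPv6 ranges.
    """
    ip = ipaddress.ip_address(addr)
    for label, net in _UNREACHABLE:
        if ip in net:
            return label, False
    if ip.version == 6:
        if ip in GLOBAL_UNICAST_V6:
            return "IPv6 global unicast", True
        return "IPv6 other (not global unicast)", False
    return "IPv4 public", True


def listener_options(wan_addrs: Iterable[str]) -> List[Tuple[str, str, bool, str]]:
    """For each WAN address: (address, label, reachable, OpenVPN proto that would serve it)."""
    rows = []
    for addr in wan_addrs:
        label, reachable = classify(addr)
        proto = "udp6" if ipaddress.ip_address(addr).version == 6 else "udp4"
        rows.append((addr, label, reachable, proto))
    return rows


def reachable_protos(wan_addrs: Iterable[str]) -> List[str]:
    """The OpenVPN protocols a remote client could connect to, given these WAN addresses."""
    return sorted({proto for _, _, reachable, proto in listener_options(wan_addrs) if reachable})


if __name__ == "__main__":
    # Constructed WAN addresses resembling the situation in the thread: an IPv4 WAN inside
    # 10.0.0.0/8 handed out by a CGNAT ISP, plus one address from the ISP's IPv6 /64.
    wan = ["10.10.3.4", "2600:1700:1234:5678::1"]
    for row in listener_options(wan):
        print("%-26s %-40s reachable=%-5s proto=%s" % row)
    print("listen on:", reachable_protos(wan) or "nothing reachable; tunnel out to a VPS instead")
```

With only an RFC 1918 or 100.64.0.0/10 address on IPv4 the udp4 listener is unreachable no matter how the firewall is opened, which is why the tunnel in this thread has to be carried over the IPv6 WAN (or initiated outbound to something that does have a public address, as johnpoz suggested).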
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.