OpenVPN IPv6 not working
-
Stupid question…I'm making some assumptions based on what I know of IPv4 that probably don't translate to IPv6 but here it goes...I am only using the VPN to access remote machines at home. I don't "need" a public IPv6 handed to my client from the OpenVPN server (assuming that is even right to say), I just need access to a couple machines at the house. Is there any way to accomplish that? When I had OpenVPN setup before my IPv4 address was put behind CGNAT I just used a 10.x.x.x address for the OpenVPN clients while my actual network used 192.168.x.x addresses. Does IPv6 have anything like this? A non-routable address that I could hand out to the client just to provide some connectivity across OpenVPN.
Like I said, I'm probably missing something. I know the fundamental idea behind IPv6 is to NOT need non-routable IP's. Hoping someone can correct any of my misconceptions.
Thanks
-
^^^^
You could use Unique Local Addresses, which are the IPv6 version of the IPv4 RFC 1918 addresses. -
Thanks for the quick reply. I'll try it out tonight. Looks like something in the fc00::/7 block is what I need to use?
Thanks again
-
If all you want is ipv6 access into your local network from your vpn clients then yes you could use a ULA prefixes. But these remote clients will not be able to get access to internet from this ULA address. But you could then NPt that to your /64 you get from isp.. But off the top of my head not sure if possible to nat multiple ULA to a single /64 prefix via NPt? (network prefix translation).. JKnott would know..
What exactly is your end game with IPv6? What are you hoping to accomplish with it?
-
Thanks for the quick reply. I'll try it out tonight. Looks like something in the fc00::/7 block is what I need to use?
Thanks again
While the entire fc::/7 block is ULA, officially, fc:: /8 is supposed to be assigned from a central server and fd::/8 is used with a random 40 bit number you can choose, to create a /48 prefix.
-
If all you want is ipv6 access into your local network from your vpn clients then yes you could use a ULA prefixes. But these remote clients will not be able to get access to internet from this ULA address. But you could then NPt that to your /64 you get from isp.. But off the top of my head not sure if possible to nat multiple ULA to a single /64 prefix via NPt? (network prefix translation).. JKnott would know..
I've never used it, as I'm allergic to NAT. ;)
However, I believe NAT is possible, but not recommended. Regardless, I believe the OP only wanted access to his own network and not the Internet, so ULA, without NAT would be fine
-
End game is secure access to my home network from my devices when out of the house. This basically boils down to SSH access from my android phone to multiple devices on my network. OpenVPN was the easiest way to accomplish this in my mind (at the time) so that I only needed one port open instead of a different port for each SSH server and managing all of that. Originally I had a public IPv4 and all was well. Then my ISP NATed my IPv4 and I was screwed. Then a few months later they enabled IPv6 (/64) and that's where I'm at now. My only need for IPv6 is that my pfSense box now has a public IP. When my VPN was working I would access devices using IPv4 addresses anyway. So my only real need for IPv6 is the fact that it is the only public IP address my router (OpenVPN server) has.
Edit: Beyond SSH access, would also like access to some locally hosted web pages and the pfSense web GUI :D
-
End game is secure access to my home network from my devices when out of the house.
Then ULA will do fine. As I said, pick a 40 bit number to append to fd, to create a /48 prefix. Then assign 1 of the /64 prefixes, from the /48 to OpenVPN. PfSense should be able to route appropriately.
Incidentally, the reason for the 40 bit random number is to avoid the collisions that often happened with the limited RFC 1918 space on IPv4. It's highly unlikely that 2 people would choose the same number. One way to create a "random" number is to go to www.grc.com to the Perfect Passwords page, where you'll find one box that has 64 random hex digits. Select any 10 for your 40 bit random number.
-
Ok cool. I'm familiar with grc.com so I will head over there. Sorry for not leading off with the "end game"…would've saved everyone some time. We will see how this all goes.
Thanks again JKnott and johnpoz for the help.
-
So I was feeling good about everything but when it came time to implement I ended up with more questions than answers. I'm feeling a bit in over my head at the moment and I know this should be pretty easy. I made up a /48 but am I supposed to enter it somewhere? I used the /48 and made up a /64 that I entered into the OpenVPN server under IPv6 Tunnel Network. That didn't make any difference so I'm obviously missing something. :-\
-
I assume the /64 was one of the 65536 /64s in your /48? When you set up the server, you put the /64 in "IPv6 Tunnel Network". Do you see an IPv6 address on the client?
-
Yeah. So I made up the /48 (ex. fd07:34ac:089d:: ) and didn't enter it anywhere. Then in the OpenVPN server I entered something like "fd07:34ac:089d:78ad::/64" under IPv6 Tunnel Network. When connected to my LAN over wifi I can startup the client OpenVPN app, connect, and get an IP of "fd07:34ac:089d:78ad::1000" along with the IPv4 Tunnel Network IP address. If I try to connect over the cellular network, OpenVPN gives me "CLIENT_IPv6_ADDRESS write UDPv6: Can't assign requested address (code=49)" errors along with "CLIENT_IPv6_ADDRESS Authenticate/Decrypt packet error: bad packet ID (may be a replay)" and then "TLS Error: incoming packet authentication failed" then it just times out.
Edit: this might be nothing but I was playing around with the OpenVPN server protocol setting and the successful connection over wifi only works with the protocol set to "UDP IPv4 and IPv6 on all interfaces (multihome)". The firewall settings only allow IPv6 to the OpenVPN port. And the openVPN client lists the protocol as IPv6 when successfully connected. Just seemed odd to me that it doesn't work on "UDP on IPv6 Only" when the other settings seem like it should.
-
If you tunnel with IPv6 and your cell phone doesn't support IPv6, then you have a problem. I have my tunnel set to use IPv4 as it's everywhere, but IPv6 is not.
-
That shouldn't be the issue. I'm on AT&T and have verified the IPv6 address that my phone gets from them is the same IPv6 address that comes up in any of the "what is my ip" services.
-
That shouldn't be the issue. I'm on AT&T and have verified the IPv6 address that my phone gets from them is the same IPv6 address that comes up in any of the "what is my ip" services.
If it works when on WiFi when you're away from home, but not when connected via the cell network, that's the likely problem. What happens if you use IPv4 for the tunnel?
-
My work only has IPv4 access through it's ISP so I can't test IPv6 connectivity over WiFi there. I'll have to hop on a buddies wifi to test. And to clarify, I've never tested it over Wifi while away from home. My "wifi testing" has been at home on the same network as my pfSense box so everything is local. If I use IPv4 for the tunnel I imagine I will have the problem that started when my ISP enabled CGNAT. That is, no connectivity as my IPv4 WAN at home is 10.10.x.x. Unless you mean testing it locally over wifi and an IPv4 tunnel…but that won't help me once I leave the house.
johnpoz, I asked my ISP if the CGNAT was using 1:1 NAT with all public IPv4 traffic going to all NATed clients. Their response was "No, the information is only sent to the client that sent traffic out. The client sends traffic out and it is NATed to a predetermined port group back to the client". So it sounds like they keep tying my hands at every turn.
-
My work only has IPv4 access through it's ISP so I can't test IPv6 connectivity over WiFi there. I'll have to hop on a buddies wifi to test. And to clarify, I've never tested it over Wifi while away from home.
You seem to have missed my point. My VPN travels over IPv4, as I know that it's available everywhere, whereas the same does not yet apply for IPv6. Regardless, it doesn't matter which is used when it comes to whether the VPN can carry IPv4 or IPv6. It will carry both equally well over IPv4 or IPv6. However, if you have a place where you can test over IPv6, then it will verify where the problem is.
-
Yeah, I don't see how that is different from what I am doing. I cannot establish a VPN connection over IPv4 (while out of the house) because my pfSense IPv4 WAN address is not public (CGNAT 10.10.x.x address) so my open port for VPN is not accessible via IPv4. My home ISP provides the /64 IPv6 address that we've discussed so my pfSense IPv6 WAN address is public and my open port for VPN is accessible over IPv6. I'm aware that a VPN tunnel can move IPv4 or IPv6 traffic equally well. With my android client (AT&T service) I can get a public IPv6 address over the cell network. Yes, AT&T is doing CGNAT on my cellular IPv4 address but that doesn't apply as it is the client, not the server. So to answer "if you have a place where you can test over IPv6", I was assuming that my cell carrier fit this bill.
I used to have my vpn travel over IPv4 but once my home ISP enabled CGNAT, it got totally hosed. Am I still missing something?
-
So to answer "if you have a place where you can test over IPv6", I was assuming that my cell carrier fit this bill.
I forgot your IPv4 is NAT. When testing, it's always best to isolate things as much as possible. For example, here I have an extra NIC on my firewall that I can test OpenVPN through. This verifies it works locally and then I test elsewhere. If it works for you elsewhere, over IPv6, but not through the cell network, then the problem is with the cell network. Are they blocking the VPN? Incidentally, if you're using SSH, you don't need a VPN. Just allow it through the firewall. You can set up SSH to use public/private keys, so that you don't need to use a password, though you still could if you want. I have been using SSH that way for years.
Even IPv4 doesn't always work. For example, I can't use OpenVPN from my local library, as they block everything other than http & https.
-
I've got a spare port on my firewall I could test OpenVPN through if needed (though I avoid it cus it's an onboard realtek. Using PCI intels for LAN and WAN). I'd rather not use SSH as I lose access to internal web pages on my home network but I suppose if it will work then I shouldn't complain because right now I have zero access. I'm using a non standard port for my VPN server. I suppose I could test it using port 80 or 443. I would think if the cell carrier was blocking the VPN that my OpenVPN server logs wouldn't show any attempted connections…unless they block the connection coming back from my server to my phone? My OpenVPN Connect app on the client hangs at "Waiting for server" and never receives any packets, even with several packets leaving the client according to the app. Sounds like I need another IPv6 network to test on...