OpenVPN and Deutsche Glasfaser - IPV6 and CGNAT blocking connection?
-
Honestly I do not know if/how to connect with the IPV6 address as I never used it.
I made a quick hacky attempt to try it out - I got the WAN IPV6 address using ifconfig as a shell command, then replaced the OpenVPN host name in the client export with this address but no packets are received in the packet capture on 1194. It is late here and I am tired so possibly I overlooked something but so far no joy.
-
The easiest way is to connect to ipv6.google.com, which is reachable via IPv6 only. You can also try a test site, such as ipv6-test.com or test-ipv6.com. These will show if you have IPv6 available at the remote site you're trying to connect from. If you have IPv6 available, using it is transparent, compared to IPv4. You really shouldn't notice any difference. Once you have verified you have IPv6 at both ends, just recreate the OpenVPN client with the IPv6 address. If possible, you can preferably use the host name.
-
Stick with the IP (v6) address initially. Host name resolution for dynamically allocated IPv6 subnets is very rare.
-
OK - this seems to be a good line of attack. From a first quick test I cannot access any of those IPv6 sites so I imagine there is something wrong with my PFSense - firewall rule, NAT or something else - that is missing.
From a first inspection of the firewall settings I do not see anything obvious and my setup is really simple, essentially a basic installation with nothing added. Any tips where to start? I will of course start Googling :)
-
@charry2014 wan settings, ipv6?
Also system advanced networking allow ipv6
-
Many thanks - I now have IPv6 connecting. I found some helpful posts around the net (mostly in German as this is a German internet provider) - listed here for anyone who follows me:
beechy.de
glasfaserforum.de
And here gives some hints about things to look at for IPv6 - pfstore.com.au
A combination of these things has made my IPv6 connect - The final detail was this
• 6rd Prefix: 2A00:61E0::
• 6rd Prefix Length: 32
• 6rd BR IPv4 Address: 100.127.0.1
• IPv4 Mask Length: 8
Now to go back to OpenVPN and see if I can get that going.
Edit - still nothing. I reconfigured the VPN from scratch, following the wizard again. Got my IPv6 address from the sites mentioned above, used that directly in the client export. I get no packets logged on 1194.
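
How the 6rd values in the post above turn a WAN IPv4 address into a delegated IPv6 prefix under RFC 5969, as an added example that is not part of the original thread. The CE (WAN) IPv4 address 100.66.12.34 is a constructed sample, and the function names are hypothetical.

```python
import ipaddress


def sixrd_delegated_prefix(sixrd_prefix, ipv4_mask_len, ce_ipv4):
    """RFC 5969: delegated prefix = 6rd prefix followed by the low
    (32 - IPv4MaskLen) bits of the CE's IPv4 address."""
    prefix = ipaddress.IPv6Network(sixrd_prefix)
    if not 0 <= ipv4_mask_len <= 32:
        raise ValueError("IPv4 mask length must be between 0 and 32")
    v4_bits = 32 - ipv4_mask_len
    delegated_len = prefix.prefixlen + v4_bits
    if delegated_len > 64:
        raise ValueError("delegated prefix longer than /64 leaves no LAN subnet")
    # Drop the high-order IPv4 bits that are common to the whole 6rd domain.
    suffix = int(ipaddress.IPv4Address(ce_ipv4)) & ((1 << v4_bits) - 1)
    # Place the remaining IPv4 bits directly after the 6rd prefix.
    base = int(prefix.network_address) | (suffix << (128 - delegated_len))
    return ipaddress.IPv6Network((base, delegated_len))


def lan_subnets(delegated):
    """All /64 networks that fit inside the delegated prefix."""
    return list(delegated.subnets(new_prefix=64))


if __name__ == "__main__":
    # 6rd prefix, prefix length and IPv4 mask length as posted in the thread.
    # The CE IPv4 address is constructed (CGNAT range), not from the thread.
    delegated = sixrd_delegated_prefix("2a00:61e0::/32", 8, "100.66.12.34")
    nets = lan_subnets(delegated)
    print("delegated prefix:", delegated)
    print("usable /64 subnets:", len(nets))
    print("first:", nets[0], "last:", nets[-1])
```

Each host on the LAN takes its own global address from one of these /64 networks, so the address a reflector site reports for a LAN host is not the firewall's address.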
-
@charry2014 Only a reflector site will tell you your ip.
Status interfaces should have it
can you ping ipv6.google.com from pfsense cli?
-
The WAN address may often have a host name which can be used. Use host or nslookup command on the WAN address to see what turns up.
-
@charry2014 said in OpenVPN and Deutsche Glasfaser - IPV6 and CGNAT blocking connection?:
6rd Prefix: 2A00:61E0::
They're using a tunnel, rather than native IPv6. I used a tunnel for the first 6 years I had IPv6, but now I get a native IPv6 connection from my ISP. I'm surprised they're using a tunnel and CGNAT. How old is that info? My ISP also used a tunnel (though not the one I used) prior to providing native IPv6. If they're using a tunnel these days, I'd have to question their competence.
-
Does your (smartphone) service provider have IPv6? Then you can connect OVPN via IPv6 directly.
-
I could get my IPv6 address from https://ipv6-test.com/ easily enough but have drawn a blank trying to test OpenVPN connecting to it. Both running the OpenVPN client on my phone, and using the phone as wifi hotspot for my Mac result in no packets received at the PFSense WAN. Tunnelblick on Mac reports:
2020-07-26 15:43:16.288025 write UDPv6: No route to host (code=65)
-
Please answer the question:
@Bob-Dig said in OpenVPN and Deutsche Glasfaser - IPV6 and CGNAT blocking connection?:
Does your (smartphone) service provider have IPv6?
-
Yes. My phone (Samsung S20) is on Vodafone in Germany and I have read that they have IPv6 nationwide.
Edit - I did some digging and it has an IPv6 address too.
-
@charry2014 That's great, you don't need any IPv4, at least not if you want to connect the phone to home via OVPN.
-
The site https://ipv6-test.com/ reports that my firewall is filtering ICMP v6 messages. Could this be a problem for OpenVPN? I am suspecting it might. How do I enable this?
-
No. How is your IPv6 configured? I think your ISP is doing native IPv6.
-
I think so too, but I am not sure of much from my ISP.
One thing I did notice is that when I connect to whatismyipaddress.com or similar from different computers in my LAN that the IPv6 address that is returned is different for each one. The IPv4 address is the same, as I would expect. Now I think I am stumbling into a noob difference between IPv4 and IPv6 addresses.
So the question - what actually is the IPv6 address of my PFSense WAN?
-
You can see it in the interfaces-gadget and other places. (Status - Interfaces)
-
Alright - so it is something like 2a00:61e0:abcd:?
It is not the much longer address 2a00:61e0:b00b5:34dd:6969:beef:babe:face?
-
@charry2014 Can't say but maybe you did something wrong. Try this and go for DHCPv6 and not 6rd.