OpenVPN Server & IPv6 Gateway
-
Looking for clarity around OpenVPN server config and a few inconsistencies.
There doesn't seem to be a way to configure routing advertisements on the interface. The interface is missing from the DHCPv6 Server & RA section. Is this handled in the background? The client gets an IPv6 address when connecting, and it's in the correct range.
A strange thing I noticed was the IPv6 address being assigned to the gateway is ::2 where the server has occupied ::1. The gateway is marked as down, and a packet capture shows no ICMP response from the Gateway IP (::2).
The mobile client I'm connecting with is able to route properly using IPv4, but I'm not seeing any IPv6 traffic on the interface.
I have any / any rules for all protocols defined on the _OPVS001 interface, just to make sure it's not a rule issue.
What have I got wrong?
Config as follows:
dev ovpns4
verb 1
dev-type tun
dev-node /dev/tun4
writepid /var/run/openvpn_server4.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-256-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local 173.10.2.20
engine rdrand
tls-server
server 172.16.254.128 255.255.255.248
server-ipv6 2001:1010:1ac:cafe:1::0/64
client-config-dir /var/etc/openvpn-csc/server4
username-as-common-name
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user asdfasdfasdf false server4 1194
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'openvpn.foobar.com' 1"
lport 1194
management /var/etc/openvpn/server4.sock unix
max-clients 5
push "dhcp-option DOMAIN foobar.com"
push "dhcp-option DNS6 2001:1010:1ac:cafe:2::1"
push "dhcp-option DNS 172.16.38.18"
push "block-outside-dns"
push "register-dns"
push "redirect-gateway def1"
push "redirect-gateway ipv6"
ca /var/etc/openvpn/server4.ca
cert /var/etc/openvpn/server4.cert
key /var/etc/openvpn/server4.key
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server4.tls-auth 0
ncp-ciphers AES-256-CBC
persist-remote-ip
float
topology subnet
fast-io
explicit-exit-notify 2
sndbuf 1048576
rcvbuf 1048576
-
@aewhitlock Did you ever resolve this?
I'm having the exact same issue as well where the auto-generated OpenVPN IPv6 gateway uses a different IPv6 IP than the VPN's IPv6 address when the IPv4 address and gateway are the same.
In my setup the IPv6 gateway is auto-generated as *:103::2, but the actual address on the interface is *:103::1.
For IPv4 they are both 192.168.3.1 as expected.
I can't figure out why pfSense thinks the gateway should be *:103::2 and not *:103::1.