Netgate Discussion Forum

Problems setting up Mullvad

OpenVPN
19 Posts 4 Posters 6.4k Views
    bimmerdriver
    last edited by Apr 17, 2017, 9:17 PM

    I'm trying to set up Mullvad using pfsense 2.4 beta. Their guide (https://www.mullvad.net/guides/using-pfsense-mullvad/) is somewhat vague and is for an earlier version of pfsense. It's working for ipv4 but not for ipv6.

    I've attached screen captures of the configuration and the status. I'm sure I must be missing something, but I don't know what. I'm hoping someone can help me sort it out.

    I'll post the entire configuration when I get it working.
    ![general information.PNG](/public/imported_attachments/1/general information.PNG)
    ![crypto settings.PNG](/public/imported_attachments/1/crypto settings.PNG)
    ![tunnel settings.PNG](/public/imported_attachments/1/tunnel settings.PNG)
    ![interface assignments.PNG](/public/imported_attachments/1/interface assignments.PNG)
    NAT.PNG
    dashboard.PNG
    status.PNG
    ipv6-test.PNG

      bimmerdriver
      last edited by Apr 17, 2017, 10:05 PM

      Another question I have is why are there three interfaces (wan, lan, opt1) in status interfaces and on the dashboard, but there are four interfaces in the NAT rule (wan, lan, opt1, openvpn).

        bimmerdriver
        last edited by Apr 20, 2017, 2:38 AM

        Anyone have a comment about this?

        I searched for configuration guides for other vpn services. I saw a few but none were using ipv6.

        Also, in a configuration guide for pure vpn (https://support.purevpn.com/pfsense-openvpn-configuration-guide), it said to reconfigure all four of the outbound NAT rules. (See below.) Is this to prevent DNS leakage?



          bimmerdriver
          last edited by Apr 21, 2017, 8:17 PM

          Still trying to figure out what's wrong. I found that I can ping hosts from pfsense using ipv6 over either OPT1 or the OpenVPN client interface. So is routing the problem? I've attached a screen capture of the ipv6 routing.

          Routing.PNG

            bimmerdriver
            last edited by Apr 25, 2017, 5:23 AM

            I've been reading some of the other guides to get ideas.

            I experimented with the default allow LAN ipv6 to any rule. I set the gateway to the vpn gateway. It didn't make any difference. Still no ipv6. I set the gateway to the wan gateway and it worked.

            I can ping hosts from pfsense via the vpn gateway. So why can't I get any traffic to pass through?

              bimmerdriver
              last edited by Apr 25, 2017, 7:39 PM

              Still trying to get this working. Still no luck with ipv6, although I have been able to get two vpn connections open and have been able to use firewall rules to route ipv4 traffic to both.

              I can ping a host from pfsense if I select the opt1 ipv6 gateway, but not using the opt2 ipv6 gateway.

              I've attached screen captures of the dashboard interface and gateway status and status interfaces and status gateways. I'm wondering why the gateway ipv6 address appears to be a prefix, not an address. Is that because it's being incorrectly pushed up from the vpn server?

              dashboard.PNG
              ![interface status.PNG](/public/imported_attachments/1/interface status.PNG)
              gateways.PNG

                bimmerdriver
                last edited by Apr 26, 2017, 9:31 PM

                Here's the latest installment in this conversation that I'm having with myself…

                I'm wondering about the gateway address that appears to be truncated (fdda:d0d0:cafe:1300::).

                According to the openvpn documentation, ifconfig-ipv6 should take two addresses as parameters:

                --ifconfig-ipv6 ipv6addr/bits ipv6remote
                configure IPv6 address ipv6addr/bits on the ``tun'' device. The second parameter is used as route target for --route-ipv6 if no gateway is specified.

                The only reference to this address in the log is the following:

                Apr 26 10:49:22	openvpn	16204	PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.14.0.1,route-ipv6 0000::/2,route-ipv6 4000::/2,route-ipv6 8000::/2,route-ipv6 C000::/2,route-gateway 10.14.0.1,topology subnet,ifconfig-ipv6 fdda:d0d0:cafe:1300::100a/64 fdda:d0d0:cafe:1300::,ifconfig 10.14.0.12 255.255.0.0,peer-id 10'
                

                If I understand correctly, this is being pushed from the server. If so is this caused by an incorrect configuration file on the server?

                1 Reply Last reply Reply Quote 0
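An added example, not part of the original posts: a Python sketch that parses the PUSH_REPLY line quoted in the post above and inspects the pushed IPv6 settings with the standard `ipaddress` module. The function names are assumptions made for this illustration. It reports how the second `ifconfig-ipv6` parameter expands to a full 128-bit address, whether the four pushed /2 routes together cover `::/0`, and whether any IPv6 DNS server was pushed.

```python
import ipaddress
import re

# Log line copied from the post above (tabs separate the syslog fields).
LOG_LINE = (
    "Apr 26 10:49:22\topenvpn\t16204\tPUSH: Received control message: "
    "'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.14.0.1,"
    "route-ipv6 0000::/2,route-ipv6 4000::/2,route-ipv6 8000::/2,"
    "route-ipv6 C000::/2,route-gateway 10.14.0.1,topology subnet,"
    "ifconfig-ipv6 fdda:d0d0:cafe:1300::100a/64 fdda:d0d0:cafe:1300::,"
    "ifconfig 10.14.0.12 255.255.0.0,peer-id 10'"
)

ULA = ipaddress.ip_network("fc00::/7")  # unique local addresses (RFC 4193)


def parse_push_reply(line):
    """Return the pushed options as a list of (directive, [args]) tuples."""
    match = re.search(r"'PUSH_REPLY,([^']*)'", line)
    if match is None:
        raise ValueError("no PUSH_REPLY control message in line")
    options = []
    for item in match.group(1).split(","):
        words = item.split()
        if words:
            options.append((words[0], words[1:]))
    return options


def analyse_ipv6(options):
    """Summarise the IPv6 part of a PUSH_REPLY (hypothetical helper)."""
    ifconfig6 = [args for name, args in options if name == "ifconfig-ipv6"]
    if len(ifconfig6) != 1 or len(ifconfig6[0]) != 2:
        raise ValueError("expected one ifconfig-ipv6 with two parameters")
    local = ipaddress.IPv6Interface(ifconfig6[0][0])   # tunnel address/bits
    remote = ipaddress.IPv6Address(ifconfig6[0][1])    # route target

    # Merge the pushed routes; four adjacent /2 networks collapse to ::/0.
    routes = [ipaddress.IPv6Network(args[0])
              for name, args in options if name == "route-ipv6" and args]
    collapsed = list(ipaddress.collapse_addresses(routes))

    dns = [ipaddress.ip_address(args[1]) for name, args in options
           if name == "dhcp-option" and len(args) == 2 and args[0] == "DNS"]

    return {
        "local": local,
        "remote": remote,
        "remote_exploded": remote.exploded,
        "remote_in_tunnel_subnet": remote in local.network,
        # True when every bit after the prefix length is zero.
        "remote_host_bits_zero":
            int(remote) & int(local.network.hostmask) == 0,
        "tunnel_is_ula": local.ip in ULA and remote in ULA,
        "routes_cover_all_ipv6":
            collapsed == [ipaddress.IPv6Network("::/0")],
        "ipv6_dns_pushed": any(addr.version == 6 for addr in dns),
    }


if __name__ == "__main__":
    for key, value in analyse_ipv6(parse_push_reply(LOG_LINE)).items():
        print(f"{key:26} {value}")
```
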
                  arafey
                  last edited by Apr 28, 2017, 2:25 AM

                  I'm having the exact same problem as you. I contacted Mullvad support a few minutes ago and am awaiting their response.

                    arafey
                    last edited by Apr 28, 2017, 2:15 PM Apr 28, 2017, 2:02 PM

                    From Mullvad support:

                    Hello,

                    Currently our pfSense guide is only set up for IPv4, the plans are to
                    update the guide when pfSense 2.4 is released, and to make sure IPv6 is
                    working as well.

                    You most likely would need to add either a static IPv6 address on your
                    clients and also set up nat outbound rules for IPv6 in pfSense.

                    Best regards,
                    Richard

                    I wonder if it has to do with this OpenVPN issue, which may be the reason Mullvad is waiting on pfSense 2.4 (and OpenVPN 2.4).

                      johnpoz LAYER 8 Global Moderator
                      last edited by Apr 28, 2017, 2:52 PM

                      "clients and also set up nat outbound rules for IPv6 in pfSense."

                      Clearly they don't have clue one about IPv6 ;)  You sure as the F would not be setting up outbound IPv6 nat rules…

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                        bimmerdriver
                        last edited by Apr 28, 2017, 5:05 PM

                        @arafey:

                        From Mullvad support:

                        Hello,

                        Currently our pfSense guide is only set up for IPv4, the plans are to
                        update the guide when pfSense 2.4 is released, and to make sure IPv6 is
                        working as well.

                        You most likely would need to add either a static IPv6 address on your
                        clients and also set up nat outbound rules for IPv6 in pfSense.

                        Best regards,
                        Richard

                        I wonder if it has to do with this OpenVPN issue, which may be the reason Mullvad is waiting on pfSense 2.4 (and OpenVPN 2.4).

                        I have no idea why they are waiting for pfsense 2.4 and AFAIK, they are already using openvpn 2.4. I'm going to contact them again.

                          bimmerdriver
                          last edited by Apr 28, 2017, 5:08 PM

                          @johnpoz:

                          "clients and also set up nat outbound rules for IPv6 in pfSense."

                          Clearly they don't have clue one about IPv6 ;)  You sure as the F would not be setting up outbound IPv6 nat rules…

                          I hope the reference to NAT is a typo.  :o

                          I'm wondering about the ifconfig-ipv6 statement that I quoted above. It seems wrong. Shouldn't the gateway be a proper address, not a truncated address?

                            johnpoz LAYER 8 Global Moderator
                            last edited by Apr 28, 2017, 6:57 PM

                            Question for you: are you trying to tunnel your ipv6 through your ipv4 based tunnel, or are you trying to create an openvpn connection via ipv6 and tunnel IPv6 through that?

                            Do you even have IPv6 connectivity through your ISP or a tunnel broker like HE?

                              bimmerdriver
                              last edited by Apr 28, 2017, 7:33 PM

                              @johnpoz:

                              Question for you: are you trying to tunnel your ipv6 through your ipv4 based tunnel, or are you trying to create an openvpn connection via ipv6 and tunnel IPv6 through that?

                              Do you even have IPv6 connectivity through your ISP or a tunnel broker like HE?

                              Thanks for your reply. I have native ipv6 (no tunnel). You can see this in the screen captures that I posted above. I use mullvad on one of my pcs and it supports both ipv4 and ipv6, verified with ipv6-test.com and other similar websites. To be honest, I don't know if openvpn tunnels ipv4 through ipv6 or simply does ipv4 over ipv4 and ipv6 over ipv6.

                              I'm setting up the vpn on my pfsense test system to try out policy based routing, instead of having to start and stop the vpn on a dedicated pc. You can see in the screen captures that the ipv4 and ipv6 vpn gateways are starting (and I proved they are working by pinging hosts through them from pfsense) but for some reason, I can't get any traffic from the lan to pass through the ipv6 vpn gateway. I think this is because of the truncated gateway address. I was able to get two vpn gateways up, but not very well because I believe the truncated gateway address is confusing dpinger.

                              I think I've posted all of the relevant configuration screens, but if you would like to see anything else or logs, let me know.

                                johnpoz LAYER 8 Global Moderator
                                last edited by Apr 28, 2017, 7:55 PM Apr 28, 2017, 7:51 PM

                                Not sure why you think you need any sort of routing setup for your ipv4 or your ipv6 that you're going to force through a tunnel with firewall policy statement.. The thing with IPv6 tunnel is the IPv6 vpn needs to hand your client an IPv6 address so the return traffic will come back through the vpn..

                                How exactly is that going to happen if pfsense is ipv6 client connection for your client behind pfsense?  What IPv6 address is your client using behind pfsense that return traffic would get routed back through the vpn..

                                The only way you could make IPv6 work through your vpn service is for them to hand you IP range that your clients use - or you would have to NAT your ipv6.. which is just stupid!!  To try and use ipv6 from a vpn service you most likely would want to use tap connection, so all your clients got an IPv6 address from the vpn service..  Or they would have to tell you what IPv6 address space to use, etc..

                                Why exactly do you feel you need to try and hide your public IPv6 address from someone by sending it down a vpn??

                                So I hand off my remote clients that vpn into my pfsense openvpn server an IPv6 address - so they can use IPv6 through the ipv4 tunnel, but this IPv6 is /64 from the /48 I have via HE.. And that is routed to me.. So return traffic comes back to pfsense, and pfsense knows to send that traffic to the client down the tunnel, etc.

                                You're really going to have to get with this vpn service on the details of how they are planning on providing ipv6 to pfsense and the clients behind pfsense.  They are going to have to provide you specific IPv6 space to use behind the tunnel for your clients.

                                  bimmerdriver
                                  last edited by Apr 28, 2017, 11:09 PM

                                  @johnpoz:

                                  Not sure why you think you need any sort of routing setup for your ipv4 or your ipv6 that you're going to force through a tunnel with firewall policy statement.. The thing with IPv6 tunnel is the IPv6 vpn needs to hand your client an IPv6 address so the return traffic will come back through the vpn..

                                  How exactly is that going to happen if pfsense is ipv6 client connection for your client behind pfsense?  What IPv6 address is your client using behind pfsense that return traffic would get routed back through the vpn..

                                  The only way you could make IPv6 work through your vpn service is for them to hand you IP range that your clients use - or you would have to NAT your ipv6.. which is just stupid!!  To try and use ipv6 from a vpn service you most likely would want to use tap connection, so all your clients got an IPv6 address from the vpn service..  Or they would have to tell you what IPv6 address space to use, etc..

                                  Why exactly do you feel you need to try and hide your public IPv6 address from someone by sending it down a vpn??

                                  So I hand off my remote clients that vpn into my pfsense openvpn server an IPv6 address - so they can use IPv6 through the ipv4 tunnel, but this IPv6 is /64 from the /48 I have via HE.. And that is routed to me.. So return traffic comes back to pfsense, and pfsense knows to send that traffic to the client down the tunnel, etc.

                                  You're really going to have to get with this vpn service on the details of how they are planning on providing ipv6 to pfsense and the clients behind pfsense.  They are going to have to provide you specific IPv6 space to use behind the tunnel for your clients.

                                  Why does anyone want to use a vpn? Geolocation, anonymity, etc. My reasons for using a vpn are no different from anyone else's reasons. I'm not clear why it matters. pfsense supports dual-stack networking. Openvpn supports dual-stack networking. Presumably both support dual-stack networking to be used. The world is going to dual-stack networking, so I'm trying to get it working with pfsense. It's there, so I want to try it.

                                  Again, my reasons are my own, but I would like to have multiple (e.g., 2) connections. One in close proximity since it's faster (which I've verified). Another in the USA, so I can get around blocked content ("the content you are trying to view is not available in your area"). I got that working for ipv4 using firewall rules. Now I'm trying to get it working with ipv6.

                                  Maybe the solution that Richard from Mullvad mentioned (to NAT ipv6) is the only way for this to work. I posted in this forum because I assumed if anyone would know how to get pfsense and openvpn working, they would be in this forum.

                                  I've verified that when the openvpn clients within pfsense are started, they get unique ipv6 addresses. I've seen screen captures of other working configurations with dual-stack and noticed that they had a "proper" gateway address (i.e., not truncated), so that seems to be a problem here. However, even if that was fixed, I'm not clear how it will work, considering that my computer got its ipv6 address from the dhcp6 server in pfsense using the delegated prefix.

                                    johnpoz LAYER 8 Global Moderator
                                    last edited by Apr 29, 2017, 9:31 AM Apr 29, 2017, 9:19 AM

                                    Dude I think you need to research how IPv6 changes everything!!

                                    But if you really want to "nat" ipv6
                                    https://doc.pfsense.org/index.php/NPt

                                    But you're not going to be able to nat this to your global IPv6 you get from your isp, you would have to nat this to some ULA prefix you setup..

                                    "I've verified that when the openvpn clients within pfsense are started, they get unique ipv6 addresses."

                                    And do those addresses route through your vpn connection on a return.. Ie I am on the public internet and I want to go to one of these ipv6 address - do I go to your vpn provider?  So it can send that traffic back down your tunnel??

                                    As to circumvention of geo restrictions - have at it.. So this stuff you want to download via your geo restrictions.. Is it only available via IPv6??  If not then what the F does it matter for?

                                    My question was not why people use vpn.. I fully understand why users think they need them.. Or that they want to circumvent something with them.. But my question was why do you think you need to do this with IPv6.. You do understand how big a /64 is right?  You do understand that for example windows out of the box would be using privacy extensions for ipv6 and using different IPv6 address for its outbound connections, etc.  That change now and then inside your HUGE 2^64 address space..

                                    And most isp would be handing you a different /64 every time you boot your machine/router.. Look on the thread of all the issues of keeping your tracking PDs from changing..

                                      bimmerdriver
                                      last edited by Apr 30, 2017, 3:03 AM Apr 29, 2017, 11:17 PM

                                      @johnpoz:

                                      Dude I think you need to research how IPv6 changes everything!!

                                      But if you really want to "nat" ipv6
                                      https://doc.pfsense.org/index.php/NPt

                                      But you're not going to be able to nat this to your global IPv6 you get from your isp, you would have to nat this to some ULA prefix you setup..

                                      "I've verified that when the openvpn clients within pfsense are started, they get unique ipv6 addresses."

                                      And do those addresses route through your vpn connection on a return.. Ie I am on the public internet and I want to go to one of these ipv6 address - do I go to your vpn provider?  So it can send that traffic back down your tunnel??

                                      As to circumvention of geo restrictions - have at it.. So this stuff you want to download via your geo restrictions.. Is it only available via IPv6??  If not then what the F does it matter for?

                                      My question was not why people use vpn.. I fully understand why users think they need them.. Or that they want to circumvent something with them.. But my question was why do you think you need to do this with IPv6.. You do understand how big a /64 is right?  You do understand that for example windows out of the box would be using privacy extensions for ipv6 and using different IPv6 address for its outbound connections, etc.  That change now and then inside your HUGE 2^64 address space..

                                      And most isp would be handing you a different /64 every time you boot your machine/router.. Look on the thread of all the issues of keeping your tracking PDs from changing..

                                      "Dude", thanks for your advice to "research how IPv6 changes everything". That never would have occurred to me…  ::)

                                      FYI, like most people who would run pfsense at home, I'm not completely ignorant of the differences between ipv4 and ipv6, such as the number of bits in an address. I'm also not completely ignorant about dhcp6, prefix delegation, slaac, link-local addresses and privacy extensions. Almost all of the hosts on my network have been running dual-stack for years and using a vpn for almost as long. I used to use an HE tunnel, but since pfsense 2.3.3 came out, I've been using native ipv6. (Native ipv6 was available from my isp quite a while ago, but there was no release version of pfsense that supported "dhcpv6 before RA", which my ISP edge router requires.) Was it necessary for me to set up ipv6 years ago? No, I set it up because I felt like setting it up. After all, the internet has been migrating to ipv6 for years…

                                      If I use the prefix delegated by my isp to allocate an ipv6 address, the allocated address is associated with my isp and my prefix, so it's traceable to me like it is if I'm using ipv4. I can ping the host using the ipv6 address and enable or disable echo requests using the host firewall.

                                      If I start up openvpn on my pc, the ipv4 and ipv6 addresses are from the local isp used by the vpn service provider wherever the server I chose to use is located. The ipv4 and ipv6 addresses are not unique to me. If I connect different computers from different networks to the same vpn server, they have the same ipv4 and ipv6 addresses, according to ipv6-test.com. That is exactly what I would expect. (They do not have the same private ipv4 and ipv6 addresses.) If I want to "change" locations, I have to shut down the vpn client, select another server and restart the client. The addresses change to reflect whichever server I choose and they are NOT the same addresses as I get if I'm using the ISP delegated prefix. If you are using openvpn, you know this.

                                      I was hoping that since pfsense supports openvpn I could use openvpn from within pfsense and have one or more connections open all the time and use whichever of them as I wanted. I can do that with ipv4 using firewall rules, as discussed in other threads. I was assuming that since openvpn and pfsense both support ipv4 and ipv6 the same mechanism that works with ipv4 would work with ipv6 as well. I see now that what I was hoping to do apparently isn't possible and I'm more than a little surprised. Considering how powerful pfsense is, I would have expected this to be possible, using NPT or whatever. Do I need to do this? No. I'm trying to do this because I want to know if it's possible.

                                      Also, nowhere did I suggest NAT should be used between the vpn address and the isp global address. However, every host that supports ipv6 has a link-local address. Why wouldn't / couldn't pfsense use the link-local address? The vpn allocates a ula (fdda:), similar to the way it allocates a private ipv4 address. Again, if you are using openvpn, you already know this. I would have thought that pfsense would "NAT" the ula and the link-local address as part of integrating openvpn. Given it apparently doesn't support this, I'm honestly curious how ipv6 can be used with openvpn and pfsense. It seems to be incomplete and unusable otherwise.

                                      I don't think what I'm trying to do is unreasonable and I'm surprised to find out it's apparently not supported. If anything, people have more reasons than ever to use a vpn and since the internet is increasingly migrating to ipv6, being able to do the same things using a vpn with ipv6 that we have been doing with ipv4 for years seems reasonable.

                                        gibbzy2k1
                                        last edited by Jul 4, 2017, 8:26 PM

                                        @bimmerdriver:

                                        I'm trying to set up Mullvad using pfsense 2.4 beta. Their guide (https://www.mullvad.net/guides/using-pfsense-mullvad/) is somewhat vague and is for an earlier version of pfsense. It's working for ipv4 but not for ipv6.

                                        Can I ask, did you deviate from the guide at all? I have tried to set up mullvad on my pfsense box following that guide and it doesn't seem to be working at all. I am relatively new to this so any help would be greatly appreciated as you seem to have it working for IPV4, which is all I need at the moment.
