Requesting help with ubuntu 16.04 LTS OpenVPN 2.4 dual-stack server



  • A while back, I tried to set up a dual-stack openvpn client and server using windows 10 hosts. I was able to get the vpn to work for ipv4 and I was able to get the client and server to ping each other using both ipv4 and ipv6, but I could never get the server to forward the ipv6 traffic. I tried to get help on the openvpn forum and openvpn-users email list and was told I have a routing problem. I may be a noob, but I had already reached that conclusion myself. I was not able to get anyone with a working configuration to explain how they configured the routing on the server, so I gave up on it and now I'm trying to configure a linux server. I'm stuck at exactly the same place, so I thought I'd ask here if anyone is willing to help a noob set up an openvpn server.

    I have two independent networks, one with pfsense 2.3.4 and one with pfsense 2.4 beta. The client is on the former. The server is on the latter. Both networks have separate /56 prefixes and one LAN each with a /64. I'm using a hyper-v server, so I can add another /64 if it's required.

    The ubuntu server is completely up-to-date. The client and server both the latest version of openvpn (2.4.2). The client is working properly (ipv6-test.com) when the vpn is disconnected. The server can also ping and traceroute external addresses.

    When the vpn is connected, the client and server can ping each other using ipv4 and ipv6. The client can access external sites using ipv4, but not ipv6. I've tried using several ipv6 addressing configurations including ULA, prefix::/64 and prefix:8000::/65. I found that with prefix::/64 it was not possible for the server to ping the client, I guess because it was using the default route. prefix:8000::/65 solved that, but the traffic still isn't being forwarded.

    I have made the following changes on the server:

    sysctl net.ipv4.ip_forward=1
    sysctl net.ipv6.conf.all.forwarding=1
    sysctl net.ipv6.conf.eth0.accept_ra=2
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    ip6tables -A FORWARD -s prefix:8000::/65 -i tun0 -o eth0 -j ACCEPT

    If anyone is willing to take a look and offer suggestions, I would be most grateful. I will post whatever info is required.


  • LAYER 8 Global Moderator

    "prefix:8000::/65 "

    Borked config.. You would never use /65 on anything.. /64 would be the correct prefix for any network/transit in ipv6.

    What exactly are you trying to vpn between - a server sitting behind pfsense and what some road warrior or site to site?  Yeah that is going to run into asymmetrical routing issues and hairpins.  Its always simpler to put the vpn enpoints at the edge.. not inside a network.  if you do you have to source nat, which kind of hard to do in ipv6 ;)

    So you you would have to host route on each host in your different networks to the other networks to use the inside vpnendpoint.  So vpn is to the vpn endpoint, it sends traffic to the host on this internal network from source network X..  Where does the host send that that return traffic - back to its gateway, normally pfsense.  To get around this you would either have to source nat the traffic so it looks like came from the vpn server.  Which your not going to do with ipv6.  Or you have to put a route on your device in the network to say hey to get to network X talk to the vpn endpoint.  Or you would have to put this vpn endpoint/server on a transit network connected to your router so you do not have asymmetrical flow.

    I asked you for a drawing before, I would highly suggest you draw up your network so you can easy work through this stuff and makes it much easier to explain to someone trying to help you.  Either breakout the crayons and napkin or use of the multitude of FREE options for drawing basic network diagrams.




  • @johnpoz:

    "prefix:8000::/65 "

    Borked config.. You would never use /65 on anything.. /64 would be the correct prefix for any network/transit in ipv6.

    What exactly are you trying to vpn between - a server sitting behind pfsense and what some road warrior or site to site?  Yeah that is going to run into asymmetrical routing issues and hairpins.  Its always simpler to put the vpn enpoints at the edge.. not inside a network.  if you do you have to source nat, which kind of hard to do in ipv6 ;)

    So you you would have to host route on each host in your different networks to the other networks to use the inside vpnendpoint.  So vpn is to the vpn endpoint, it sends traffic to the host on this internal network from source network X..  Where does the host send that that return traffic - back to its gateway, normally pfsense.  To get around this you would either have to source nat the traffic so it looks like came from the vpn server.  Which your not going to do with ipv6.  Or you have to put a route on your device in the network to say hey to get to network X talk to the vpn endpoint.  Or you would have to put this vpn endpoint/server on a transit network connected to your router so you do not have asymmetrical flow.

    I asked you for a drawing before, I would highly suggest you draw up your network so you can easy work through this stuff and makes it much easier to explain to someone trying to help you.  Either breakout the crayons and napkin or use of the multitude of FREE options for drawing basic network diagrams.

    WRT your comment about the config being borked, I got it from the openvpn wiki https://community.openvpn.net/openvpn/wiki/IPv6. (I think the openvpn documentation is terrible, especially for ipv6 and it's incomplete.)

    I found other examples of using a subset of /64 when I googled linux openvpn ipv6.

    Here are a few of the examples that I found:

    https://www.tecmint.com/install-openvpn-in-debian/

    https://techblog.synagila.com/2016/02/24/build-a-openvpn-server-on-ubuntu-to-provide-a-ipv6-tunnel-over-ipv4/

    https://unix.stackexchange.com/questions/311699/openvpn-ipv6-route-traffic-through-server

    They are all different and I'm unclear what the "right way" to configure it is.

    I'm trying to create a dual-stack openvpn server to use as a gateway from a remote location. I already got it to work with ipv4, but not ipv6. I'm not trying to get ipv6 working for any reason than "because I want to". Openvpn supports ipv6 (arguably not very well), but since it does, I want to get it working, for the sake of getting it working.

    I'll draw a picture and post it.



  • Here is a simplified drawing of the network.



  • LAYER 8 Global Moderator

    "Openvpn supports ipv6 (arguably not very well), but since it does, I want to get it working, for the sake of getting it working."

    Not sure where you got that idea - I have openvpn on ipv6, even hand out ipv6 address to ipv4 clients..

    Drawing is pretty much useless from a network perspective.. Where are you networks in use - lets see a logical layer 3 drawing.  With networks and prefixes labelled.. You can obfuscate your ipv6 prefixes if you so desire..

    Where is the vpn your trying to put in play - is it site to site between your pfsense, is it road warrior to one of them?  Is client from one of them?  Site to site to some other location, etc.



  • @johnpoz:

    "Openvpn supports ipv6 (arguably not very well), but since it does, I want to get it working, for the sake of getting it working."

    Not sure where you got that idea - I have openvpn on ipv6, even hand out ipv6 address to ipv4 clients..

    You said:
    @johnpoz:

    Borked config.. You would never use /65 on anything.. /64 would be the correct prefix for any network/transit in ipv6.

    The /65 wasn't my idea. It was from the "IPv6 in OpenVPN" wiki https://community.openvpn.net/openvpn/wiki/IPv6. I tried using the /65 because I couldn't get it to work with a /64, I think because the route created by openvpn for the tun0 conflicted with the default route for eth0. You say Openvpn supports ipv6. I'm not disputing that, but while the software may support ipv6, it's hard to argue that the documentation for using openvpn with ipv6 is not sorely lacking. The "Bridging and Routing" wiki https://community.openvpn.net/openvpn/wiki/BridgingAndRouting mentions that openvpn supports ipv6, but then only provides examples for ipv4.

    I got the client and server fully working for ipv4 and I was also able to get it to hand out an ipv6 address to the client and the client and server to ping each other back and forth. However, I can't get the server to pass the ipv6 traffic. That's what I'm asking for help with. I'm asking here, because if pfsense needs to be configured for it to work, where better to ask about that than here?

    Also, for the record, quite a few people on the openvpn forum and the openvpn-users email list have admitted that the documentation for ipv6 is lacking because ipv6 is not widely used, so I don't think I'm alone in holding that opinion.

    @johnpoz:

    Drawing is pretty much useless from a network perspective.. Where are you networks in use - lets see a logical layer 3 drawing.  With networks and prefixes labelled.. You can obfuscate your ipv6 prefixes if you so desire..

    You said:
    @johnpoz:

    I asked you for a drawing before, I would highly suggest you draw up your network so you can easy work through this stuff and makes it much easier to explain to someone trying to help you.  Either breakout the crayons and napkin or use of the multitude of FREE options for drawing basic network diagrams.

    Good thing I didn't use my napkin and crayons…

    I gave you a drawing that depicts the configuration in a manner that anyone familiar with virtualization should understand. I also explained each network (modem / lan, pfsense 2.3.4 / lan and pfsense 2.4 beta / lan have separate /56 prefixes and the lans are /64 subnets. Aside for packets from all three networks being visible on the NIC, the networks are completely independent. I've been using this configuration for several years with no problems.

    I have used the modem lan exactly once, to enable port bridging. The only devices on this network are the pvr and stb.

    Both of the pfsense networks are minimally simple. They each have one wan and one lan interface. Both use dhcp, dhcpv6 with assisted RA and unbound. Snort is also running on pfsense 2.3.4. The wan interfaces have pd only, no address, because that is only configuration the ISP supports. The lans have no subnets. The routing is all default. I haven't made any changes.

    I'm not going to post the prefixes. What information about the networks that would pertain to getting the openvpn server to work is missing or unclear?

    @johnpoz:

    Where is the vpn your trying to put in play - is it site to site between your pfsense, is it road warrior to one of them?  Is client from one of them?  Site to site to some other location, etc.

    I should have been more clear about this. I want the server to be used to provide a local routed gateway for a single client as if I'm at home, for use when I'm away from home - not a site to site bridge (i.e., it should work the same as any other vpn privacy service).

    As I already explained, it's working for ipv4, but not for ipv6. I'm asking for help to sort out why it's not working for ipv6. I can post the client and server configs or whatever. Just let me know what is needed.


Log in to reply