Need help with OpenVPN IPV6



    Hi,

    I'm brand-new to pfSense and don't have much experience configuring IPV6 and VPN connections, so please bear with me.

    I've successfully set up the latest version of pfSense 2.3.4 on a Zotec ZBOX C1327 as a router to work correctly over both IPV4 and the native IPV6 provided by my ISP (Comcast Business). I get 10/10 on the tests performed by test-ipv6.com.

    I've also successfully set up OpenVPN to work over IPV4 with my VPN provider, Perfect Privacy, with performance equal to what I was seeing with their client apps on fast computers before installing the pfSense router.

    But after many hours of research and experimentation, I haven't been able to get IPV6 working with Perfect Privacy. They do support IPV6 and it works fine on a non-OpenVPN connection using the VPN client app on Windows or via IKEv2 on iOS.

    I think this may be due to a routing problem that's specific to OpenVPN v2.3. Here's the error message I get:

    There were error(s) loading the rules: /tmp/rules.debug:179: no routing address with matching address family found. - The line in question reads [179]: pass in quick on $OpenVPN $GWPERFECTPRIVACY_DHCP6 inet6 from any to any tracker 1504558464 keep state label "USER_RULE: OpenVPN Pass All"

    The OpenVPN log shows a push request from my side, with this response from the VPN:

    PUSH: Received control message: 'PUSH_REPLY,topology subnet,redirect-gateway def1,sndbuf 131072,rcvbuf 131072,comp-lzo adaptive,route-gateway 10.1.67.1,redirect-gateway ipv6,route-ipv6 2000::/3,ping 10,ping-restart 60,dhcp-option DNS 96.9.249.46,dhcp-option DNS 92.222.212.19,ifconfig-ipv6 fdbf:1d37:bbe0:0:20:3:0:1243/112 fdbf:1d37:bbe0:0:20:3:0:1,ifconfig 10.1.67.243 255.255.255.0,peer-id 3'

    The log then shows this error:

    Options error: unknown --redirect-gateway flag: ipv6

    A little later in the log I see:

    ROUTE6: default_gateway=UNDEF

    The OpenVPN initialization completes normally, but is usually followed by these lines:

    MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    MANAGEMENT: CMD 'state 1'
    MANAGEMENT: CMD 'status 2'
    MANAGEMENT: Client disconnected

    Presumably this is the VPN's IPV6 connection disconnecting.

    The Gateways list Status field contains Online for my ISP IPV4 and IPV6, as well as the VPN IPV4, and all have reasonable RTT, RTTsd and Loss values. Usually the VPN IPV6 Status is UNKNOWN, with Pending in the RTT, RTTsd and Loss fields. However, sometimes it does go Online, but with zeroes in the RTT, RTTsd and Loss fields.

    Searching around the web I found one post (I think it was on the OpenVPN forum) to the effect that the option 'redirect-gateway ipv6' is not supported by OpenVPN 2.3, and never will be. The VPN told me that the option should simply be ignored, but it seems that if that's the case something else must be missing.

    Given that post, I installed the latest build of 2.4.0 RC. This time I didn't get any errors in the OpenVPN log and the Gateway status for the VPN IPV6 connection was Online with non-zero values in the RTT, RTTsd and Loss fields. However, there still wasn't any IPV6 connectivity through the VPN. Much worse, performance on the VPN IPV4 connection was horrendous. RTT and RTTsd times were 2x-3x pfSense 2.3.4, and download times were 1/3-1/2 as fast. RTT and RTTsd times for the non-VPN connections were also 2x-3x what I saw under 2.3.4, though performance on the non-VPN connections was "only" off by about 20%. I tried the stable version of 2.4.0 RC, but that was no better.

    I need to get IPV6 working on 2.3.4, or I need to fix the performance problem on 2.4.0. Can anyone help?

    FWIW, to do the configuration, I used the certs, keys and options from the .ovpn files provided by the VPN. There were a small number of options that weren't accepted by pfSense 2.3.4 OpenVPN:

    ignore-unknown-option ncp-disable # ovpn 2.3 to 2.4 transition
    dev tun (FreeBSD ifconfig failed: external program exited with error status: 1)
    nobind (lport and --nobind don't make sense when used together)

    These options were OK:

    tun-mtu 1500
    fragment 1300
    mssfix
    ncp-disable
    client
    comp-lzo
    #float
    hand-window 120
    inactive 604800
    mute-replay-warnings
    ns-cert-type server
    persist-key
    persist-remote-ip
    persist-tun
    keepalive 5 120
    redirect-gateway def1
    remote-random
    reneg-sec 3600
    resolv-retry 60
    route-delay 2
    route-method exe
    script-security 2
    tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA
    tls-timeout 5
    verb 4
    key-direction 1

    I was able to add back ncp-disable in 2.4.0.

    Thanks for any help you can provide.
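To see at a glance what the server's PUSH_REPLY asks the client to do for IPv6, here is a small parser, added as an example and not code from the post or from pfSense/OpenVPN. It takes the PUSH_REPLY line quoted above (constructed sample), pulls out the ifconfig-ipv6 addresses, the route-ipv6 prefix and the redirect-gateway flags, and marks the "ipv6" flag as the one that OpenVPN 2.3 reports as "unknown --redirect-gateway flag" in the log; the on-link check is my own addition.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed from the PUSH_REPLY quoted in the post above.
SAMPLE_LOG_LINE = (
    "PUSH: Received control message: 'PUSH_REPLY,topology subnet,"
    "redirect-gateway def1,sndbuf 131072,rcvbuf 131072,comp-lzo adaptive,"
    "route-gateway 10.1.67.1,redirect-gateway ipv6,route-ipv6 2000::/3,ping 10,"
    "ping-restart 60,dhcp-option DNS 96.9.249.46,dhcp-option DNS 92.222.212.19,"
    "ifconfig-ipv6 fdbf:1d37:bbe0:0:20:3:0:1243/112 fdbf:1d37:bbe0:0:20:3:0:1,"
    "ifconfig 10.1.67.243 255.255.255.0,peer-id 3'"
)

def parse_push_reply(line: str) -> List[List[str]]:
    """Split the quoted PUSH_REPLY into option token lists, e.g. ['redirect-gateway', 'ipv6']."""
    m = re.search(r"'PUSH_REPLY,(.*)'", line)
    if not m:
        raise ValueError("not a PUSH_REPLY log line")
    return [opt.split() for opt in m.group(1).split(",") if opt.strip()]

def ipv6_summary(options: List[List[str]]) -> Dict[str, object]:
    """Collect the pieces the client needs for IPv6 over the tunnel."""
    s: Dict[str, object] = {"local": None, "gateway": None, "routes": [],
                            "redirect_flags": [], "rejected_by_2_3": []}
    for opt in options:
        name, args = opt[0], opt[1:]
        if name == "ifconfig-ipv6" and len(args) == 2:
            s["local"] = ipaddress.IPv6Interface(args[0])   # client address/prefix
            s["gateway"] = ipaddress.IPv6Address(args[1])   # remote (gateway) address
        elif name == "route-ipv6" and args:
            s["routes"].append(ipaddress.IPv6Network(args[0]))
        elif name == "redirect-gateway":
            s["redirect_flags"].extend(args)
            # OpenVPN 2.3 logs "unknown --redirect-gateway flag: ipv6" for this flag (2.4 accepts it)
            if "ipv6" in args:
                s["rejected_by_2_3"].append("redirect-gateway ipv6")
    return s

def gateway_on_link(s: Dict[str, object]) -> bool:
    """True when the pushed gateway sits inside the client's ifconfig-ipv6 prefix."""
    if s["local"] is None or s["gateway"] is None:
        return False
    return s["gateway"] in s["local"].network

if __name__ == "__main__":
    s = ipv6_summary(parse_push_reply(SAMPLE_LOG_LINE))
    print(f"tunnel IPv6 {s['local']} via {s['gateway']} (on-link: {gateway_on_link(s)})")
    print("routes:", [str(r) for r in s["routes"]], "redirect flags:", s["redirect_flags"])
    print("not accepted by OpenVPN 2.3:", s["rejected_by_2_3"])
```

Running it against the sample shows the VPN IPv6 gateway address (fdbf:1d37:bbe0:0:20:3:0:1) is on-link in the pushed /112, so the pf rule's gateway has an address to use only once the tunnel's IPv6 side is actually configured.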