OpenVPN-Client different Gateways when using IPv4 or IPv6 as remote VPN-Server



  • My VPN Server (Debian OpenVPN latest Version) is in Dual-Stack Mode (has a public IPv4 (e.g. 4.4.4.4) & IPv6 Address (e.g. 2a01:aaaa:bbbb:cccc:0:0:0:1)). All is working very well with Ubuntu, Windows etc.

    When connecting my pfSense (Client of the VPN) with the IPv4 Address of the Linux VPN-Server (under VPN -> OpenVPN -> Clients -> Edit), the Gateway which is pushed is something like 2a01:aaaa:bbbb:cccc:0:0:1:1. The v6 Gateway and the IPv6 Internet are pingable. All works fine.

    When connecting my pfSense with the IPv6 Address of the Linux VPN-Server, the Gateway which is pushed is something like fe80::1234:4567:1234:4567. The v6 Gateway and the IPv6 Internet are not pingable. 100% Packet Loss.

    IPv4 Connection Log:
    OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Nov 16 2017
    library versions: OpenSSL 1.0.2m-freebsd 2 Nov 2017, LZO 2.10
    MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
    WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
    NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Outgoing Control Channel Authentication: Using 128 bit message hash 'SHA' for HMAC authentication
    Incoming Control Channel Authentication: Using 128 bit message hash 'SHA' for HMAC authentication
    TCP/UDP: Preserving recently used remote address: [AF_INET]4.4.4.4:1992
    Socket Buffers: R=[42080->42080] S=[57344->57344]
    UDP link local (bound): [AF_INET][undef]:1992
    UDP link remote: [AF_INET]4.4.4.4:1992
    TLS: Initial packet from [AF_INET]4.4.4.4:1992 (via [AF_INET]192.168.0.100%), sid=7962a9e6 dec2475c
    VERIFY OK: …
    VERIFY OK: ...
    VERIFY OK: ...
    Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA, 4096 bit RSA
    [server] Peer Connection Initiated with [AF_INET]4.4.4.4:1992 (via [AF_INET]192.168.0.100%)
    SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,redirect-gateway ipv6,dhcp-option DOMAIN local.domains,dhcp-option DOMAIN local.domains,dhcp-option DNS 10.8.0.1,dhcp-option DNS6 2a01:aaaa:bbbb:cccc:0:0:1:1,tun-ipv6,route-gateway 10.8.0.1,ping 10,ping-restart 120,ifconfig-ipv6 2a01:aaaa:bbbb:cccc:0:0:1:100/112 2a01:aaaa:bbbb:cccc:0:0:1:1,ifconfig 10.8.0.100 255.255.255.0,peer-id 1'
    Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
    OPTIONS IMPORT: timers and/or timeouts modified
    OPTIONS IMPORT: --ifconfig/up options modified
    OPTIONS IMPORT: route options modified
    OPTIONS IMPORT: route-related options modified
    OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    OPTIONS IMPORT: peer-id set
    OPTIONS IMPORT: adjusting link_mtu to 1656
    Outgoing Data Channel: Cipher 'AES-AES-AES' initialized with 256 bit key
    Outgoing Data Channel: Using 128 bit message hash 'SHA' for HMAC authentication
    Incoming Data Channel: Cipher 'AES-AES-AES' initialized with 256 bit key
    Incoming Data Channel: Using 128 bit message hash 'SHA' for HMAC authentication
    ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=vtnet2 HWADDR=aa:06:bb:2b:53:e2
    GDG6: remote_host_ipv6=n/a
    ROUTE6_GATEWAY fe80::1234:4567:1234:4567 IFACE=vtnet2
    TUN/TAP device ovpnc1 exists previously, keep at program end
    TUN/TAP device /dev/tap1 opened
    do_ifconfig, tt->did_ifconfig_ipv6_setup=1
    /sbin/ifconfig ovpnc1 10.8.0.100 netmask 255.255.255.0 mtu 1500 up
    /sbin/ifconfig ovpnc1 inet6 2a01:aaaa:bbbb:cccc:0:0:1:100/112
    /usr/local/sbin/ovpn-linkup ovpnc1 1500 1620 10.8.0.100 255.255.255.0 init
    /sbin/route add -net 4.4.4.4 192.168.0.1 255.255.255.255
    /sbin/route add -net 0.0.0.0 10.8.0.1 128.0.0.0
    /sbin/route add -net 128.0.0.0 10.8.0.1 128.0.0.0
    add_route_ipv6(::/3 -> 2a01:aaaa:bbbb:cccc:0:0:1:1 metric -1) dev ovpnc1
    /sbin/route add -inet6 ::/3 2a01:aaaa:bbbb:cccc:0:0:1:1
    add_route_ipv6(2000::/4 -> 2a01:aaaa:bbbb:cccc:0:0:1:1 metric -1) dev ovpnc1
    /sbin/route add -inet6 2000::/4 2a01:aaaa:bbbb:cccc:0:0:1:1
    add_route_ipv6(3000::/4 -> 2a01:aaaa:bbbb:cccc:0:0:1:1 metric -1) dev ovpnc1
    /sbin/route add -inet6 3000::/4 2a01:aaaa:bbbb:cccc:0:0:1:1
    add_route_ipv6(fc00::/7 -> 2a01:aaaa:bbbb:cccc:0:0:1:1 metric -1) dev ovpnc1
    /sbin/route add -inet6 fc00::/7 2a01:aaaa:bbbb:cccc:0:0:1:1
    Initialization Sequence Completed

    IPv6 Connection Log:

    OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Nov 16 2017
    library versions: OpenSSL 1.0.2m-freebsd 2 Nov 2017, LZO 2.10
    MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
    WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
    NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Outgoing Control Channel Authentication: Using 128 bit message hash 'SHA' for HMAC authentication
    Incoming Control Channel Authentication: Using 128 bit message hash 'SHA' for HMAC authentication
    TCP/UDP: Preserving recently used remote address: [AF_INET6]2a01:aaaa:bbbb:cccc:0:0:0:1:1992
    Socket Buffers: R=[42080->42080] S=[57344->57344]
    setsockopt(IPV6_V6ONLY=0)
    UDP link local (bound): [AF_INET6][undef]:1990
    UDP link remote: [AF_INET6]2a01:aaaa:bbbb:cccc:0:0:0:1:1992
    TLS: Initial packet from [AF_INET6]2a01:aaaa:bbbb:cccc:0:0:0:1:1992 (via 2a02:cccc:bbbb:aaaa:1234:1234:1234:1234%vtnet2), sid=1a46f25c fbf95001
    VERIFY OK: …
    VERIFY OK: ...
    VERIFY OK: ...
    Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ... RSA
    [server] Peer Connection Initiated with [AF_INET6]2a01:aaaa:bbbb:cccc:0:0:0:1:1992 (via 2a02:cccc:bbbb:aaaa:1234:1234:1234:1234%vtnet2)
    Key [AF_INET6]2a01:aaaa:bbbb:cccc:0:0:0:1:1992 (via 2a02:cccc:bbbb:aaaa:1234:1234:1234:1234%vtnet2) not initialized (yet), dropping packet.
    SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,redirect-gateway ipv6,dhcp-option DOMAIN local.domains,dhcp-option DOMAIN local.domain,dhcp-option DNS 10.8.0.1,dhcp-option DNS6 2a01:aaaa:bbbb:cccc:0:0:1:1,tun-ipv6,route-gateway 10.8.0.1,ping 10,ping-restart 120,ifconfig-ipv6 2a01:aaaa:bbbb:cccc:0:0:1:100/112 2a01:aaaa:bbbb:cccc:0:0:1:1,ifconfig 10.8.0.100 255.255.255.0,peer-id 4'
    Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
    OPTIONS IMPORT: timers and/or timeouts modified
    OPTIONS IMPORT: --ifconfig/up options modified
    OPTIONS IMPORT: route options modified
    OPTIONS IMPORT: route-related options modified
    OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    OPTIONS IMPORT: peer-id set
    OPTIONS IMPORT: adjusting link_mtu to 1656
    Outgoing Data Channel: Cipher 'AES-AES-AES' initialized with 256 bit key
    Outgoing Data Channel: Using 384 bit message hash 'SHA' for HMAC authentication
    Incoming Data Channel: Cipher 'AES-AES-AES' initialized with 256 bit key
    Incoming Data Channel: Using 384 bit message hash 'SHA' for HMAC authentication
    ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=vtnet2 HWADDR=aa:06:bb:2b:53:e2
    GDG6: remote_host_ipv6=2a01:aaaa:bbbb:cccc:0:0:0:1
    ROUTE6_GATEWAY fe80::1234:4567:1234:4567 IFACE=vtnet2
    ROUTE6: 2000::/4 overlaps IPv6 remote 2a01:aaaa:bbbb:cccc:0:0:0:1, adding host route to VPN endpoint
    TUN/TAP device ovpnc1 exists previously, keep at program end
    TUN/TAP device /dev/tap1 opened
    do_ifconfig, tt->did_ifconfig_ipv6_setup=1
    /sbin/ifconfig ovpnc1 10.8.0.100 netmask 255.255.255.0 mtu 1500 up
    /sbin/ifconfig ovpnc1 inet6 2a01:aaaa:bbbb:cccc:0:0:1:100/112
    /usr/local/sbin/ovpn-linkup ovpnc1 1500 1620 10.8.0.100 255.255.255.0 init
    ROUTE remote_host protocol differs from tunneled
    /sbin/route add -net 0.0.0.0 10.8.0.1 128.0.0.0
    /sbin/route add -net 128.0.0.0 10.8.0.1 128.0.0.0
    add_route_ipv6(2a01:aaaa:bbbb:cccc:0:0:0:1/128 -> fe80::1234:4567:1234:4567%vtnet2 metric 1) dev vtnet2
    /sbin/route add -inet6 2a01:aaaa:bbbb:cccc:0:0:0:1/128 fe80::1234:4567:1234:4567%vtnet2
    add_route_ipv6(::/3 -> 2a01:aaaa:bbbb:cccc:0:0:1:1 metric -1) dev ovpnc1
    /sbin/route add -inet6 ::/3 2a01:aaaa:bbbb:cccc:0:0:1:1
    add_route_ipv6(2000::/4 -> 2a01:aaaa:bbbb:cccc:0:0:1:1 metric -1) dev ovpnc1
    /sbin/route add -inet6 2000::/4 2a01:aaaa:bbbb:cccc:0:0:1:1
    add_route_ipv6(3000::/4 -> 2a01:aaaa:bbbb:cccc:0:0:1:1 metric -1) dev ovpnc1
    /sbin/route add -inet6 3000::/4 2a01:aaaa:bbbb:cccc:0:0:1:1
    add_route_ipv6(fc00::/7 -> 2a01:aaaa:bbbb:cccc:0:0:1:1 metric -1) dev ovpnc1
    /sbin/route add -inet6 fc00::/7 2a01:aaaa:bbbb:cccc:0:0:1:1
    Initialization Sequence Completed
    MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    MANAGEMENT: CMD 'state 1'
    MANAGEMENT: CMD 'status 2'
    MANAGEMENT: Client disconnected

    If you need more information, please let me know.
    Thank you for your help and for your time making pfsense even more perfect and IPv6 running like v4!!! THX
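The two logs above differ in one IPv6 detail: over an IPv6 transport, OpenVPN detects the LAN's own link-local default gateway (the ROUTE6_GATEWAY line) and uses it for a single /128 host route to the VPN server (the "ROUTE6: 2000::/4 overlaps IPv6 remote" line), while every other IPv6 route still points at the pushed ifconfig-ipv6 gateway on ovpnc1. The following Python script is an added example, not code from the post, from pfSense or from OpenVPN: it parses the client log's PUSH_REPLY, ROUTE6_GATEWAY, GDG6 and add_route_ipv6 lines (the regexes match the message formats as they appear in the logs above) and reports which next hop each installed IPv6 route actually uses. SAMPLE_LOG is a constructed excerpt built from the post's placeholder addresses.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the IPv6 connection log above; the addresses are
# the post's placeholder addresses, not real hosts.
SAMPLE_LOG = """\
PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,redirect-gateway ipv6,dhcp-option DNS6 2a01:aaaa:bbbb:cccc:0:0:1:1,route-gateway 10.8.0.1,ifconfig-ipv6 2a01:aaaa:bbbb:cccc:0:0:1:100/112 2a01:aaaa:bbbb:cccc:0:0:1:1,ifconfig 10.8.0.100 255.255.255.0,peer-id 4'
GDG6: remote_host_ipv6=2a01:aaaa:bbbb:cccc:0:0:0:1
ROUTE6_GATEWAY fe80::1234:4567:1234:4567 IFACE=vtnet2
ROUTE6: 2000::/4 overlaps IPv6 remote 2a01:aaaa:bbbb:cccc:0:0:0:1, adding host route to VPN endpoint
add_route_ipv6(2a01:aaaa:bbbb:cccc:0:0:0:1/128 -> fe80::1234:4567:1234:4567%vtnet2 metric 1) dev vtnet2
add_route_ipv6(::/3 -> 2a01:aaaa:bbbb:cccc:0:0:1:1 metric -1) dev ovpnc1
add_route_ipv6(2000::/4 -> 2a01:aaaa:bbbb:cccc:0:0:1:1 metric -1) dev ovpnc1
add_route_ipv6(3000::/4 -> 2a01:aaaa:bbbb:cccc:0:0:1:1 metric -1) dev ovpnc1
add_route_ipv6(fc00::/7 -> 2a01:aaaa:bbbb:cccc:0:0:1:1 metric -1) dev ovpnc1
"""

PUSH_RE = re.compile(r"PUSH: Received control message: '(?P<body>[^']*)'")
ROUTE_RE = re.compile(r"add_route_ipv6\((?P<prefix>\S+) -> (?P<gw>\S+) metric (?P<metric>-?\d+)\) dev (?P<dev>\S+)")
UNDERLAY_RE = re.compile(r"ROUTE6_GATEWAY (?P<gw>\S+) IFACE=(?P<dev>\S+)")
REMOTE_RE = re.compile(r"GDG6: remote_host_ipv6=(?P<addr>\S+)")


@dataclass(frozen=True)
class Route6:
    prefix: ipaddress.IPv6Network
    gateway: ipaddress.IPv6Address
    dev: str
    metric: int


def _addr(text):
    """Parse an IPv6 address, dropping a '%vtnet2' zone id if present."""
    return ipaddress.IPv6Address(text.split("%", 1)[0])


def parse_push_reply(log):
    """Extract the server-pushed options this example cares about from PUSH_REPLY."""
    opts = {"redirect_gateway": []}
    m = PUSH_RE.search(log)
    if not m:
        return opts
    for item in m.group("body").split(",")[1:]:  # first token is 'PUSH_REPLY'
        if not item.strip():
            continue
        key, *args = item.split()
        if key == "redirect-gateway":
            opts["redirect_gateway"].extend(args)
        elif key == "ifconfig-ipv6":
            opts["tunnel_addr6"] = ipaddress.IPv6Interface(args[0])
            opts["tunnel_gw6"] = _addr(args[1])  # the only v6 gateway the server pushes
        elif key == "route-gateway":
            opts["tunnel_gw4"] = ipaddress.IPv4Address(args[0])
    return opts


def parse_routes6(log):
    """Every IPv6 route the client reports installing, in log order."""
    return [Route6(ipaddress.IPv6Network(m["prefix"]), _addr(m["gw"]), m["dev"], int(m["metric"]))
            for m in ROUTE_RE.finditer(log)]


def underlay_gateway6(log):
    """The LAN's own IPv6 default gateway as OpenVPN detected it (ROUTE6_GATEWAY line).
    It is a link-local fe80:: address found locally, not something the server pushed."""
    m = UNDERLAY_RE.search(log)
    return (_addr(m["gw"]), m["dev"]) if m else None


def classify_routes(log):
    """Split installed routes by next hop: 'tunnel' = via the pushed ifconfig-ipv6
    gateway, 'underlay' = via the LAN's link-local default gateway, else 'other'."""
    tunnel_gw = parse_push_reply(log).get("tunnel_gw6")
    underlay = underlay_gateway6(log)
    out = {"tunnel": [], "underlay": [], "other": []}
    for r in parse_routes6(log):
        if r.gateway == tunnel_gw:
            out["tunnel"].append(r)
        elif underlay and r.gateway == underlay[0]:
            out["underlay"].append(r)
        else:
            out["other"].append(r)
    return out


def endpoint_host_route(log):
    """Return the /128 underlay route to the VPN server, or None. OpenVPN adds it so the
    encrypted packets to the server keep leaving via the physical interface once a
    pushed route (2000::/4 here) covers the server's own address."""
    m = REMOTE_RE.search(log)
    if not m:
        return None
    remote = _addr(m["addr"])
    for r in classify_routes(log)["underlay"]:
        if r.prefix.prefixlen == 128 and r.prefix.network_address == remote:
            return r
    return None


def global_unicast_via_tunnel(log):
    """True when 2000::/4 and 3000::/4 (the halves of global unicast space that
    redirect-gateway ipv6 installs) both point at the tunnel gateway."""
    tunnel_prefixes = {r.prefix for r in classify_routes(log)["tunnel"]}
    wanted = {ipaddress.IPv6Network("2000::/4"), ipaddress.IPv6Network("3000::/4")}
    return wanted <= tunnel_prefixes


if __name__ == "__main__":
    for kind, routes in classify_routes(SAMPLE_LOG).items():
        for r in routes:
            print(f"{kind:8} {r.prefix} via {r.gateway} dev {r.dev}")
    print("endpoint host route:", endpoint_host_route(SAMPLE_LOG))
    print("global unicast via tunnel:", global_unicast_via_tunnel(SAMPLE_LOG))
```

Run against the IPv6 log, the fe80 address shows up as the next hop of exactly one route, the /128 to the VPN server on vtnet2, while ::/3, 2000::/4, 3000::/4 and fc00::/7 all go via the pushed 2a01:aaaa:bbbb:cccc::1:1 on ovpnc1; the same classification on the IPv4 log yields no underlay IPv6 route at all. That makes it quick to confirm, from a client log alone, whether an IPv6 reachability problem lies in the pushed routes or somewhere else.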

