OpenVPN on IPv6 using difficult setup



  • Hello reader

    I'm currently struggling to get OpenVPN setup on IPv6 as my ISP only provides me a /56 range using DHCPv6 via a link-local gateway, meaning I have no static WAN IP... It independently requests a random dynamic IP/128 within the DHCP request.

    My question is, would it be possible to bind OpenVPN on both my IPv4 WAN IP (For legacy connections) aswell as a IPv6 IP to provide the services I need?
    How would I do that considering I don't want to use Dyndns of any sort to provide my WAN IP which changes.
    I've tried multihome IPv4 and IPv6 allowing traffic to go to my LAN's v6 address but that has not worked at all.

    0_1538573575843_b7ab3483-f833-4977-af42-1d140436f2cb-afbeelding.png


  • Rebel Alliance Developer Netgate

    Is your LAN IPv6 allocation static? If not you'd still need dynamic DNS. And why not use dynamic DNS? That's what it is meant for.

    The "multihome" options are as close as you'll get to what you want, but you still need to be able to tell the clients how to reach you, which means you'll either need to use a hostname or hardcode the IP addresses into the exported configuration. The client export package can't easily guess what you want with the multihome option.

    Alternately, create a copy of the VPN with most of the same settings -- the tunnel network would need to be different -- and bind each one where you want (one on IPv4 WAN, one on IPv6 LAN for example) and then export them separately, or add multiple remote statements to the client configs manually.



  • @jimp said in OpenVPN on IPv6 using difficult setup:

    Alternately, create a copy of the VPN with most of the same settings -- the tunnel network would need to be different -- and bind each one where you want (one on

    I'm using DHCPv6 to receive the range and it's assigned statically to my clients with SLAAC disabled so the gateway is a static prefix::1 indeed. My routes where configured and I saw states going through to the IP from WAN.

    I indeed changed the remote IP in the 'Client Export' file to my LAN IP.



  • This post is deleted!


  • After recreating the entire tunnel I've managed to get OpenVPN traffic on IPv6 to my (static xxxx::1) LAN bind for the tunnel. But I've hit another wall regarding TLS errors aswell as a 'UDPv6: Can't assign requested address (code=49)' error.

    Logs:

    Oct 3 19:11:02 	openvpn 	43317 	remote_ipv6 write UDPv6: Can't assign requested address (code=49)
    Oct 3 19:11:02 	openvpn 	43317 	remote_ipv6 UDPv6 WRITE [54] to [AF_INET6]remote_ipv6:46968 (via lan_ipv6%vmx0): P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 1628610373 3975897907 2956103679 1745102930 3408654865 3736207840 1680969745 4222632448 859 3036160000 0 ]
    Oct 3 19:11:02 	openvpn 	43317 	remote_ipv6 TLS Error: incoming packet authentication failed from [AF_INET6]remote_ipv6:46968 (via lan_ipv6%vmx0)
    Oct 3 19:11:02 	openvpn 	43317 	remote_ipv6 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1538586659) Wed Oct 3 19:10:59 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Oct 3 19:11:02 	openvpn 	43317 	remote_ipv6 PID_ERR replay [0] [TLS_WRAP-0] [6] 1538586659:1 1538586659:1 t=1538586662[0] r=[-1,64,15,0,1] sl=[63,1,64,528]
    Oct 3 19:11:02 	openvpn 	43317 	remote_ipv6 UDPv6 READ [54] from [AF_INET6]remote_ipv6:46968 (via lan_ipv6%vmx0): P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ 748149755 3352728783 3269648873 232741582 1777461001 3802391277 100464314 541435648 347 3036160768 0 ]
    Oct 3 19:11:01 	openvpn 	43317 	remote_ipv6 TLS Error: incoming packet authentication failed from [AF_INET6]remote_ipv6:46968 (via lan_ipv6%vmx0)
    Oct 3 19:11:01 	openvpn 	43317 	remote_ipv6 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1538586659) Wed Oct 3 19:10:59 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Oct 3 19:11:01 	openvpn 	43317 	remote_ipv6 PID_ERR replay [0] [TLS_WRAP-0] [5] 1538586659:1 1538586659:1 t=1538586661[0] r=[0,64,15,0,1] sl=[63,1,64,528]
    Oct 3 19:11:01 	openvpn 	43317 	remote_ipv6 UDPv6 READ [54] from [AF_INET6]remote_ipv6:46968 (via lan_ipv6%vmx0): P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ 748149755 3352728783 3269648873 232741582 1777461001 3802391277 100464314 541435648 347 3036160768 0 ]
    Oct 3 19:11:00 	openvpn 	43317 	remote_ipv6 write UDPv6: Can't assign requested address (code=49)
    Oct 3 19:11:00 	openvpn 	43317 	remote_ipv6 UDPv6 WRITE [54] to [AF_INET6]remote_ipv6:40069 (via lan_ipv6%vmx0): P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 2703148123 3213995142 2082495053 3254603688 2724808838 3722528718 2576139292 2062524160 1115 3036157440 0 ]
    Oct 3 19:11:00 	openvpn 	43317 	remote_ipv6 TLS Error: incoming packet authentication failed from [AF_INET6]remote_ipv6:46968 (via lan_ipv6%vmx0)
    Oct 3 19:11:00 	openvpn 	43317 	remote_ipv6 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1538586659) Wed Oct 3 19:10:59 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Oct 3 19:11:00 	openvpn 	43317 	remote_ipv6 PID_ERR replay [0] [TLS_WRAP-0] [4] 1538586659:1 1538586659:1 t=1538586660[0] r=[-4,64,15,0,1] sl=[63,1,64,528]
    Oct 3 19:11:00 	openvpn 	43317 	remote_ipv6 UDPv6 READ [54] from [AF_INET6]remote_ipv6:46968 (via lan_ipv6%vmx0): P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ 748149755 3352728783 3269648873 232741582 1777461001 3802391277 100464314 541435648 347 3036160768 0 ]
    Oct 3 19:10:59 	openvpn 	43317 	remote_ipv6 TLS Error: incoming packet authentication failed from [AF_INET6]remote_ipv6:46968 (via lan_ipv6%vmx0)
    Oct 3 19:10:59 	openvpn 	43317 	remote_ipv6 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1538586659) Wed Oct 3 19:10:59 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Oct 3 19:10:59 	openvpn 	43317 	remote_ipv6 PID_ERR replay [0] [TLS_WRAP-0] [3] 1538586659:1 1538586659:1 t=1538586659[0] r=[-3,64,15,0,1] sl=[63,1,64,528]
    Oct 3 19:10:59 	openvpn 	43317 	remote_ipv6 UDPv6 READ [54] from [AF_INET6]remote_ipv6:46968 (via lan_ipv6%vmx0): P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ 748149755 3352728783 3269648873 232741582 1777461001 3802391277 100464314 541435648 347 3036160768 0 ]
    Oct 3 19:10:58 	openvpn 	43317 	remote_ipv6 write UDPv6: Can't assign requested address (code=49)
    Oct 3 19:10:58 	openvpn 	43317 	remote_ipv6 UDPv6 WRITE [54] to [AF_INET6]remote_ipv6:46968 (via lan_ipv6%vmx0): P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 3224135521 3463278917 2357160450 3922332272 2946747879 2652140587 2664488951 1949800960 603 3036160000 0 ]
    Oct 3 19:10:58 	openvpn 	43317 	remote_ipv6 TLS Error: incoming packet authentication failed from [AF_INET6]remote_ipv6:46968 (via lan_ipv6%vmx0)
    Oct 3 19:10:58 	openvpn 	43317 	remote_ipv6 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1538586659) Wed Oct 3 19:10:59 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Oct 3 19:10:58 	openvpn 	43317 	remote_ipv6 PID_ERR replay [0] [TLS_WRAP-0] [2] 1538586659:1 1538586659:1 t=1538586658[0] r=[-2,64,15,0,1] sl=[63,1,64,528]
    Oct 3 19:10:58 	openvpn 	43317 	remote_ipv6 UDPv6 READ [54] from [AF_INET6]remote_ipv6:46968 (via lan_ipv6%vmx0): P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ 748149755 3352728783 3269648873 232741582 1777461001 3802391277 100464314 541435648 347 3036160768 0 ]
    Oct 3 19:10:57 	openvpn 	43317 	remote_ipv6 TLS Error: incoming packet authentication failed from [AF_INET6]remote_ipv6:46968 (via lan_ipv6%vmx0)
    Oct 3 19:10:57 	openvpn 	43317 	remote_ipv6 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1538586659) Wed Oct 3 19:10:59 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Oct 3 19:10:57 	openvpn 	43317 	remote_ipv6 PID_ERR replay [0] [TLS_WRAP-0] [1] 1538586659:1 1538586659:1 t=1538586657[0] r=[-1,64,15,0,1] sl=[63,1,64,528]
    Oct 3 19:10:57 	openvpn 	43317 	remote_ipv6 UDPv6 READ [54] from [AF_INET6]remote_ipv6:46968 (via lan_ipv6%vmx0): P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ 748149755 3352728783 3269648873 232741582 1777461001 3802391277 100464314 541435648 347 3036160768 0 ]
    Oct 3 19:10:56 	openvpn 	43317 	remote_ipv6 write UDPv6: Can't assign requested address (code=49)
    Oct 3 19:10:56 	openvpn 	43317 	remote_ipv6 UDPv6 WRITE [54] to [AF_INET6]remote_ipv6:43950 (via lan_ipv6%vmx0): P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 1325090080 700281522 3166883039 976873906 1621651604 1671309037 307441620 1475649024 1115 3036156416 0 ]
    Oct 3 19:10:56 	openvpn 	43317 	remote_ipv6 write UDPv6: Can't assign requested address (code=49)
    Oct 3 19:10:56 	openvpn 	43317 	remote_ipv6 UDPv6 WRITE [66] to [AF_INET6]remote_ipv6:46968 (via lan_ipv6%vmx0): P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 2815234335 4291793796 3553278574 121223867 1169181582 3833352236 767693434 3815159552 347 3036160001 0 752703770 3836762626 0 ]
    Oct 3 19:10:56 	openvpn 	43317 	remote_ipv6 TLS: Initial packet from [AF_INET6]remote_ipv6:46968 (via lan_ipv6%vmx0), sid=2cdd591a e4b05a02
    Oct 3 19:10:56 	openvpn 	43317 	remote_ipv6 UDPv6 READ [54] from [AF_INET6]remote_ipv6:46968 (via lan_ipv6%vmx0): P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ 748149755 3352728783 3269648873 232741582 1777461001 3802391277 100464314 541435648 347 3036160768 0 ]
    Oct 3 19:10:56 	openvpn 	43317 	remote_ipv6 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1550,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-192-GCM,auth [null-digest],keysize 192,tls-auth,key-method 2,tls-client'
    Oct 3 19:10:56 	openvpn 	43317 	remote_ipv6 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1550,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-192-GCM,auth [null-digest],keysize 192,tls-auth,key-method 2,tls-server'
    Oct 3 19:10:56 	openvpn 	43317 	remote_ipv6 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
    Oct 3 19:10:56 	openvpn 	43317 	remote_ipv6 Control Channel MTU parms [ L:1622 D:1172 EF:78 EB:0 ET:0 EL:3 ]
    Oct 3 19:10:56 	openvpn 	43317 	remote_ipv6 Re-using SSL/TLS context
    Oct 3 19:10:56 	openvpn 	43317 	MULTI: multi_create_instance called
    Oct 3 19:10:55 	openvpn 	43317 	remote_ipv6 TLS Error: incoming packet authentication failed from [AF_INET6]remote_ipv6:40069 (via lan_ipv6%vmx0)
    Oct 3 19:10:55 	openvpn 	43317 	remote_ipv6 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1538586649) Wed Oct 3 19:10:49 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Oct 3 19:10:55 	openvpn 	43317 	remote_ipv6 PID_ERR replay [0] [TLS_WRAP-0] [9] 1538586649:1 1538586649:1 t=1538586655[0] r=[-4,64,15,0,1] sl=[63,1,64,528]
    Oct 3 19:10:55 	openvpn 	43317 	remote_ipv6 UDPv6 READ [54] from [AF_INET6]remote_ipv6:40069 (via lan_ipv6%vmx0): P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ 1745637740 3405758555 3779407451 3449927915 3105435793 3700927638 2891246867 1602304 347 3036158208 0 ]
    Oct 3 19:10:54 	openvpn 	43317 	remote_ipv6 TLS Error: incoming packet authentication failed from [AF_INET6]remote_ipv6:40069 (via lan_ipv6%vmx0)
    Oct 3 19:10:54 	openvpn 	43317 	remote_ipv6 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1538586649) Wed Oct 3 19:10:49 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Oct 3 19:10:54 	openvpn 	43317 	remote_ipv6 PID_ERR replay [0] [TLS_WRAP-0] [8] 1538586649:1 1538586649:1 t=1538586654[0] r=[-3,64,15,0,1] sl=[63,1,64,528]
    Oct 3 19:10:54 	openvpn 	43317 	remote_ipv6 UDPv6 READ [54] from [AF_INET6]remote_ipv6:40069 (via lan_ipv6%vmx0): P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ 1745637740 3405758555 3779407451 3449927915 3105435793 3700927638 2891246867 1602304 347 3036158208 0 ] 
    

    I don't know if the 'Can't assign requested address' is related to the client or the server. I'll try debugging it client-side on my desktop as that has logs also.



  • @wraptor said in OpenVPN on IPv6 using difficult setup:

    My question is, would it be possible to bind OpenVPN on both my IPv4 WAN IP (For legacy connections) aswell as a IPv6 IP to provide the services I need?

    You could use the LAN IPv6 address for OpenVPN. Also, you don't need an IPv6 connection to carry IPv6 in the VPN. The two are completely independent. I have OpenVPN configured to work over IPv4 only and it carries both IPv4 and IPv6 traffic.



  • @jimp said in OpenVPN on IPv6 using difficult setup:

    Is your LAN IPv6 allocation static? If not you'd still need dynamic DNS. And why not use dynamic DNS? That's what it is meant for.

    IPv6 is normally routed over link local addresses and so the firewall does not need a routeable address on the WAN side. As long as he has a consistent IPv6 address, as is normally provided with DUID, then he doesn't even need DNS. Just use the IPv6 address. Also, be aware of the difference between privacy and non privacy addresses. You want to use the non privacy ones. They could be based on the MAC address or a consistent random number.


  • Rebel Alliance Developer Netgate

    @jknott said in OpenVPN on IPv6 using difficult setup:

    @jimp said in OpenVPN on IPv6 using difficult setup:

    Is your LAN IPv6 allocation static? If not you'd still need dynamic DNS. And why not use dynamic DNS? That's what it is meant for.

    IPv6 is normally routed over link local addresses and so the firewall does not need a routeable address on the WAN side. As long as he has a consistent IPv6 address, as is normally provided with DUID, then he doesn't even need DNS. Just use the IPv6 address. Also, be aware of the difference between privacy and non privacy addresses. You want to use the non privacy ones. They could be based on the MAC address or a consistent random number.

    That does not make any sense in this context. IPv6 uses link-local for contacting a gateway but not for contacting a VPN across the Internet. He's talking about an address that his clients can use to reach the VPN server remotely. The WAN or LAN would need a consistent and predictable global address to use for that purpose. And DNS is the best way to make sure even that is irrelevant. That's the entire point of DNS -- users don't need know, or care about, the IP addresses a site uses, v4 or v6.



  • Exactly. But my issue is that I have no static WAN v6 address, I receive a random, true-dynamic /128 address for the WAN interface which isn't suitable for my deployment setup. I've successfully configured it to work with the LAN v6 address after recreating it with the same config, this somehow fixed a possible legacy error.

    My issues where related to the OpenVPN app and Android 9 support and not the pfSense configuration, tested on multiple Windows devices.

    @jknott said in OpenVPN on IPv6 using difficult setup:

    IPv6 is normally routed over link local addresses and so the firewall does not need a routeable address on the WAN side. As long as he has a consistent IPv6 address, as is normally provided with DUID, then he doesn't even need DNS. Just use the IPv6 address. Also, be aware of the difference between privacy and non privacy addresses. You want to use the non privacy ones. They could be based on the MAC address or a consistent random number.

    I don't like SLAAC ip's, they are to exposing.

    @jknott said in OpenVPN on IPv6 using difficult setup:

    @wraptor said in OpenVPN on IPv6 using difficult setup:

    My question is, would it be possible to bind OpenVPN on both my IPv4 WAN IP (For legacy connections) aswell as a IPv6 IP to provide the services I need?

    You could use the LAN IPv6 address for OpenVPN. Also, you don't need an IPv6 connection to carry IPv6 in the VPN. The two are completely independent. I have OpenVPN configured to work over IPv4 only and it carries both IPv4 and IPv6 traffic.

    I am aware of being able to use IPv4 to tunnel both v4 and v6 traffic but I'm trying to make IPv6 primary connectivity and IPv4 legacy support only, same goes for VPN.



  • @jimp said in OpenVPN on IPv6 using difficult setup:

    That does not make any sense in this context. IPv6 uses link-local for contacting a gateway but not for contacting a VPN across the Internet.

    I never said use the link local for the VPN. What I had suggested, in another post, was to use the LAN IPv6 address for the VPN. I also said he doesn't even need IPv6 for the VPN to carry IPv6 traffic. Both IPv4 and IPv6 can be carried over the VPN, regardless of whether the VPN is carried over IPv4 or IPv6.



  • @wraptor said in OpenVPN on IPv6 using difficult setup:

    Exactly. But my issue is that I have no static WAN v6 address, I receive a random, true-dynamic /128 address for the WAN interface which isn't suitable for my deployment setup. I've successfully configured it to work with the LAN v6 address after recreating it with the same config, this somehow fixed a possible legacy error.

    It's not a legacy error. It's just routing. You don't have a routeable address on the WAN side, so by using one on the LAN side, pfSense can still run the VPN.

    Also, SLAAC or not, you need a consistent address for the VPN to connect to. You will normally have one consistent address, either MAC or random, and up to 7 privacy addresses, which will change daily. The consistent addresses are what you use for servers and the privacy addresses are used when you connect to the 'net with a browser, etc..



  • @jknott said in OpenVPN on IPv6 using difficult setup:

    @wraptor said in OpenVPN on IPv6 using difficult setup:

    Exactly. But my issue is that I have no static WAN v6 address, I receive a random, true-dynamic /128 address for the WAN interface which isn't suitable for my deployment setup. I've successfully configured it to work with the LAN v6 address after recreating it with the same config, this somehow fixed a possible legacy error.

    It's not a legacy error. It's just routing. You don't have a routeable address on the WAN side, so by using one on the LAN side, pfSense can still run the VPN.

    Also, SLAAC or not, you need a consistent address for the VPN to connect to. You will normally have one consistent address, either MAC or random, and up to 7 privacy addresses, which will change daily. The consistent addresses are what you use for servers and the privacy addresses are used when you connect to the 'net with a browser, etc..

    I'm aware of how the IPv6 protocol is constructed...
    My WAN does have a /128 always-changing v6 routable address but it's nothing to rely on for a VPN. I've never used anything other than my LAN interface's address but that didn't work before, after recreating the entire configuration (identically) it worked like a charm

    Care to explain how it would be a routing issue if I used the same exact setup and never changed any firewall rules?



  • @wraptor said in OpenVPN on IPv6 using difficult setup:

    @jknott said in OpenVPN on IPv6 using difficult setup:

    @wraptor said in OpenVPN on IPv6 using difficult setup:

    Exactly. But my issue is that I have no static WAN v6 address, I receive a random, true-dynamic /128 address for the WAN interface which isn't suitable for my deployment setup. I've successfully configured it to work with the LAN v6 address after recreating it with the same config, this somehow fixed a possible legacy error.

    It's not a legacy error. It's just routing. You don't have a routeable address on the WAN side, so by using one on the LAN side, pfSense can still run the VPN.

    Also, SLAAC or not, you need a consistent address for the VPN to connect to. You will normally have one consistent address, either MAC or random, and up to 7 privacy addresses, which will change daily. The consistent addresses are what you use for servers and the privacy addresses are used when you connect to the 'net with a browser, etc..

    I'm aware of how the IPv6 protocol is constructed...
    My WAN does have a /128 always-changing v6 routable address but it's nothing to rely on for a VPN. I've never used anything other than my LAN interface's address but that didn't work before, after recreating the entire configuration (identically) it worked like a charm

    Care to explain how it would be a routing issue if I used the same exact setup and never changed any firewall rules?

    You originally said:

    "I'm currently struggling to get OpenVPN setup on IPv6 as my ISP only provides me a /56 range using DHCPv6 via a link-local gateway, meaning I have no static WAN IP... It independently requests a random dynamic IP/128 within the DHCP request."

    You also said you didn't want to use DYNDNS etc., so that means you're trying to connect to a moving target. If your address changes, what you you configure the VPN to use? One other possibility is the host name on your WAN interface may be consistent. If so, you could use that.

    Failing the above, you need some other consistent address to use. That means the pfSense LAN interface. It's entirely possible to do that, as pfSense will receive the incoming packet, addressed to the LAN interface and receive it. As far as the ISP and the rest of the 'net is concerned, it's just basic routing to get the OpenVPN packets to where they have to go.



  • I did, I also later on stated I've tried my LAN v6 but it never worked. Afterwards I got it to work recreating it using identical configuration.

    Thank you both @jimp and @JKnott for the help. My issue has been resolved by itself.