Netgate Discussion Forum

Need some IPv6 OpenVPN guidance

Scheduled Pinned Locked Moved IPv6
3 Posts 2 Posters 261 Views
  • Q
    q54e3w
    last edited by q54e3w May 24, 2020, 5:16 AM May 24, 2020, 3:28 AM

    At the limit of my knowledge and not quite sure what to try next so hoping for some direction.

    Using pfSense 2.5.0. I have a WAN connection with /56 prefix. The secure LAN and other subnets track the WAN and IPv4 and IPv6 addresses are allocated to clients on the subnets.

    I have an OpenVPN connection via AirVPN which has historically been used over IPv4 but now want to be able to use IPv6 over this connection also. I've configured the OpenVPN connection to create both an IPv4 and an IPv6 gateway. These gateways show as Online on my dashboard, i.e.:

    ipv6gateways.png

    edit: added more details re igb0 WAN connection.

    igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    	description: WAN
    	options=e520bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
    	ether ac:1f:6b:73:87:e0
    	inet6 fe80::ae1f:6bff:fe73:87e0%igb0 prefixlen 64 scopeid 0x1
    	inet6 2605:e000:xxxx:xx:19b8:e4cf:633a:2830 prefixlen 128
    	inet 76.xx.x.116 netmask 0xfffff000 broadcast 255.255.255.255
    	media: Ethernet autoselect (1000baseT <full-duplex>)
    	status: active
    	nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
    

    I expected I could use the IPv6 in a policy routing type rule on the subnet but this doesn't seem to work. As far as I can tell the routing table is populated with the gateways

    netstat -nr
    Routing tables
    
    Internet:
    Destination        Gateway            Flags     Netif Expire
    default            76.xx.0.1          UGS        igb0
    10.9.xxx.0/24      10.9.162.1         UGS      ovpnc1
    10.9.xxx.1         link#28            UH       ovpnc1
    <snip>
    
    Internet6:
    Destination                       Gateway                       Flags     Netif Expire
    default                           fe80::201:5cff:fe69:2446%igb0 UG         igb0
    fde6:xx:xxxx:5a2::/64             link#28                       U        ovpnc1
    fde6:xx:xxxx:5a2::1001            link#28                       UHS         lo0
    <snip>
    

    I've tried adding the IPv6 address (fde6:xx:xxxx:5a2::/64) to the OpenVPN client "IPv6 tunnel network", but I'm just guessing at this point and that doesn't appear to help anyway.

    My firewall rule is a simple match for IPv6, TCP/UDP any any directed out of gateway VPN1_WAN_V6.

    Logs from my OpenVPN connection are below

    May 23 22:11:57 pfSense openvpn[31098]: Data Channel: using negotiated cipher 'AES-256-GCM'
    May 23 22:11:57 pfSense openvpn[31098]: Data Channel MTU parms [ L:1553 D:1450 EF:53 EB:406 ET:0 EL:3 ]
    May 23 22:11:57 pfSense openvpn[31098]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
    May 23 22:11:57 pfSense openvpn[31098]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
    May 23 22:11:57 pfSense openvpn[31098]: ROUTE_GATEWAY 76.xx.x.1/255.255.240.0 IFACE=igb0 HWADDR=ac:1f:xx:xx:xx:xx
    May 23 22:11:57 pfSense openvpn[31098]: GDG6: remote_host_ipv6=n/a
    May 23 22:11:57 pfSense openvpn[31098]: ROUTE6_GATEWAY fe80::xxx:xxxx:fe69:2446 IFACE=igb0
    May 23 22:11:57 pfSense openvpn[31098]: TUN/TAP device ovpnc1 exists previously, keep at program end
    May 23 22:11:57 pfSense openvpn[31098]: TUN/TAP device /dev/tun1 opened
    May 23 22:11:57 pfSense openvpn[31098]: do_ifconfig, tt->did_ifconfig_ipv6_setup=1
    May 23 22:11:57 pfSense openvpn[31098]: /sbin/ifconfig ovpnc1 10.x.xxx.3 10.x.xxx.1 mtu 1500 netmask 255.255.255.0 up
    May 23 22:11:57 pfSense openvpn[31098]: /sbin/route add -net 10.x.xxx.0 10.x.xxx.1 255.255.255.0
    May 23 22:11:57 pfSense openvpn[31098]: /sbin/ifconfig ovpnc1 inet6 fde6:xx:xxxx:5a2::1001/64
    May 23 22:11:57 pfSense openvpn[31098]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1553 10.9.162.3 255.255.255.0 init
    May 23 22:11:57 pfSense openvpn[31098]: Initialization Sequence Completed
    

    Clearly something I'm not understanding so hopefully some kind soul can fill in some knowledge gaps for me.

    thanks in advance,

    N 1 Reply Last reply May 24, 2020, 5:48 AM Reply Quote 0
    • N
      netblues @q54e3w
      last edited by May 24, 2020, 5:48 AM

      @q54e3w A few remarks: 10.x is private, so no need to smudge it;
      same goes for fe80::, which is IPv6 link-local.

      Are you sure your IPv6 works on your setup?
      Is ping6 working?

      Q 1 Reply Last reply May 24, 2020, 6:07 PM Reply Quote 0
      • Q
        q54e3w @netblues
        last edited by q54e3w May 24, 2020, 6:08 PM May 24, 2020, 6:07 PM

        @netblues

        Sorry for the heavy-handed smudging, wanted to be sure I wasn't posting unnecessary details re MAC or private addresses. I've tried to be more selective in this response.

        Here's the diagnostics that led me to think it's something to do with the IPv6 tunnel to AirVPN.

        From my local subnet my local PC gets an IPv4 and IPv6 address.

        With the egress gateway set to default I can ping an IP test site over both IPv4 and IPv6

        % ping -c 3 ifconfig.co
        PING ifconfig.co (104.28.18.94): 56 data bytes
        64 bytes from 104.28.18.94: icmp_seq=0 ttl=54 time=508.991 ms
        64 bytes from 104.28.18.94: icmp_seq=1 ttl=54 time=47.812 ms
        64 bytes from 104.28.18.94: icmp_seq=2 ttl=54 time=77.452 ms
        
        % ping6 -c 3 ifconfig.co
        PING6(56=40+8+8 bytes) 2605:e000:xxxx:xxxx:9051:ad0b:d360:b654 --> 2606:4700:3032::681c:125e
        16 bytes from 2606:4700:3032::681c:125e, icmp_seq=0 hlim=56 time=88.167 ms
        16 bytes from 2606:4700:3032::681c:125e, icmp_seq=1 hlim=56 time=92.328 ms
        16 bytes from 2606:4700:3032::681c:125e, icmp_seq=2 hlim=56 time=127.620 ms
        

        I can also get an IP address back from curl'ing the site over both IPv4 and IPv6 so I think I can correctly conclude my basic DNS, routing and transport is working correctly over the default non-VPN gateway.

        % curl ifconfig.co
        199.249.223.130
        
        % curl -6 ifconfig.co
        2605:e000:xxxx:xxxx:9051:ad0b:d360:b654
        

        If I change my gateway to VPN_WAN_V6 for ICMP and TCP/UDP both pings and curl stop functioning. They just hang.

        ping6 ifconfig.co
        PING6(56=40+8+8 bytes) 2605:e000:xxx:xxx:9051:ad0b:d360:b654 --> 2606:4700:3034::681c:135e
        ^C
        
        % curl -6 ifconfig.co
        ^C
        

        I'm not sure this is useful, but here's the ifconfig of the OpenVPN interface

        ovpnc1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        	options=80000<LINKSTATE>
        	inet6 fe80::ae1f:6bff:fe73:87e0%ovpnc1 prefixlen 64 scopeid 0x1c
        	inet6 fde6:7a:7d20:5a2::1001 prefixlen 64
        	inet 10.9.162.3 --> 10.9.162.1 netmask 0xffffff00
        	groups: tun openvpn
        	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        	Opened by PID 84260
        

        I'm sure this is a newbie IPv6 user error, there's something I'm not understanding clearly, like a possible need to do some address translation for IPv6 traffic egressing over an IPv6 link established in an IPv4 tunnel?

        thanks for reading and any suggestions.

        1 Reply Last reply Reply Quote 0
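
The scope question raised in the thread (which addresses are private or link-local, and which are publicly routable) can be checked mechanically before pasting `ifconfig` output into a public post. This is an added example, not part of the original thread; the function names are hypothetical, and the sample combines the `ovpnc1` lines posted above with one constructed line that reuses the ping target address.

```python
import ipaddress
import re

ULA_NET = ipaddress.ip_network("fc00::/7")  # IPv6 unique-local range (RFC 4193)

# Constructed sample: ovpnc1 lines as posted in the thread, plus one
# constructed inet6 line carrying the ping target address as a global example.
SAMPLE = """\
ovpnc1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
    inet6 fe80::ae1f:6bff:fe73:87e0%ovpnc1 prefixlen 64 scopeid 0x1c
    inet6 fde6:7a:7d20:5a2::1001 prefixlen 64
    inet 10.9.162.3 --> 10.9.162.1 netmask 0xffffff00
    inet6 2606:4700:3032::681c:125e prefixlen 128
"""


def classify(addr):
    """Return the routing scope of one address token from ifconfig output."""
    try:
        ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop %zone suffix
    except ValueError:
        return "unparsable"  # e.g. an already-redacted token like 76.xx.x.116
    if ip.is_link_local:
        return "link-local"
    if ip.version == 6 and ip in ULA_NET:
        return "unique-local"
    if ip.is_private:
        return "private"
    if ip.is_global:
        return "global"
    return "other"


def scan(text):
    """Yield (address, scope) for the first address on each inet/inet6 line."""
    found = []
    for line in text.splitlines():
        m = re.search(r"\binet6?\s+(\S+)", line)
        if m:
            found.append((m.group(1), classify(m.group(1))))
    return found


def publicly_routable(text):
    """Addresses that identify the host on the public Internet."""
    return [addr for addr, scope in scan(text) if scope == "global"]


if __name__ == "__main__":
    for addr, scope in scan(SAMPLE):
        print(f"{scope:13} {addr}")
```

Run against the posted `ovpnc1` output, the tunnel address `fde6:7a:7d20:5a2::1001` is reported as unique-local, while the LAN client in the ping test sources from a global `2605:e000:…` address.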