Need some IPv6 OpenVPN guidance
-
At the limit of my knowledge and not quite sure what to try next so hoping for some direction.
Using pfSense 2.5.0. I have a WAN connection with /56 prefix. The secure LAN and other subnets track the WAN and IPv4 and IPv6 addresses are allocated to clients on the subnets.
I have an OpenVPN connection via AirVPN which has historically been used over IPv4, but now I want to be able to use IPv6 over this connection also. I've configured the OpenVPN connection to create both an IPv4 and an IPv6 gateway. These gateways show as Online on my dashboard, i.e.
edit: added more details re igb0 WAN connection.
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    description: WAN
    options=e520bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
    ether ac:1f:6b:73:87:e0
    inet6 fe80::ae1f:6bff:fe73:87e0%igb0 prefixlen 64 scopeid 0x1
    inet6 2605:e000:xxxx:xx:19b8:e4cf:633a:2830 prefixlen 128
    inet 76.xx.x.116 netmask 0xfffff000 broadcast 255.255.255.255
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
I expected I could use the IPv6 gateway in a policy routing type rule on the subnet, but this doesn't seem to work. As far as I can tell the routing table is populated with the gateways:
netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            76.xx.0.1          UGS        igb0
10.9.xxx.0/24      10.9.162.1         UGS      ovpnc1
10.9.xxx.1         link#28            UH       ovpnc1
<snip>

Internet6:
Destination                       Gateway                       Flags     Netif Expire
default                           fe80::201:5cff:fe69:2446%igb0 UG         igb0
fde6:xx:xxxx:5a2::/64             link#28                       U        ovpnc1
fde6:xx:xxxx:5a2::1001            link#28                       UHS         lo0
<snip>
I've tried adding the IPv6 address (fde6:xx:xxxx:5a2::/64) to the OpenVPN client "IPv6 tunnel network", but I'm just guessing at this point and that doesn't appear to help anyway.
My firewall rule is a simple match for IPv6, TCP/UDP any any directed out of gateway VPN1_WAN_V6.
Logs from my OpenVPN connection are below.
May 23 22:11:57 pfSense openvpn[31098]: Data Channel: using negotiated cipher 'AES-256-GCM'
May 23 22:11:57 pfSense openvpn[31098]: Data Channel MTU parms [ L:1553 D:1450 EF:53 EB:406 ET:0 EL:3 ]
May 23 22:11:57 pfSense openvpn[31098]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
May 23 22:11:57 pfSense openvpn[31098]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
May 23 22:11:57 pfSense openvpn[31098]: ROUTE_GATEWAY 76.xx.x.1/255.255.240.0 IFACE=igb0 HWADDR=ac:1f:xx:xx:xx:xx
May 23 22:11:57 pfSense openvpn[31098]: GDG6: remote_host_ipv6=n/a
May 23 22:11:57 pfSense openvpn[31098]: ROUTE6_GATEWAY fe80::xxx:xxxx:fe69:2446 IFACE=igb0
May 23 22:11:57 pfSense openvpn[31098]: TUN/TAP device ovpnc1 exists previously, keep at program end
May 23 22:11:57 pfSense openvpn[31098]: TUN/TAP device /dev/tun1 opened
May 23 22:11:57 pfSense openvpn[31098]: do_ifconfig, tt->did_ifconfig_ipv6_setup=1
May 23 22:11:57 pfSense openvpn[31098]: /sbin/ifconfig ovpnc1 10.x.xxx.3 10.x.xxx.1 mtu 1500 netmask 255.255.255.0 up
May 23 22:11:57 pfSense openvpn[31098]: /sbin/route add -net 10.x.xxx.0 10.x.xxx.1 255.255.255.0
May 23 22:11:57 pfSense openvpn[31098]: /sbin/ifconfig ovpnc1 inet6 fde6:xx:xxxx:5a2::1001/64
May 23 22:11:57 pfSense openvpn[31098]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1553 10.9.162.3 255.255.255.0 init
May 23 22:11:57 pfSense openvpn[31098]: Initialization Sequence Completed
Clearly there is something I'm not understanding, so hopefully some kind soul can fill in some knowledge gaps for me.
thanks in advance,
-
@q54e3w A few remarks: 10.x is private, so no need to smudge it.
The same goes for fe80::, which is IPv6 link local. Are you sure your IPv6 works on your setup?
Is ping6 working?
-
Sorry for the heavy-handed smudging, I wanted to be sure I wasn't posting unnecessary details re MAC or private addresses. I've tried to be more selective in this response.
Here are the diagnostics that led me to think it's something to do with the IPv6 tunnel to AirVPN.
From my local subnet my local PC gets an IPv4 and an IPv6 address.
With the egress gateway set to default I can ping an IP test site over both IPv4 and IPv6:
% ping -c 3 ifconfig.co
PING ifconfig.co (104.28.18.94): 56 data bytes
64 bytes from 104.28.18.94: icmp_seq=0 ttl=54 time=508.991 ms
64 bytes from 104.28.18.94: icmp_seq=1 ttl=54 time=47.812 ms
64 bytes from 104.28.18.94: icmp_seq=2 ttl=54 time=77.452 ms

% ping6 -c 3 ifconfig.co
PING6(56=40+8+8 bytes) 2605:e000:xxxx:xxxx:9051:ad0b:d360:b654 --> 2606:4700:3032::681c:125e
16 bytes from 2606:4700:3032::681c:125e, icmp_seq=0 hlim=56 time=88.167 ms
16 bytes from 2606:4700:3032::681c:125e, icmp_seq=1 hlim=56 time=92.328 ms
16 bytes from 2606:4700:3032::681c:125e, icmp_seq=2 hlim=56 time=127.620 ms
I can also get an IP address back from curl'ing the site over both IPv4 and IPv6, so I think I can correctly conclude my basic DNS, routing and transport are working correctly over the default non-VPN gateway.
% curl ifconfig.co
199.249.223.130
% curl -6 ifconfig.co
2605:e000:xxxx:xxxx:9051:ad0b:d360:b654
If I change my gateway to VPN_WAN_V6 for ICMP and TCP/UDP both pings and curl stop functioning. They just hang.
% ping6 ifconfig.co
PING6(56=40+8+8 bytes) 2605:e000:xxx:xxx:9051:ad0b:d360:b654 --> 2606:4700:3034::681c:135e
^C
% curl -6 ifconfig.co
^C
I'm not sure this is useful, but here's the ifconfig of the OpenVPN interface:
ovpnc1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
    options=80000<LINKSTATE>
    inet6 fe80::ae1f:6bff:fe73:87e0%ovpnc1 prefixlen 64 scopeid 0x1c
    inet6 fde6:7a:7d20:5a2::1001 prefixlen 64
    inet 10.9.162.3 --> 10.9.162.1 netmask 0xffffff00
    groups: tun openvpn
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    Opened by PID 84260
I'm sure this is a newbie IPv6 user error; there's something I'm not understanding clearly, like a possible need to do some address translation for IPv6 traffic egressing over an IPv6 link established in an IPv4 tunnel?
Thanks for reading and any suggestions.
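Added example (not from the thread, pfSense or AirVPN): a small Python check over a constructed copy of the Internet6 routing table posted above. It confirms two things worth knowing before policy-routing IPv6 through the tunnel: whether any IPv6 default route points at ovpnc1 at all, and whether the tunnel prefix is a ULA (fc00::/7), which is not globally routable. The prefix and gateway values are made-up stand-ins for the masked ones in the post.

```python
import ipaddress

# Constructed sample modelled on the Internet6 section of the `netstat -nr`
# output posted in the thread; the masked "xx" hextets are replaced with
# made-up values, so the prefix below is not a real AirVPN assignment.
SAMPLE_NETSTAT = """\
Routing tables

Internet6:
Destination                       Gateway                       Flags     Netif Expire
default                           fe80::201:5cff:fe69:2446%igb0 UG         igb0
fde6:7a:7d20:5a2::/64             link#28                       U        ovpnc1
fde6:7a:7d20:5a2::1001            link#28                       UHS         lo0
"""

ULA = ipaddress.ip_network("fc00::/7")  # RFC 4193 unique local addresses


def parse_inet6_routes(text):
    """Return (destination, gateway, flags, netif) tuples from the Internet6 section."""
    routes, in_v6 = [], False
    for line in text.splitlines():
        if line.startswith("Internet6:"):
            in_v6 = True
            continue
        if not in_v6 or not line.strip() or line.startswith("Destination"):
            continue
        fields = line.split()
        if len(fields) >= 4:
            routes.append(tuple(fields[:4]))
    return routes


def assess_tunnel_v6(routes, ifname):
    """Summarise what the IPv6 table says about sending LAN traffic out of ifname."""
    via_if = [r for r in routes if r[3] == ifname]
    prefixes = [r[0] for r in via_if if r[0] != "default"]
    # Without a default route via the tunnel, only the tunnel prefix itself is
    # reachable through it.  A ULA (fc00::/7) tunnel prefix is not globally
    # routable, so traffic from a LAN host's GUA source address can only work if
    # the far end routes it or it is translated (NPt/NAT66) on egress.
    return {
        "default_route_via_tunnel": any(r[0] == "default" for r in via_if),
        "tunnel_prefixes": prefixes,
        "tunnel_prefix_is_ula": bool(prefixes)
        and all(ipaddress.ip_network(p, strict=False).subnet_of(ULA) for p in prefixes),
    }
```

Run it against the real `netstat -nr` output (`netstat -nr | python3 check.py` style, reading stdin instead of SAMPLE_NETSTAT) to see whether the same two conditions hold on the live box.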