Netgate Discussion Forum

    OpenVPN and Deutsche Glasfaser - IPV6 and CGNAT blocking connection?

charry2014:

      Hello everyone, I am struggling to get OpenVPN running on my PFSense firewall. This is something I managed a couple of years back with no problems, but now I get no reaction at all from my pfsense. I followed the instructions carefully working through the wizard and still nothing. None of the clients I tried (Android OpenVPN and Tunnelblick on Mac) get any response at all, packet capture on the firewall shows nothing on 1194, all configuration settings look fine. This really should work.

      Since I got OpenVPN working last a few things have changed, one of them is my internet provider - switched from Deutsche Telekom to Deutsche Glasfaser and now I read that DG use IPV6 internally with CGNAT to give an IPV4 address in the 100.xxx.yyy.zzz range. These 100.xxx addresses are not accessible from the internet. I say that like I know what it means, which I half do. PFSense shows the WAN address is indeed a 100.x.y.z.

      Putting these two together - I have got OpenVPN working before and now I get absolutely nothing and a hint of an issue from my internet provider - I am wondering if my internet provider and IPV6 may be playing a role in confounding my OpenVPN setup? If so, how do I fix it?

Derelict (LAYER 8 Netgate):

        If you have CGNAT you can't make inbound connections to it from the outside. The inbound connections would never reach the firewall. If the connection never reaches the firewall there is nothing for it to do.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10000 words and 15 conference calls.
        DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

charry2014:

          Many thanks for the reply - so that means if the provider uses CGNAT then I am SOOL? No chance to get OpenVPN connections working?

          I did some more digging round this topic and found this - I followed through the points best I can and now get packets arriving at the WAN:

          23:30:32.743269 IP 100.69.223.179.18813 > 94.31.96.153.1194: UDP, length 54
          23:30:34.902711 IP 100.69.223.179.18813 > 94.31.96.153.1194: UDP, length 54
          

          However the server still does not manage to respond. Perhaps now this is an internal problem - but with this IPV4 & IPV6 stuff I am completely out of my depth. Any help gratefully received.

Derelict:

            Which one of those is your WAN address? The 100.69.223.179 is a CGNAT address but that indicates an outbound connection being attempted by an OpenVPN client on your node, not an inbound connection to an OpenVPN server on your node.

            Outbound clients should work fine. Your problem will be connecting inbound.

charry2014:

              You are right, I realised my mistake just after posting - the PC attempting the OpenVPN connection was inside the LAN. The WAN address is 100.69.223.179. This starts to explain why my phone on its data connection cannot reach the WAN at all.

              What can be done to get OpenVPN working again?

JKnott (@charry2014):

                @charry2014 said in OpenVPN and Deutsche Glasfaser - IPV6 and CGNAT blocking connection?:

                No chance to get OpenVPN connections working?

                Can you connect to your IPv6 address? It shouldn't matter to OpenVPN whether you connect via IPv4 or IPv6. It can also carry both.

                but with this IPV4 & IPV6 stuff I am completely out of my depth

Other than address length, the fundamentals are much the same, though IPv6 relies on ICMP for a lot of things, such as Neighbour Discovery, instead of ARP on IPv4. There are a lot of references around that cover IPv6.

                The smallest address block (/64) you get from an ISP contains 18.4 billion, billion addresses, but many ISPs provide a /56 or /48 prefix for 256 or 65536 /64s.

                PfSense running on Qotom mini PC
                i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                UniFi AC-Lite access point

                I haven't lost my mind. It's around here...somewhere...

charry2014:

                  Honestly I do not know if/how to connect with the IPV6 address as I never used it.

                  I made a quick hacky attempt to try it out - I got the WAN IPV6 address using ifconfig as a shell command, then replaced the OpenVPN host name in the client export with this address but no packets are received in the packet capture on 1194. It is late here and I am tired so possibly I overlooked something but so far no joy.

JKnott (@charry2014):

                    @charry2014

The easiest way is to connect to ipv6.google.com, which is reachable via IPv6 only. You can also try a test site, such as ipv6-test.com or test-ipv6.com. These will show if you have IPv6 available at the remote site you're trying to connect from. If you have IPv6 available, using it is transparent, compared to IPv4. You really shouldn't notice any difference. Once you have verified you have IPv6 at both ends, just recreate the OpenVPN client with the IPv6 address. If possible, you can preferably use the host name.

netblues (@JKnott):

Stick with the IP (v6) address initially. Host name resolution for dynamically allocated IPv6 subnets is very rare.

charry2014:

                        OK - this seems to be a good line of attack. From a first quick test I cannot access any of those IPv6 sites so I imagine there is something wrong with my PFSense - firewall rule, NAT or something else - that is missing.

                        From a first inspection of the firewall settings I do not see anything obvious and my setup is really simple, essentially a basic installation with nothing added. Any tips where to start? I will of course start Googling :)

netblues (@charry2014):

@charry2014 WAN settings, IPv6?
Also System - Advanced - Networking, allow IPv6.

charry2014:

                            Many thanks - I now have IPv6 connecting. I found some helpful posts around the net (mostly in German as this is a German internet provider) - listed here for anyone who follows me:
                            beechy.de
                            glasfaserforum.de
                            And here gives some hints about things to look at for IPv6 - pfstore.com.au

                            A combination of these things has made my IPv6 connect - The final detail was this
                            • 6rd Prefix: 2A00:61E0::
                            • 6rd Prefix Length: 32
                            • 6rd BR IPv4 Address: 100.127.0.1
                            • IPv4 Mask Length: 8

                            Now to go back to OpenVPN and see if I can get that going.

                            Edit - still nothing. I reconfigured the VPN from scratch, following the wizard again. Got my IPv6 address from the sites mentioned above, used that directly in the client export. I get no packets logged on 1194.
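An added example (my own code, not from any poster in this thread): given the WAN address from the packet capture above and the 6rd parameters just listed, it checks whether the IPv4 address falls in the RFC 6598 shared address space that Derelict identified as CGNAT, and derives the 6rd delegated IPv6 prefix per RFC 5969. The /64 sanity check is my own addition, not something the RFC requires.

```python
import ipaddress

# RFC 6598 shared address space, used by carriers for CGNAT. A WAN address
# in this block (e.g. the 100.69.223.179 seen in the packet capture) is not
# routable from the public internet, so inbound OpenVPN over IPv4 can never
# reach the firewall; only outbound connections work.
CGNAT_SPACE = ipaddress.IPv4Network("100.64.0.0/10")


def is_cgnat(addr: str) -> bool:
    """Return True if addr lies in the RFC 6598 CGNAT range 100.64.0.0/10."""
    return ipaddress.IPv4Address(addr) in CGNAT_SPACE


def sixrd_delegated_prefix(wan_ipv4: str, rd_prefix: str, rd_prefix_len: int,
                           ipv4_mask_len: int) -> ipaddress.IPv6Network:
    """Derive the 6rd delegated prefix for a customer (RFC 5969, section 4).

    The ISP's 6rd prefix is followed by the customer's IPv4 address with its
    first ipv4_mask_len bits stripped (those bits are common to every
    customer in the 6rd domain and implied by the configuration). The
    resulting prefix length is rd_prefix_len + (32 - ipv4_mask_len).
    """
    if not 0 <= ipv4_mask_len <= 32:
        raise ValueError("IPv4 mask length must be between 0 and 32")
    v4_bits = 32 - ipv4_mask_len
    delegated_len = rd_prefix_len + v4_bits
    if delegated_len > 64:
        # Added sanity check (not from the RFC): a /64 is the smallest
        # prefix SLAAC can use on a LAN, so anything longer is unusable.
        raise ValueError("6rd parameters yield a prefix longer than /64")
    v4 = int(ipaddress.IPv4Address(wan_ipv4))
    suffix = v4 & ((1 << v4_bits) - 1)          # keep only the low v4_bits bits
    base = int(ipaddress.IPv6Network(f"{rd_prefix}/{rd_prefix_len}",
                                     strict=False).network_address)
    # Place the IPv4 remainder immediately after the 6rd prefix bits.
    net = base | (suffix << (128 - delegated_len))
    return ipaddress.IPv6Network((net, delegated_len))


if __name__ == "__main__":
    # Values constructed from the thread: WAN address from the capture and
    # the 6rd parameters listed in the post above.
    wan = "100.69.223.179"
    print(f"{wan} in CGNAT space: {is_cgnat(wan)}")
    print("6rd delegated prefix:",
          sixrd_delegated_prefix(wan, "2A00:61E0::", 32, 8))
```

For the thread's values the delegated prefix is 2a00:61e0:45df:b300::/56. Note that the 6rd border relay 100.127.0.1 is itself inside the CGNAT range, which fits JKnott's later doubt that the tunnel could be used off the provider's network.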

netblues (@charry2014):

                              @charry2014 Only a reflector site will tell you your ip.
                              Status interfaces should have it
                              can you ping ipv6.google.com from pfsense cli?

JKnott (@netblues):

                                @netblues

                                The WAN address may often have a host name which can be used. Use host or nslookup command on the WAN address to see what turns up.

JKnott (@charry2014):

                                  @charry2014 said in OpenVPN and Deutsche Glasfaser - IPV6 and CGNAT blocking connection?:

                                  6rd Prefix: 2A00:61E0::

                                  They're using a tunnel, rather than native IPv6. I used a tunnel for the first 6 years I had IPv6, but now I get a native IPv6 connection from my ISP. I'm surprised they're using a tunnel and CGNAT. How old is that info? My ISP also used a tunnel (though not the one I used) prior to providing native IPv6. If they're using a tunnel these days, I'd have to question their competence.

Bob.Dig (LAYER 8):

Does your (smartphone) service provider have IPv6? Then you can connect OVPN via IPv6 directly.

                                    pfSense on Hyper-V

charry2014:

                                      I could get my IPv6 address from https://ipv6-test.com/ easily enough but have drawn a blank trying to test OpenVPN connecting to it. Both running the OpenVPN client on my phone, and using the phone as wifi hotspot for my Mac result in no packets received at the PFSense WAN. Tunnelblick on Mac reports:
                                      2020-07-26 15:43:16.288025 write UDPv6: No route to host (code=65)

Bob.Dig:

                                        Please answer the question:

                                        @Bob-Dig said in OpenVPN and Deutsche Glasfaser - IPV6 and CGNAT blocking connection?:

Does your (smartphone) service provider have IPv6?

charry2014:

                                          Yes. My phone (Samsung S20) is on Vodafone in Germany and I have read that they have IPv6 nationwide.
                                          Edit - I did some digging and it has an IPv6 address too.

                                          Bob.DigB 1 Reply Last reply Reply Quote 0
                                          • Bob.DigB
                                            Bob.Dig LAYER 8 @charry2014
                                            last edited by

                                            @charry2014 That's great, you don't need any IPv4, at least not if you want to connect the phone to home via OVPN.

charry2014:

                                              The site https://ipv6-test.com/ reports that my firewall is filtering ICMP v6 messages. Could this be a problem for OpenVPN? I am suspecting it might. How do I enable this?

Bob.Dig:

                                                No. How is your IPv6 configured? I think your ISP is doing native IPv6.

charry2014:

                                                  I think so too, but I am not sure of much from my ISP.

                                                  One thing I did notice is that when I connect to whatismyipaddress.com or similar from different computers in my LAN that the IPv6 address that is returned is different for each one. The IPv4 address is the same, as I would expect. Now I think I am stumbling into a noob difference between IPv4 and IPv6 addresses.

                                                  So the question - what actually is the IPv6 address of my PFSense WAN?

Bob.Dig:

                                                    You can see it in the interfaces-gadget and other places. 😉 (Status - Interfaces)

charry2014:

Alright - so it is something like 2a00:61e0:abcd:1234::?

                                                      It is not the much longer address 2a00:61e0:b00b5:34dd:6969:beef:babe:face?

Bob.Dig (@charry2014):

                                                        @charry2014 Can't say but maybe you did something wrong. Try this and go for DHCPv6 and not 6rd.

charry2014:

                                                          Boom - that did it - using the IPv6 address for the WAN as shown in the Interfaces widget on the dashboard packets are now flowing.

                                                          I now get an authentication error, but the connection is there. Authentication errors are kinda the staple for getting OpenVPN working so somehow I am back on known territory now.

JKnott (@charry2014):

                                                            @charry2014

                                                            No, OpenVPN uses UDP, not ICMPv6. However, ICMPv6 is used for a lot of things, so be careful about any rules blocking it.

JKnott (@charry2014):

                                                              @charry2014

                                                              One nice thing about IPv6 is there are plenty of addresses to go around. This means no longer having to share an address with NAT. Not only does each device get an address, it will often get several. With SLAAC, privacy addresses are often used. These are random number based addresses and you get a new one every day. They expire after a week. This is in addition to the consistent address, so you could have as many as 8 public addresses on each device.

charry2014:

                                                                Thanks everyone for your help - it seems that a little background reading would be a good idea sometime soon. This may well change the settings in the firewall rules, then?

JKnott (@charry2014):

                                                                  @charry2014

                                                                  That depends on what the rules do. If filtering on protocol, then you can often create a single rule that handles both. If filtering on address, then you'd need separate rules.

charry2014:

                                                                    So here it is, best I can remember it. All the things I changed to get this working:

System - Advanced - Networking: [screenshot of settings]

Interfaces - WAN: [two screenshots of settings]

Interfaces - LAN: [two screenshots of settings]

                                                                    The PFSense WAN IPv6 address is then in the Dashboard.

                                                                    Finally I meant to link to beechy.de above but got the wrong link pasted in.

JKnott (@charry2014):

                                                                      @charry2014

                                                                      That link @Bob-Dig provided says 6rd is going to be shut down, which means you should be configuring for DHCPv6 instead. My ISP did the same thing. They provided both 6rd and 6to4 tunnels, until they provided native IPv6 via DHCPv6-PD. This is what you should be configuring for, as that link describes.

charry2014:

                                                                        @Bob-Dig said in OpenVPN and Deutsche Glasfaser - IPV6 and CGNAT blocking connection?:

                                                                        this

                                                                        Feeling brave I tried DHCPv6 like suggested instead of 6rd and from a quick late-night hack it broke the IPv6 connectivity for me. This is one for more experimentation.

                                                                        For the moment my pressing requirement is to fix my OpenVPN authentication issue rather than future-proofing the IPv6 connection.

charry2014:

                                                                          My authentication problems seem to be documented as a PFSense bug here so I have downgraded the login to SSL/TLS only and it works. Will keep researching the correct settings for DHCPv6. Cue small celebration here...

                                                                          One further question - is there any way I can access my home network over IPv4? This would be very handy, for one thing my employer only allows IPv4 traffic through their network, and I am sure to travel to corners of the world where the mobile network is not quite so modern as here. I have no idea what options there may be for this.

Derelict:

                                                                            If you mean connecting to your home network over an IPv4 tunnel, with IPv4 endpoints, probably not.

JKnott (@charry2014):

                                                                              @charry2014

                                                                              Not with that CGNAT address. Perhaps you could get an IPv6 tunnel from he.net. It will send IPv6 in IPv4 UDP packets, similar to that 6rd tunnel you were using. Then you'd use IPv6 to access your network.

                                                                              It sure will be nice when the world moves fully to IPv6, so that we can put all this NAT nonsense behind us.

Derelict:

                                                                                I think he was asking about accessing his network from an IPv4 source. Seems he has IPv6 worked out.

charry2014:

                                                                                  Exactly that - I am able to reach my home network when the remote device is on an IPv6 capable network but I am willing to bet that much of the world is still IPv4 only. From these networks I apparently have no possibility to establish a link home, which seems a bit of a problem.

JKnott (@charry2014):

                                                                                    @charry2014

That is why I suggested he.net. They will provide IPv6 over IPv4, so that you can access IPv6 from an IPv4 only network. I haven't used he.net myself, but I used to use a 6in4 tunnel from another provider. With it, I could arrange for a /56 for a network or a single IPv6 address for a device. I'd get a single address for my notebook computer, in addition to the /56 for my home network. I used a 6in4 tunnel for almost 6 years. Your ISP provided a 6rd tunnel, but I doubt it could be used off their network.
