Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    No LAN, Quirky Firewall Access, IPv6

    Scheduled Pinned Locked Moved OpenVPN
    6 Posts 1 Posters 701 Views 1 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J Offline
      jarrodsfarrell
      last edited by jarrodsfarrell

      This has left me rather stumped so here's my end goal:

      • Have OpenVPN set up so I and someone else can get on the home network remotely
      • Be able to access it either IPv4 through the native IPv4 connection or IPv6 through the GIF connection by HE's tunnel broker.
      • Access LAN devices either by it's IPv4 or IPv6 address routed through the OpenVPN tunnel

      What I've set up initially:

      • UDP Multihome which is letting me connect either by IPv4 or IPv6 since the tunnel broker gives us a separate WANV6
      • 192.168.7.0/24 as the VPN IPv4 subnet
      • AAAA:BBBB:CCCC:DDDD:7::/80 as the VPN IPv6 subnet (omitting our assigned prefix)
      • 192.168.1.0/24 as the LAN IPv4 subnet
      • AAAA:BBBB:CCCC:DDDD::/80 as the LAN IPv6 subnet (again, omitting our assigned prefix)
      • Double-checked that we have IPv4 and v6 allow rules in the firewall for OpenVPN

      What's happening:

      • VPN Client can not complete a connection to any LAN device but can ping the firewall and SSH into it, but not visit the GUI

      What I've tried:

      • Add floating rules to allow any connection from the OpenVPN interface to the LAN net
      • Thanks to a suggestion from friends from strange places, tcpdump the tunnel firewall side and tcpdump the LAN device side
        • The host sees a packet addressed from the VPN client but doesn't make a response, either with ICMP or SSH. This host doesn't have any special firewall configurations and uses ufw so this is unusual.

      What's perplexing is that I have a working IPv4 solution elsewhere with near similar settings that achieves the same end goal and works perfectly fine. And before the IPv6 transition this setup used to work. Returning back to IPv4 doesn't fix the issue either.

      1 Reply Last reply Reply Quote 0
      • J Offline
        jarrodsfarrell
        last edited by

        Edit: Fixed some wording

        1 Reply Last reply Reply Quote 0
        • J Offline
          jarrodsfarrell
          last edited by jarrodsfarrell

          I guess I did forget one other thing. I tried to ping from the LAN host to the VPN client and got a Destination Host Unreachable. So that might explain why I wasn't seeing a response so now it's now a matter of why.

          root@my_host:/XXX/ZZZ# ip r g 192.168.7.2
          192.168.7.2 via 192.168.1.1 dev enp3s0 src 192.168.1.20 uid 0 
              cache 
          

          And this looks fine which adds to the confusion.

          1 Reply Last reply Reply Quote 0
          • J Offline
            jarrodsfarrell
            last edited by

            Oh and routes look okay on the firewall side too.

            IPv4
            +----------------+-------------+-------+-----+------+--------+
            |  Destination   |   Gateway   | Flags | Use | Mtu  | Netif  |
            +----------------+-------------+-------+-----+------+--------+
            | 192.168.7.0/24 | 192.168.7.2 | UGS   | 101 | 1500 | ovpns1 |
            | 192.168.7.2    | link#14     | UH    | 111 | 1500 | ovpns1 |
            +----------------+-------------+-------+-----+------+--------+
            IPv6
            +----------------------------+---------+-------+-----+------+--------+
            |        Destination         | Gateway | Flags | Use | Mtu  | Netif  |
            +----------------------------+---------+-------+-----+------+--------+
            | AAAA:BBBB:CCCC:DDDD:7::/80 | link#14 | U     |   0 | 1500 | ovpns1 |
            +----------------------------+---------+-------+-----+------+--------+
            
            1 Reply Last reply Reply Quote 0
            • J Offline
              jarrodsfarrell
              last edited by jarrodsfarrell

              I did more testing and found that the host I was working with had a bad route. After a reboot it was able to start responding to ICMP and handle a SSH connection, but for some reason a simple HTTP connection cannot be established yet picking a arbitary port like 5001 for netcat was able to establish. I can see the host trying to send a reply both on the host's interface and in the OpenVPN interface, but the client doesn't receive it.

              Still need to do more testing.

              1 Reply Last reply Reply Quote 0
              • J Offline
                jarrodsfarrell
                last edited by

                Solution Found
                It was a MTU issue and most frustratingly it came to me at random. There was no particular reason to it other than me going, "Huh. I've never thought of MTU." and did some Googling to find the right MTU for OpenVPN and found that the default 1500 was too much for my network and had to step it down to around 1160 which fixed all the issues I've had before. I'm sure the routing quirk on the host was a one-off, but finally the VPN works just like how I want it.

                TL;DR: Check if the MTU is too high.

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.