[2.5.x] potential Bug: IPv6 tunnel network and gateway
Hey all,
we stumbled across a strange behavior today after setting up a site2site OpenVPN tunnel with both IPv4 and IPv6 tunnel networks.
With IPv4 if you use e.g. 10.0.8.0/24 on both ends, the client automatically uses .2 and the server chooses .1.
With IPv6 it seems there's some strange automation in place, as the server takes the ::1 IP6 (which is a natural choice) but the client side uses ::1000 as its IP6. Nothing wrong with that per se, but if you then assign the ovpnc/ovpns interfaces so the gateways are created and available for use in rules, the automatically created VPN4 gateway points to the .2 IP correctly, but the VPN6 gateway on the server side assumes the IP6 of the client is ::2 and not ::1000.
If you manually change the IP6 tunnel network on the client side to ::2/64, the client connects with ::1002 and the gateway on the server side uses ::2. If you set up the client to ::1000 so it would be the correct IP6 gateway on the server, the server sees the client as ::2000 and checks for ::1002.
So it seems somewhere something is adding a +1000 to IP6 addresses on the tunnel interface?
Setup is pfSense 2.5.1, OpenVPN with Site2Site in certificate / CA mode (not tested in S2S with shared key).
Cheers
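As an added example that is not part of the original post, a small Python check that turns the observations above into a consistency test: it computes how far the address the client actually received and the address the server-side VPN6 gateway points at sit from the tunnel network base, and flags the mismatch before anyone builds rules on that gateway. The prefix 2001:db8::/64 and the CASES table are constructed from the report's numbers, not taken from a real configuration.

```python
# Added example, not from the original post or from pfSense/OpenVPN code.
# Given the tunnel network configured on pfSense, the address OpenVPN handed
# to the client and the address the auto-created VPN6 gateway targets, report
# whether the gateway is usable. 2001:db8::/64 is a documentation prefix
# standing in for the real tunnel network (constructed sample data).
import ipaddress

def host_offset(network: str, address: str) -> int:
    """Offset of `address` from the base of `network` (e.g. ::1000 -> 0x1000)."""
    net = ipaddress.ip_network(network, strict=False)
    addr = ipaddress.ip_address(address)
    if addr not in net:
        raise ValueError(f"{address} is outside {net}")
    return int(addr) - int(net.network_address)

def gateway_consistent(network: str, peer_addr: str, gateway_addr: str) -> dict:
    """Compare the peer's real tunnel address with the gateway target.

    A mismatch means policy-routing rules that use this gateway send traffic
    to an address nothing answers on, so the check should run before rules
    are built on the gateway.
    """
    peer_off = host_offset(network, peer_addr)
    gw_off = host_offset(network, gateway_addr)
    return {"peer_offset": peer_off, "gateway_offset": gw_off,
            "consistent": peer_off == gw_off, "skew": peer_off - gw_off}

# Observations from the report (constructed, documentation prefix substituted):
# (client-side configured tunnel network, address client received, server VPN6 gateway)
CASES = [
    ("2001:db8::/64", "2001:db8::1000", "2001:db8::2"),         # default case
    ("2001:db8::2/64", "2001:db8::1002", "2001:db8::2"),        # client set to ::2/64
    ("2001:db8::1000/64", "2001:db8::2000", "2001:db8::1002"),  # client set to ::1000/64
]

def client_address_skew() -> set:
    """Difference between the address the client received and the one configured;
    a single value here means the offset is applied uniformly (the report's +0x1000)."""
    return {int(ipaddress.ip_address(received)) -
            int(ipaddress.ip_address(configured.split("/")[0]))
            for configured, received, _ in CASES}

if __name__ == "__main__":
    print("client skew:", {hex(s) for s in client_address_skew()})
    for configured, received, gateway in CASES:
        print(configured, gateway_consistent(configured, received, gateway))
```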