Netgate Discussion Forum

    DNS problems for connected clients having dual stack ipv4/v6

    OpenVPN
    10 Posts 3 Posters 1.2k Views
    • heiko.ecm4uH
      heiko.ecm4u

      Our office pfsense (2.5.1) is connected to the internet with ipv4 only.

      OpenVPN clients on win10 now have trouble using the dns through the tunnel if they have a dual stack connection.
      The openvpn tunnel is running on ipv4 only and I checked
      "Make Windows 10 Clients Block access to DNS servers except across OpenVPN while connected, forcing clients to use only VPN DNS servers." on the server to work around the issue that win10 systems use the first dns in the network stack instead of using the openvpn dns.

      Now, if a win10 client has dual stack (ipv4 and ipv6), requests to the ipv4 targets take several seconds (nslookup returns instantly while ping takes ~10 sec). If I disable ipv6 on the windows system everything works as expected. It feels like win10 tries to use ipv6 first and then falls back to ipv4 but that's just a guess. Although nslookup on dual stack is not slow, the ping is also as fast as expected if I disable "Make Windows 10 Clients Block access to DNS servers except across OpenVPN while connected, forcing clients to use only VPN DNS servers." but windows uses only my local dns on the client side / not from the pfsense server side.

      Do others experience the same? Any idea how to fix that?

      johnpozJ 1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator @heiko.ecm4u

        @heiko-ecm4u said in DNS problems for connected clients having dual stack ipv4/v6:

        It feels like win10 tries to use ipv6 first and then falls back to ipv4

        Not a guess.. That is exactly what it does - it prefers ipv6.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        heiko.ecm4uH 1 Reply Last reply Reply Quote 0
        • heiko.ecm4uH
          heiko.ecm4u @johnpoz

          @johnpoz thanks for your prompt feedback!

          I just realized that the client gets an ipv6 although the server is configured to provide ipv4 only. Is that also as expected?

          Disabling ipv6 on the client side openvpn interface seems to help but I'm still looking for an alternative server side configuration. I thought that is covered by "Gateway creation" --> "IPv4 only" but that seems not to be the case?

          johnpozJ JKnottJ 2 Replies Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator @heiko.ecm4u

            @heiko-ecm4u said in DNS problems for connected clients having dual stack ipv4/v6:

            I just realized that the client gets an ipv6 although the server is configured to provide ipv4 only. Is that also as expected?

            Gets it where? On the openvpn interface? is it link-local fe80: ?


            heiko.ecm4uH 1 Reply Last reply Reply Quote 0
            • JKnottJ
              JKnott @heiko.ecm4u

              @heiko-ecm4u said in DNS problems for connected clients having dual stack ipv4/v6:

              I just realized that the client gets an ipv6 although the server is configured to provide ipv4 only. Is that also as expected?

              Is the tunnel configured to pass IPv6? Is IPv6 running at the server end?

              PfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

              heiko.ecm4uH 1 Reply Last reply Reply Quote 0
              • heiko.ecm4uH
                heiko.ecm4u @johnpoz

                @johnpoz

                On the win10 client, if ipv6 is enabled on the windows openvpn interface, I get with ipconfig:

                Unknown Adapter OpenVPN:
                
                   Verbindungsspezifisches DNS-Suffix: mycompany.intra
                   Verbindungslokale IPv6-Adresse  . : fe80::4025:1b99:3c36:2078%3
                   IPv4-Adresse  . . . . . . . . . . : 10.0.22.2
                   Subnetzmaske  . . . . . . . . . . : 255.255.255.0
                   Standardgateway . . . . . . . . . :
                
                johnpozJ 1 Reply Last reply Reply Quote 0
                • johnpozJ
                  johnpoz LAYER 8 Global Moderator @heiko.ecm4u

                  @heiko-ecm4u that is link-local, that is something the client just creates on its own and really has nothing to do with openvpn.. If you're not going to use ipv6 on openvpn - then you can just uncheck that in windows.

                  But that really shouldn't be causing you any issues..


                  heiko.ecm4uH 1 Reply Last reply Reply Quote 0
                  • heiko.ecm4uH
                    heiko.ecm4u @JKnott

                    @jknott said in DNS problems for connected clients having dual stack ipv4/v6:

                    Is the tunnel configured to pass IPv6? Is IPv6 running at the server end?

                    pfsense is not running ipv6, the openvpn tunnel is configured:
                    Protocol: TCP on ipv4 only
                    Gateway creation: IPv4 only

                    1 Reply Last reply Reply Quote 0
                    • heiko.ecm4uH
                      heiko.ecm4u @johnpoz

                      @johnpoz
                      that's what I ended up with for now, disabling ipv6 on the client's openvpn adapter. Once that one is disabled, everything works. I tried to find a solution we could force from the server side but since we have only a few users that's acceptable for now.
                      I need to make myself more familiar with ipv6 but since our office has only ipv4 I had no need until now ...

                      Thanks!

                      johnpozJ 1 Reply Last reply Reply Quote 0
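The client-side workaround from the post above, scripted in PowerShell as an added example that is not part of the original thread. The adapter name `OpenVPN` is taken from the ipconfig output earlier in the thread; the test host name is a hypothetical placeholder, and the script assumes an elevated session on the Windows 10 client with the tunnel connected.

```powershell
# Added example, not code from the thread.
# Assumptions: adapter is named "OpenVPN" (check with Get-NetAdapter);
# $TestHost is a hypothetical internal name that the VPN DNS server resolves.
param(
    [string]$AdapterName = 'OpenVPN',
    [string]$TestHost    = 'intranet.mycompany.intra'
)

$adapter = Get-NetAdapter -Name $AdapterName -ErrorAction Stop

# 1. Is the IPv6 protocol (component ms_tcpip6) bound to the tunnel adapter?
$binding = Get-NetAdapterBinding -Name $adapter.Name -ComponentID ms_tcpip6
"IPv6 bound to '$($adapter.Name)': $($binding.Enabled)"

# 2. Addresses and DNS servers per address family on that adapter.
#    An fe80:: entry with no IPv6 DNS server matches the ipconfig output above.
Get-NetIPAddress -InterfaceIndex $adapter.ifIndex |
    Select-Object AddressFamily, IPAddress, PrefixOrigin | Format-Table
Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex |
    Select-Object AddressFamily, ServerAddresses | Format-Table

# 3. Time a lookup through the Windows DNS client (the path ping uses),
#    rather than nslookup, which queries one server directly.
function Measure-Lookup([string]$Name) {
    Clear-DnsClientCache
    $t = Measure-Command {
        Resolve-DnsName -Name $Name -ErrorAction SilentlyContinue | Out-Null
    }
    [math]::Round($t.TotalSeconds, 2)
}
$before = Measure-Lookup $TestHost

# 4. Unbind IPv6 from the tunnel adapter only; other adapters keep dual stack.
if ($binding.Enabled) {
    Disable-NetAdapterBinding -Name $adapter.Name -ComponentID ms_tcpip6
}
$after = Measure-Lookup $TestHost

[pscustomobject]@{
    Adapter        = $adapter.Name
    IPv6BoundNow   = (Get-NetAdapterBinding -Name $adapter.Name -ComponentID ms_tcpip6).Enabled
    LookupBeforeS  = $before
    LookupAfterS   = $after
}
```

`Enable-NetAdapterBinding -Name OpenVPN -ComponentID ms_tcpip6` reverses the change.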
                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator @heiko.ecm4u

                        @heiko-ecm4u said in DNS problems for connected clients having dual stack ipv4/v6:

                        office has only a ipv4 had no need until now ...

                        Prob be that way for 10+ more years at least if not longer.. Until such time that major players go IPv6 only - offices have little need of IPv6 to be honest.


                        1 Reply Last reply Reply Quote 0
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.