ifconfig-ipv6-push appears to be ignored by openvpn
-
I'm using a pfsense machine to make VPN connections to multiple networks, in order to make each of these networks available on a switch port via VLAN attached to the pfsense. This makes it much easier to deploy new PCs in those networks as one can install and prepare them locally rather than having to do that on premise.
Some (most, as people leave their settings to the defaults) of these networks will, by chance, have the same ipv4 subnets. So I'm using a more complicated scheme than letting openVPN mess with routing tables: manually using policy-based routing; each VLAN has a route to the matching VPN client. This requires gateways to be made on the VPN connections. If the VPN is peer to peer, this isn't a problem, the automatic 'default' gateway on each VPN connection is the peer. But if a VPN is peer to multi-peer due to multiple sites or cloud-based infrastructure (the certificate-based version, akin to this recipe: https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-tls.html), then there are multiple gateways. For example, a VPN on 10.16.4.0/29 may give out 10.16.4.1 to the server at customer location A, 10.16.4.2 to customer location B, and 10.16.4.3 at our location, connected via route to our location's VLAN.
Who gets which address is normally a race condition, first come first served. To fix this, client specific overrides can be used. These can also be used to push routes to the networks over for those firewalls that are only connected to one client's network.
It appears to work when overriding an IPv4 address, but I can't seem to get the same setup to work when overriding an IPv6 address. When I input multiple lines into the 'advanced options' dialog of client-specific override, my <return> (0x20) is consumed by the form and not preserved. I tried using a colon ; (0x3B) to separate the statements, but only the IPv4 override is obeyed by openVPN; the IPv6 addresses keep being assigned as, for example, fd16:a0b0:17f4::1000 and fd16:a0b0:17f4::1001, again on a first-come, first-served basis. If the local router is restarted or there's an interruption in the internet connection, the IP addresses are shuffled around, and v6 routes will break.
I'm using this syntax (which the openVPN instructions seem to point to at https://community.openvpn.net/openvpn/wiki/Concepts-Addressing?__cf_chl_tk=Us9yvIj6TSwPhkFVEFnoOY50cYF93QoQ1GTOm_c4EG4-1716458588-0.0.1.1-1557 and https://forums.openvpn.net/viewtopic.php?t=16293 ):
ifconfig-push 10.0.51.3 255.255.255.248;ifconfig-ipv6-push fd16:ac94:4810:18ed::3/64;
ipv4 seems to be pushed, ipv6... not so much. The setting is ignored; this machine keeps taking fd16:ac94:4810:18ed::1000.
-
I've managed to solve this problem.
First, ipv6 was a red herring. I just got lucky that the IPv4 addresses kept being assigned in the right order.
The real issue was that, when there are multiple VPNs, there is a little selection window that allows you to specify which VPNs the client specific override is assigned to. This determines which folder the config file is written to.
I found out the csc was written to the wrong location, because when making a second client override, the configuration will default to selecting the next server, not the one you selected last.
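As an added example (not code from either post above), the following POSIX shell check locates which server instance a client's override file actually landed under and lists the addresses it pushes, so a misplaced CSC can be spotted without waiting for the client to reconnect. It assumes pfSense stores overrides as <base>/serverN/csc/<common-name>; the base path, the common name "siteA-router" and the demo tree are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumption: pfSense keeps
# per-server client-specific overrides under <base>/serverN/csc/<CN>.
# Point find_csc at the real base directory on your firewall to use it.

# find_csc BASE CN -> prints "serverN path" for every instance holding an
# override for CN; returns 1 if no instance has one at all.
find_csc() {
    base=$1; cn=$2; found=1
    for f in "$base"/server*/csc/"$cn"; do
        [ -f "$f" ] || continue
        srv=${f#"$base"/}; srv=${srv%%/*}   # strip base, keep "serverN"
        printf '%s %s\n' "$srv" "$f"
        found=0
    done
    return $found
}

# pushed_addrs FILE -> prints the arguments of every ifconfig-push and
# ifconfig-ipv6-push directive, one per line. pfSense lets options be
# separated by newlines or semicolons, so both forms are accepted.
pushed_addrs() {
    tr ';' '\n' < "$1" |
        sed -n 's/^[[:space:]]*ifconfig\(-ipv6\)\{0,1\}-push[[:space:]]\{1,\}//p'
}

# --- constructed demo tree, not a real pfSense install ---
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/server1/csc" "$demo/server2/csc"
# Override intended for server1 but saved under server2, as happened in the thread
printf 'ifconfig-push 10.0.51.3 255.255.255.248;ifconfig-ipv6-push fd16:ac94:4810:18ed::3/64;\n' \
    > "$demo/server2/csc/siteA-router"

find_csc "$demo" siteA-router        # -> server2 <demo>/server2/csc/siteA-router
pushed_addrs "$demo/server2/csc/siteA-router"
# -> 10.0.51.3 255.255.255.248
# -> fd16:ac94:4810:18ed::3/64
```

On a live system, an override listed under a different serverN than the instance the client actually connects to is the misplacement described above.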