Cannot connect to OpenVPN Server via ipv6 endpoint

Schnubby

As the title says i cannot connect to out OpenVPN Servers on our PFSense from "some" clients that are using ipv6 (some users from mobile, some from homeoffice) at home i recently got an ipv6 address and i cannot connect to our pfsense anymore.

I tried TCP but since switched back to UDP
The clients connect to the ipv4 IP from the interface without DNS or anything.

When i configure my phone to use the ipv4 APN (and whatsymip shows i got an ipv4) from telekom it works. when i change it to ipv6 (and whatsmyip shows i got an ipv6) it doesnt work. (Depending on where i connect to 5G i might get an ipv6 even with the "legacy APN")

I don't really know where to start, do i need to activate ipv6 on the interface?
Is it enough to enable it or do i need an ipv6 address from my provider?
Do i need to route it? Do i need to activate multihome on the OpenVPN Server?

I do not want to break anything by enabling ipv6 on the wan port because i dont really want to use ipv6 internally.

Any help is greatly appreciated.

Gertjan

@Schnubby

Your pfSense WAN firewall rules ?

For example : my rules look fine, but there is an issue :

I only allow IPv4 traffic for my OpenVPN, not IPv6 ^^

I do accept incoming IPv6 traffic - see line 5 from above so i know my IPv6 stack is probably ok.

Ok, fun fact aside, I've tackled one potential issue.
Still a million to test.
Can you start posting the details ?

@Schnubby said in Cannot connect to OpenVPN Server via ipv6 endpoint:

Do i need to activate multihome on the OpenVPN Server?

I guess the third option is somewhat mandatory:

@Schnubby said in Cannot connect to OpenVPN Server via ipv6 endpoint:

I don't really know where to start, do i need to activate ipv6 on the interface?
Is it enough to enable it or do i need an ipv6 address from my provider?
Do i need to route it? Do i need to activate multihome on the OpenVPN Server?

You have set up IPv6 on the pfSense WAN interface correctly, right ?
This is mandatory.
You can't use IPv6 'a bit'. Like IPv4, "no errors" allowed.
(this question by itself opens up another huge rabit hole)

Schnubby

@Gertjan said in Cannot connect to OpenVPN Server via ipv6 endpoint:

You have set up IPv6 on the pfSense WAN interface correctly, right ?
This is mandatory.

Okay, i will start here. I though with dualstack and everything i should be able to just use my ipv4 and still be reachable by ipv6 clients since the traffic and routing is ipv4 anyway.

I am not sure how my provider handles ipv6, i guess i just activate ipv6 dhcp on the wan interface and see what happens, right :)

Thank you so far!

JKnott

Is your pfSense configured to work over both IPv4 and IPv6? I assume you have IPv6 on your WAN.

4G & 5G phones are IPv6 and Android phones use 464XLAT to access IPv4 sites. This is effectively double NAT, which can mess things up. I don't know what iPhones use, but they'd have something similar.

By sticking with IPv4, you are already breaking things. IPv6 is the future, so you'd better get used to it.