OpenVPN server on Dualstack (IPv4 + IPv6)
-
The subject says it: is it possible and useful to set up an ovpn-server that listens both on IPv4 + IPv6?
A customer has issues while traveling by train: he is connected to the office site via ovpn on IPv4 (so far I didn't enable v6). His mobile internet provider sometimes switches him over to v6 only and for sure the VPN connection drops out then.
So he wants me to provide an ovpn-gateway that allows him smooth failover. I am at the very start of researching this and would like to ask if that even works.
In the recipes I don't see anything popping out.
For sure, at first I have to enable IPv6 in a secure way etc.
That's the first step. I think of setting up a DNS record with both A and AAAA records and coming up with a tunnel config pointing to that.
Thanks for any pointers here, sorry if I missed some FAQ maybe.
-
Set up the basics.
enabled IPv6 on the first of two WAN-interfaces (please let's wait with IPv6-MultiWAN ...), figured out the/a working Prefix Delegation Size ( /61 .. still unsure about that, will browse the forum) and managed to access the first systems in LAN via IPv6 after enabling radvd (unmanaged). Without OpenVPN so far .. sure, IPv6 without NAT lets me access these systems directly as soon as I allow it in the firewall.
I plan to set up a separate ovpn-server-instance for learning, to not crash anything on the productive ovpn-gateway.
Let me ask a basic question, I have issues understanding that:
If I connect from outside and enable an ovpn-connection via IPv6, what about the traffic through the tunnel? Does that have to be IPv6 also or is IPv4 simply tunneled through?
For example so far the customer accesses servers in LAN via IPv4 only. When the new ovpn changes between v4 and v6 in terms of where the gateway is connected to ...
while I type this it gets clearer ;-) at least it makes more sense.
I just wonder if adding IPv6 to the VPN-server setup leads to having to set up all the DNS etc in IPv6 also or not.
thanks for any help here
-
In the server configuration, Endpoint configuration, select UDP IPv4 and IPv6 on all interfaces.
-
-
You mentioned switching to IPv6. Is it available all the time and only IPv4 drops out? If it's one or the other, there may be problems with the switch over, as DNS won't do much at that time to provide the working address.
-
@JKnott As far as I understand, yes. I haven't seen it myself. The assumption is to prioritize connecting via v6 maybe, the mobile data connection seems to provide v6 in a more stable way than v4.
I am already ready to let him test that.
-
I am pulling up this ticket again, as my customer reports issues and I started to debug things today.
I was under the impression that everything works, but it does not ;-)
When I have the OpenVPN server on multihome I get errors like "Connection Attempt write UDPv6: Can't assign requested address (fd=6,code=49) "
And clients fail to connect.
Seems I have something wrong. I have set up 4 port-forwardings:
UDP WAN IPv4 Address, Port 1196 -> 127.0.0.1:1196
UDP WAN IPv6 Address, Port 1196 -> ::1:1196
analogously for WAN2
Is that OK?
I assume my problems come from this situation:
the pfSense runs behind two routers, for the German users well-known: FritzBoxes
I can't talk the customer out of that, it's given by the providers and VOIP and stuff.
So we configured the FBs to forward everything on their WAN to the pfSense behind (so-called "Exposed Host").
Then I had to fiddle with DHCP6(!) to get some IPv6 address assigned to the 2 WAN-interfaces on the pfSense.
This meant some trial and error with the Prefix Delegation size ... (EDIT: I used /61 on both interfaces ... just for reference)
So that is another question mark in the setup.
The goal is:
One single OpenVPN server providing access via 2 WAN-interfaces, both via v4 and v6. As far as I read the docs, that should be possible.
Can someone point me at what "Connection Attempt write UDPv6: Can't assign requested address (fd=6,code=49)" means?
-
In front of pfSense : 2 upstream routers ? One after the other ?
Wait, no :
@sgw said in OpenVPN server on Dualstack (IPv4 + IPv6):
to get some IPv6 address assigned to the 2 WAN-interfaces on the pfSense.
So pfSense with a dual WAN .... = 2 ISP access links, right ?
@sgw said in OpenVPN server on Dualstack (IPv4 + IPv6):
I have set up 4 port-forwardings:
UDP WAN IPv4 Address, Port 1196 -> 127.0.0.1:1196
UDP WAN IPv6 Address, Port 1196 -> ::1:1196
analogously for WAN2
Is that OK?
If your VPN server listens (only) on 127.0.0.1 and ::1 (aka localhost) then you have to forward the traffic that comes into your pfSense WAN (interface) to 127.0.0.1 (or ::1 for IPv6).
If you want to access your VPN server over the two WANs, every Fritzbox has to contain a NAT rule for the IPv4 traffic, and an IPv6 pass firewall rule to the corresponding WAN pfSense interface.
You could also simplify the pfSense OpenVPN server setup : one click :

and now the pfSense OpenVPN listens on every interface (WANs, LANs, whatever) using both IPv4 and IPv6. No NAT needed, just an IPv6 and IPv4 "UDP port 1194" pass rule on each pfSense WAN interface.
Up to you to make sure the VPN IPv6 and/or IPv4 traffic reaches these two (or just one ?) pfSense WAN interface(s).
-
@Gertjan thanks at first for your reply!
It's 2 WAN-lines coming in, each with a FB in place.
On each FB the IP of the WAN-interfaces of the pfSense is configured as Exposed Host: everything coming in on the WAN-side of the FB is forwarded to the matching WAN-interface on the pfSense.
I have the Endpoint configured as you explain. But I was unsure if an additional Pass-Rule would be needed also, or/and if a NAT-rule is needed.
Normally for the standard OpenVPN-server I have to open Port 1194 on WAN, right?
So I understand that I should remove the Port-Forwardings AND the Pass-Rule for Port 1196 on the 2 WAN-interfaces. I will try that.
Thanks so far!
-
@sgw said in OpenVPN server on Dualstack (IPv4 + IPv6):
But I was unsure if an additional Pass-Rule would be needed also, or/and if a NAT-rule is needed.
For IPv4 and IPv6 : just a pass rule, not a NAT rule.
If your OpenVPN server was a server type device somewhere on your (a) pfSense LAN, then you need a NAT rule. In this case, your OpenVPN server actually 'listens' on the pfSense WAN interface, but the default firewall rule list on WAN is empty, and the default behavior is : "block", so you need a pass rule like this :
Note : I limit the "Source" somewhat, instead of using "*" which means "all the Internet" my pfSense accepts only 'IPs from Europe' as a source IP.
I use port 1194, and UDP. Please don't tell no one. It's secret
IPv6 : same thing. Create an IPv6 pass rule, same protocol, same port.
Always use the "This firewall" alias as a destination. If your IPv6 WAN GUA changes tomorrow, the rule will still work.
@sgw said in OpenVPN server on Dualstack (IPv4 + IPv6):
So I understand that I should remove the Port-Forwardings AND the Pass-Rule for Port 1196 on the 2 WAN-interfaces. I will try that.
Not 'should' or 'you have to'.
Informing your OpenVPN server that it should listen on localhost is fine.
But then you need an IPv4 NAT rule and even an IPv6 NAT rule, because incoming IPv4 and IPv6 (using UDP and port 1149) needs to be redirected to 127.0.0.1 - or ::1.
It's ok to have a process listen on a non-reachable IP address (127.0.0.1 and ::1 are not reachable from the outside) and then add rules on every interface that needs to have access to this process.
I tend to think that an OpenVPN server (process) is special here : it can be on any interface as there is no risk : everybody can connect ... but only those who have credentials can do something meaningful, the others will be thrown off. That's what OpenVPN is all about.
-
@Gertjan Thanks again!
I only reply quickly: it seems it even works without pass rules, at least I had the impression. I now adapted my setup according to your suggestions, following rule on both WAN-interfaces:

I have to test through all the variants tomorrow or so (4 remotes in the client.conf now).
Great tip with "This firewall", very handy.
Have a nice evening!
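As an added illustration of the setup discussed in this thread (not a config posted by anyone here), this is what the "UDP IPv4 and IPv6 on all interfaces" endpoint and a four-remote client profile look like in OpenVPN's own syntax. Hostnames, addresses, the office LAN prefix and the IPv6 pool are placeholders; the pfSense GUI writes the server part for you from the Endpoint setting.

```conf
# ---- server side: one instance, dual-stack, no "local" line ----
proto udp              # plain "udp" (not udp4/udp6) binds one dual-stack socket
port 1196
multihome              # several WAN addresses: answer from the address the
                       # client actually sent to, so WAN1/WAN2 replies stay consistent
dev tun
topology subnet
server 10.8.0.0 255.255.255.0            # IPv4 tunnel pool
server-ipv6 fd00:db8:ee::/64             # placeholder ULA pool; optional, the
                                         # IPv4 LAN stays reachable even over an IPv6 transport
push "route 192.168.10.0 255.255.255.0"  # placeholder office LAN, routed inside
                                         # the tunnel regardless of the outer v4/v6 transport
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0      # HMAC on the control channel: unauthenticated UDP is dropped early
keepalive 10 60
persist-key
persist-tun

# ---- client side: four remotes, tried in order until one answers ----
client
dev tun
nobind
remote vpn-wan1.example.net 1196 udp4    # WAN1 over IPv4
remote vpn-wan1.example.net 1196 udp6    # WAN1 over IPv6
remote vpn-wan2.example.net 1196 udp4    # WAN2 over IPv4
remote vpn-wan2.example.net 1196 udp6    # WAN2 over IPv6
resolv-retry infinite   # keep retrying A/AAAA lookups while the mobile link flaps
server-poll-timeout 10  # give an unreachable remote 10 s, then move to the next one
connect-retry 2 30      # back off between attempts, max 30 s
persist-tun
persist-key
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
remote-cert-tls server  # only accept a peer certificate marked as a server
verb 3
```

With a single DNS name that carries both A and AAAA records, the explicit udp4/udp6 lines per WAN make sure both families are actually tried instead of relying on which address the resolver hands back first.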