If OpenVPN Active, IPv6 Tunnel Drops?
  • Hello Everyone,

    I have an OpenVPN client connection to HideMyAss, as well as an IPv6 tunnel to HE.net.

    I have two LAN subnets on the LAN interface, 10.0.0.0/24 and 2001:470:8:699::/64.

    I have a 3rd physical NIC named VPN that has subnet 192.168.50.0/24 assigned to it.

    I only want 192.168.50.0/24 routed across the HMA VPN, so I have turned on Manual Outbound NAT and have the following two rules configured:

    Interface  Source           Src Port  Dest  Dest Port  NAT Address  NAT Port  Static Port  Description
    HMA        192.168.50.0/24  *         *     *          *            *         NO           Phone
    WAN        any              *         *     *          *            *         NO           LAN

    If I start the OpenVPN service, the HMA VPN connection is established and traffic flows as I would like it. However, once the OpenVPN connection is established, the gateway to HE.net goes offline and I am unable to route traffic from my LAN to HE.net.

    If I stop the OpenVPN service, the HE.net IPv6 tunnel immediately re-establishes itself.

    I'm stumped and I don't see anything IPv6 related in the logs (unless there is an IPv6 log available via SSH?).

    Help!


  • Rebel Alliance Developer Netgate

    Are they pushing you a default route over OpenVPN? If so your tunnel endpoint traffic would be trying to go over the tunnel as well, so he.net would see it coming from a different IP all of a sudden.



  • @jimp:

    Are they pushing you a default route over OpenVPN? If so your tunnel endpoint traffic would be trying to go over the tunnel as well, so he.net would see it coming from a different IP all of a sudden.

    Ahh ha, brilliant! I have "redirect-gateway def1;" in my OpenVPN config. I just removed it and the VPN still works. The OpenVPN log also reports "Jan 10 13:49:57 openvpn[47169]: ROUTE default_gateway=68.67.x.x" which is my ISP's (WAN) gateway. I don't see any other indication in the logs that they are pushing me a default gateway.

    I am going to reconfigure IPv6 and see if it works now. If I still can't get it working, if I update HE.net with the public IP of my VPN tunnel, then that should work, correct? I really don't care if the HE.net traffic has to traverse the VPN, I'm only utilizing IPv6 for learning.


  • Rebel Alliance Developer Netgate

    Yeah if all else fails, giving he.net the vpn public IP would work fine (but would increase latency)



  • @jimp:

    Yeah if all else fails, giving he.net the vpn public IP would work fine (but would increase latency)

    I think they are pushing me a default gateway, as I updated everything and it didn't work. I do see this in the OpenVPN logs: Jan 10 13:49:57 openvpn[47169]: /sbin/route add -net 0.0.0.0 74.115.x.x 128.0.0.0

    That IP is my gateway IP with HMA.

    Regardless, I allowed HE.net to ping my HMA public IP and updated the GIF interface to utilize the HMA interface as the parent interface and bingo, my HE.net tunnel came up. http://test-ipv6.com/ reports a 10/10 on both tests.

    Thanks for your assistance!

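The routing interaction jimp describes, as an added example that is not from this thread: a longest-prefix-match simulation of the routes that OpenVPN's "redirect-gateway def1" installs (the 0.0.0.0/1 and 128.0.0.0/1 routes behind the "/sbin/route add -net 0.0.0.0 74.115.x.x 128.0.0.0" log line), showing why the HE.net tunnel endpoint suddenly leaves via the VPN instead of the WAN. All addresses are constructed placeholders, and the endpoint host-route function is an assumed alternative for comparison, not something the thread tried.

```python
import ipaddress

# Constructed placeholder addresses (the thread masks the real ones).
WAN_GW = "68.67.0.1"        # ISP gateway, cf. "ROUTE default_gateway=68.67.x.x"
HMA_GW = "74.115.0.1"       # OpenVPN gateway, cf. "route add -net 0.0.0.0 74.115.x.x 128.0.0.0"
HMA_SERVER = "74.115.0.10"  # the OpenVPN server itself (constructed)
HE_ENDPOINT = "203.0.113.2" # HE.net tunnel server for the GIF interface (constructed)


def lookup(routes, dst):
    """Longest-prefix match, as the kernel does: the most specific route wins,
    so a /1 beats the /0 default and a /32 host route beats everything."""
    dst = ipaddress.ip_address(dst)
    best_net, best_gw = None, None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gw
    return best_gw


def base_table():
    # Before OpenVPN starts: only the ISP default route.
    return [("0.0.0.0/0", WAN_GW)]


def with_def1(table):
    # What "redirect-gateway def1" adds: two /1 routes that together cover the
    # whole IPv4 space and out-rank the /0 default, plus a host route so the
    # VPN's own packets to its server still go out the WAN. Nothing protects
    # the HE.net endpoint, so the GIF tunnel's outer packets are pulled into the VPN.
    return table + [
        ("0.0.0.0/1", HMA_GW),
        ("128.0.0.0/1", HMA_GW),
        (HMA_SERVER + "/32", WAN_GW),
    ]


def with_endpoint_pin(table):
    # Assumed alternative (not from the thread): a /32 host route for the
    # tunnel endpoint keeps it on the WAN regardless of what the VPN pushes.
    return table + [(HE_ENDPOINT + "/32", WAN_GW)]


if __name__ == "__main__":
    for name, tbl in [("base", base_table()),
                      ("def1", with_def1(base_table())),
                      ("def1+pin", with_endpoint_pin(with_def1(base_table())))]:
        print(f"{name:9s} HE.net endpoint via {lookup(tbl, HE_ENDPOINT)}")
```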

  • Rebel Alliance Developer Netgate

    That should work, you might also try "push-reset" in your client config, that should make it stop taking the default gateway from the far side.



  • @jimp:

    That should work, you might also try "push-reset" in your client config, that should make it stop taking the default gateway from the far side.

    I will give that a shot and report back!

