OpenVPN with IPv6 over IPv4 / pfSense 2.1



  • Hi,

    I've already installed pfSense 2.1 (Beta0, Jun 2) for routing my /48. Everything works as expected, so I decided to try routing an IPv6 net over IPv4. I added an IPv6 tunnel net to an existing OpenVPN config (PKI site-to-site, no client overriding) and let my test client (OpenVPN 2.2.1 i486-linux-gnu with IPv6 patch) reconnect via IPv4, but the IPv6 part failed to initialize.

    client log:
    Sun Jun  3 10:38:42 2012 us=873273 SENT CONTROL [pfsense]: 'PUSH_REQUEST' (status=1)
    WRRWRWRSun Jun  3 10:38:42 2012 us=996742 PUSH: Received control message: 'PUSH_REPLY,route 10.100.1.0 255.255.255.0,route-ipv6 2001:db8:702:3000::/64,route 10.0.10.1,topology net30,ping 10,ping-restart 60,ifconfig 10.0.11.2 10.0.11.1'
    Sun Jun  3 10:38:42 2012 us=996889 OPTIONS IMPORT: timers and/or timeouts modified
    Sun Jun  3 10:38:42 2012 us=997055 OPTIONS IMPORT: --ifconfig/up options modified
    Sun Jun  3 10:38:42 2012 us=997080 OPTIONS IMPORT: route options modified
    Sun Jun  3 10:38:42 2012 us=997829 ROUTE default_gateway=192.168.1.1
    Sun Jun  3 10:38:42 2012 us=998197 ROUTE6: default_gateway=UNDEF
    Sun Jun  3 10:38:42 2012 us=998231 OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
    Sun Jun  3 10:38:42 2012 us=998304 OpenVPN ROUTE: failed to parse/resolve route for host/network: 2001:db8:702:3000::/64
    Sun Jun  3 10:38:43 2012 us=3601 TUN/TAP device tun1 opened
    Sun Jun  3 10:38:43 2012 us=3699 TUN/TAP TX queue length set to 100
    Sun Jun  3 10:38:43 2012 us=3757 do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0

    The pfSense OpenVPN logs look quite normal, but my IPv6 tunnel net (2001:db8:702:1000::/64) isn't displayed in the routing table the way I know it from the IPv4 tunnel net (10.0.10/24), and it wasn't assigned to any OpenVPN tun device.

    Did I miss something in my openvpn config? Thanks in advance!



  • Perhaps someone is interested in a "works for me" solution. I properly solved the problem by manually adding "server-ipv6 2001:db8:702:1000::/64" to the pfSense OpenVPN config, but it didn't work with "Client Specific Override". My client now gets an IPv6 address and knows where to route the IPv6 net.

    Mon Jun 11 13:15:34 2012 SENT CONTROL [pfsense]: 'PUSH_REQUEST' (status=1)
    Mon Jun 11 13:15:34 2012 PUSH: Received control message: 'PUSH_REPLY,ifconfig-ipv6 2001:db8:702:1000::1:0 2001:db8:702:1000::1,route 10.100.1.0 255.255.255.0,route-ipv6 2001:db8:702:3000::/64,tun-ipv6,route 10.0.10.1,topology net30,ping 10,ping-restart 60,ifconfig 10.0.10.6 10.0.10.5'
    Mon Jun 11 13:15:34 2012 OPTIONS IMPORT: timers and/or timeouts modified
    Mon Jun 11 13:15:34 2012 OPTIONS IMPORT: --ifconfig/up options modified
    Mon Jun 11 13:15:34 2012 OPTIONS IMPORT: route options modified
    Mon Jun 11 13:15:34 2012 ROUTE default_gateway=x.x.228.1
    Mon Jun 11 13:15:34 2012 ROUTE6: default_gateway=UNDEF
    Mon Jun 11 13:15:34 2012 TUN/TAP device tun1 opened
    Mon Jun 11 13:15:34 2012 TUN/TAP TX queue length set to 100
    Mon Jun 11 13:15:34 2012 do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=1
    Mon Jun 11 13:15:34 2012 /sbin/ifconfig tun1 10.0.10.6 pointopoint 10.0.10.5 mtu 1500
    Mon Jun 11 13:15:34 2012 /sbin/ifconfig tun1 inet6 add 2001:db8:702:1000::1:0/64
    Mon Jun 11 13:15:34 2012 /sbin/route add -net 10.100.1.0 netmask 255.255.255.0 gw 10.0.10.5
    Mon Jun 11 13:15:34 2012 /sbin/route add -net 10.0.10.1 netmask 255.255.255.255 gw 10.0.10.5
    Mon Jun 11 13:15:34 2012 add_route_ipv6(2001:db8:702:3000::/64 -> 2001:db8:702:1000::1 metric 0) dev tun1
    Mon Jun 11 13:15:34 2012 /sbin/route -A inet6 add 2001:db8:702:3000::/64 dev tun1
    Mon Jun 11 13:15:34 2012 Initialization Sequence Completed
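
An added example, not part of either post above: a small Python check that reads a client log, parses each PUSH_REPLY, and reports every pushed route-ipv6 that has no gateway available, which is the condition behind the "needs a gateway parameter" error in the first log. The function names and the two sample lines (shortened from the logs in this thread) are constructed for illustration, and the check only sees pushed options, not anything set in the client's local config.

```python
import re

# Constructed sample lines, shortened from the two client logs in this thread.
BEFORE = ("Sun Jun  3 10:38:42 2012 us=996742 PUSH: Received control message: "
          "'PUSH_REPLY,route 10.100.1.0 255.255.255.0,"
          "route-ipv6 2001:db8:702:3000::/64,topology net30,"
          "ifconfig 10.0.11.2 10.0.11.1'")
AFTER = ("Mon Jun 11 13:15:34 2012 PUSH: Received control message: "
         "'PUSH_REPLY,ifconfig-ipv6 2001:db8:702:1000::1:0 2001:db8:702:1000::1,"
         "route-ipv6 2001:db8:702:3000::/64,tun-ipv6,topology net30,"
         "ifconfig 10.0.10.6 10.0.10.5'")

PUSH_RE = re.compile(r"PUSH: Received control message: 'PUSH_REPLY,(.*)'")


def parse_push_reply(line):
    """Return {option: [argument lists]} for a PUSH_REPLY log line, else None."""
    match = PUSH_RE.search(line)
    if not match:
        return None
    options = {}
    for item in match.group(1).split(","):
        parts = item.split()
        if parts:
            options.setdefault(parts[0], []).append(parts[1:])
    return options


def routes_without_gateway(options):
    """Prefixes pushed via route-ipv6 for which the client has no gateway."""
    # A default gateway comes from ifconfig-ipv6 or route-ipv6-gateway,
    # as the client's own error message states.
    has_default = "ifconfig-ipv6" in options or "route-ipv6-gateway" in options
    missing = []
    for args in options.get("route-ipv6", []):
        explicit_gateway = len(args) >= 2  # route-ipv6 <prefix> <gateway>
        if args and not (has_default or explicit_gateway):
            missing.append(args[0])
    return missing


def check_log(lines):
    """Collect unroutable IPv6 prefixes over every PUSH_REPLY in a log."""
    problems = []
    for line in lines:
        options = parse_push_reply(line)
        if options is not None:
            problems.extend(routes_without_gateway(options))
    return problems


if __name__ == "__main__":
    print("before server-ipv6:", check_log([BEFORE]))
    print("after server-ipv6: ", check_log([AFTER]))
```
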



  • Tun mode with ipv6 should work. Better support should be forthcoming with the openvpn 2.3 release. It is still heavily under development though.

    We need to take a look at what state it is in before we approach 2.1


  • This works for me also (tunneling v6 inside a v4 openvpn) but I only use it on a static key setup, I haven't tried ssl/tls.



  • Works fine on Win7 64 bit with the new OpenVPN 2.3 alpha2 release. Using it successfully with local user password and certificate authentication. Finally a reliable way to use IPv6 anywhere I like ;) Many thanks to the pfSense developers for implementing this!

