OpenVPN with IPv6 over IPv4 / pfSense 2.1
-
Hi,
I've already installed pfsense 2.1 (Beta0, Jun 2) for routing my /48. Everything works as expected, so I decided to try routing an ipv6 net over ipv4. I added an ipv6 tunnel net to an existing openvpn config (PKI site-to-site, no client overriding) and let my test client (OpenVPN 2.2.1 i486-linux-gnu with ipv6 patch) reconnect via ipv4, but the ipv6 part failed to initialize.
client log:
Sun Jun 3 10:38:42 2012 us=873273 SENT CONTROL [pfsense]: 'PUSH_REQUEST' (status=1)
WRRWRWRSun Jun 3 10:38:42 2012 us=996742 PUSH: Received control message: 'PUSH_REPLY,route 10.100.1.0 255.255.255.0,route-ipv6 2001:db8:702:3000::/64,route 10.0.10.1,topology net30,ping 10,ping-restart 60,ifconfig 10.0.11.2 10.0.11.1'
Sun Jun 3 10:38:42 2012 us=996889 OPTIONS IMPORT: timers and/or timeouts modified
Sun Jun 3 10:38:42 2012 us=997055 OPTIONS IMPORT: --ifconfig/up options modified
Sun Jun 3 10:38:42 2012 us=997080 OPTIONS IMPORT: route options modified
Sun Jun 3 10:38:42 2012 us=997829 ROUTE default_gateway=192.168.1.1
Sun Jun 3 10:38:42 2012 us=998197 ROUTE6: default_gateway=UNDEF
Sun Jun 3 10:38:42 2012 us=998231 OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
Sun Jun 3 10:38:42 2012 us=998304 OpenVPN ROUTE: failed to parse/resolve route for host/network: 2001:db8:702:3000::/64
Sun Jun 3 10:38:43 2012 us=3601 TUN/TAP device tun1 opened
Sun Jun 3 10:38:43 2012 us=3699 TUN/TAP TX queue length set to 100
Sun Jun 3 10:38:43 2012 us=3757 do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
The pfsense openvpn logs look quite normal, but my ipv6 tunnel net (2001:db8:702:1000::/64) isn't displayed in the routing table the way I know it from the ipv4 tunnel net (10.0.10/24), and it wasn't assigned to any openvpn tun device.
Did I miss something in my openvpn config? Thanks in advance!
-
Perhaps someone is interested in a "works for me" solution. I properly solved the problem by manually adding "server-ipv6 2001:db8:702:1000::/64" to the pfSense OpenVPN config, but it didn't work with "Client Specific Override". My client now gets an ipv6 address and knows where to route the ipv6 net.
Mon Jun 11 13:15:34 2012 SENT CONTROL [pfsense]: 'PUSH_REQUEST' (status=1)
Mon Jun 11 13:15:34 2012 PUSH: Received control message: 'PUSH_REPLY,ifconfig-ipv6 2001:db8:702:1000::1:0 2001:db8:702:1000::1,route 10.100.1.0 255.255.255.0,route-ipv6 2001:db8:702:3000::/64,tun-ipv6,route 10.0.10.1,topology net30,ping 10,ping-restart 60,ifconfig 10.0.10.6 10.0.10.5'
Mon Jun 11 13:15:34 2012 OPTIONS IMPORT: timers and/or timeouts modified
Mon Jun 11 13:15:34 2012 OPTIONS IMPORT: --ifconfig/up options modified
Mon Jun 11 13:15:34 2012 OPTIONS IMPORT: route options modified
Mon Jun 11 13:15:34 2012 ROUTE default_gateway=x.x.228.1
Mon Jun 11 13:15:34 2012 ROUTE6: default_gateway=UNDEF
Mon Jun 11 13:15:34 2012 TUN/TAP device tun1 opened
Mon Jun 11 13:15:34 2012 TUN/TAP TX queue length set to 100
Mon Jun 11 13:15:34 2012 do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=1
Mon Jun 11 13:15:34 2012 /sbin/ifconfig tun1 10.0.10.6 pointopoint 10.0.10.5 mtu 1500
Mon Jun 11 13:15:34 2012 /sbin/ifconfig tun1 inet6 add 2001:db8:702:1000::1:0/64
Mon Jun 11 13:15:34 2012 /sbin/route add -net 10.100.1.0 netmask 255.255.255.0 gw 10.0.10.5
Mon Jun 11 13:15:34 2012 /sbin/route add -net 10.0.10.1 netmask 255.255.255.255 gw 10.0.10.5
Mon Jun 11 13:15:34 2012 add_route_ipv6(2001:db8:702:3000::/64 -> 2001:db8:702:1000::1 metric 0) dev tun1
Mon Jun 11 13:15:34 2012 /sbin/route -A inet6 add 2001:db8:702:3000::/64 dev tun1
Mon Jun 11 13:15:34 2012 Initialization Sequence Completed
-
Tun mode with ipv6 should work. Better support should be forthcoming with the openvpn 2.3 release. It is still heavily under development though.
We need to take a look at what state it is in before we approach 2.1
-
This works for me also (tunneling v6 inside a v4 openvpn) but I only use it on a static key setup, I haven't tried ssl/tls.
-
Works fine on Win7 64 bit with the new OpenVPN 2.3 alpha2 release. Using it successfully with local user password and certificate authentication. Finally a reliable way to use IPv6 anywhere I like ;) Many thanks to the pfSense developers for implementing this!
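-
The difference between the two client logs in this thread, as an added example that is not part of the original posts: a small Python check that parses a PUSH_REPLY log line and reports when route-ipv6 is pushed with nothing to use as a gateway. The function names are hypothetical, and the check assumes only pushed options matter (the client's local config is not read).

```python
import re

# PUSH_REPLY lines copied from the two client logs in the thread.
FAILING = ("Sun Jun 3 10:38:42 2012 us=996742 PUSH: Received control message: "
           "'PUSH_REPLY,route 10.100.1.0 255.255.255.0,"
           "route-ipv6 2001:db8:702:3000::/64,route 10.0.10.1,topology net30,"
           "ping 10,ping-restart 60,ifconfig 10.0.11.2 10.0.11.1'")
WORKING = ("Mon Jun 11 13:15:34 2012 PUSH: Received control message: "
           "'PUSH_REPLY,ifconfig-ipv6 2001:db8:702:1000::1:0 2001:db8:702:1000::1,"
           "route 10.100.1.0 255.255.255.0,route-ipv6 2001:db8:702:3000::/64,"
           "tun-ipv6,route 10.0.10.1,topology net30,ping 10,ping-restart 60,"
           "ifconfig 10.0.10.6 10.0.10.5'")

PUSH_RE = re.compile(r"PUSH: Received control message: 'PUSH_REPLY,?(.*)'")


def parse_push_reply(line):
    """Return {option: [argument lists]} for a PUSH_REPLY log line, else None."""
    match = PUSH_RE.search(line)
    if match is None:
        return None
    opts = {}
    for item in match.group(1).split(","):
        parts = item.split()
        if parts:  # an option such as tun-ipv6 has an empty argument list
            opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def ipv6_push_problems(opts):
    """List reasons the pushed IPv6 routes cannot be set up on the client."""
    # Assumption: only pushed options are checked, not the client's own config.
    problems = []
    routes = [args for args in opts.get("route-ipv6", []) if args]
    has_addr = "ifconfig-ipv6" in opts
    has_gw = "route-ipv6-gateway" in opts
    for args in routes:
        # route-ipv6 may carry its own gateway as a second argument.
        if not (has_addr or has_gw or len(args) > 1):
            problems.append(f"route-ipv6 {args[0]}: no gateway available")
    if routes and not has_addr:
        problems.append("route-ipv6 pushed without ifconfig-ipv6")
    return problems


if __name__ == "__main__":
    for name, line in (("first log", FAILING), ("second log", WORKING)):
        print(name, ipv6_push_problems(parse_push_reply(line)) or "ok")
```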