OpenVPN Peer to Peer IPv6 Tunnel Network not working

  • Hello,

    I set up a peer to peer OpenVPN Tunnel from one pfSense box to another pfSense box.
    IPv4 Tunnel Network is which is working like expected.

    When I add the IPv6 Tunnel Network fe80:192:168:255::/127, OpenVPN no longer works and the System Log shows the following:

    Dec 22 22:11:54 	openvpn[38380]: Options error: ifconfig-ipv6 parms 'fe80:192:168:255::1' and '127' must be valid addresses
    Dec 22 22:11:54 	openvpn[38380]: Use --help for more information.

    I already tried with fc00 addresses. Same error. Also increased verbosity level to 9 but the error output doesn't change.

    Can anybody tell me what I am doing wrong here?

  • Rebel Alliance Developer Netgate

    Don't use fe80 for those. And use a /64 not a /127.

  • Hey jimp,

    I tried different subnet masks and addresses but it's always the same error message.

    Jan 2 14:40:24	openvpn[98179]: Options error: ifconfig-ipv6 parms 'fc00:192:168:255::1' and '64' must be valid addresses
    Jan 2 14:40:24	openvpn[98179]: Use --help for more information.
    Jan 2 14:41:33	openvpn[32890]: Options error: ifconfig-ipv6 parms '2001:470:7224:255::1' and '64' must be valid addresses
    Jan 2 14:41:33	openvpn[32890]: Use --help for more information.

    Any other ideas?

  • Rebel Alliance Developer Netgate

    Tun mode or tap mode?

  • Tap mode. I want to use this tunnel for emergency situations.
    For example when my hypervisor in the datacenter has a hardware failure I can restore the backups of important VMs on my hypervisor at home and don't need to change anything in the network configuration.

    Seems to have something to do with tap. When I change to tun the server starts without problems.

    //EDIT pfSense version:

    2.1.5-RELEASE (amd64)
    built on Mon Aug 25 07:44:45 EDT 2014
    FreeBSD 8.3-RELEASE-p16

  • Rebel Alliance Developer Netgate

    All mine using IPv6 that work are in tun mode. Haven't tried tap mode. There could be a bug there yet since tap mode wants different parameters to ifconfig.

    Did that work in 2.1.x? Or did you try it there?

    If a tap interface is bridged to a LAN it probably shouldn't have a tunnel network specified anyhow.

  • I am currently having the same issue - with 2.2 and tap.

    I used a HE tunnelbroker to get IPv6 on a server in the datacenter. The server is connected to another pfSense installation at home.

    I allocated a /48, and split it into /64s. One of the /64s was to be used for the home network, and the other /64 was to be used for the rest of the clients on the OpenVPN network.

    Whenever any IPv6 address is added to the TAP interface, the entire interface instantly wipes itself out, removing both IPv4 and IPv4 addresses. As a result, it makes OpenVPN unusable.
