AX11000 as OpenVPN client, not tunneling ipv6

Discussion in 'ASUS Wireless' started by Lylitu, Jul 16, 2019.

  1. Lylitu

    I'm going to post some logs and my config files, but my initial question is: can this router even tunnel IPv6 traffic as a VPN client?

    My config:
    I have an OpenVPN server set up on Linode with a routed /64 block, no HE tunnel involved. When I set up individual devices as clients, all connect just fine on both IPv4 and IPv6 through the tunnel, no 6in4 or anything like that. Just per the OpenVPN manual.
    My server is running version 2.4.7 on Ubuntu 18.04 and the router is running 2.3.2. According to the manual, both versions are capable of tunneling IPv6.

    Problem:
    I have an .ovpn file and upload it to an individual device; it successfully tunnels both IPv4 and IPv6 simultaneously.
    I upload the same .ovpn file to the router and test the same device; IPv4 is tunneled and IPv6 leaks.

    I've tried several things, including turning off the firewall on the router, which does nothing.

    Router log: (in this particular instance I tried adding my laptop and phone to the exception list on the VPN)

    Routed block to my Server: 2600:3c02:abcd:1234::/64
    OpenVPN Server: 45.33.xxx.xxx

    Code:
    Jul 16 20:03:00 vpnclient5[7917]: Multiple --up scripts defined.  The previously configured script is overridden.
    Jul 16 20:03:00 vpnclient5[7917]: Multiple --down scripts defined.  The previously configured script is overridden.
    Jul 16 20:03:00 vpnclient5[7917]: OpenVPN 2.3.2 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Jun 12 2019
    Jul 16 20:03:00 vpnclient5[7917]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jul 16 20:03:00 vpnclient5[7917]: Control Channel Authentication: using 'static.key' as a OpenVPN static key file
    Jul 16 20:03:00 vpnclient5[7917]: Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
    Jul 16 20:03:00 vpnclient5[7917]: Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
    Jul 16 20:03:00 vpnclient5[7917]: Socket Buffers: R=[87380->87380] S=[16384->16384]
    Jul 16 20:03:00 vpnclient5[7918]: Attempting to establish TCP connection with [AF_INET]45.33.xxx.xxx:443 [nonblock]
    Jul 16 20:03:00 dhcp client: bound 75.115.xxx.xxx via 75.115.xxx.xxx during 41365 seconds.
    Jul 16 20:03:01 vpnclient5[7918]: TCP connection established with [AF_INET]45.33.xxx.xxx:443
    Jul 16 20:03:01 vpnclient5[7918]: TCPv4_CLIENT link local: [undef]
    Jul 16 20:03:01 vpnclient5[7918]: TCPv4_CLIENT link remote: [AF_INET]45.33.xxx.xxx:443
    Jul 16 20:03:01 vpnclient5[7918]: TLS: Initial packet from [AF_INET]45.33.xxx.xxx:443, sid=a16b1d70 8ba3013b
    Jul 16 20:03:01 vpnclient5[7918]: VERIFY OK: depth=1, CN=Easy-RSA CA
    Jul 16 20:03:01 vpnclient5[7918]: Validating certificate key usage
    Jul 16 20:03:01 vpnclient5[7918]: ++ Certificate has key usage  00a0, expects 00a0
    Jul 16 20:03:01 vpnclient5[7918]: VERIFY KU OK
    Jul 16 20:03:01 vpnclient5[7918]: Validating certificate extended key usage
    Jul 16 20:03:01 vpnclient5[7918]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
    Jul 16 20:03:01 vpnclient5[7918]: VERIFY EKU OK
    Jul 16 20:03:01 vpnclient5[7918]: VERIFY OK: depth=0, CN=server
    Jul 16 20:03:01 acsd: selected channel spec: 0xe27a (124/80)
    Jul 16 20:03:01 acsd: Adjusted channel spec: 0xe27a (124/80)
    Jul 16 20:03:01 acsd: selected channel spec: 0xe27a (124/80)
    Jul 16 20:03:01 acsd: acs_set_chspec: 0xe27a (124/80) for reason APCS_INIT
    Jul 16 20:03:01 vpnclient5[7918]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Jul 16 20:03:01 vpnclient5[7918]: Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
    Jul 16 20:03:01 vpnclient5[7918]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Jul 16 20:03:01 vpnclient5[7918]: Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
    Jul 16 20:03:01 vpnclient5[7918]: Control Channel: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 2048 bit RSA
    Jul 16 20:03:01 vpnclient5[7918]: [server] Peer Connection Initiated with [AF_INET]45.33.xxx.xxx:443
    Jul 16 20:03:04 vpnclient5[7918]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Jul 16 20:03:04 vpnclient5[7918]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route-ipv6 2000::/3,dhcp-option DNS 10.8.0.1,dhcp-option DNS 2600:3c02:abcd:1234::1,sndbuf 0,rcvbuf 0,tun-ipv6,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 60,socket-flags TCP_NODELAY,ifconfig-ipv6 2600:3c02:abcd:1234::1000/64 2600:3c02:abcd:1234::1,ifconfig 10.8.0.2 255.255.255.0'
    Jul 16 20:03:04 vpnclient5[7918]: OPTIONS IMPORT: timers and/or timeouts modified
    Jul 16 20:03:04 vpnclient5[7918]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
    Jul 16 20:03:04 vpnclient5[7918]: Socket Buffers: R=[408320->408320] S=[92160->92160]
    Jul 16 20:03:04 vpnclient5[7918]: OPTIONS IMPORT: --socket-flags option modified
    Jul 16 20:03:04 vpnclient5[7918]: OPTIONS IMPORT: --ifconfig/up options modified
    Jul 16 20:03:04 vpnclient5[7918]: OPTIONS IMPORT: route options modified
    Jul 16 20:03:04 vpnclient5[7918]: OPTIONS IMPORT: route-related options modified
    Jul 16 20:03:04 vpnclient5[7918]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Jul 16 20:03:04 vpnclient5[7918]: TUN/TAP device tun15 opened
    Jul 16 20:03:04 vpnclient5[7918]: TUN/TAP TX queue length set to 100
    Jul 16 20:03:04 vpnclient5[7918]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=1
    Jul 16 20:03:04 vpnclient5[7918]: /sbin/ifconfig tun15 10.8.0.2 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
    Jul 16 20:03:04 vpnclient5[7918]: /sbin/ifconfig tun15 add 2600:3c02:abcd:1234::1000/64
    Jul 16 20:03:04 vpnclient5[7918]: /etc/openvpn/ovpnc-up 5 tun15 1500 1571 10.8.0.2 255.255.255.0 init
    Jul 16 20:03:04 dnsmasq[7670]: bad address at line 2 of /tmp/resolv.dnsmasq
    Jul 16 20:03:04 vpnclient5[7918]: Initialization Sequence Completed
    Jul 16 20:03:07 dhcp6 client: bound address 2603:9000:dead:beef:xxxx:xxxx:xxxx:xxxx/128, prefix 2603:9000:baba:dada::/64
    Server config:
    Code:
    dev tun
    proto tcp6
    port 443
    persist-key
    persist-tun
    keepalive 10 60
    cipher AES-256-CBC
    auth SHA256
    #remote-cert-tls client
    tls-auth ta.key 0
    server 10.8.0.0 255.255.255.0
    server-ipv6 2600:3c02:abcd:1234::/64
    push "redirect-gateway def1"
    push "route-ipv6 2000::/3"
    push "dhcp-option DNS 10.8.0.1"
    push "dhcp-option DNS 2600:3c02:abcd:1234::1"
    topology subnet
    dh dh.pem
    ca ca.crt
    cert server.crt
    key server.key
    user nobody
    group nogroup
    sndbuf 0
    push "sndbuf 0"
    rcvbuf 0
    push "rcvbuf 0"
    tcp-nodelay
    verb 3
    log-append /var/log/openvpn/openvpn.log
    key-direction 0
    Client config:
    Code:
    client
    dev tun
    proto tcp6
    cipher AES-256-CBC
    auth SHA256
    remote 45.33.xxx.xxx 443
    remote-cert-tls server
    #tls-auth ta.key 1
    nobind
    pull
    key-direction 1
    Thanks for any insight.
     
    Last edited: Jul 16, 2019
  2. Lylitu

    So I've fixed an error and have a new one that might give more information, but still no IPv6 tunnel.

    I changed
    Code:
    push "dhcp-option DNS 2600:3c02:abcd:1234::1"
    to
    Code:
    push "dhcp-option DNS6 2600:3c02:abcd:1234::1"
    which removed the error
    Code:
    Jul 16 20:03:04 dnsmasq[7670]: bad address at line 2 of /tmp/resolv.dnsmasq

    I also changed
    Code:
    remote 45.33.xxx.xxx 443
    to
    Code:
    remote 2600:3c02::6666:3333:ffff:aaa 443
    (the SLAAC IPv6 address assigned to my server) and now receive this in the log upon trying to connect on the router:
    Code:
    Jul 17 18:18:44 vpnclient5[31119]: Multiple --up scripts defined.  The previously configured script is overridden.
    Jul 17 18:18:44 vpnclient5[31119]: Multiple --down scripts defined.  The previously configured script is overridden.
    Jul 17 18:18:44 vpnclient5[31119]: OpenVPN 2.3.2 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Jun 12 2019
    Jul 17 18:18:44 vpnclient5[31119]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jul 17 18:18:44 vpnclient5[31119]: Control Channel Authentication: using 'static.key' as a OpenVPN static key file
    Jul 17 18:18:44 vpnclient5[31119]: Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
    Jul 17 18:18:44 vpnclient5[31119]: Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
    Jul 17 18:18:44 vpnclient5[31119]: Socket Buffers: R=[87380->87380] S=[16384->16384]
    Jul 17 18:18:44 vpnclient5[31120]: Attempting to establish TCP connection with [undef] [nonblock]
    Jul 17 18:18:44 vpnclient5[31120]: TCP: connect to [undef] failed, will try again in 5 seconds: Connection refused
    With this error, I don't even achieve an IPv4 tunnel.
    Looks like I'm not establishing an [AF_INET6] connection like I typically would on my individual devices.
     
    Last edited: Jul 18, 2019
  3. Lylitu

    OpenVPN server log upon router connection as client. I changed the connection to UDP/1194, and made a few other minor adjustments that haven't made a difference.
    Code:
    Fri Jul 19 00:47:48 2019 75.115.52.231 TLS: Initial packet from [AF_INET6]::ffff:75.115.xxx.xxx:45464, sid=b50b5035 89ecda56
    Fri Jul 19 00:47:49 2019 75.115.52.231 VERIFY OK: depth=1, CN=Easy-RSA CA
    Fri Jul 19 00:47:49 2019 75.115.52.231 VERIFY OK: depth=0, CN=client1
    Fri Jul 19 00:47:49 2019 75.115.52.231 peer info: IV_VER=2.3.2
    Fri Jul 19 00:47:49 2019 75.115.52.231 peer info: IV_PLAT=linux
    Fri Jul 19 00:47:49 2019 75.115.52.231 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
    Fri Jul 19 00:47:49 2019 75.115.52.231 Outgoing Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
    Fri Jul 19 00:47:49 2019 75.115.52.231 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
    Fri Jul 19 00:47:49 2019 75.115.52.231 Incoming Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
    Fri Jul 19 00:47:49 2019 75.115.52.231 Control Channel: TLSv1, cipher TLSv1.0 ECDHE-RSA-AES256-SHA, 2048 bit RSA
    Fri Jul 19 00:47:49 2019 75.115.52.231 [client1] Peer Connection Initiated with [AF_INET6]::ffff:75.115.xxx.xxx:45464
    Fri Jul 19 00:47:49 2019 client1/75.115.52.231 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=2600:3c02:abcd:1234::1000
    Fri Jul 19 00:47:49 2019 client1/75.115.52.231 MULTI: Learn: 10.8.0.2 -> client1/75.115.xxx.xxx
    Fri Jul 19 00:47:49 2019 client1/75.115.52.231 MULTI: primary virtual IP for client1/75.115.xxx.xxx: 10.8.0.2
    Fri Jul 19 00:47:49 2019 client1/75.115.52.231 MULTI: Learn: 2600:3c02:abcd:1234::1000 -> client1/75.115.xxx.xxx
    Fri Jul 19 00:47:49 2019 client1/75.115.52.231 MULTI: primary virtual IPv6 for client1/75.115.xxx.xxx: 2600:3c02:abcd:1234::1000
    Fri Jul 19 00:47:51 2019 client1/75.115.52.231 PUSH: Received control message: 'PUSH_REQUEST'
    Fri Jul 19 00:47:51 2019 client1/75.115.52.231 SENT CONTROL [client1]: 'PUSH_REPLY,redirect-gateway ipv6 def1,route-ipv6 2000::/3,dhcp-option DNS 10.8.0.1,dhcp-option DNS6 2600:3c02:abcd:1234::1,sndbuf 0,rcvbuf 0,tun-ipv6,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 60,socket-flags TCP_NODELAY,ifconfig-ipv6 2600:3c02:abcd:1234::1000/64 2600:3c02:abcd:1234::1,ifconfig 10.8.0.2 255.255.255.0' (status=1)
    Router log:
    Code:
    Jul 18 20:47:46 rc_service: httpd 22152:notify_rc restart_vpnc
    Jul 18 20:47:48 vpnclient5[24920]: Multiple --up scripts defined.  The previously configured script is overridden.
    Jul 18 20:47:48 vpnclient5[24920]: Multiple --down scripts defined.  The previously configured script is overridden.
    Jul 18 20:47:48 vpnclient5[24920]: OpenVPN 2.3.2 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Jun 12 2019
    Jul 18 20:47:48 vpnclient5[24920]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jul 18 20:47:48 vpnclient5[24920]: Control Channel Authentication: using 'static.key' as a OpenVPN static key file
    Jul 18 20:47:48 vpnclient5[24920]: Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
    Jul 18 20:47:48 vpnclient5[24920]: Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
    Jul 18 20:47:48 vpnclient5[24920]: Socket Buffers: R=[524288->524288] S=[524288->524288]
    Jul 18 20:47:48 vpnclient5[24921]: UDPv4 link local: [undef]
    Jul 18 20:47:48 vpnclient5[24921]: UDPv4 link remote: [AF_INET]45.33.xxx.xxx:1194
    Jul 18 20:47:48 vpnclient5[24921]: TLS: Initial packet from [AF_INET]45.33.xxx.xxx:1194, sid=ade23a6d 14f1e9d0
    Jul 18 20:47:48 vpnclient5[24921]: VERIFY OK: depth=1, CN=Easy-RSA CA
    Jul 18 20:47:48 vpnclient5[24921]: Validating certificate key usage
    Jul 18 20:47:48 vpnclient5[24921]: ++ Certificate has key usage  00a0, expects 00a0
    Jul 18 20:47:48 vpnclient5[24921]: VERIFY KU OK
    Jul 18 20:47:48 vpnclient5[24921]: Validating certificate extended key usage
    Jul 18 20:47:48 vpnclient5[24921]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
    Jul 18 20:47:48 vpnclient5[24921]: VERIFY EKU OK
    Jul 18 20:47:48 vpnclient5[24921]: VERIFY OK: depth=0, CN=server
    Jul 18 20:47:49 vpnclient5[24921]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Jul 18 20:47:49 vpnclient5[24921]: Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
    Jul 18 20:47:49 vpnclient5[24921]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Jul 18 20:47:49 vpnclient5[24921]: Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
    Jul 18 20:47:49 vpnclient5[24921]: Control Channel: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 2048 bit RSA
    Jul 18 20:47:49 vpnclient5[24921]: [server] Peer Connection Initiated with [AF_INET]45.33.xxx.xxx:1194
    Jul 18 20:47:51 vpnclient5[24921]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Jul 18 20:47:51 vpnclient5[24921]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway ipv6 def1,route-ipv6 2000::/3,dhcp-option DNS 10.8.0.1,dhcp-option DNS6 2600:3c02:eabcd:1234::1,sndbuf 0,rcvbuf 0,tun-ipv6,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 60,socket-flags TCP_NODELAY,ifconfig-ipv6 2600:3c02:abcd:1234::1000/64 2600:3c02:abcd:1234::1,ifconfig 10.8.0.2 255.255.255.0'
    Jul 18 20:47:51 vpnclient5[24921]: Options error: unknown --redirect-gateway flag: ipv6
    Jul 18 20:47:51 vpnclient5[24921]: OPTIONS IMPORT: timers and/or timeouts modified
    Jul 18 20:47:51 vpnclient5[24921]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
    Jul 18 20:47:51 vpnclient5[24921]: Socket Buffers: R=[524288->524288] S=[524288->524288]
    Jul 18 20:47:51 vpnclient5[24921]: OPTIONS IMPORT: --socket-flags option modified
    Jul 18 20:47:51 vpnclient5[24921]: NOTE: setsockopt TCP_NODELAY=1 failed
    Jul 18 20:47:51 vpnclient5[24921]: OPTIONS IMPORT: --ifconfig/up options modified
    Jul 18 20:47:51 vpnclient5[24921]: OPTIONS IMPORT: route options modified
    Jul 18 20:47:51 vpnclient5[24921]: OPTIONS IMPORT: route-related options modified
    Jul 18 20:47:51 vpnclient5[24921]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Jul 18 20:47:51 vpnclient5[24921]: TUN/TAP device tun15 opened
    Jul 18 20:47:51 vpnclient5[24921]: TUN/TAP TX queue length set to 100
    Jul 18 20:47:51 vpnclient5[24921]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=1
    Jul 18 20:47:51 vpnclient5[24921]: /sbin/ifconfig tun15 10.8.0.2 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
    Jul 18 20:47:51 vpnclient5[24921]: /sbin/ifconfig tun15 add 2600:3c02:abcd:1234::1000/64
    Jul 18 20:47:51 vpnclient5[24921]: /etc/openvpn/ovpnc-up 5 tun15 1500 1569 10.8.0.2 255.255.255.0 init
    Jul 18 20:47:51 vpnclient5[24921]: Initialization Sequence Completed
    Jul 18 20:48:51 rc_service: httpd 22152:notify_rc restart_default_wan
    Jul 18 20:48:52 rc_service: httpd 22152:notify_rc restart_default_wan
    Jul 18 20:48:53 rc_service: httpd 22152:notify_rc restart_vpnc_dev_policy
     
    Last edited: Jul 18, 2019
  4. Swistheater

    It is because the firmware does not support IPv6 over the OpenVPN client.
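
A log check for the symptom discussed in this thread, added here as an example and not part of any post: it compares the IPv6 options in the PUSH_REPLY with what the client log shows being applied. The function names and the abridged sample are this example's own, and it assumes that stock OpenVPN logs add_route_ipv6(...) when it installs a pushed IPv6 route; firmware that installs routes from its own up script may not.

```python
import re

# Abridged from the router log in post 3 of the thread; timestamps and PIDs dropped.
SAMPLE_LOG = """\
PUSH: Received control message: 'PUSH_REPLY,redirect-gateway ipv6 def1,route-ipv6 2000::/3,tun-ipv6,route-gateway 10.8.0.1,topology subnet,ifconfig-ipv6 2600:3c02:abcd:1234::1000/64 2600:3c02:abcd:1234::1,ifconfig 10.8.0.2 255.255.255.0'
Options error: unknown --redirect-gateway flag: ipv6
/sbin/ifconfig tun15 10.8.0.2 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
/sbin/ifconfig tun15 add 2600:3c02:abcd:1234::1000/64
Initialization Sequence Completed
""".splitlines()

PUSH_RE = re.compile(r"PUSH: Received control message: 'PUSH_REPLY,(.*)'")
V6_OPTS = ("route-ipv6", "ifconfig-ipv6", "tun-ipv6")


def pushed_options(lines):
    """Return the options of the last PUSH_REPLY seen, as a list of strings."""
    opts = []
    for line in lines:
        m = PUSH_RE.search(line)
        if m:
            opts = [o.strip() for o in m.group(1).split(",") if o.strip()]
    return opts


def audit(lines):
    """Compare the IPv6 options the server pushed with what the client logged."""
    opts = pushed_options(lines)
    pushed_v6 = [o for o in opts if o.split()[0] in V6_OPTS
                 or (o.startswith("redirect-gateway") and "ipv6" in o.split())]
    # Options the client refused to import (e.g. flags newer than its version).
    rejected = [l.split("Options error:", 1)[1].strip()
                for l in lines if "Options error:" in l]
    addr_set = any(re.search(r"ifconfig \S+ add [0-9a-fA-F:]+/\d+", l) for l in lines)
    # Assumption: a client that installs a pushed IPv6 route logs add_route_ipv6(...).
    route_logged = any("add_route_ipv6(" in l for l in lines)
    wants_route = any(o.startswith("route-ipv6") for o in opts)
    return {
        "pushed_v6": pushed_v6,
        "rejected": rejected,
        "v6_address_configured": addr_set,
        "v6_route_logged": route_logged,
        # Route pushed but never logged: IPv6 may still follow the WAN default
        # route, so inspect the router's IPv6 routing table.
        "check_v6_routing": wants_route and not route_logged,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

When check_v6_routing is true, the log alone does not prove a leak; it marks a tunnel that has an IPv6 address but no logged IPv6 route, which matches the behaviour reported above.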