
Configure OpenVPN for IPv6 on Voxel Orbi


CrimpOn

Regular Contributor
Saw a post on the Netgear forum from a user in Germany who does not have a public IPv4 address. His ISP uses Dual Stack - Lite, which results in customers being assigned private IPs so there is no IPv4 address that cannot be connected to remotely. He wants to set up a VPN host using the Orbi IPv6 address to enable access to LAN from the internet. Stock Netgear OpenVPN does not allow the user to define settings to permit access using IPv6.

The question is whether Voxel firmware for Orbi RBR50 can be set to IPv6.
If not, what about WireGuard?

Thanks
 
Not sure about the Orbi, but the R7800 with Voxel does not support an OpenVPN server on IPv6 as standard.
The OpenVPN server startup script automatically configures it only for either tcp4 or udp4.
Also the firewall is opened for IPv4 ports.

Probably the Orbi does the same, because they usually are quite similar.

When using Voxel, perhaps it can be enabled. But that would require changing stuff via SSH.
- Flash Voxel firmware
- SSH to the Orbi
- Edit the OpenVPN server startup script to force it to use tcp6 or udp6.
(if it is similar to R7800, then that script is in /etc/init.d/openvpn; find proto ${proto}4 and change it to proto ${proto}6)
- Restart the OpenVPN server via GUI
- Open the OpenVPN ports in IPv6 firewall with ip6tables
(in my case something like:
ip6tables -t filter -I INPUT -i brwan -p tcp --dport 12973 -m state --state NEW -j ACCEPT
ip6tables -t filter -I INPUT -i brwan -p tcp --dport 12974 -m state --state NEW -j ACCEPT

But, on orbi the name of the interface (brwan) might be different; also might need to change tcp into udp; or change the port addresses.

Last, you need to manually alter the .ovpn profile to replace the IPv4 address with the IPv6 address; also change proto tcp into proto tcp6 or proto udp into proto udp6; and then import that altered .ovpn into your VPN client.

If everything works, then some other steps are needed to ensure that the config survives a reboot.

I cannot test it myself, because I only have IPv6 at home. My mobile phone 4G connection has no support for IPv6.
But the strange thing is that if I try to connect to IPv6 OpenVPN via WiFi, then it doesn't work.

Also testing via netcat on my MacBook:
this works: nc -v <IPv4> 12973
but this gives a connection refused: nc -v <IPv6> 12973
So I'm a bit lost.

EDIT1:
so I found out that for IPv6 the OpenVPN server binds to the "internal" IPv6 address (in my case on br0).
If I put that IPv6 address in the .ovpn and import it into OpenVPN on my iPhone then it can connect to OpenVPN over IPv6.

Also tried forcing OpenVPN to bind to the "public IPv6" (on brwan), but that fails...

Perhaps this is something specific to IPv6? (don't have experience with IPv6)
So maybe the equivalent of a port-forward must be made to make the "internal" IPv6 address reachable from the internet.
But I don't know how.
(and thus probably the ip6tables commands I mentioned before are incorrect).



I don't think WireGuard can be easily used. Voxel firmware only has a WireGuard client and no WireGuard server.
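
The client-profile step described in the post above (swap the IPv4 address for the IPv6 one and change proto tcp/udp to tcp6/udp6), as an added example that is not part of the original post or of the Voxel firmware. The function name ovpn_to_ipv6 is hypothetical, and 203.0.113.10 and 2001:db8::1 are documentation placeholder addresses; port 12973 is the one quoted in the post.

```shell
#!/bin/sh
# Added example: rewrite an OpenVPN client profile to reach the server over IPv6.
# ovpn_to_ipv6 is a hypothetical helper name; the converted profile goes to stdout.
ovpn_to_ipv6() {
    profile=$1 addr=$2
    # Accept only an IPv6 literal (hex digits and colons), so a mistyped
    # argument cannot produce a profile that points at an unintended host.
    case $addr in
        *[!0-9A-Fa-f:]*|'') echo "not an IPv6 literal: $addr" >&2; return 1 ;;
        *:*) ;;
        *) echo "not an IPv6 literal: $addr" >&2; return 1 ;;
    esac
    awk -v addr="$addr" '
        # tcp -> tcp6, udp4 -> udp6, tcp-client -> tcp6-client
        function six(p,   rest) {
            rest = substr(p, 4); sub(/^4/, "", rest)
            return substr(p, 1, 3) "6" rest
        }
        function is_v4_proto(p) { return p ~ /^(tcp|udp)4?(-client)?$/ }
        $1 == "proto" && is_v4_proto($2) { $2 = six($2); print; next }
        # remote <host> [port] [proto]: swap the host, keep the port, and
        # convert a per-remote protocol if the line carries one.
        $1 == "remote" && NF >= 2 {
            $2 = addr
            if (NF >= 4 && is_v4_proto($4)) $4 = six($4)
            print; next
        }
        { print }   # every other directive, comment and inline cert is unchanged
    ' "$profile"
}

# Constructed sample profile (203.0.113.10 and 2001:db8::1 are documentation addresses).
demo() {
    tmp=$(mktemp)
    printf '%s\n' 'client' 'dev tun' 'proto tcp' \
        'remote 203.0.113.10 12973' '# remote backup.example 12974' > "$tmp"
    ovpn_to_ipv6 "$tmp" 2001:db8::1
    rm -f "$tmp"
}
demo
```

Redirect the output to a new file and import that file, so the original IPv4 profile stays available as a fallback.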
 
Thanks for taking the time to research this question. I agree. Once those changes are made to configuration files and ip6tables, OpenVPN should function with IPv6. I am also not in a position to validate this and my ISP (Spectrum) does not deliver this Dual Stack - Lite version of IPv6.

My understanding is that OpenVPN listens only to the WAN port, so attempting to connect from any part of LAN (wired or Ethernet) will fail.

Thanks also for remembering Voxel installed only the Client half of WireGuard. I fixated on the greater efficiency of WireGuard and assumed it was a "drop in" replacement for the OpenVPN host. He added OpenVPN Client to OpenVPN host and I thought WireGuard included both features. The README file is very specific: Client only.
 
My understanding is that OpenVPN listens only to the WAN port, so attempting to connect from any part of LAN (wired or Ethernet) will fail.
also see my edit:
for IPv4 OpenVPN seems to listen on both IPv4 Public IP and internal IP.
For IPv6 it only seems to listen on "internal IPv6 IP".
 
It appears I know even less about VPN than I realized. One of the issues that came up on the Netgear forum regarded someone who wanted to VPN from one Orbi LAN to another Orbi LAN. He ran into trouble because the LAN subnet IP was fixed on both systems. (I don't remember which model it was. My Orbi allows me to set the LAN subnet to anything I want, but his was fixed.) So the computer he was using was confused about which network he wanted. Local computers were on the same subnet as the remote LAN and his computer could not tell them apart.

I would think the same thing would happen when connecting a device on the LAN to OpenVPN pointing at the same LAN. Does the iPhone send data (a) out the regular WiFi connection, or (b) through the VPN tunnel?
 
He ran into trouble because the LAN subnet IP was fixed on both systems.
Perhaps those Orbis were in AP mode? In that case I think the main router determines which IP-range is used.

I would think the same thing would happen when connecting a device on the LAN to OpenVPN pointing at the same LAN. Does the iPhone send data (a) out the regular WiFi connection, or (b) through the VPN tunnel?
In principle the iPhone will send all the packets through the VPN tunnel.
Unless the VPN client has defined split tunnel routing to route traffic for certain destinations directly via the WiFi.
(And of course the traffic of the tunnel itself goes directly via WiFi.)

Another exception in some cases can be IPv6. If your phone also has an IPv6 address but the OpenVPN tunnel has no support for IPv6, then traffic to IPv6 websites might be routed outside of the tunnel.
(so a bit of a security risk. You think your traffic is encrypted, but potentially this is only the case for IPv6.)

Something that I might need to look into myself. But it is impossible to test at home.
 
