Help: OpenVPN Server IPv6 configuration

i82register

New Around Here
TL/DR:
Had an OpenVPN server configuration working fine on IPv4.
ISP switched my modem, and now I can't connect to the VPN.
Decided to try it on IPv6, and having trouble with it. After several weeks of fighting it alone, I turn to the pros of the forum.

Details:
Previous config had a 3rd-party modem (Arris TG-1652S) set to DMZ the Asus router, with a NAT option enabled (I don't remember which option specifically, but it worked great).
Why this config? Setting bridge mode created random disconnects of internet that required a power plug-out-plug-in reset, so I avoided that config although it would be preferable.

New config - some obscure 3rd-party modem ("HotBox 4") supplied by the same ISP that I set to bridge mode, which surprisingly works OK now without any disconnects. The modem has a private 100.*.*.* IPv4.
There aren't too many options to play with as this is a closed-garden type of a modem, but there is a "ROUTER-NAT" option that can bind to a MAC. I don't understand what it does as the built-in help provides conflicting information.

Help provided regarding this "Router NAT" option (yes, it's not a mistake that it is flipped, hence my confusion):
Bridge mode: Enter the MAC address of the WAN device to bridge in the "MAC Address" and click "Apply Changes".

And regarding Bridge Mode:
Router mode: Select to activate the router.
NAT mode : Clear the NAT to switch if you are using a router as other equipment.

For the life of me I don't understand it, looks like someone made a mistake in translation or just a bad UI.
Regardless, turning on both Bridge and binding via NAT mode to the MAC of the router yields a catastrophe (no internet) that requires a modem reset via the hardware button.

Behind the modem is an Asus AC-3100, with the new firmware released yesterday. I'm not sure what the IPv4 is, as checking online provides different addresses:
https://www.showmyip.com/ - 5.29.*.*
https://www.myip.com/ - 141.101.*.*
https://mxtoolbox.com/whatismyip/ - 77.137.*.*
https://www.purevpn.com/what-is-my-ip - 172.74.*.*

I think the 77.137.*.* is the actual right one, but regardless, trying to connect via OpenVPN to any of those IPs yields nothing. Error logs provide no information.

Turning IPv6 on the AC-3100 works great (native mode), all supported devices on the network get an IPv6 which is cool, I couldn't do that with the previous modem.
Testing the router via IPv4 on the OpenVPN port gives nothing ("Filtered"). Testing via IPv6 shows that it's open (https://www.ipvoid.com/port-scan/). I can confirm that if I change the port the status changes accordingly, so it's not a coincidence.

But I still can't connect, even after going through tutorials and changing the Asus config file to point to IPv6 connection (dev tun-ipv6, proto tcp6....).

Checking the client side (Windows, v3.3.4) logs shows:
2021 EXCEPTION
tun_win_util: GetBestGateway: 2a00.*.*.*.*.*.*.* is not a valid IPv4 address

That seems like a big client error, thinking it is still trying to connect to IPv4 although I specified IPv6. Googling that error I got nothing useful.

The ISP is unhelpful to say the least, they barely know what IPv6 is or what an open port means.
Before I escalate with the ISP I want to make sure I'm not missing anything on my end, as it seems it's a config issue that I should be able to resolve without them, given that IPv6 works fine and the 1194 port is open.

Any tips will be appreciated.

PS. The OpenVPN profile generated by the router (before I made any changes):

client
dev tun
proto tcp-client
remote (IPv4 address that doesn't work) 1194
resolv-retry infinite
nobind
float
ncp-ciphers CHACHA20-POLY1305:AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
keepalive 15 60
auth-user-pass
remote-cert-tls server
 

eibgrad

Part of the Furniture
Two things come to mind.

You said you've been at this for several weeks using IPv6, but until this most recent Merlin release (386.4), IPv6 wasn't even supported w/ OpenVPN! And even now w/ 386.4, I don't know how well it works.

Also, if your IPv4 connection is 100.*.*.*, it could be CGNAT, which means a private IP, which makes remote access impossible.

So it appears to me that in the process of changing your modem, your ISP ended up moving you from a public IPv4 IP to a private IPv4 IP. If it was me, I'd ask the ISP to please provide me w/ what I had before: a public IPv4 IP. But if you or they insist on an IPv6 IP, then you'll need the latest Merlin 386.4 release if you expect OpenVPN to support IPv6 as well. Again, being so new, that's an unknown quantity at this point.
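To turn the CGNAT point above into a check you can run, here is an added example (not from the thread or any vendor tool) that labels an address as RFC 6598 shared space (100.64.0.0/10, the range carrier-grade NAT hands out), RFC 1918 private, or public, and then compares the router's WAN address with what external what-is-my-IP services report; `SAMPLE_WAN` and `SAMPLE_OBSERVED` are constructed placeholders.

```python
import ipaddress
from collections import Counter

# RFC 6598 shared address space, handed out by ISPs that run carrier-grade NAT.
# Python's ipaddress does not report it as is_private, so it is checked here.
CGNAT = ipaddress.ip_network("100.64.0.0/10")

def classify(addr):
    """Label an address as 'public', 'cgnat' or 'private'."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4 and ip in CGNAT:
        return "cgnat"
    if ip.is_private or ip.is_link_local or ip.is_loopback:
        return "private"
    return "public"

def inbound_verdict(wan_addr, observed):
    """wan_addr: the address the router shows on its WAN side.
    observed: what external what-is-my-IP services report (they can disagree).
    Returns (verdict, detail) on whether a port forward on wan_addr can work."""
    kind = classify(wan_addr)
    if kind != "public":
        return "unreachable", f"WAN address {wan_addr} is {kind}; the ISP NATs it"
    if not observed:
        return "check", "no external observations to compare against"
    top, votes = Counter(observed).most_common(1)[0]
    if top != wan_addr:
        return "unreachable", f"WAN is {wan_addr} but the internet sees {top}"
    if votes < len(observed):
        return "check", f"only {votes}/{len(observed)} services agree on {top}"
    return "reachable", f"{wan_addr} is public and all {votes} services agree"

# Constructed sample: a modem-side 100.x WAN address like the one in the thread,
# plus four disagreeing answers from what-is-my-IP sites (placeholder values).
SAMPLE_WAN = "100.64.12.34"
SAMPLE_OBSERVED = ["198.51.100.7", "203.0.113.9", "198.51.100.21", "192.0.2.44"]
```

A "cgnat" or "private" verdict means no port forward or DMZ on the router can make IPv4 inbound work; only the ISP can change that.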
 

AurelM

Occasional Visitor
Hi,
Using firmware AsusWRT-Merlin 386.4_0 on the router (which has OpenVPN version 2.5.5) and OpenVPN 2.5.5 Windows 64bit client from https://openvpn.net/community-downloads/, I'm able to connect to the server using the WAN IPv6 Address (from WebUI -> System Log -> IPv6), as well as using an IPv6 DDNS name that points to the same address.
Here are my server settings:

OpenVPN-server.png

Here is my client configuration, edited to remove sensitive information:
Code:
client
dev tun
proto udp6
remote [IPv6_address or ddns_name] 1194
float
data-ciphers CHACHA20-POLY1305
data-ciphers-fallback AES-128-GCM
auth SHA1
keepalive 15 60
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-crypt>
resolv-retry infinite
nobind
As you can see, I use UDP instead of TCP and authentication is done by certificate, not user/password.
And here is the OpenVPN GUI with the connection to this server:
OpenVPN-GUI.png

As you can see, the connection is successful and the client received both IPv4 and IPv6 addresses from the server.

Hope this helps.
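An added example (not from the thread, the Merlin firmware or OpenVPN itself) that parses a client profile like the two posted above and reports the checks worth making before escalating to the ISP: whether a `remote` literal's address family contradicts a `proto` that pins IPv4 or IPv6 (udp6/tcp6 vs udp4/tcp4), whether the pre-2.5 `ncp-ciphers` name and non-AEAD CBC ciphers are still in the list, and whether any CA is present to verify the server; the sample profiles and addresses are constructed placeholders.

```python
import ipaddress
import re
# Constructed samples with placeholder addresses: the question's TCP profile,
# and a variant whose proto pins IPv6 while remote is still an IPv4 literal.
PROFILE_TCP = """client
proto tcp-client
remote 192.0.2.10 1194
ncp-ciphers CHACHA20-POLY1305:AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
remote-cert-tls server
"""
PROFILE_MIXED = "client\nproto udp6\nremote 192.0.2.10 1194\nca ca.crt\n"
AEAD = {"CHACHA20-POLY1305", "AES-128-GCM", "AES-192-GCM", "AES-256-GCM"}

def parse_profile(text):
    """Split into (name, args) directives and inline <tag> blocks (PEM kept out)."""
    directives, blocks, cur = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<(/?)([\w-]+)>", line)
        if m:
            cur = None if m.group(1) else m.group(2)
            blocks.setdefault(m.group(2), [])
        elif cur:
            blocks[cur].append(line)
        else:
            name, *args = line.split()
            directives.append((name, args))
    return directives, blocks
def check_profile(text):
    """Return finding codes for address-family, cipher and CA problems."""
    directives, blocks = parse_profile(text)
    proto = next((a[0] for n, a in directives if n == "proto"), "udp")
    pinned = 6 if "6" in proto else 4 if "4" in proto else None
    findings = []
    for n, args in directives:
        if n == "remote" and args:
            try:
                fam = ipaddress.ip_address(args[0].strip("[]")).version
            except ValueError:
                continue  # hostname: its family is decided when it resolves
            if pinned and fam != pinned:
                findings.append("family-mismatch")
        elif n == "ncp-ciphers":
            findings.append("ncp-ciphers-renamed")  # OpenVPN 2.5 name: data-ciphers
        if n in ("ncp-ciphers", "data-ciphers") and set(args[0].split(":")) - AEAD:
            findings.append("non-aead-cipher")
    if not any(n == "ca" for n, _ in directives) and "ca" not in blocks:
        findings.append("missing-ca")  # nothing to verify the server cert against
    return findings
```

A plain `proto udp` or `proto tcp-client` pins nothing, so a hostname `remote` is resolved to whichever family answers; the mismatch finding only fires when the literal and the pinned family disagree.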
 

SomeWhereOverTheRainBow

Part of the Furniture
Hi,
Using firmware AsusWRT-Merlin 386.4_0 on the router (which has OpenVPN version 2.5.5) and OpenVPN 2.5.5 Windows 64bit client from https://openvpn.net/community-downloads/, I'm able to connect to the server using the WAN IPv6 Address (from WebUI -> System Log -> IPv6), as well as using an IPv6 DDNS name that points to the same address.
[...]
Hope this helps.
It doesn't actually route IPv6 internet from my understanding. It only allows you to connect to your home network over IPv6.
 

AurelM

Occasional Visitor
TL/DR:
Had an OpenVPN server configuration working fine on IPv4.
ISP switched my modem, and now I can't connect to the VPN.
Decided to try it on IPv6, and having trouble with it.
[...]
It doesn't actually route IPv6 internet from my understanding. It only allows you to connect to your home network over IPv6.
I thought this was the problem that needed to be solved.
As I see it, if i82register's use case was good before, using IPv4, and now isn't, using IPv6, he should be able to get the configuration back as long as he can connect to the server. Instead of assuming what he wants to do and suggesting things I didn't try, I just showed him my simple configuration that works, in the hope that he can use parts of it to make a successful connection. After this he can make more changes, like routing the router's LAN, or even keep the previous configuration that worked.

Anyway, this is my use case: I want to connect to this VPN server just to manage the router; I don't want to access the internet or the router's LAN through it.
 
