OpenVPN IPV6 support

Discussion in 'Asuswrt-Merlin' started by Rooby, Feb 18, 2015.

  1. Rooby

    Rooby Occasional Visitor

    Joined:
    May 2, 2013
    Messages:
    40
    Hello

    Short question: is IPV6 supported on OpenVPN (ac66u and ac87u router)?
     
  2. nonolk

    nonolk New Around Here

    Joined:
    Jan 31, 2015
    Messages:
    7
  3. Rooby

    Rooby Occasional Visitor

    Joined:
    May 2, 2013
    Messages:
    40
    OK, so the IPV6 OpenVPN binaries are compiled and available on the router.
     
  4. nonolk

    nonolk New Around Here

    Joined:
    Jan 31, 2015
    Messages:
    7
    I'm using it, so yes.... At least on AC68u.
     
  5. Rooby

    Rooby Occasional Visitor

    Joined:
    May 2, 2013
    Messages:
    40
    How do I enable it on the server and client to get IPV6 support on server/client?
    Can I just add in the custom config GUI:

    proto tcp6-client
    proto tcp6-server

    But it does not overwrite the auto-generated entry
    client
    proto tcp

    it will just append it. Is the first config statement then overwritten?

    I want the clients to talk to an IPV6 OpenVPN server (via a 6in4 tunneling provider).
     
  6. nonolk

    nonolk New Around Here

    Joined:
    Jan 31, 2015
    Messages:
    7
    Hello Rooby,

    That's a pretty good question. In fact I'm using a routed site-to-site VPN, with IPV6 inside the VPN tunnel, not outside, so to be honest I really don't know.

    I think the last statement is the one used, but this is just my guess.
    It might be that the server will listen on both IPV4 and IPV6 addresses.

    So try and report back.

    Best regards,
    --
    Nonolk.
     
  7. Rooby

    Rooby Occasional Visitor

    Joined:
    May 2, 2013
    Messages:
    40
    I have now tried to get OpenVPN running through IPV6 (outside the tunnel) with two Asus Merlin Routers
    using TCP as the protocol and TUN as interface.
    On IPV4 I get connection and everything works well.

    For IPV6 I have set on the server in the custom config:
    Code:
    proto tcp6
    
    Additionally I have opened port 1194 on the IPV6 firewall (maybe not needed, maybe already done by OpenVPN).

    On the clients I have set in the custom config:
    Code:
    remote <my IPV6 DynDNS address> 1194 tcp6
    
    When I make the GUI entry in the client for the IPV4 server address invalid
    the client tries to connect to the server via IPV6:
    Code:
    Feb 26 15:16:35 openvpn[19763]: Attempting to establish TCP connection with [AF_INET6]2003:66:xxxx:xxxx::1:1194 [nonblock]
    Feb 26 15:16:45 openvpn[19763]: TCP: connect to [AF_INET6]2003:66:xxxx:xxxx::1:1194 failed, will try again in 5 seconds: Connection timed out
    Feb 26 15:16:45 openvpn[19763]: SIGUSR1[soft,init_instance] received, process restarting
    Feb 26 15:16:45 openvpn[19763]: Restart pause, 5 second(s)
    
    To me it looks like the server is not answering.
    But I can ping my IPV6 2003:66:xxxx:xxxx::1.
    If I do a port scan (http://www.subnetonline.com/pages/ipv6-network-tools/online-ipv6-port-scanner.php), port 1194 does not seem to be open.

    Is there anything I forgot to configure on the server?
     
  8. nonolk

    nonolk New Around Here

    Joined:
    Jan 31, 2015
    Messages:
    7
    Hello Rooby,

    For me it's clearly a firewall issue. Your firewall doesn't let clients connect to port 1194 on the router.

    The important word here is on the router.

    For instance, in my scenario, to allow ssh from the tunnel to the router endpoint I had to add the following rule:
    ip6tables -I INPUT -i tun11 -j ACCEPT

    Don't use it like that; it won't work in your scenario.

    I think you can first try to temporarily disable the IPV6 firewall to see if it works. If yes, the problem is the firewall, and you will have to insert a rule matching your environment.

    By default the IPV6 firewall from the Merlin firmware allows ping to all addresses.

    But right now there are no rules to allow OpenVPN.

    Best regards,
    --
    Nonolk.
     
  9. Rooby

    Rooby Occasional Visitor

    Joined:
    May 2, 2013
    Messages:
    40
    I was wondering why the ping was working. Now it is clear.
    But unfortunately when I disable the IPV6 firewall the problem is the same. I get no connection.
     
  10. Rooby

    Rooby Occasional Visitor

    Joined:
    May 2, 2013
    Messages:
    40
    So I got it running by adding a command in the shell:
    Code:
    ip6tables -I INPUT -p tcp -j ACCEPT
    
    I guess with that I opened everything with TCP, which is not a good way of doing it.
    Is there a better way to just open TCP for port 1194?

    Should this not be done by the IPV6 firewall when I open TCP and port 1194?
    But this was not working even when I disabled the IPV6 firewall altogether.
    Is the IPV6 firewall working in 378.50?
    Additionally, allowing ping to all clients by default is also quite bad for a firewall.
     
  11. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    24,571
    Location:
    Canada
    Allowing ICMP pings is required as per the IPv6 RFCs.
     
  12. Rooby

    Rooby Occasional Visitor

    Joined:
    May 2, 2013
    Messages:
    40
    OK, I did not know that. But personally I think it is not good to reply to pings if not really necessary.

    RMerlin, can you check if the IPV6 firewall is working correctly?
    I have now added the following in the firewall-start script:
    Code:
    ip6tables -I INPUT -i ppp0 -p tcp --dport 1194 -j ACCEPT
    
    I guess this is the correct setting to open only port 1194 for OpenVPN and IPV6.
    But shouldn't it be done by the firewall when I open the port 1194 or even automatically when I enable OpenVPN?
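
An added example, not code from the thread or from the firmware: a helper for the firewall-start script that removes the catch-all TCP rule from post 10 if it is still loaded and installs the port-specific rule from post 12 exactly once, however often the script runs. The function names and the `IP6T` override are hypothetical, and `ppp0` is the interface from post 12; a different WAN or tunnel interface needs a different value.

```shell
#!/bin/sh
# Added example. IP6T can be pointed at a stub to rehearse the change.
IP6T="${IP6T:-ip6tables}"

# Delete every copy of a rule and print how many were removed.
# -D fails once no matching rule is left, which ends the loop.
purge_rule() {
    n=0
    while $IP6T -D "$@" 2>/dev/null; do
        n=$((n + 1))
    done
    echo "$n"
}

# Usage: open_openvpn6 <iface> <tcp|udp> <port>
open_openvpn6() {
    # Refuse anything that is not a plain protocol name and port number,
    # so a typo cannot turn into a broader rule than intended.
    case $2 in tcp|udp) ;; *) return 2 ;; esac
    case $3 in ''|*[!0-9]*) return 2 ;; esac
    [ "$3" -ge 1 ] && [ "$3" -le 65535 ] || return 2

    # Post 10's rule accepts all inbound traffic of that protocol on every
    # interface; remove it if an earlier shell session left it behind.
    purge_rule INPUT -p "$2" -j ACCEPT >/dev/null

    # Remove stale copies of the narrow rule, then insert it once, so
    # repeated firewall restarts do not stack duplicates.
    purge_rule INPUT -i "$1" -p "$2" --dport "$3" -j ACCEPT >/dev/null
    $IP6T -I INPUT -i "$1" -p "$2" --dport "$3" -j ACCEPT
}

# When run with three arguments (e.g. "ppp0 tcp 1194"), apply the rule.
if [ "$#" -eq 3 ]; then
    open_openvpn6 "$@"
fi
```
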
     
  13. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    24,571
    Location:
    Canada
    Why? Not responding to pings is just silly paranoia. Besides, who would scan 2^128 IPs through pings to find out systems that actually respond to pings? That would require someone willing to die of old age before he can find a valid target.

    I didn't implement IPv6 support for OpenVPN, so I wasn't expecting it to work.
     
  14. Rooby

    Rooby Occasional Visitor

    Joined:
    May 2, 2013
    Messages:
    40
    This is quite easy: it will show a potential hacker that yes, there is a target which is alive and waiting to get hacked. Maybe the reply will also show the operating system. But I do not know much about TCP/IP packets. A good firewall will just drop everything which is not configured and does not reply. A stupid ping search over all possible addresses is of course not practicable. I fully agree.

    Yes, it seems to work, so I can connect to my server (server and client both are RT-AC66U with your SW). I can see the IPV6 client address in the VPN server overview.
    To make it more convenient I would suggest adding UDP6/TCP6 as a drop-down menu to the GUI of server and client, and on the client, if UDP6 or TCP6 is selected, adding just one additional line for the IPV6 server address, which results in two remote statements in the OpenVPN config file with the IPV6 one first. Then when IPV6 is not working it falls back to the IPV4 connection.
    What do you think?

    For the firewall to open port 1194 for IPV6 I don't really know how to handle it. Maybe open it automatically if UDP6 or TCP6 is chosen or just give a hint to open it manually.
     
    Last edited: Feb 27, 2015
  15. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    24,571
    Location:
    Canada
    Adding IPv6 support is not a priority right now (it'd be tricky for me to test it) but I will possibly eventually take a look at it to see how doable it would be. For now I can at least take a look at the firewall part of it, since this is something normally handled automatically on the IPv4 side of things, so I'd do the same thing for IPv6 - should be rather simple to implement.
     
  16. Rooby

    Rooby Occasional Visitor

    Joined:
    May 2, 2013
    Messages:
    40
    OK, if not possible/no priority, maybe you can put it in the pipe. In Germany we have an important cable provider which uses IPV6 and DS-Lite, which means you have only a native IPV6 connection. So IPV6 is becoming more important, at least here ...
    But nevertheless thank you for your work. Without your work I would miss important features like OpenVPN.
     
  17. john9527

    john9527 Part of the Furniture

    Joined:
    Mar 28, 2014
    Messages:
    4,738
    Location:
    United States
    Just a little tweak for your work queue (the firewall part) :) I took a look at it and there were a couple of things I wasn't sure of. Thanks!
     
  18. Chrysalis

    Chrysalis Senior Member

    Joined:
    Jan 11, 2013
    Messages:
    473
    Location:
    UK
    Blocking pings is 1990s-style security.

    It's no real security concern.
     
  19. Hunny Puppy

    Hunny Puppy Occasional Visitor

    Joined:
    Sep 11, 2017
    Messages:
    10
    So, following up on this thread, does Asus Merlin have support for OpenVPN IPv6 now with the 380 and newer firmware?
    I'm trying to address an issue of IPv6 leaking. What's happening is that some of my clients are connecting through a network which has IPv6. So some of the packets are leaking onto the internet directly without going through the VPN (as Windows prefers IPv6 to IPv4). I'm trying to figure out a way to tell the VPN client to redirect ALL traffic to the OpenVPN server, and I thought one way to do that would be to set up an IPv6 tunnel. @RMerlin, any advice on this to get all traffic routed to the VPN (IPv6 and IPv4)? I can't disable the IPv6 protocol on the remote clients in all cases, hence trying to handle this through the OpenVPN server/client configs.
     
  20. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    24,571
    Location:
    Canada
    No.
     