Tunneling IPv6 over IPv4 with OpenVPN

amtino

New Around Here
I am attempting to give my OpenVPN clients IPv6 connectivity with addresses from my Hurricane Electric /48. I'm running Merlin's 378.54_1 on an Asus RT-AC66U. Clients on my LAN are getting IPv6 addresses and connectivity without a problem from my 2001:xxxx:xxxx:xxx1::/64 subnet, and my OpenVPN tunnel works perfectly with IPv4 only, but adding IPv6 support on the server breaks both IPv4 and IPv6 connectivity.

Here is my working server config:
[screenshot: Screen Shot 2015-06-27 at 11.04.09 PM.png]

Client config:
Code:
client
dev tun
proto udp
remote net.(myhost).com 1194
cipher bf-cbc
float
comp-lzo adaptive
keepalive 15 60
<ca>
...
</ca>
<cert>
...
</cert>
<key>
...
</key>
ns-cert-type server
resolv-retry infinite
nobind

Server log:
Code:
Jun 27 23:10:51 openvpn[2935]: ::ffff:184.xxx.xxx.xxx TLS: Initial packet from [AF_INET6]::ffff:184.xxx.xxx.xxx:60925, sid=546333ee 91fea058
Jun 27 23:10:52 openvpn[2935]: ::ffff:184.xxx.xxx.xxx VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=net.(mydomain).com, name=changeme, emailAddress=mail@host.domain
Jun 27 23:10:52 openvpn[2935]: ::ffff:184.xxx.xxx.xxx VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=(client), name=changeme, emailAddress=mail@host.domain
Jun 27 23:10:52 openvpn[2935]: ::ffff:184.xxx.xxx.xxx Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jun 27 23:10:52 openvpn[2935]: ::ffff:184.xxx.xxx.xxx Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jun 27 23:10:52 openvpn[2935]: ::ffff:184.xxx.xxx.xxx Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jun 27 23:10:52 openvpn[2935]: ::ffff:184.xxx.xxx.xxx Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jun 27 23:10:52 openvpn[2935]: ::ffff:184.xxx.xxx.xxx Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Jun 27 23:10:52 openvpn[2935]: ::ffff:184.xxx.xxx.xxx [(client)] Peer Connection Initiated with [AF_INET6]::ffff:184.xxx.xxx.xxx:60925
Jun 27 23:10:52 openvpn[2935]: (client)/::ffff:184.xxx.xxx.xxx MULTI_sva: pool returned IPv4=10.100.93.2, IPv6=(Not enabled)
Jun 27 23:10:52 openvpn[2935]: (client)/::ffff:184.xxx.xxx.xxx MULTI: Learn: 10.100.93.2 -> (client)/::ffff:184.xxx.xxx.xxx
Jun 27 23:10:52 openvpn[2935]: (client)/::ffff:184.xxx.xxx.xxx MULTI: primary virtual IP for (client)/::ffff:184.xxx.xxx.xxx: 10.100.93.2
Jun 27 23:10:55 openvpn[2935]: (client)/::ffff:184.xxx.xxx.xxx PUSH: Received control message: 'PUSH_REQUEST'
Jun 27 23:10:55 openvpn[2935]: (client)/::ffff:184.xxx.xxx.xxx send_push_reply(): safe_cap=940
Jun 27 23:10:55 openvpn[2935]: (client)/::ffff:184.xxx.xxx.xxx SENT CONTROL [(client)]: 'PUSH_REPLY,route 10.100.92.0 255.255.255.0,dhcp-option DNS 10.100.92.1,redirect-gateway def1,route-gateway 10.100.93.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.100.93.2 255.255.255.0' (status=1)

But then, when I add this to my OpenVPN custom config...
Code:
server-ipv6 2001:xxxx:xxxx:xxx2::/64
(with my actual subnet in place of the x's, of course) my client is assigned an IPv4 and IPv6 address, but there is no connectivity to the Internet or to destinations within the VPN using either IPv4 or IPv6.

The server log:
Code:
Jun 27 23:22:03 openvpn[2999]: ::ffff:184.xxx.xxx.xxx TLS: Initial packet from [AF_INET6]::ffff:184.xxx.xxx.xxx:52396, sid=a878a21c d800441d
Jun 27 23:22:04 openvpn[2999]: ::ffff:184.xxx.xxx.xxx VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=net.(mydomain).com, name=changeme, emailAddress=mail@host.domain
Jun 27 23:22:04 openvpn[2999]: ::ffff:184.xxx.xxx.xxx VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=client, name=changeme, emailAddress=mail@host.domain
Jun 27 23:22:05 openvpn[2999]: ::ffff:184.xxx.xxx.xxx Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jun 27 23:22:05 openvpn[2999]: ::ffff:184.xxx.xxx.xxx Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jun 27 23:22:05 openvpn[2999]: ::ffff:184.xxx.xxx.xxx Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jun 27 23:22:05 openvpn[2999]: ::ffff:184.xxx.xxx.xxx Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jun 27 23:22:05 openvpn[2999]: ::ffff:184.xxx.xxx.xxx Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Jun 27 23:22:05 openvpn[2999]: ::ffff:184.xxx.xxx.xxx [client] Peer Connection Initiated with [AF_INET6]::ffff:184.xxx.xxx.xxx:52396
Jun 27 23:22:05 openvpn[2999]: client/::ffff:184.xxx.xxx.xxx MULTI_sva: pool returned IPv4=10.100.93.2, IPv6=2001:xxxx:xxxx:xxxx::1000
Jun 27 23:22:05 openvpn[2999]: client/::ffff:184.xxx.xxx.xxx MULTI: Learn: 10.100.93.2 -> client/::ffff:184.xxx.xxx.xxx
Jun 27 23:22:05 openvpn[2999]: client/::ffff:184.xxx.xxx.xxx MULTI: primary virtual IP for client/::ffff:184.xxx.xxx.xxx: 10.100.93.2
Jun 27 23:22:05 openvpn[2999]: client/::ffff:184.xxx.xxx.xxx MULTI: Learn: 2001:xxxx:xxxx:xxx2::1000 -> client/::ffff:184.xxx.xxx.xxx
Jun 27 23:22:05 openvpn[2999]: client/::ffff:184.xxx.xxx.xxx MULTI: primary virtual IPv6 for client/::ffff:184.xxx.xxx.xxx: 2001:xxxx:xxxx:xxxx::1000
Jun 27 23:22:07 openvpn[2999]: client/::ffff:184.xxx.xxx.xxx PUSH: Received control message: 'PUSH_REQUEST'
Jun 27 23:22:07 openvpn[2999]: client/::ffff:184.xxx.xxx.xxx send_push_reply(): safe_cap=940
Jun 27 23:22:07 openvpn[2999]: client/::ffff:184.xxx.xxx.xxx SENT CONTROL [client]: 'PUSH_REPLY,ifconfig-ipv6 2001:xxxx:xxxx:xxx2::1000/64 2001:xxxx:xxxx:xxx2::1,route 10.100.92.0 255.255.255.0,dhcp-option DNS 10.100.92.1,redirect-gateway def1,tun-ipv6,route-gateway 10.100.93.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.100.93.2 255.255.255.0' (status=1)
Jun 27 23:22:17 openvpn[2999]: client/::ffff:184.xxx.xxx.xxx write to TUN/TAP : Invalid argument (code=22)
Jun 27 23:22:18 openvpn[2999]: client/::ffff:184.xxx.xxx.xxx write to TUN/TAP : Invalid argument (code=22)
Jun 27 23:22:19 openvpn[2999]: client/::ffff:184.xxx.xxx.xxx write to TUN/TAP : Invalid argument (code=22)
Jun 27 23:22:20 openvpn[2999]: client/::ffff:184.xxx.xxx.xxx write to TUN/TAP : Invalid argument (code=22)
……….
Jun 27 23:22:42 openvpn[2999]: client/::ffff:184.xxx.xxx.xxx write to TUN/TAP : Invalid argument (code=22)
Jun 27 23:23:29 openvpn[2999]: event_wait : Interrupted system call (code=4)
Jun 27 23:23:29 openvpn[2999]: TITLE,OpenVPN 2.3.6 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jun  8 2015
Jun 27 23:23:29 openvpn[2999]: TIME,Sat Jun 27 23:23:29 2015,1435461809
Jun 27 23:23:29 openvpn[2999]: HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username
Jun 27 23:23:29 openvpn[2999]: CLIENT_LIST,client,::ffff:184.xxx.xxx.xxx,10.100.93.2,19473,4985,Sat Jun 27 23:22:03 2015,1435461723,UNDEF
Jun 27 23:23:29 openvpn[2999]: HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
Jun 27 23:23:29 openvpn[2999]: ROUTING_TABLE,2001:xxxx:xxxx:xxx2::1000,client,::ffff:184.xxx.xxx.xxx,Sat Jun 27 23:22:05 2015,1435461725
Jun 27 23:23:29 openvpn[2999]: ROUTING_TABLE,10.100.93.2,client,::ffff:184.xxx.xxx.xxx,Sat Jun 27 23:22:42 2015,1435461762
Jun 27 23:23:29 openvpn[2999]: GLOBAL_STATS,Max bcast/mcast queue length,0
Jun 27 23:23:29 openvpn[2999]: END
Jun 27 23:24:42 openvpn[2999]: client/::ffff:184.xxx.xxx.xxx [client] Inactivity timeout (--ping-restart), restarting
Jun 27 23:24:42 openvpn[2999]: client/::ffff:184.xxx.xxx.xxx SIGUSR1[soft,ping-restart] received, client-instance restarting

I imagine the "Invalid argument (code=22)" error is the cause of my problems, but most things I've read indicate this is often caused by the lack of a defined comp-lzo setting. I have comp-lzo adaptive set on both ends of the tunnel. Yes, my internal network and OpenVPN tunnel are using two different /64s. And yes, the same outcome happens when I push a route to my internal IPv6 from my OpenVPN IPv6.

Does anyone have an idea of what I may be doing wrong?

TL;DR: OpenVPN server returns "write to TUN/TAP : Invalid argument (code=22)" error when I try to push IPv6 through my IPv4 tunnel.
 
This problem persists with Asuswrt-Merlin 378.55. The "server-ipv6" command triggers the
"write to TUN/TAP : Invalid argument (code=22)" error, killing IPv4 connectivity...
 
Did it ever work in a prior firmware version?
 
Doing IPv6 over VPN is not efficient. For VPN, IPv4 packets are tunnelled over the VPN (which adds some overhead). Now IPv6 packets tunnel over IPv4 (which in turn is tunnelled over the VPN). Oh my...

May I ask what is your intended use?
 
I use my VPN to tunnel my web traffic when I'm traveling and using public networks, so I'd like to be able to route IPv6 traffic through the tunnel as well. As of now, IPv4 traffic goes through the tunnel but IPv6 traffic goes through the local network.
 
I followed this guide, https://community.openvpn.net/openvpn/wiki/IPv6 and managed to get IPv6 inside the VPN tunnel working* on an AC56U with 378.55. I didn't get the write to tun/tap error.

Also on a Hurricane /48. One /64 subnet for the LAN, and another /64 subnet for OpenVPN. Btw, both /64 subnets are public IPs. So I couldn't figure out how this actually works in OpenVPN**. Here comes the asterisk.

IPv4 traffic works perfectly. IPv6 inside the VPN is kind of working. Passed test-ipv6 dot com (but it's showing my WAN IPv6 address... referring back to **). Connecting to a pure IPv6 site fails. Connecting to a site with both IPv4 and IPv6 is OK and shows the IPv6 version of the site.

If your purpose is to stop IPv6 leakage on the client side once OpenVPN is up, this seems to work.
 
The IPv6 connection issue is caused by the following missing rules for the TUN interface(s).
Code:
ip6tables -A INPUT -i tun21 -j ACCEPT
ip6tables -A FORWARD -i tun21 -j ACCEPT
where tun21 is my active TUN. With these added, IPv6 is fully functional inside the OpenVPN tunnel.
 
I am trying to get IPv6 working out to the internet from within my VPN tunnel.

adding:
server-ipv6 2602:43:492:4800::/64
push "route-ipv6 2000::/3"

...to my VPN server config gives my VPN client an IPv6 address, but it is not visible/accessible to the web.

To add the ip6tables in the previous post, do I need to enable JFFS custom scripts and configs and SSH in? Or is there another way to input this?

Thanks in advance!
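An added example (not a script from this thread or from Asuswrt-Merlin) that installs the two ip6tables rules from the earlier post idempotently, so they survive firewall restarts, which is what the question above about JFFS scripts is getting at. It assumes Asuswrt-Merlin's /jffs/scripts/firewall-start hook with custom scripts enabled, and that the OpenVPN servers sit on tun21 and tun22 (the thread itself only mentions tun21).

```shell
#!/bin/sh
# Added example, not the thread's own script. Intended to live at
# /jffs/scripts/firewall-start (assumed hook) so the rules are re-applied
# every time the firmware rebuilds its firewall.

# The two rules the thread identifies, without the leading chain keyword.
# Both match only packets *arriving* from the tunnel (-i); nothing else in
# the v6 firewall is touched.
rule_specs() {
    printf '%s\n' "INPUT -i $1 -j ACCEPT" "FORWARD -i $1 -j ACCEPT"
}

# Read an `ip6tables -S` dump on stdin and print only the rules for the
# given TUN that are not installed yet (ip6tables -S prints them as -A ...).
missing_rules() {
    dump=$(cat)
    rule_specs "$1" | while IFS= read -r spec; do
        case "$dump" in
            *"-A $spec"*) ;;             # already present, skip
            *) printf '%s\n' "$spec" ;;
        esac
    done
}

# Install whatever is missing. -I at position 1 (rather than the -A from the
# post) so the rule lands ahead of any DROP the firmware already keeps at the
# end of INPUT/FORWARD; re-running the script never duplicates a rule.
apply_rules() {
    ip6tables -S | missing_rules "$1" | while IFS= read -r spec; do
        chain=${spec%% *}
        # word-splitting of ${spec#* } into separate arguments is intended
        ip6tables -I "$chain" 1 ${spec#* }
    done
}

main() {
    # tun21/tun22 = OpenVPN server 1/2 on Asuswrt-Merlin (assumed);
    # only touch interfaces that actually exist.
    for tun in tun21 tun22; do
        ip link show "$tun" >/dev/null 2>&1 && apply_rules "$tun"
    done
}

# Only act when run as the firewall hook; sourcing the file just defines
# the functions (handy for checking with `ip6tables -S | missing_rules tun21`).
case "$0" in *firewall-start) main ;; esac
```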
 
