Unable to connect to OpenVPN over IPv6


hillbeast

New Around Here
Hi! I'm trying to set up openvpn server to let clients connect using the router's ipv6 address, but failing. My openvpn server is working fine over ipv4, but my ISP in the UK uses carrier-grade NAT, and I don't want to keep paying for a static IP address. Any help or clues regarding what I could be missing would be greatly appreciated!! Below is more info and what I've tried so far. The thing I don't understand right now is why the WAN IPv6 address (2a01:4b00:efgh:...) looks so different to the LAN IPv6 prefix (2a01:4b00:abcd:1200::1/56) my router gets to manage.

Router: Asus RT-AC68U
Firmware: MerlinWRT 384.19

IPv6 Connection Type: Native with DHCP-PD
WAN IPv6 Address: 2a01:4b00:efgh:xxxx:xxxx:xxxx:xxxx:eff5
WAN IPv6 Gateway: fe80::a208:6fff:fe9d:5b5b
LAN IPv6 Address: 2a01:4b00:abcd:1200::1/56
DHCP-PD: Enabled
LAN IPv6 Prefix: 2a01:4b00:abcd:1200::/56


Custom VPN Server configuration (in addition to basic IPv4 settings on the UI):
proto udp6
server-ipv6 2a01:4b00:abcd:1200:123::/80
push "route-ipv6 2a01:4b00:abcd:1200::/56"
push "route-ipv6 2000::/3"
push "dhcp-option DNS6 2a01:4b00:abcd:1200::1"

OpenVPN Client config:
client
dev tun
remote 2a01:4b00:abcd:1200::1 1194 udp6 ;; <- this doesn't work
;remote 2a01:4b00:efgh:xxxx:xxxx:xxxx:xxxx:eff5 1194 udp6 ;; <- this doesn't work
;remote 123.0.456.789 1194 udp ;; <- this works
resolv-retry infinite
nobind
float
ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
cipher AES-128-CBC
compress lz4-v2
keepalive 15 60
auth-user-pass
remote-cert-tls server
...

Any help is greatly appreciated!! Thanks in advance :)
 

hillbeast

New Around Here
I've also tried enabling and disabling the firewall, but no luck. The IPv6 connection just gets stuck in this state:

2021-04-22 09:20:44.471208 UDPv6 link local: (not bound)
2021-04-22 09:20:44.471220 UDPv6 link remote: [AF_INET6]{remote ipv6 address from client config}
2021-04-22 09:20:44.471244 MANAGEMENT: >STATE:1619079644,WAIT,,,,,,


As for the ipv4 connection, I am able to connect successfully and even get allotted a virtual ipv6 address, but it always ends up using UDPv4, and the IPv6 routing never works (when I check on ipv6-test.com). Just to clarify, my client network does support ipv6 and everything looks fine on ipv6-test.com. Here are the client connection logs when I use the ipv4 connection: https://gist.github.com/shivanker/0f28d4fd471943642222907b4abeb009
 

hillbeast

New Around Here
Oh, that would be slightly surprising. Because I do get an ipv6 address when I connect over ipv4, and I see everything going fine in the ovpn-server initialization logs:

Apr 21 20:42:44 ovpn-server1[942]: ovpn-up 1 server tun21 1500 1622 10.8.0.1 255.255.255.0 init
Apr 21 20:42:44 ovpn-server1[942]: Could not determine IPv4/IPv6 protocol. Using AF_INET6
Apr 21 20:42:44 ovpn-server1[942]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Apr 21 20:42:44 ovpn-server1[942]: setsockopt(IPV6_V6ONLY=0)
Apr 21 20:42:44 ovpn-server1[942]: UDPv6 link local (bound): [AF_INET6][undef]:1194
Apr 21 20:42:44 ovpn-server1[942]: UDPv6 link remote: [AF_UNSPEC]
Apr 21 20:42:44 ovpn-server1[942]: MULTI: multi_init called, r=256 v=256
Apr 21 20:42:44 ovpn-server1[942]: IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Apr 21 20:42:44 ovpn-server1[942]: Initialization Sequence Completed


Any way to confirm if IPv6 support is indeed lacking? I tried checking the port status on netstat, and it seems like openvpn is receiving udp packets over the ipv6 address:

$ [email protected]:/tmp/home/root# netstat -putan | grep 1194
udp 0 0 :::1194 :::* 14078/vpnserver1
 

ColinTaylor

Part of the Furniture
Merlin has stated many times that IPv6 is not supported for the OpenVPN server.

This thread might suggest there's "an issue" when IPv6 is enabled on the WAN.
 

hillbeast

New Around Here
Sorry, I'm pretty new around here.. Is this a hardware issue, or does MerlinWRT not support VPN-over-IPv6 on any model? Is this something I could contribute to the community? Or is it really beyond any hope to get this working?
 

ColinTaylor

Part of the Furniture
It's not a hardware issue. It's just that stock Asus firmware doesn't support it and neither does Merlin. I don't see any realistic chance of IPv6 VPN support being added by Merlin as he has frequently said that as he doesn't have an IPv6 connection himself he has no way of developing, testing and supporting IPv6 applications.
 

AurelM

Occasional Visitor
I've posted a tutorial about this, not two weeks ago: IPv6 DDNS (noip.com) and VPN server for CG-NAT IPv4. Did it not show in your search results or did it not help you?

Keep in mind that the firmware I use is the newer 386 branch with openvpn 2.5.x, but it should work on the older firmware as well. The newer version supports the CHACHA20-POLY1305 cipher for data encryption which is faster than AES-128-CBC on processors that don't have AES hardware acceleration like the one the Asus RT-AC68U router uses, so if not for a really good reason for sticking with the older firmware, I would upgrade and use this cipher.

AsusWRT-Merlin firmware does not support setting up an IPv6 OpenVPN server through the WebUI, but it can be done through scripts.

I would disable compression, see The VORACLE attack vulnerability for more information.
At first I would leave the Custom Configuration field empty and make sure the tunnel works (by trying to access the router's WebUI from the client using the router's LAN IP Address) and then add to it as necessary.

I don't see the proto statement in your client config. It should be like this:
Code:
client
dev tun
proto udp6
remote 2a01:4b00:efgh:xxxx:xxxx:xxxx:xxxx:eff5 1194
resolv-retry infinite
[...]
So use the router's WAN IPv6 Address for the remote statement or an IPv6 host name that resolves to it.
 

hillbeast

New Around Here
Did it not show in your search results or did it not help you?
It did not show up. :) Let me give it a read now! Thanks!!

if not for a really good reason for sticking with the older firmware, I would upgrade and use this cipher.
That's really cool, thanks for letting me know. I'm not physically near my router right now (only 2500 miles away). But I do plan to upgrade when I get back and have some time on my hands.

I would disable compression, see The VORACLE attack vulnerability for more information.
Yeah, that's a calculated risk on my part -- given that I was struggling with HD streaming given my ISP's upload speed.

I don't see the proto statement in your client config.
I've actually inlined the protocol into the remote line. It's just another syntax for the same thing -
remote 2a01:4b00:abcd:1200::1 1194 udp6
 

hillbeast

New Around Here
Doesn't seem to work for me. :( I tried running the script manually as well. Verified the nvram vpnserver proto was set to udp6. Verified the changes in ip6tables. Still couldn't connect to the VPN with the ipv6 address (ddns is a separate issue, and I don't care much about it). One question though - with your script, do I still need the additional lines in vpn server config?
Custom VPN Server configuration (in addition to basic IPv4 settings on the UI):
proto udp6
server-ipv6 2a01:4b00:abcd:1200:123::/80
push "route-ipv6 2a01:4b00:abcd:1200::/56"
push "route-ipv6 2000::/3"
push "dhcp-option DNS6 2a01:4b00:abcd:1200::1"


As for the LAN IPv6 address vs the WAN IPv6 address, I enabled SSH from WAN, and verified that the LAN IPv6 is indeed my router's publicly visible IP address, not the WAN IPv6 address. Next up, I'm thinking of logging if the router receives any UDP packet on the ipv6 address at all (using ip6tables).

EDIT: ^ Yeah the packets processed by the INPUT rule do go up when I try to connect (with LAN ipv6 address).
In addition to the INPUT rule, I also added a FORWARD rule for tun21 as indicated in this post - https://www.snbforums.com/threads/openvpn-ipv6.40549/#post-340077. But still no luck. :(

Code:
[email protected]:/tmp/home/root# ip6tables -L -v | grep -E '(tun21|1194|Chain INPUT|Chain FORWARD)'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
   17  1054 ACCEPT     udp      any    any     anywhere             anywhere             udp dpt:1194
Chain FORWARD (policy DROP 0 packets, 0 bytes)
  456 64184 ACCEPT     all      tun21  any     anywhere             anywhere
 

AurelM

Occasional Visitor
I've actually inlined the protocol into the remote line. It's just another syntax for the same thing -
I actually saw this, but did not know it works like this so I suggested a way that I know works. But after checking the manual, I now know this works too.
do I still need the additional lines in vpn server config?
There shouldn't need to be anything there to make the client connect. As I said, I would leave it empty at first to make sure it works and then add to it. I don't have anything there, but I only use that server to reach the router.
The script is there to add the ip6tables rule in case the router reboots and it also makes sure that the protocol is set to udp6 in case any changes are made in the WebUI.
As for the LAN IPv6 address vs the WAN IPv6 address, I enabled SSH from WAN, and verified that the LAN IPv6 is indeed my router's publicly visible IP address, not the WAN IPv6 address. Next up, I'm thinking of logging if the router receives any UDP packet on the ipv6 address at all (using ip6tables).
I just tried using the LAN IPv6 Address in the client config and it won't connect. Switched to the WAN IPv6 Address and it connects like before. So definitely use the WAN IPv6 Address.

As for the SSH working, remember that IPv6 is meant to give all hosts an internet-routable address (or publicly visible, to use your words), so it makes sense you are able to connect to both WAN and LAN IPv6 addresses. Have you tried connecting to the WAN IPv6 Address using SSH and it actually didn't work (after enabling access from WAN also)?
In addition to the INPUT rule, I also added a FORWARD rule for tun21 as indicated in this post - https://www.snbforums.com/threads/openvpn-ipv6.40549/#post-340077.
I don't have this rule set, but I've added it and it makes no difference as far as the client being able to connect. From what I can tell, this rule is there for allowing IPv6 requests from VPN clients to go to another interface of the router, like to a host in LAN through the br0 interface.
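The two checks discussed in this exchange (AurelM's boot-time script that re-adds the ip6tables INPUT rule and re-asserts the udp6 protocol, and hillbeast's method of watching the packet counter on that rule to confirm that UDP actually arrives over IPv6) are illustrated below as an added, constructed example. It is not AurelM's script and not part of the thread; the `firewall-start` hook location, the `vpn_server1_proto` nvram key and the `ip6tables -C` idempotency check are assumptions, and the embedded `ip6tables -L -v` listing is constructed to match the shape of the output hillbeast posted.

```shell
#!/bin/sh
# Constructed example of a /jffs/scripts/firewall-start style hook for an
# Asuswrt-Merlin router (hook path is an assumption, not from the thread).
# Run with APPLY=1 on the router to make changes; without it only the pure
# helper functions are defined so the file can be sourced for inspection.

VPN_PORT="${VPN_PORT:-1194}"
IP6T="${IP6T:-ip6tables}"          # overridable so a stub can stand in for ip6tables
NVRAM_PROTO_KEY="vpn_server1_proto" # assumed nvram key for the server-1 protocol

# Rule spec accepting OpenVPN's UDP port on the IPv6 INPUT chain.
# Returned as words so it can be passed to ip6tables -C / -I unchanged.
ovpn6_input_rule() {
    printf 'INPUT -p udp --dport %s -j ACCEPT' "$1"
}

# Idempotently ensure a rule exists: probe with -C first so a reboot or a
# re-run of the hook never stacks duplicate rules. $1 is the rule spec and is
# deliberately left unquoted so it splits into ip6tables arguments.
ensure_rule() {
    if "$IP6T" -C $1 2>/dev/null; then
        echo "present: $1"
    else
        "$IP6T" -I $1 && echo "added: $1"
    fi
}

# Re-assert udp6 on the server in case the WebUI rewrote it; only touches
# nvram when the value actually differs. Assumed nvram/service names.
ensure_udp6_proto() {
    if [ "$(nvram get "$NVRAM_PROTO_KEY")" != "udp6" ]; then
        nvram set "$NVRAM_PROTO_KEY=udp6"
        nvram commit
        service restart_vpnserver1
    fi
}

# Read an `ip6tables -L INPUT -v` listing on stdin and print the packet
# counter of the ACCEPT line for udp dpt:<port>; prints 0 when no such rule
# is listed. Comparing two readings taken around a connection attempt shows
# whether the router receives the client's UDP over IPv6 at all.
accepted_packets() {
    awk -v want="dpt:$1" '
        $3 == "ACCEPT" && $NF == want { print $1; found = 1 }
        END { if (!found) print 0 }'
}

# Constructed listing modelled on the output posted in the thread.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
   17  1054 ACCEPT     udp      any    any     anywhere             anywhere             udp dpt:1194
Chain FORWARD (policy DROP 0 packets, 0 bytes)
  456 64184 ACCEPT     all      tun21  any     anywhere             anywhere'

if [ "${APPLY:-0}" = "1" ]; then
    ensure_rule "$(ovpn6_input_rule "$VPN_PORT")"
    ensure_udp6_proto
    before=$("$IP6T" -L INPUT -v | accepted_packets "$VPN_PORT")
    echo "packets accepted on udp/$VPN_PORT so far: $before (try a client connect and re-run to compare)"
else
    echo "dry run: sample listing shows $(printf '%s\n' "$SAMPLE_LISTING" | accepted_packets "$VPN_PORT") packets on udp/$VPN_PORT"
fi
```

The counter comparison only proves that datagrams reached the INPUT chain; as the thread shows, that is necessary but not sufficient, since the daemon must also be listening on the address the client used (the `:::1194` socket in hillbeast's netstat output) and the client must be aimed at the WAN address that the router actually answers on.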
 

hillbeast

New Around Here
There shouldn't need to be anything there to make the client connect. As I said, I would leave it empty at first to make sure it works and then add to it. I don't have anything there, but I only use that server to reach the router.
Tried clearing out the additional options.. Still doesn't work for me..

Have you tried connecting to the WAN IPv6 Address using SSH and it actually didn't work (after enabling access from WAN also) ?
Yes, I tried with the WAN IPv6 address and was unable to SSH using it.
 
