Errors in script to request IPv6 prefix

[Hardware: Protectli VP2420 – Intel Celeron J6412 / WiFi module: M.2 2230 E-Key PCIe (chipset: Qualcomm Atheros QCA6174A-5) / Firmware: OpenWrt 23.05.3 r23809-234f1a2efa / LuCI openwrt-23.05 branch git-24.073.29889-cd7e519 / kernel version: 5.15.150]

Hi,

Being a complete noob with respect to OpenWrt (or Linux in general, for that matter), last weekend I flashed my x86/64 system with OpenWrt. Having had to re-start from scratch only once, I succeeded in getting my system to function as a router and wireless access point. With a little more effort, I also succeeded in setting up OpenVPN and making an IPv4 connection with one of the servers of my VPN provider.

What I still didn’t succeed in, however, is establishing IPv6 connectivity with said VPN server. I am pretty sure this has to do with the outdated procedure that is outlined on the website of my provider - when I follow it, I encounter a couple of errors that I am not able to solve.

The procedure I am to follow as per the advice of my provider is as follows:

Create script to request an IPv6 prefix from the VPN server (works only with one OpenVPN client):

cat << EOF > /etc/firewall.nat6
iptables-save -t nat \
| sed -e "/\s[DS]NAT\s/d" \
| ip6tables-restore -T nat
EOF

Execute each of the following commands separately:

uci -q delete firewall.nat6
uci set firewall.nat6="include"
uci set firewall.nat6.path="/etc/firewall.nat6"
uci set firewall.nat6.reload="1"
uci commit firewall
service firewall restart

Carrying out this procedure resulted in the following errors:

Section nat6 option 'reload' is not supported by fw4
Automatically including '/usr/share/nftables.d/table-post/30-pbr.nft'
Automatically including '/usr/share/nftables.d/chain-post/mangle_forward/30-pbr.nft'
Automatically including '/usr/share/nftables.d/chain-post/mangle_input/30-pbr.nft'
Automatically including '/usr/share/nftables.d/chain-post/mangle_output/30-pbr.nft'
Automatically including '/usr/share/nftables.d/chain-post/mangle_postrouting/30-pbr.nft'
Automatically including '/usr/share/nftables.d/chain-post/mangle_prerouting/30-pbr.nft'
sh: /etc/firewall.nat6: line 1: iptables-save: not found
sh: /etc/firewall.nat6: line 1: ip6tables-restore: not found
Include '/etc/firewall.nat6' failed with exit code 127

From a bit of Googling I understand that the current firmware no longer supports the dependencies iptables-save and ip6tables-restore. As written, however, I am not able to solve these errors by writing an updated script myself. Any help you may be able to provide me with will hence be greatly appreciated!

For completeness’ sake I add the following information:

root@OpenWrt:/etc# uci show network; uci show firewall; uci show openvpn
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fdea:d717:8d56::/48'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='eth0'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.ip6assign='60'
network.lan.broadcast='192.168.1.255'
network.lan.ipaddr='192.168.1.1/24' '10.200.0.1/24'
network.wan=interface
network.wan.device='eth1'
network.wan.proto='dhcp'
network.wan.peerdns='0'
network.wan.dns='8.8.8.8' '8.8.4.4' '185.253.5.9' '193.110.81.9'
network.wan6=interface
network.wan6.device='eth1'
network.wan6.proto='dhcpv6'
network.wan6.reqaddress='force'
network.wan6.reqprefix='auto'
network.wan6.peerdns='0'
network.wan6.dns='2001:4860:4860::8888' '2001:4860:4860::8844' '2a0f:fc80::9' '2a0f:fc81::9'
network.PP_VPN=interface
network.PP_VPN.proto='none'
network.PP_VPN.device='tun0'
network.PP_VPN.type='bridge'
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='REJECT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].device='tun0'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@zone[2]=zone
firewall.@zone[2].name='PP_FW'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].network='PP_VPN'
firewall.@zone[2].masq='1'
firewall.@zone[2].mtu_fix='1'
firewall.@zone[2].device='tun0'
firewall.pbr=include
firewall.pbr.fw4_compatible='1'
firewall.pbr.type='script'
firewall.pbr.path='/usr/share/pbr/pbr.firewall.include'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.nat6=include
firewall.nat6.path='/etc/firewall.nat6'
firewall.nat6.reload='1'
openvpn.custom_config=openvpn
openvpn.custom_config.config='/etc/openvpn/my-vpn.conf'
openvpn.sample_server=openvpn
openvpn.sample_server.port='1194'
openvpn.sample_server.proto='udp'
openvpn.sample_server.dev='tun'
openvpn.sample_server.ca='/etc/openvpn/ca.crt'
openvpn.sample_server.cert='/etc/openvpn/server.crt'
openvpn.sample_server.key='/etc/openvpn/server.key'
openvpn.sample_server.dh='/etc/openvpn/dh2048.pem'
openvpn.sample_server.server='10.8.0.0 255.255.255.0'
openvpn.sample_server.ifconfig_pool_persist='/tmp/ipp.txt'
openvpn.sample_server.keepalive='10 120'
openvpn.sample_server.persist_key='1'
openvpn.sample_server.persist_tun='1'
openvpn.sample_server.user='nobody'
openvpn.sample_server.status='/tmp/openvpn-status.log'
openvpn.sample_server.verb='3'
openvpn.sample_client=openvpn
openvpn.sample_client.client='1'
openvpn.sample_client.dev='tun'
openvpn.sample_client.proto='udp'
openvpn.sample_client.remote='my_server_1 1194'
openvpn.sample_client.resolv_retry='infinite'
openvpn.sample_client.nobind='1'
openvpn.sample_client.persist_key='1'
openvpn.sample_client.persist_tun='1'
openvpn.sample_client.user='nobody'
openvpn.sample_client.ca='/etc/openvpn/ca.crt'
openvpn.sample_client.cert='/etc/openvpn/client.crt'
openvpn.sample_client.key='/etc/openvpn/client.key'
openvpn.sample_client.verb='3'
openvpn.PP_Amsterdam=openvpn
openvpn.PP_Amsterdam.config='/etc/openvpn/PP_Amsterdam.ovpn'
openvpn.PP_Amsterdam.enabled='1'
openvpn.PP_Copenhagen=openvpn
openvpn.PP_Copenhagen.config='/etc/openvpn/PP_Copenhagen.ovpn'
openvpn.PP_Hamburg=openvpn
openvpn.PP_Hamburg.config='/etc/openvpn/PP_Hamburg.ovpn'
openvpn.PP_Malmoe=openvpn
openvpn.PP_Malmoe.config='/etc/openvpn/PP_Malmoe.ovpn'
openvpn.PP_Oslo=openvpn
openvpn.PP_Oslo.config='/etc/openvpn/PP_Oslo.ovpn'
openvpn.PP_Paris=openvpn
openvpn.PP_Paris.config='/etc/openvpn/PP_Paris.ovpn'
openvpn.PP_Rotterdam=openvpn
openvpn.PP_Rotterdam.config='/etc/openvpn/PP_Rotterdam.ovpn'
openvpn.PP_Stockholm=openvpn
openvpn.PP_Stockholm.config='/etc/openvpn/PP_Stockholm.ovpn'

Better support of NAT6 is now built in so really you should not need to do any custom scripts to bring up NAT6.

Nothing you posted answers the question of what address to NAT into (which the VPN holds on the other end) though.


Your interface should look like this (remove the option bridge):

config interface 'tun0'
	option proto 'none'
	option device 'tun0'

The corresponding firewall rule with option masq6 which can be set on the Advanced tab of the firewall zone:

config zone
	option name 'ovpn_client'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option masq6 '1'
	list network 'tun0'

config forwarding
	option src 'lan'
	option dest 'ovpn_client'

Note remove list network 'tun0' from other zones!


That is no longer necessary since support to refer to a device directly (list device) has been added to the firewall.
/etc/config/firewall

config zone
    list device 'tun0'
...

In previous versions the "dummy" network interface associated a UCI network name to the kernel device name which is managed by OpenVPN.


Thank you very much for your reply! As to your question, as far as I am aware I am not supposed to specifically provide an IPv6 address to NAT into. This is what my VPN provider (Perfect Privacy) has to say about this:

In order to connect over IPv6, I am supposed to follow the procedure that I outlined in my opening post. From then on, the moment I am connected to one of their VPN servers, I am supposed to receive an IPv6 address as well (and this is exactly how it works with the Vilfo VPN router of my brother, who is also a subscriber of Perfect Privacy). Given the failure to run said script, I am now not receiving an IPv6 connection while being connected with a VPN server over IPv4.

So, apparently, doing this custom script is necessary, but how do I get rid of the errors the current script generates?

You do not need a script but just try my suggestions.
That worked for me.

You indeed get an IPv4 and IPv6 address from your provider. By masquerading you do not need to know the address (in contrast to SNAT).

True unless you start using e.g. PBR which seems to need a logical interface.

@egc: thank you very much for your suggestions, but unfortunately they didn't solve the problem:

While connecting over IPv4, an additional IPv6 connection is also supposed to be established, which still is not the case. So I am afraid it is back to my original question: how to update the script to the extent that it no longer depends on iptables-save and ip6tables-restore and the error Section nat6 option 'reload' is not supported by fw4 no longer occurs? MTIA!

I'm not an expert on OpenVPN but I assume that your IPv6 address and routes will be pushed to the client by the service's server. You can check this by using ip addr show to confirm that the tun0 interface has an IPv6 address, and ip -6 route show to confirm that tun0 is the default v6 route.

At this point you should be able to from the router ping6 and traceroute6 a site that is on the v6 Internet (such as openwrt.org). The traceroute should show that it is connecting via VPN not by your ISP (if your ISP has v6).

Getting v6 connectivity to your LAN requires additional work. The LAN must issue local v6 addresses to the laptop etc. I usually use the 2001:db8:: block for this since endpoints treat it like a public IP though it is reserved and will never actually be assigned to anything on the Internet. In /etc/config/network, set the lan ipv6 static to something like 2001:db8::1/64 and make sure that under DHCP at least the RA service is turned on.

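
As an added example (not part of any post in this thread), here is the check the reply above describes, run offline over the `ip -6 route show table all` lines the original poster pasted later in the thread: does tun0 hold an IPv6 address, and does a global IPv6 destination actually leave via tun0? It implements the kernel's longest-prefix lookup, including the source-restricted ("from") routes that make the ISP default route invisible to LAN-sourced packets; the probe addresses and all function names are my own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Copied from the `ip -6 route show table all` output posted in this thread
# (abridged to the lines that matter for the lookup below).
ROUTE_OUTPUT = """\
default from 2a02:a464:c5d0:1::/64 via fe80::2e91:abff:fe45:f3b5 dev eth1 proto static metric 512 pref medium
::/3 dev tun0 metric 1024 pref medium
2a02:a464:c5d0::/48 from 2a02:a464:c5d0:1::/64 via fe80::2e91:abff:fe45:f3b5 dev eth1 proto static metric 512 pref medium
2a02:a464:c5d0:1::/64 dev eth1 proto static metric 256 pref medium
unreachable 2a02:a464:c5d0:1::/64 dev lo proto static metric 2147483647 pref medium
2000::/4 dev tun0 metric 1024 pref medium
3000::/4 dev tun0 metric 1024 pref medium
2000::/3 dev tun0 metric 1024 pref medium
fdbf:1d37:bbe0:0:68:7::/112 dev tun0 proto kernel metric 256 pref medium
fdea:d717:8d56::/64 dev br-lan proto static metric 1024 pref medium
unreachable fdea:d717:8d56::/48 dev lo proto static metric 2147483647 pref medium
fc00::/7 dev tun0 metric 1024 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
local fdbf:1d37:bbe0:0:68:7:0:f5 dev tun0 table local proto kernel metric 0 pref medium
local 2a02:a464:c5d0:1:6662:66ff:fe22:d598 dev eth1 table local proto kernel metric 0 pref medium
"""

# Route types `ip` prints as a leading keyword; anything else is a plain unicast route.
ROUTE_KINDS = {"unreachable", "local", "anycast", "multicast", "broadcast", "blackhole", "prohibit"}
ULA = ipaddress.IPv6Network("fc00::/7")  # unique-local space, not routable on the Internet


@dataclass
class Route:
    prefix: ipaddress.IPv6Network
    dev: str
    kind: str = "unicast"
    via: Optional[str] = None
    src_prefix: Optional[ipaddress.IPv6Network] = None  # the "from" restriction, if any
    table: str = "main"
    metric: int = 0


def parse_routes(text: str) -> List[Route]:
    """Parse `ip -6 route show` lines into Route records."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        kind = tokens.pop(0) if tokens[0] in ROUTE_KINDS else "unicast"
        dest = tokens.pop(0)
        prefix = ipaddress.IPv6Network("::/0" if dest == "default" else dest, strict=False)
        # What remains is keyword/value pairs: from X via Y dev Z table T proto P metric N pref M
        kv = dict(zip(tokens[0::2], tokens[1::2]))
        routes.append(Route(
            prefix=prefix, dev=kv["dev"], kind=kind, via=kv.get("via"),
            src_prefix=ipaddress.IPv6Network(kv["from"]) if "from" in kv else None,
            table=kv.get("table", "main"), metric=int(kv.get("metric", 0))))
    return routes


def lookup(routes: List[Route], dest: str, src: Optional[str] = None) -> Optional[Route]:
    """Longest-prefix match over the main table, the way the kernel picks a route.
    A route printed with "from X" only applies to packets whose source address lies
    inside X; equal prefix lengths are decided by the lower metric."""
    dst_addr = ipaddress.IPv6Address(dest)
    src_addr = ipaddress.IPv6Address(src) if src else None
    best = None
    for r in routes:
        if r.table != "main" or dst_addr not in r.prefix:
            continue
        if r.src_prefix is not None and (src_addr is None or src_addr not in r.src_prefix):
            continue
        if best is None or (r.prefix.prefixlen, -r.metric) > (best.prefix.prefixlen, -best.metric):
            best = r
    return best


def tunnel_addresses(routes: List[Route], dev: str = "tun0") -> List[ipaddress.IPv6Address]:
    """Addresses the kernel holds on `dev` (the 'local' entries of the local table)."""
    return [r.prefix.network_address for r in routes if r.kind == "local" and r.dev == dev]


def diagnose(routes: List[Route], probe: str = "2001:db8::1") -> dict:
    """Does tun0 have an IPv6 address, and does a global destination (constructed
    probe) leave via tun0?  A tunnel address inside fc00::/7 is unique-local, so LAN
    hosts can only use the tunnel with NAT6 (the masq6 zone option from this thread)."""
    addrs = tunnel_addresses(routes)
    route = lookup(routes, probe)
    return {
        "tun0_has_ipv6": bool(addrs),
        "tun0_addr_is_ula": any(a in ULA for a in addrs),
        "global_egress_dev": route.dev if route else None,
        "matched_prefix": str(route.prefix) if route else None,
    }


if __name__ == "__main__":
    table = parse_routes(ROUTE_OUTPUT)
    print(diagnose(table))
    # The ISP's /48 is reachable directly only for packets sourced from the delegated
    # /64; any other source (a LAN ULA, for instance) is sent into the tunnel.
    print(lookup(table, "2a02:a464:c5d0:2::1").dev)  # tun0
    print(lookup(table, "2a02:a464:c5d0:2::1", src="2a02:a464:c5d0:1:6662:66ff:fe22:d598").dev)  # eth1
```

On a live router the same questions are answered by `ip -6 route get <address>` and `ip -6 addr show dev tun0`; the script is for reading a pasted table when you do not have shell access to the box.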

IPv6 and IPv4 addresses and routes should be pushed by the VPN server indeed.
But your lan clients and router must already be IPv6 ready.

Let's see some configs and logs, please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
ip route show
ip route show table all
ip -6 route show
ip -6 route show table all
for ovpn in $(ls /etc/openvpn/*.ovpn);do echo $ovpn; cat $ovpn; echo;done
logread | grep openvpn

@egc: here's the output that you requested, I hope this gives you some further insights.

root@OpenWrt:~# ubus call system board
{
	"kernel": "5.15.150",
	"hostname": "OpenWrt",
	"system": "Intel(R) Celeron(R) J6412 @ 2.00GHz",
	"model": "Protectli VP2420",
	"board_name": "protectli-vp2420",
	"rootfs_type": "ext4",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.3",
		"revision": "r23809-234f1a2efa",
		"target": "x86/64",
		"description": "OpenWrt 23.05.3 r23809-234f1a2efa"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdea:d717:8d56::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ip6assign '60'
	option broadcast '192.168.1.255'
	list ipaddr '192.168.1.1/24'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option peerdns '0'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	list dns '185.253.5.9'
	list dns '193.110.81.9'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'
	list dns '2001:4860:4860::8888'
	list dns '2001:4860:4860::8844'
	list dns '2a0f:fc80::9'
	list dns '2a0f:fc81::9'

config interface 'PP_VPN'
	option proto 'none'
	option device 'tun0'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'PP_VPN'
	option interface 'PP_VPN'
	option ignore '1'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list device 'tun0'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'PP_FW'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'PP_VPN'
	option masq '1'
	option masq6 '1'
	option mtu_fix '1'
	list device 'tun0'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

config forwarding
	option src 'lan'
	option dest 'wan'

config include 'nat6'
	option path '/etc/firewall.nat6'
	option reload '1'

config forwarding
	option src 'PP_FW'
	option dest 'lan'

root@OpenWrt:~# ip route show
0.0.0.0/1 via 10.4.71.1 dev tun0 
default via 192.168.188.1 dev eth1 proto static src 192.168.188.48 
10.4.71.0/24 dev tun0 proto kernel scope link src 10.4.71.245 
37.48.94.1 via 192.168.188.1 dev eth1 
128.0.0.0/1 via 10.4.71.1 dev tun0 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
192.168.188.0/24 dev eth1 proto kernel scope link src 192.168.188.48 
root@OpenWrt:~# ip route show table all
0.0.0.0/1 via 10.4.71.1 dev tun0 
default via 192.168.188.1 dev eth1 proto static src 192.168.188.48 
10.4.71.0/24 dev tun0 proto kernel scope link src 10.4.71.245 
37.48.94.1 via 192.168.188.1 dev eth1 
128.0.0.0/1 via 10.4.71.1 dev tun0 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
192.168.188.0/24 dev eth1 proto kernel scope link src 192.168.188.48 
local 10.4.71.245 dev tun0 table local proto kernel scope host src 10.4.71.245 
broadcast 10.4.71.255 dev tun0 table local proto kernel scope link src 10.4.71.245 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1 
local 192.168.188.48 dev eth1 table local proto kernel scope host src 192.168.188.48 
broadcast 192.168.188.255 dev eth1 table local proto kernel scope link src 192.168.188.48 
default from 2a02:a464:c5d0:1::/64 via fe80::2e91:abff:fe45:f3b5 dev eth1 proto static metric 512 pref medium
::/3 dev tun0 metric 1024 pref medium
2a02:a464:c5d0::/48 from 2a02:a464:c5d0:1::/64 via fe80::2e91:abff:fe45:f3b5 dev eth1 proto static metric 512 pref medium
2a02:a464:c5d0:1::/64 dev eth1 proto static metric 256 pref medium
unreachable 2a02:a464:c5d0:1::/64 dev lo proto static metric 2147483647 pref medium
2000::/4 dev tun0 metric 1024 pref medium
3000::/4 dev tun0 metric 1024 pref medium
2000::/3 dev tun0 metric 1024 pref medium
fdbf:1d37:bbe0:0:68:7::/112 dev tun0 proto kernel metric 256 pref medium
fdea:d717:8d56::/64 dev br-lan proto static metric 1024 pref medium
unreachable fdea:d717:8d56::/48 dev lo proto static metric 2147483647 pref medium
fc00::/7 dev tun0 metric 1024 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
fe80::/64 dev phy0-ap0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast 2a02:a464:c5d0:1:: dev eth1 table local proto kernel metric 0 pref medium
local 2a02:a464:c5d0:1:6662:66ff:fe22:d598 dev eth1 table local proto kernel metric 0 pref medium
anycast fdbf:1d37:bbe0:0:68:7:: dev tun0 table local proto kernel metric 0 pref medium
local fdbf:1d37:bbe0:0:68:7:0:f5 dev tun0 table local proto kernel metric 0 pref medium
anycast fdea:d717:8d56:: dev br-lan table local proto kernel metric 0 pref medium
local fdea:d717:8d56::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev eth1 table local proto kernel metric 0 pref medium
anycast fe80:: dev tun0 table local proto kernel metric 0 pref medium
anycast fe80:: dev phy0-ap0 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
local fe80::215:61ff:fe23:d3ac dev phy0-ap0 table local proto kernel metric 0 pref medium
local fe80::6662:66ff:fe22:d597 dev br-lan table local proto kernel metric 0 pref medium
local fe80::6662:66ff:fe22:d598 dev eth1 table local proto kernel metric 0 pref medium
local fe80::fec2:4315:2d9f:deca dev tun0 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev br-lan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev eth1 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev tun0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev phy0-ap0 table local proto kernel metric 256 pref medium
root@OpenWrt:~# ip -6 route show
default from 2a02:a464:c5d0:1::/64 via fe80::2e91:abff:fe45:f3b5 dev eth1 proto static metric 512 pref medium
::/3 dev tun0 metric 1024 pref medium
2a02:a464:c5d0::/48 from 2a02:a464:c5d0:1::/64 via fe80::2e91:abff:fe45:f3b5 dev eth1 proto static metric 512 pref medium
2a02:a464:c5d0:1::/64 dev eth1 proto static metric 256 pref medium
unreachable 2a02:a464:c5d0:1::/64 dev lo proto static metric 2147483647 pref medium
2000::/4 dev tun0 metric 1024 pref medium
3000::/4 dev tun0 metric 1024 pref medium
2000::/3 dev tun0 metric 1024 pref medium
fdbf:1d37:bbe0:0:68:7::/112 dev tun0 proto kernel metric 256 pref medium
fdea:d717:8d56::/64 dev br-lan proto static metric 1024 pref medium
unreachable fdea:d717:8d56::/48 dev lo proto static metric 2147483647 pref medium
fc00::/7 dev tun0 metric 1024 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
fe80::/64 dev phy0-ap0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
root@OpenWrt:~# ip -6 route show table all
default from 2a02:a464:c5d0:1::/64 via fe80::2e91:abff:fe45:f3b5 dev eth1 proto static metric 512 pref medium
::/3 dev tun0 metric 1024 pref medium
2a02:a464:c5d0::/48 from 2a02:a464:c5d0:1::/64 via fe80::2e91:abff:fe45:f3b5 dev eth1 proto static metric 512 pref medium
2a02:a464:c5d0:1::/64 dev eth1 proto static metric 256 pref medium
unreachable 2a02:a464:c5d0:1::/64 dev lo proto static metric 2147483647 pref medium
2000::/4 dev tun0 metric 1024 pref medium
3000::/4 dev tun0 metric 1024 pref medium
2000::/3 dev tun0 metric 1024 pref medium
fdbf:1d37:bbe0:0:68:7::/112 dev tun0 proto kernel metric 256 pref medium
fdea:d717:8d56::/64 dev br-lan proto static metric 1024 pref medium
unreachable fdea:d717:8d56::/48 dev lo proto static metric 2147483647 pref medium
fc00::/7 dev tun0 metric 1024 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
fe80::/64 dev phy0-ap0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast 2a02:a464:c5d0:1:: dev eth1 table local proto kernel metric 0 pref medium
local 2a02:a464:c5d0:1:6662:66ff:fe22:d598 dev eth1 table local proto kernel metric 0 pref medium
anycast fdbf:1d37:bbe0:0:68:7:: dev tun0 table local proto kernel metric 0 pref medium
local fdbf:1d37:bbe0:0:68:7:0:f5 dev tun0 table local proto kernel metric 0 pref medium
anycast fdea:d717:8d56:: dev br-lan table local proto kernel metric 0 pref medium
local fdea:d717:8d56::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev eth1 table local proto kernel metric 0 pref medium
anycast fe80:: dev tun0 table local proto kernel metric 0 pref medium
anycast fe80:: dev phy0-ap0 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
local fe80::215:61ff:fe23:d3ac dev phy0-ap0 table local proto kernel metric 0 pref medium
local fe80::6662:66ff:fe22:d597 dev br-lan table local proto kernel metric 0 pref medium
local fe80::6662:66ff:fe22:d598 dev eth1 table local proto kernel metric 0 pref medium
local fe80::fec2:4315:2d9f:deca dev tun0 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev br-lan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev eth1 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev tun0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev phy0-ap0 table local proto kernel metric 256 pref medium
root@OpenWrt:~# for ovpn in $(ls /etc/openvpn/*.ovpn);do echo $ovpn; cat $ovpn; echo;done
/etc/openvpn/PP_Amsterdam.ovpn
auth-user-pass /etc/openvpn/PP_Amsterdam.auth
client
dev tun
hand-window 120
inactive 604800
mute-replay-warnings
nobind
persist-key
persist-remote-ip
persist-tun
ping 5
ping-restart 120
redirect-gateway def1
remote-random
reneg-sec 3600
script-security 2
tls-cipher TLS_CHACHA20_POLY1305_SHA256:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS_AES_256_GCM_SHA384:TLS-RSA-WITH-AES-256-CBC-SHA
tls-timeout 5
verb 4

route-delay 2
resolv-retry 60
route-method exe


tun-mtu  1500

proto udp
fragment 1300
mssfix

comp-lzo
key-direction 1


remote 95.168.167.236 148 

remote 95.168.167.236 149 

remote 95.168.167.236 150 

remote 95.168.167.236 151 

remote 95.168.167.236 1148 

remote 95.168.167.236 1149 

remote 95.168.167.236 1150 

remote 95.168.167.236 1151 

remote 95.211.95.233 148 

remote 95.211.95.233 149 

remote 95.211.95.233 150 

remote 95.211.95.233 151 

remote 95.211.95.233 1148 

remote 95.211.95.233 1149 

remote 95.211.95.233 1150 

remote 95.211.95.233 1151 

remote 95.211.95.244 148 

remote 95.211.95.244 149 

remote 95.211.95.244 150 

remote 95.211.95.244 151 

remote 95.211.95.244 1148 

remote 95.211.95.244 1149 

remote 95.211.95.244 1150 

remote 95.211.95.244 1151 

remote 37.48.94.1 148 

remote 37.48.94.1 149 

remote 37.48.94.1 150 

remote 37.48.94.1 151 

remote 37.48.94.1 1148 

remote 37.48.94.1 1149 

remote 37.48.94.1 1150 

remote 37.48.94.1 1151 



data-ciphers AES-128-CBC
auth SHA512


remote-cert-tls server

<ca>
-----BEGIN CERTIFICATE-----
MIIGgzCCBGugAwIBAgIJAPoRtcSqaa9pMA0GCSqGSIb3DQEBDQUAMIGHMQswCQYD
VQQGEwJDSDEMMAoGA1UECBMDWnVnMQwwCgYDVQQHEwNadWcxGDAWBgNVBAoTD1Bl
{redacted}
PRcKXEPxzswHChAWeRG8nU4hRLVvuLdwN08AIV3T1P+ycTOIM8+RFJgiouyCNuw8
UpIngQ4XIBteVNISnQHvuqACJWXJat3CnMekksqTIcCgAtk5F8rw
-----END CERTIFICATE-----

</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIG4zCCBMugAwIBAgIJAOahPfvarO6HMA0GCSqGSIb3DQEBDQUAMIGHMQswCQYD
VQQGEwJDSDEMMAoGA1UECBMDWnVnMQwwCgYDVQQHEwNadWcxGDAWBgNVBAoTD1Bl
{redacted}
3nhKERRAx7s/GcPLbuqRyqoywX16Nh/c51eB2yDptreyV0UTF3XpJXKE8duWdrRv
blPViFVx/NTZjvt95LiEUgoyLP++vBQmHmWCEPurU6zeqlVT3RbW
-----END CERTIFICATE-----

</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDFTJL89Z78c0Jk
aDaPq+sL3YEf+EWhReZRfbw5RBywLpMP1qc+IrDD+OxenGttX086XHe1cYlVCPTn
{redacted
q568GZOHewAYRL+V+kwwKs31pXzUf9JuzhjMMzDvVY5p/zYfORJk64AhVtB5j43E
e6SP7fz1PhVYpwXsUQts+n++D0pRt1A=
-----END PRIVATE KEY-----

</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
8639991ad6c846ca4c0e8bef909d6acb
ab79cc6e243c93298bb63fff4040661d
{redacted}
5745b7dbfe754e50c509c6d64bead9a3
e1152ee143d4dc70a0186deef93a19f8
-----END OpenVPN Static key V1-----

</tls-auth>


log /var/log/openvpn.log
log-append /var/log/openvn.log
up /etc/openvpn/up.sh
down /etc/openvpn/down.sh

root@OpenWrt:~# logread | grep openvpn
Fri Jun 28 18:38:54 2024 daemon.warn openvpn(PP_Amsterdam)[2490]: WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.

Network: Since your ISP supports IPv6, your LAN computers should already be using GUAs from the ISP, although since the routing table has been changed by OpenVPN, they will actually be NATed into the ULA that the VPN provider pushed to you. If your ISP did not have v6 you'd need to set up a pseudo-GUA local address.
It's a good idea (almost always) to remove ula_prefix as ULAs on your end are not needed in this setup. This will reduce clutter when you look at IP assignments and routing tables.
Firewall: Remove everything related to the obsolete iptables script. I also see a mention of pbr, it would be best to remove that until you have the basic "all Internet via VPN" operation working.
As others said, add option masq6 '1' to the wan zone.
Then try the test I suggested to see if a traceroute6 originated within the router goes through the VPN. Also running ifstatus tun0 while the tunnel is up would be informative.


I fully agree with mk24.

In addition remove `list device 'tun0'`, better not list devices in more than one zone.

Furthermore you can remove list device 'tun0' in the PP_FW zone as that is already taken care of by list network 'PP_VPN'

Reboot afterwards.

Furthermore you are using up and down scripts for the VPN; I would disable these and test with only the basic setup.

There are no logs as the logs look to be written elsewhere.
Is this on purpose, if not remove these lines:

And after a reboot let's see: logread -e openvpn or let's see the logs from the new location.

I hope this is an (almost) free provider as the client setup with compression and AES-128-CBC is really outdated.
Compression is deprecated and it could be the reason you can have connections but no traffic. But without the logs we cannot tell.
We should see the logs also when compression is disabled, simply remove

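The two firewall-config points raised in the posts above (a device listed in more than one zone, and a zone that masquerades IPv4 but has no masq6) can be checked mechanically. The script below is an added example, not code from this thread or from OpenWrt; it assumes the stock UCI syntax of /etc/config/firewall and runs here on a constructed sample file that mirrors the setup before the fixes.

```shell
#!/bin/sh
# Added example (not from the thread): audit an OpenWrt /etc/config/firewall for
# (1) a device attached to more than one zone and (2) a zone with masq '1' but
# no masq6 '1', i.e. IPv4 is source-NATed but IPv6 is not.
# POSIX sh + awk only, so it also runs on a busybox router.

# check_zones FILE
# Prints one finding per line (sorted for stable output); prints nothing when clean.
check_zones() {
    LC_ALL=C awk '
    # "config zone" opens a zone record; any other section type closes it
    /^config[ \t]+zone/ { z = ++n; masq[z] = 0; masq6[z] = 0; name[z] = "zone" z; next }
    /^config/            { z = 0; next }
    z == 0 { next }
    NF >= 3 { gsub(/[\047"]/, "", $3) }                 # strip UCI quoting
    $1 == "option" && $2 == "name"  { name[z]  = $3 }
    $1 == "option" && $2 == "masq"  { masq[z]  = ($3 == "1") }
    $1 == "option" && $2 == "masq6" { masq6[z] = ($3 == "1") }
    # both "list device" and the older "option device" attach a device to a zone
    $2 == "device" && ($1 == "list" || $1 == "option") { owner[$3] = owner[$3] " " z }
    END {
        for (d in owner) {
            cnt = split(owner[d], zs, " ")
            if (cnt < 2) continue
            s = ""
            for (i = 1; i <= cnt; i++) s = s (i > 1 ? "," : "") name[zs[i]]
            printf "device %s listed in %d zones: %s\n", d, cnt, s
        }
        for (z = 1; z <= n; z++)
            if (masq[z] && !masq6[z])
                printf "zone %s has masq but no masq6: IPv6 forwarded into this zone leaves without source NAT\n", name[z]
    }' "$1" | LC_ALL=C sort
}

# Constructed sample (not the poster's real file): tun0 is listed in both the wan
# zone and the VPN zone, and neither masquerading zone sets masq6.
SAMPLE_FW=$(mktemp)
cat > "$SAMPLE_FW" <<'EOF'
config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    list device 'tun0'
    option masq '1'
    option mtu_fix '1'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'PP_FW'
    list network 'PP_VPN'
    list device 'tun0'
    option masq '1'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config forwarding
    option src 'lan'
    option dest 'PP_FW'
EOF

check_zones "$SAMPLE_FW"
```

On a router, run `check_zones /etc/config/firewall`; an empty result means no device is shared between zones and every masquerading zone also has masq6.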

@mk24, egc: my sincere thanks again for your interest in my topic. Please bear in mind that, like written in my first post, I am a noob when it comes to OpenWrt or Linux in general. If I do not immediately seem to follow your advice, this isn't because of stubbornness on my part, but because of a lack of knowledge or understanding. And to clear up a possible misunderstanding: when I wrote that I didn't succeed in establishing IPv6 connectivity, this wasn't meant to mean that I do not have access to the internet. The contrary is true: I do in fact have connectivity with a VPN server over IPv4 and full access to the internet. So, the problem is not that I am not able to reach the internet while connected to a server of my VPN provider, but that I do not also have IPv6 connectivity.

That said, in the meantime I have done the following:

  • de-installed package 'pbr' in LuCI
  • removed ula_prefix via Network > Interfaces > Global network options in LuCI. Rebooted system, everything still all right and still access to the internet via the selected VPN server over IPv4
  • added option masq6 '1' to the wan zone via nano /etc/config/firewall (didn't find where to do it in LuCI). Rebooted system, everything still all right and still access to the internet via the selected VPN server over IPv4
  • removed list device 'tun0' from the wan zone via nano /etc/config/firewall (didn't immediately see how to do it in LuCI). Rebooted system, everything still all right and still access to the internet via the selected VPN server over IPv4
  • removed list device 'tun0' from the PP_FW zone via nano /etc/config/firewall. Rebooted system, everything still all right and still access to the internet via the selected VPN server over IPv4
  • removed the lines up /etc/openvpn/up.sh and down /etc/openvpn/down.sh from the OpenVPN configuration file for the VPN server in Amsterdam. Rebooted system, everything still all right and still access to the internet via the selected VPN server over IPv4

With the tunnel up I carried out the following:

ping6:

PING openwrt.org (2a03:b0c0:3:d0::1a51:c001): 56 data bytes
64 bytes from 2a03:b0c0:3:d0::1a51:c001: seq=0 ttl=52 time=15.122 ms
64 bytes from 2a03:b0c0:3:d0::1a51:c001: seq=1 ttl=52 time=14.804 ms
64 bytes from 2a03:b0c0:3:d0::1a51:c001: seq=2 ttl=52 time=14.029 ms
64 bytes from 2a03:b0c0:3:d0::1a51:c001: seq=3 ttl=52 time=14.960 ms
64 bytes from 2a03:b0c0:3:d0::1a51:c001: seq=4 ttl=52 time=14.156 ms

--- openwrt.org ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 14.029/14.614/15.122 ms

and:

traceroute6:

traceroute to openwrt.org (2a03:b0c0:3:d0::1a51:c001), 30 hops max, 72 byte packets
 1  fdbf:1d37:bbe0:0:93:4:0:1  6.880 ms
 2  2001:1af8:5000:a026::2  7.197 ms
 3  2001:1af8::81:17:35:201  7.716 ms
 4  2a03:2280:38::66  7.915 ms
 5  *
 6  2001:7f8:1::a501:4061:3  9.189 ms
 7  2a03:b0c0:fffe::48  9.672 ms
 8  *
 9  *
10  *
11  *
12  2a03:b0c0:3:d0::1a51:c001  20.464 ms

and:

root@OpenWrt:~# ifstatus tun0
Interface tun0 not found

The latter is pretty surprising to me, since I do have an active connection with a VPN server of my VPN provider, and tun0 is also selectable as a device and shows active traffic:

@egc: as regards your remark about the OpenVPN logs, the location these are written to is not something I made up myself, but is part of the OpenVPN configuration script that was downloaded from the site of my VPN provider. If another location for such files seems appropriate, I'd be glad to hear. With respect to my VPN provider, this is a paid service, and while this a rather small outfit, they used to be pretty advanced when they entered the market. They were the first to provide full ad filtering, and if I am not mistaken also the first to offer 'NeuroRouting'. Over the last couple of years though, they seem to have lost traction, and this shows by the outdated scripts and downloads at their website.

With respect to the logs:

root@OpenWrt:/var/log# cat openvpn.log
2024-06-29 12:40:55 Multiple --up scripts defined.  The previously configured script is overridden.
2024-06-29 12:40:55 Multiple --down scripts defined.  The previously configured script is overridden.
2024-06-29 12:40:55 us=921370 --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2024-06-29 12:40:55 us=923394 OpenVPN 2.5.8 x86_64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2024-06-29 12:40:55 us=923425 library versions: OpenSSL 3.0.13 30 Jan 2024, LZO 2.10
2024-06-29 12:40:55 us=924430 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-06-29 12:40:55 us=925987 No valid translation found for TLS cipher 'TLS_CHACHA20_POLY1305_SHA256'
2024-06-29 12:40:55 us=926035 No valid translation found for TLS cipher 'TLS_AES_256_GCM_SHA384'
2024-06-29 12:40:55 us=929512 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2024-06-29 12:40:55 us=929544 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2024-06-29 12:40:55 us=929566 LZO compression initializing
2024-06-29 12:40:55 us=929662 Control Channel MTU parms [ L:1626 D:1140 EF:110 EB:0 ET:0 EL:3 ]
2024-06-29 12:40:55 us=929729 Data Channel MTU parms [ L:1626 D:1300 EF:126 EB:407 ET:0 EL:3 AF:14/126 ]
2024-06-29 12:40:55 us=929749 Fragmentation MTU parms [ L:1626 D:1300 EF:125 EB:407 ET:1 EL:3 AF:14/126 ]
2024-06-29 12:40:55 us=929782 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1590,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,keydir 1,auth SHA512,keysize 128,tls-auth,key-method 2,tls-client'
2024-06-29 12:40:55 us=929797 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1590,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,keydir 0,auth SHA512,keysize 128,tls-auth,key-method 2,tls-server'
2024-06-29 12:40:55 us=929816 TCP/UDP: Preserving recently used remote address: [AF_INET]95.211.95.233:148
2024-06-29 12:40:55 us=929839 Socket Buffers: R=[212992->212992] S=[212992->212992]
2024-06-29 12:40:55 us=929855 UDP link local: (not bound)
2024-06-29 12:40:55 us=929870 UDP link remote: [AF_INET]95.211.95.233:148
2024-06-29 12:40:55 us=929946 Network unreachable, restarting
2024-06-29 12:40:55 us=930012 TCP/UDP: Closing socket
2024-06-29 12:40:55 us=930054 SIGUSR1[soft,network-unreachable] received, process restarting
2024-06-29 12:40:55 us=930149 Restart pause, 5 second(s)
2024-06-29 12:41:00 us=930435 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-06-29 12:41:00 us=930628 Re-using SSL/TLS context
2024-06-29 12:41:00 us=930875 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2024-06-29 12:41:00 us=930944 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2024-06-29 12:41:00 us=931006 LZO compression initializing
2024-06-29 12:41:00 us=931272 Control Channel MTU parms [ L:1626 D:1140 EF:110 EB:0 ET:0 EL:3 ]
2024-06-29 12:41:00 us=931462 TCP/UDP: Preserving recently used remote address: [AF_INET]95.211.95.233:148
2024-06-29 12:41:00 us=931527 Data Channel MTU parms [ L:1626 D:1300 EF:126 EB:407 ET:0 EL:3 AF:14/126 ]
2024-06-29 12:41:00 us=931579 Fragmentation MTU parms [ L:1626 D:1300 EF:125 EB:407 ET:1 EL:3 AF:14/126 ]
2024-06-29 12:41:00 us=931684 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1590,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,keydir 1,auth SHA512,keysize 128,tls-auth,key-method 2,tls-client'
2024-06-29 12:41:00 us=931728 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1590,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,keydir 0,auth SHA512,keysize 128,tls-auth,key-method 2,tls-server'
2024-06-29 12:41:00 us=931779 TCP/UDP: Preserving recently used remote address: [AF_INET]95.211.95.233:148
2024-06-29 12:41:00 us=931859 Socket Buffers: R=[212992->212992] S=[212992->212992]
2024-06-29 12:41:00 us=931909 UDP link local: (not bound)
2024-06-29 12:41:00 us=931958 UDP link remote: [AF_INET]95.211.95.233:148
2024-06-29 12:41:00 us=940180 TLS: Initial packet from [AF_INET]95.211.95.233:148, sid=a8d8c20e 2d3d522a
2024-06-29 12:41:00 us=940602 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2024-06-29 12:41:00 us=976559 VERIFY OK: depth=1, C=CH, ST=Zug, L=Zug, O=Perfect Privacy, CN=Perfect Privacy, emailAddress=admin@perfect-privacy.com
2024-06-29 12:41:00 us=977845 VERIFY KU OK
2024-06-29 12:41:00 us=977911 Validating certificate extended key usage
2024-06-29 12:41:00 us=977959 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2024-06-29 12:41:00 us=978001 VERIFY EKU OK
2024-06-29 12:41:00 us=978043 VERIFY OK: depth=0, C=CH, ST=Zug, O=Perfect Privacy, CN=Server_amsterdam.perfect-privacy.com, emailAddress=admin@perfect-privacy.com
2024-06-29 12:41:01 us=47696 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1590', remote='link-mtu 1606'
2024-06-29 12:41:01 us=48341 WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
2024-06-29 12:41:01 us=49318 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
2024-06-29 12:41:01 us=49408 [Server_amsterdam.perfect-privacy.com] Peer Connection Initiated with [AF_INET]95.211.95.233:148
2024-06-29 12:41:01 us=561493 PUSH: Received control message: 'PUSH_REPLY,topology subnet,redirect-gateway def1 ipv6,sndbuf 131072,rcvbuf 131072,route-ipv6 2000::/3,comp-lzo no,route-gateway 10.0.55.1,ping 10,ping-restart 60,dhcp-option DNS 95.211.199.144,dhcp-option DNS 37.48.94.55,ifconfig-ipv6 fdbf:1d37:bbe0:0:3:7:0:f5/112 fdbf:1d37:bbe0:0:3:7:0:1,ifconfig 10.0.55.245 255.255.255.0,peer-id 5,cipher AES-128-CBC'
2024-06-29 12:41:01 us=561656 WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
2024-06-29 12:41:01 us=561892 OPTIONS IMPORT: timers and/or timeouts modified
2024-06-29 12:41:01 us=561934 OPTIONS IMPORT: compression parms modified
2024-06-29 12:41:01 us=561986 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
2024-06-29 12:41:01 us=562030 Socket Buffers: R=[212992->262144] S=[212992->262144]
2024-06-29 12:41:01 us=562060 OPTIONS IMPORT: --ifconfig/up options modified
2024-06-29 12:41:01 us=562086 OPTIONS IMPORT: route options modified
2024-06-29 12:41:01 us=562112 OPTIONS IMPORT: route-related options modified
2024-06-29 12:41:01 us=562137 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2024-06-29 12:41:01 us=562162 OPTIONS IMPORT: peer-id set
2024-06-29 12:41:01 us=562189 OPTIONS IMPORT: adjusting link_mtu to 1629
2024-06-29 12:41:01 us=562216 OPTIONS IMPORT: data channel crypto options modified
2024-06-29 12:41:01 us=562247 Data Channel: using negotiated cipher 'AES-128-CBC'
2024-06-29 12:41:01 us=562319 Data Channel MTU parms [ L:1609 D:1300 EF:109 EB:407 ET:0 EL:3 AF:14/126 ]
2024-06-29 12:41:01 us=562363 Fragmentation MTU parms [ L:1626 D:1300 EF:105 EB:407 ET:1 EL:3 AF:14/126 ]
2024-06-29 12:41:01 us=562686 Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
2024-06-29 12:41:01 us=562744 Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
2024-06-29 12:41:01 us=562785 Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
2024-06-29 12:41:01 us=562838 Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
2024-06-29 12:41:01 us=562978 net_route_v4_best_gw query: dst 0.0.0.0
2024-06-29 12:41:01 us=563143 net_route_v4_best_gw result: via 192.168.188.1 dev eth1
2024-06-29 12:41:01 us=563257 GDG6: remote_host_ipv6=n/a
2024-06-29 12:41:01 us=563299 net_route_v6_best_gw query: dst ::
2024-06-29 12:41:01 us=563372 sitnl_send: rtnl: generic error (-101): Network unreachable
2024-06-29 12:41:01 us=564208 TUN/TAP device tun0 opened
2024-06-29 12:41:01 us=564263 do_ifconfig, ipv4=1, ipv6=1
2024-06-29 12:41:01 us=564316 net_iface_mtu_set: mtu 1500 for tun0
2024-06-29 12:41:01 us=564411 net_iface_up: set tun0 up
2024-06-29 12:41:01 us=564685 net_addr_v4_add: 10.0.55.245/24 dev tun0
2024-06-29 12:41:01 us=565366 net_iface_mtu_set: mtu 1500 for tun0
2024-06-29 12:41:01 us=565470 net_iface_up: set tun0 up
2024-06-29 12:41:01 us=565546 net_addr_v6_add: fdbf:1d37:bbe0:0:3:7:0:f5/112 dev tun0
2024-06-29 12:41:01 us=566339 /usr/libexec/openvpn-hotplug up PP_Amsterdam tun0 1500 1609 10.0.55.245 255.255.255.0 init
udhcpc: started, v1.36.1
udhcpc: broadcasting discover
udhcpc: no lease, failing
2024-06-29 12:41:06 us=75441 net_route_v4_add: 95.211.95.233/32 via 192.168.188.1 dev [NULL] table 0 metric -1
2024-06-29 12:41:06 us=75770 net_route_v4_add: 0.0.0.0/1 via 10.0.55.1 dev [NULL] table 0 metric -1
2024-06-29 12:41:06 us=75881 net_route_v4_add: 128.0.0.0/1 via 10.0.55.1 dev [NULL] table 0 metric -1
2024-06-29 12:41:06 us=75993 add_route_ipv6(2000::/3 -> fdbf:1d37:bbe0:0:3:7:0:1 metric -1) dev tun0
2024-06-29 12:41:06 us=76047 net_route_v6_add: 2000::/3 via :: dev tun0 table 0 metric -1
2024-06-29 12:41:06 us=76185 add_route_ipv6(::/3 -> fdbf:1d37:bbe0:0:3:7:0:1 metric -1) dev tun0
2024-06-29 12:41:06 us=76244 net_route_v6_add: ::/3 via :: dev tun0 table 0 metric -1
2024-06-29 12:41:06 us=76359 add_route_ipv6(2000::/4 -> fdbf:1d37:bbe0:0:3:7:0:1 metric -1) dev tun0
2024-06-29 12:41:06 us=76413 net_route_v6_add: 2000::/4 via :: dev tun0 table 0 metric -1
2024-06-29 12:41:06 us=76525 add_route_ipv6(3000::/4 -> fdbf:1d37:bbe0:0:3:7:0:1 metric -1) dev tun0
2024-06-29 12:41:06 us=76579 net_route_v6_add: 3000::/4 via :: dev tun0 table 0 metric -1
2024-06-29 12:41:06 us=76679 add_route_ipv6(fc00::/7 -> fdbf:1d37:bbe0:0:3:7:0:1 metric -1) dev tun0
2024-06-29 12:41:06 us=76725 net_route_v6_add: fc00::/7 via :: dev tun0 table 0 metric -1
2024-06-29 12:41:06 us=86335 Initialization Sequence Completed
2024-06-29 13:41:01 us=1030 TLS: soft reset sec=3600/3600 bytes=17900472/-1 pkts=33835/0
2024-06-29 13:41:01 us=41324 VERIFY OK: depth=1, C=CH, ST=Zug, L=Zug, O=Perfect Privacy, CN=Perfect Privacy, emailAddress=admin@perfect-privacy.com
2024-06-29 13:41:01 us=42557 VERIFY KU OK
2024-06-29 13:41:01 us=42657 Validating certificate extended key usage
2024-06-29 13:41:01 us=42708 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2024-06-29 13:41:01 us=42749 VERIFY EKU OK
2024-06-29 13:41:01 us=42791 VERIFY OK: depth=0, C=CH, ST=Zug, O=Perfect Privacy, CN=Server_amsterdam.perfect-privacy.com, emailAddress=admin@perfect-privacy.com
2024-06-29 13:41:01 us=117198 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1590', remote='link-mtu 1606'
2024-06-29 13:41:01 us=117815 WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
2024-06-29 13:41:01 us=118364 Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
2024-06-29 13:41:01 us=118448 Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
2024-06-29 13:41:01 us=118507 Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
2024-06-29 13:41:01 us=118566 Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
2024-06-29 13:41:01 us=118723 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
root@OpenWrt:/var/log# 

After this, I rebooted the router and removed comp-lzo from the OpenVPN configuration file for the server in Amsterdam:

root@OpenWrt:/var/log# cat openvpn.log
root@OpenWrt:/var/log# cat openvpn.log
2024-06-29 15:28:28 us=882736 --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2024-06-29 15:28:28 us=884680 OpenVPN 2.5.8 x86_64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2024-06-29 15:28:28 us=884709 library versions: OpenSSL 3.0.13 30 Jan 2024, LZO 2.10
2024-06-29 15:28:28 us=885646 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-06-29 15:28:28 us=887230 No valid translation found for TLS cipher 'TLS_CHACHA20_POLY1305_SHA256'
2024-06-29 15:28:28 us=887271 No valid translation found for TLS cipher 'TLS_AES_256_GCM_SHA384'
2024-06-29 15:28:28 us=890511 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2024-06-29 15:28:28 us=890542 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2024-06-29 15:28:28 us=890639 Control Channel MTU parms [ L:1625 D:1140 EF:110 EB:0 ET:0 EL:3 ]
2024-06-29 15:28:28 us=890712 Data Channel MTU parms [ L:1625 D:1300 EF:125 EB:406 ET:0 EL:3 AF:14/125 ]
2024-06-29 15:28:28 us=890733 Fragmentation MTU parms [ L:1625 D:1300 EF:125 EB:406 ET:0 EL:3 AF:14/125 ]
2024-06-29 15:28:28 us=890769 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1589,tun-mtu 1500,proto UDPv4,mtu-dynamic,keydir 1,auth SHA512,keysize 128,tls-auth,key-method 2,tls-client'
2024-06-29 15:28:28 us=890785 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1589,tun-mtu 1500,proto UDPv4,mtu-dynamic,keydir 0,auth SHA512,keysize 128,tls-auth,key-method 2,tls-server'
2024-06-29 15:28:28 us=890805 TCP/UDP: Preserving recently used remote address: [AF_INET]95.168.167.236:1150
2024-06-29 15:28:28 us=890832 Socket Buffers: R=[212992->212992] S=[212992->212992]
2024-06-29 15:28:28 us=890849 UDP link local: (not bound)
2024-06-29 15:28:28 us=890867 UDP link remote: [AF_INET]95.168.167.236:1150
2024-06-29 15:28:28 us=890940 Network unreachable, restarting
2024-06-29 15:28:28 us=891003 TCP/UDP: Closing socket
2024-06-29 15:28:28 us=891047 SIGUSR1[soft,network-unreachable] received, process restarting
2024-06-29 15:28:28 us=891140 Restart pause, 5 second(s)
2024-06-29 15:28:33 us=891245 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-06-29 15:28:33 us=891300 Re-using SSL/TLS context
2024-06-29 15:28:33 us=891384 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2024-06-29 15:28:33 us=891406 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2024-06-29 15:28:33 us=891507 Control Channel MTU parms [ L:1625 D:1140 EF:110 EB:0 ET:0 EL:3 ]
2024-06-29 15:28:33 us=891573 TCP/UDP: Preserving recently used remote address: [AF_INET]95.168.167.236:1150
2024-06-29 15:28:33 us=891595 Data Channel MTU parms [ L:1625 D:1300 EF:125 EB:406 ET:0 EL:3 AF:14/125 ]
2024-06-29 15:28:33 us=891612 Fragmentation MTU parms [ L:1625 D:1300 EF:125 EB:406 ET:0 EL:3 AF:14/125 ]
2024-06-29 15:28:33 us=891648 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1589,tun-mtu 1500,proto UDPv4,mtu-dynamic,keydir 1,auth SHA512,keysize 128,tls-auth,key-method 2,tls-client'
2024-06-29 15:28:33 us=891665 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1589,tun-mtu 1500,proto UDPv4,mtu-dynamic,keydir 0,auth SHA512,keysize 128,tls-auth,key-method 2,tls-server'
2024-06-29 15:28:33 us=891682 TCP/UDP: Preserving recently used remote address: [AF_INET]95.168.167.236:1150
2024-06-29 15:28:33 us=891703 Socket Buffers: R=[212992->212992] S=[212992->212992]
2024-06-29 15:28:33 us=891720 UDP link local: (not bound)
2024-06-29 15:28:33 us=891737 UDP link remote: [AF_INET]95.168.167.236:1150
2024-06-29 15:28:33 us=902290 TLS: Initial packet from [AF_INET]95.168.167.236:1150, sid=bfaedc31 d8902200
2024-06-29 15:28:33 us=902497 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2024-06-29 15:28:33 us=920975 VERIFY OK: depth=1, C=CH, ST=Zug, L=Zug, O=Perfect Privacy, CN=Perfect Privacy, emailAddress=admin@perfect-privacy.com
2024-06-29 15:28:33 us=921665 VERIFY KU OK
2024-06-29 15:28:33 us=921701 Validating certificate extended key usage
2024-06-29 15:28:33 us=921726 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2024-06-29 15:28:33 us=921748 VERIFY EKU OK
2024-06-29 15:28:33 us=921771 VERIFY OK: depth=0, C=CH, ST=Zug, O=Perfect Privacy, CN=Server_amsterdam.perfect-privacy.com, emailAddress=admin@perfect-privacy.com
2024-06-29 15:28:33 us=988338 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1589', remote='link-mtu 1606'
2024-06-29 15:28:33 us=988829 WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
2024-06-29 15:28:33 us=989320 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
2024-06-29 15:28:33 us=989879 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
2024-06-29 15:28:33 us=989968 [Server_amsterdam.perfect-privacy.com] Peer Connection Initiated with [AF_INET]95.168.167.236:1150
2024-06-29 15:28:34 us=390518 SENT CONTROL [Server_amsterdam.perfect-privacy.com]: 'PUSH_REQUEST' (status=1)
2024-06-29 15:28:34 us=390773 PUSH: Received control message: 'PUSH_REPLY,topology subnet,redirect-gateway def1 ipv6,sndbuf 131072,rcvbuf 131072,route-ipv6 2000::/3,comp-lzo no,route-gateway 10.5.212.1,ping 10,ping-restart 60,dhcp-option DNS 212.7.210.184,dhcp-option DNS 185.17.184.3,ifconfig-ipv6 fdbf:1d37:bbe0:0:93:4:0:23/112 fdbf:1d37:bbe0:0:93:4:0:1,ifconfig 10.5.212.35 255.255.255.0,peer-id 3,cipher AES-128-CBC'
2024-06-29 15:28:34 us=390877 WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
2024-06-29 15:28:34 us=391105 OPTIONS IMPORT: timers and/or timeouts modified
2024-06-29 15:28:34 us=391145 OPTIONS IMPORT: compression parms modified
2024-06-29 15:28:34 us=391175 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
2024-06-29 15:28:34 us=391216 Socket Buffers: R=[212992->262144] S=[212992->262144]
2024-06-29 15:28:34 us=391244 OPTIONS IMPORT: --ifconfig/up options modified
2024-06-29 15:28:34 us=391270 OPTIONS IMPORT: route options modified
2024-06-29 15:28:34 us=391296 OPTIONS IMPORT: route-related options modified
2024-06-29 15:28:34 us=391322 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2024-06-29 15:28:34 us=391349 OPTIONS IMPORT: peer-id set
2024-06-29 15:28:34 us=391376 OPTIONS IMPORT: adjusting link_mtu to 1628
2024-06-29 15:28:34 us=391403 OPTIONS IMPORT: data channel crypto options modified
2024-06-29 15:28:34 us=391432 Data Channel: using negotiated cipher 'AES-128-CBC'
2024-06-29 15:28:34 us=391501 Data Channel MTU parms [ L:1608 D:1300 EF:108 EB:406 ET:0 EL:3 AF:14/125 ]
2024-06-29 15:28:34 us=391544 Fragmentation MTU parms [ L:1625 D:1300 EF:105 EB:406 ET:0 EL:3 AF:14/125 ]
2024-06-29 15:28:34 us=391841 Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
2024-06-29 15:28:34 us=391896 Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
2024-06-29 15:28:34 us=391935 Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
2024-06-29 15:28:34 us=391989 Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
2024-06-29 15:28:34 us=392124 net_route_v4_best_gw query: dst 0.0.0.0
2024-06-29 15:28:34 us=392295 net_route_v4_best_gw result: via 192.168.188.1 dev eth1
2024-06-29 15:28:34 us=392404 GDG6: remote_host_ipv6=n/a
2024-06-29 15:28:34 us=392443 net_route_v6_best_gw query: dst ::
2024-06-29 15:28:34 us=392510 sitnl_send: rtnl: generic error (-101): Network unreachable
2024-06-29 15:28:34 us=393345 TUN/TAP device tun0 opened
2024-06-29 15:28:34 us=393415 do_ifconfig, ipv4=1, ipv6=1
2024-06-29 15:28:34 us=393467 net_iface_mtu_set: mtu 1500 for tun0
2024-06-29 15:28:34 us=393574 net_iface_up: set tun0 up
2024-06-29 15:28:34 us=393768 net_addr_v4_add: 10.5.212.35/24 dev tun0
2024-06-29 15:28:34 us=393939 net_iface_mtu_set: mtu 1500 for tun0
2024-06-29 15:28:34 us=394024 net_iface_up: set tun0 up
2024-06-29 15:28:34 us=394098 net_addr_v6_add: fdbf:1d37:bbe0:0:93:4:0:23/112 dev tun0
2024-06-29 15:28:34 us=394432 /usr/libexec/openvpn-hotplug up PP_Amsterdam tun0 1500 1608 10.5.212.35 255.255.255.0 init
2024-06-29 15:28:36 us=221304 net_route_v4_add: 95.168.167.236/32 via 192.168.188.1 dev [NULL] table 0 metric -1
2024-06-29 15:28:36 us=221601 net_route_v4_add: 0.0.0.0/1 via 10.5.212.1 dev [NULL] table 0 metric -1
2024-06-29 15:28:36 us=221714 net_route_v4_add: 128.0.0.0/1 via 10.5.212.1 dev [NULL] table 0 metric -1
2024-06-29 15:28:36 us=221828 add_route_ipv6(2000::/3 -> fdbf:1d37:bbe0:0:93:4:0:1 metric -1) dev tun0
2024-06-29 15:28:36 us=221882 net_route_v6_add: 2000::/3 via :: dev tun0 table 0 metric -1
2024-06-29 15:28:36 us=222018 add_route_ipv6(::/3 -> fdbf:1d37:bbe0:0:93:4:0:1 metric -1) dev tun0
2024-06-29 15:28:36 us=222078 net_route_v6_add: ::/3 via :: dev tun0 table 0 metric -1
2024-06-29 15:28:36 us=222198 add_route_ipv6(2000::/4 -> fdbf:1d37:bbe0:0:93:4:0:1 metric -1) dev tun0
2024-06-29 15:28:36 us=222255 net_route_v6_add: 2000::/4 via :: dev tun0 table 0 metric -1
2024-06-29 15:28:36 us=222367 add_route_ipv6(3000::/4 -> fdbf:1d37:bbe0:0:93:4:0:1 metric -1) dev tun0
2024-06-29 15:28:36 us=222421 net_route_v6_add: 3000::/4 via :: dev tun0 table 0 metric -1
2024-06-29 15:28:36 us=222523 add_route_ipv6(fc00::/7 -> fdbf:1d37:bbe0:0:93:4:0:1 metric -1) dev tun0
2024-06-29 15:28:36 us=222569 net_route_v6_add: fc00::/7 via :: dev tun0 table 0 metric -1
2024-06-29 15:28:36 us=232092 Initialization Sequence Completed

After all this, I still do not have IPv6 connectivity - but as written, I do have IPv4 connectivity through a VPN tunnel and access to the internet.

I hope the above information provides you further insight into where my problem may reside. Any additional assistance will be warmly welcomed!

First you can set comp-lzo back in the OpenVPN config, your provider still uses it (deprecated but so be it)

Here you see that your IPv6 via the VPN is working

fdbf:1d37:bbe0:0: is the VPN subnet

So the good news is your VPN is OK and is set up and working for IPv6, with IPv6 default routing via the VPN.

So I suspect that your local LAN clients are not set up adequately to use IPv6.

I am not that much of an IPv6 expert, but if you disable the VPN and reboot the router do you have working IPv6 from your local LAN clients?
I just test from my local LAN clients with: http://test-ipv6.com/ and https://ipv6-test.com/ and

I thought one of your configs had tun0 in the wan zone. Since you're using a separate zone, masq6 belongs in the PP_VPN zone. In LuCI it is a check box on the Advanced tab of the edit zone page.

Also I see now that ifstatus needs a UCI network name (PP_VPN) instead of the kernel name. However it is clear that v6 works from the router. Assuming your LAN clients have a v6 GUA and a v6 reachable DNS server, the only remaining problem is likely lack of NAT.

I adjusted the OpenVPN config by setting comp-lzo back into it.

Unfortunately I don't, which is odd because my Macbook is configured to handle IPv6 connections automatically.

I found the checkbox this time, and activated masq6 in the PP_VPN zone.

Checking ifstatus for PP_VPN resulted in the following:

root@OpenWrt:~# ifstatus PP_VPN
{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 403,
	"l3_device": "tun0",
	"proto": "none",
	"device": "tun0",
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		
	],
	"ipv6-address": [
		
	],
	"ipv6-prefix": [
		
	],
	"ipv6-prefix-assignment": [
		
	],
	"route": [
		
	],
	"dns-server": [
		
	],
	"dns-search": [
		
	],
	"neighbors": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			
		],
		"dns-search": [
			
		],
		"neighbors": [
			
		]
	},
	"data": {
		
	}
}

You're starting to lose me here :grinning:, but if you mean whether the computer I am configuring my OpenWrt router from is assigned an IPv6 address, it seems it is, but correct me if I am wrong:

Pinging an IPv6-reachable server doesn't seem to be a problem:

ping6 IPv6 DNS Server Google: 2001:4860:4860::8888

PING 2001:4860:4860::8888 (2001:4860:4860::8888): 56 data bytes
64 bytes from 2001:4860:4860::8888: seq=0 ttl=114 time=6.087 ms
64 bytes from 2001:4860:4860::8888: seq=1 ttl=114 time=7.362 ms
64 bytes from 2001:4860:4860::8888: seq=2 ttl=114 time=7.369 ms
64 bytes from 2001:4860:4860::8888: seq=3 ttl=114 time=5.442 ms
64 bytes from 2001:4860:4860::8888: seq=4 ttl=114 time=7.875 ms

--- 2001:4860:4860::8888 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 5.442/6.827/7.875 ms

With respect to your remark about the likely lack of NAT, I did a bit of Googling and read that IPv6 doesn't need NAT. Hence my question whether you could explain this point and also if there's anything I could do about it. TIA!

Unfortunately, your network has no proper IPv6 setup,
and an fe80:: address is an LLA (link-local address), equivalent to 169.254.
That is the reason you do not have IPv6 on the clients.

As said, your VPN is working also with IPv6.
The VPN interface needs NAT6 because it does not use a GUA (global unique address) but a ULA (unique local address, e.g. fd::).

So you have to set up IPv6 on your network first.
If possible, proper GUA; if that is not possible, you can use ULA addresses. This can give you IPv6 internet access if you do NAT6 on the WAN interface, but proper GUA is the preferred way.

1 Like

Correct. The Macbook etc. must have a GUA address (starts with 2 or 3) before it will attempt to originate a connection to the v6 Internet. Check the network status on the Macbook.
I thought this was already the case since you have a v6 ISP apparently properly configured. If you shut down OpenVPN, does the Macbook use IPv6 via your ISP?

1 Like
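The two replies above hinge on which kind of IPv6 address a host holds: a GUA (2000::/3) is routable as-is, a ULA (fc00::/7, such as the fdbf: VPN subnet) only reaches the internet behind NAT6/masq6, and an fe80:: LLA never leaves the link. The following POSIX sh script is an added example, not something posted in the thread; it classifies addresses by those ranges and states what each needs, using the thread's VPN gateway and Google DNS plus a constructed link-local address as sample input (it assumes syntactically valid addresses).

```sh
#!/bin/sh
# Added example: classify IPv6 addresses into the scopes discussed in the thread
# and state what each one needs to reach the v6 internet.
# Ranges: GUA 2000::/3, ULA fc00::/7, LLA fe80::/10 (RFC 4291 / RFC 4193).

# Return the first hextet of an address as a decimal integer (0 when it is empty, e.g. "::1").
first_hextet() {
  addr=$(printf '%s' "$1" | cut -d/ -f1 | tr 'A-F' 'a-f')   # drop any /prefix length
  h=${addr%%:*}                                              # text before the first ':'
  [ -n "$h" ] || h=0
  echo "$((0x$h))"
}

# Print GUA, ULA, LLA or OTHER for one address (prefix length or %zone suffix allowed).
classify_v6() {
  n=$(first_hextet "$1")
  if   [ "$n" -ge 8192 ]  && [ "$n" -lt 16384 ]; then echo GUA    # 0x2000-0x3fff
  elif [ "$n" -ge 64512 ] && [ "$n" -lt 65024 ]; then echo ULA    # 0xfc00-0xfdff
  elif [ "$n" -ge 65152 ] && [ "$n" -lt 65216 ]; then echo LLA    # 0xfe80-0xfebf
  else echo OTHER
  fi
}

# Print what a host that only holds this address needs in order to reach the v6 internet.
v6_reachability() {
  case $(classify_v6 "$1") in
    GUA) echo "routable as-is, no NAT needed" ;;
    ULA) echo "not routed on the internet, needs NAT6 (masq6) on the egress zone" ;;
    LLA) echo "link-local only, cannot leave the link" ;;
    *)   echo "not a unicast address a client would originate from" ;;
  esac
}

# Constructed sample: the thread's VPN gateway (ULA), Google DNS (GUA) and a link-local address.
for a in fdbf:1d37:bbe0:0:93:4:0:1 2001:4860:4860::8888/128 fe80::1%br-lan; do
  printf '%-30s %-5s %s\n' "$a" "$(classify_v6 "$a")" "$(v6_reachability "$a")"
done
```

Run it against the output of `ip -6 addr show dev br-lan` on the router (or the Macbook's address list) to see at a glance whether a client has anything but an LLA to source traffic from.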

If I disconnect from my Protectli OpenWrt router and circumvent it by connecting my Macbook directly to my FritzBox 7590 modem/router (one of the LAN ports of which is connected to the WAN port of the Protectli OpenWrt router) and check the network status, I am seeing this:

When I log in to the management console of my modem/router, I also see it is assigned an IPv6 prefix, ending in ::/48 (which you probably already guessed from the screenshot above :smiley:). Am I correct to conclude that both my modem/router and my Macbook are assigned IPv6 addresses and that the latter uses IPv6 via my ISP? If so, how would I proceed from here?