Find out router GUA IPv6 address to use OpenVPN

Hi. I'm trying to use an OpenVPN server to connect to my LAN from the internet. My ISP assigns me a /56 address range that I delegate to two /64 subnets (lan and guest), configured as explained in the IPv6 docs. All my clients receive a unique IPv6 GUA address, have connectivity, and pass IPv6 tests.

My problem is when I try to configure OpenVPN: I configured a firewall rule to open UDP port 1194, and if I test that port with my PC's GUA it appears open/filtered (as expected), but I cannot figure out which GUA address belongs to the router: I tried the IPv6 address shown on the wan6 interface (Network/Interfaces), but the port scanner reports it closed (and that address doesn't belong to the assigned IP pool: the wan6 /124 address begins with 2800:485:0, while the PD block begins with 2800:484:7XXX). I also tried the /64 address assigned to lan, with the same result. When I check IPv6 routing in LuCI, I get a bunch of GUAs assigned in the lan space, but I don't know how to figure out which of them could be the router's GUA address to use for OpenVPN.

Any help? Any ideas?

Thanks,

ifstatus wan, ifstatus wan6 or ifstatus wan_6: one of them should provide your answer.


For a service hosted on the router you would use the wan interface's GUA. This should (with an ISP following recommended practices) be outside the /56 that is delegated to your LAN(s). Make sure to write the firewall rule as a simple allow input (only src wan is specified, no dest) and not a forward.


I don't see anything in particular...
ifstatus wan:

{
        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 88247,
        "l3_device": "eth0.2",
        "proto": "dhcp",
        "device": "eth0.2",
        "metric": 0,
        "dns_metric": 0,
        "delegation": false,
        "ipv4-address": [
                {
                        "address": "181.55.15X.XX",
                        "mask": 22
                }
        ],
        "ipv6-address": [

        ],
        "ipv6-prefix": [

        ],
        "ipv6-prefix-assignment": [

        ],
        "route": [
                {
                        "target": "0.0.0.0",
                        "mask": 0,
                        "nexthop": "181.55.15X.1",
                        "source": "181.55.15X.XX/32"
                }
        ],
        "dns-server": [
                "8.8.8.8",
                "8.8.4.4"
        ],
        "dns-search": [

        ],
        "neighbors": [

        ],
        "inactive": {
                "ipv4-address": [

                ],
                "ipv6-address": [

                ],
                "route": [

                ],
                "dns-server": [
                        "190.157.8.101",
                        "190.157.8.100"
                ],
                "dns-search": [

                ],
                "neighbors": [

                ]
        },
        "data": {
                "dhcpserver": "100.70.133.84",
                "leasetime": 86400
        }
}

ifstatus wan6:

{
        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 86617,
        "l3_device": "eth0.2",
        "proto": "dhcpv6",
        "device": "eth0.2",
        "metric": 0,
        "dns_metric": 0,
        "delegation": true,
        "ipv4-address": [

        ],
        "ipv6-address": [
                {
                        "address": "2800:485:0:1d:21d2:XXXX:XXXX:a741",
                        "mask": 128,
                        "preferred": 441853,
                        "valid": 1046653
                }
        ],
        "ipv6-prefix": [
                {
                        "address": "2800:484:777b:XXXX::",
                        "mask": 56,
                        "preferred": 441853,
                        "valid": 1046653,
                        "class": "wan6",
                        "assigned": {
                                "lan": {
                                        "address": "2800:484:777b:XXXX::",
                                        "mask": 64
                                },
                                "OPVN": {
                                        "address": "2800:484:777b:XXXX::",
                                        "mask": 64
                                },
                                "guest": {
                                        "address": "2800:484:777b:XXXX::",
                                        "mask": 64
                                }
                        }
                }
        ],
        "ipv6-prefix-assignment": [

        ],
        "route": [
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "fe80::201:5cff:fe70:c8bd",
                        "metric": 512,
                        "valid": 1579,
                        "source": "2800:484:777b:XXXX::/56"
                },
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "fe80::201:5cff:fe70:c8bd",
                        "metric": 512,
                        "valid": 1579,
                        "source": "2800:485:0:1d:21d2:XXXX:XXXX:a741/128"
                }
        ],
        "dns-server": [
                "2001:4860:4860::8844",
                "2001:4860:4860::8888"
        ],
        "dns-search": [

        ],
        "neighbors": [

        ],
        "inactive": {
                "ipv4-address": [

                ],
                "ipv6-address": [

                ],
                "route": [

                ],
                "dns-server": [
                        "2800:481:300::4",
                        "2800:481:2300::4"
                ],
                "dns-search": [

                ],
                "neighbors": [

                ]
        },
        "data": {
                "passthru": "001700202800048103000000000000000000000428000481230000000000000000000004"
        }
}

This looks like the correct address. You can use DDNS to make sure you always have the correct address in case it changes; I use dynv6.net, which works like a charm.
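The ifstatus check suggested above, worked through as an added example (this is not code from the thread): a small Python script that loads `ifstatus wan6` output and separates the interface's own global address from the prefixes delegated to the LANs, which is the distinction the replies rely on. The JSON below is a constructed sample mirroring the shape of the output posted earlier, with placeholder addresses; the function names are mine.

```python
import ipaddress
import json

# Constructed sample in the shape of `ifstatus wan6` on OpenWrt.
# Addresses are placeholders, not the poster's real ones.
SAMPLE_IFSTATUS_WAN6 = """
{
  "up": true,
  "proto": "dhcpv6",
  "delegation": true,
  "ipv6-address": [
    {"address": "2800:485:0:1d:21d2:1:2:a741", "mask": 128}
  ],
  "ipv6-prefix": [
    {"address": "2800:484:777b:ab00::", "mask": 56,
     "assigned": {
        "lan":   {"address": "2800:484:777b:ab00::", "mask": 64},
        "OPVN":  {"address": "2800:484:777b:ab01::", "mask": 64},
        "guest": {"address": "2800:484:777b:ab02::", "mask": 64}
     }}
  ]
}
"""


def load_status(text):
    """Parse ifstatus JSON text (e.g. the output of `ifstatus wan6`)."""
    return json.loads(text)


def delegated_prefixes(status):
    """Prefixes the ISP delegated to us; hosts in them sit behind the router, not on its WAN."""
    return [ipaddress.ip_network(f"{p['address']}/{p['mask']}")
            for p in status.get("ipv6-prefix", [])]


def wan_service_addresses(status):
    """The interface's own global addresses that lie outside every delegated prefix.

    These are the addresses at which a service hosted on the router itself
    (such as an OpenVPN server) is reached from the internet.
    """
    prefixes = delegated_prefixes(status)
    result = []
    for entry in status.get("ipv6-address", []):
        addr = ipaddress.ip_address(entry["address"])
        if not addr.is_global:
            continue  # link-local / ULA: not reachable from outside anyway
        if any(addr in p for p in prefixes):
            continue  # part of the delegation, i.e. a LAN-side address
        result.append(str(addr))
    return result


def classify(address, status):
    """Say what role a candidate address plays for this router."""
    addr = ipaddress.ip_address(address)
    if any(addr in p for p in delegated_prefixes(status)):
        return "delegated"      # lands in a LAN /64, not on the router's WAN
    if addr.is_link_local:
        return "link-local"
    if str(addr) in wan_service_addresses(status):
        return "wan-gua"        # the address to publish for a router-hosted service
    return "other"


if __name__ == "__main__":
    status = load_status(SAMPLE_IFSTATUS_WAN6)
    print("delegated:", [str(p) for p in delegated_prefixes(status)])
    print("router WAN GUA(s):", wan_service_addresses(status))
```

On a router you would feed it the real output, e.g. `ifstatus wan6 | python3 this_script.py` after replacing the sample with `sys.stdin.read()`; the address it reports as `wan-gua` is the one to put in the DDNS record, while anything it reports as `delegated` is a LAN-side address that a rule on the router's input chain does not cover.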

Thanks... so my ISP is following the guidelines... If I change my 1194 rule to this:


my 1194 port is open and listening:

but it messes up the OpenVPN connection:

2025-01-05 06:48:00 TCP/UDP: Preserving recently used remote address: [AF_INET]181.55.156.70:1194
2025-01-05 06:48:00 Socket Buffers: R=[65536->65536] S=[65536->65536]
2025-01-05 06:48:00 UDPv4 link local: (not bound)
2025-01-05 06:48:00 UDPv4 link remote: [AF_INET]181.55.156.70:1194
2025-01-05 06:48:00 MANAGEMENT: >STATE:1736077680,WAIT,,,,,,
2025-01-05 06:49:00 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2025-01-05 06:49:00 TLS Error: TLS handshake failed
2025-01-05 06:49:00 SIGUSR1[soft,tls-error] received, process restarting
2025-01-05 06:49:00 MANAGEMENT: >STATE:1736077740,RECONNECTING,tls-error,,,,,
2025-01-05 06:49:00 Restart pause, 1 second(s)
2025-01-05 06:49:01 TCP/UDP: Preserving recently used remote address: [AF_INET]181.55.156.70:1194
2025-01-05 06:49:01 Socket Buffers: R=[65536->65536] S=[65536->65536]
2025-01-05 06:49:01 UDPv4 link local: (not bound)
2025-01-05 06:49:01 UDPv4 link remote: [AF_INET]181.55.156.70:1194
2025-01-05 06:49:01 MANAGEMENT: >STATE:1736077741,WAIT,,,,,,

I think it is because changing to "any zone" behaves like a forward.
If I change back to input, OpenVPN works, but the 1194 port is closed on wan6:


/etc/config/firewall:

config rule
	option name 'Allow-ovpn-1194'
	option src 'wan'
	option dest_port '1194'
	option target 'ACCEPT'
	list proto 'udp'

Note: if you use TCP, change accordingly.

I'm using tun in OpenVPN, configured on a UDP port. My rule in /etc/config/firewall is
like yours:

config rule
        option name 'Allow-Openvpn-Inbound'
        list proto 'udp'
        option src 'wan'
        option dest_port '1194'
        option target 'ACCEPT'

With this rule I can use OpenVPN over IPv4, but it doesn't listen for IPv6 connections. (I'm making these checks because my ISP is implementing CGNAT, so I may need to migrate OpenVPN to an IPv6-only connection.)

The Advanced tab in the GUI has the address family, and the default should be IPv4 and IPv6.
That is how it works for me at least; I have IPv4 and IPv6 fully implemented.

Yes, I already checked that:


But with this rule my router opens port 1194 for IPv4, but not for IPv6...
This is my entire firewall config:

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'DROP'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'
        option drop_invalid '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'lan'
        option proto 'icmp'
        option family 'ipv4'
        option target 'ACCEPT'
        list icmp_type 'echo-request'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'QBitTorrent'
        option src 'wan'
        option src_dport '63353'
        option dest_ip '192.168.11.2'
        option dest_port '63353'
        option enabled '0'

config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

config forwarding
        option src 'guest'
        option dest 'wan'

config rule
        option name 'Allow-DNS-Guest'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCP-Guest'
        list proto 'udp'
        option src 'guest'
        option dest_port '67'
        option target 'ACCEPT'

config zone
        option name 'openvpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'OPVN'
        option masq '1'

config rule
        option name 'Allow-Openvpn-Inbound'
        list proto 'udp'
        option src 'wan'
        option dest_port '1194'
        option target 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'openvpn'

config forwarding
        option src 'openvpn'
        option dest 'lan'

config forwarding
        option src 'openvpn'
        option dest 'wan'

I'm using the tun0 device for the OpenVPN connection, and the OVPN interface with the 192.168.13.0 pool.

I would also remove the masquerade. You only need it on wan.

Add family any to cover IPv4 and IPv6.

I'm not an OpenVPN expert but this looks like it is running in client mode and trying to connect to a remote server using v4. Make sure that OpenVPN is properly configured in server mode.

UDP ports cannot be readily scanned, since unlike TCP there is no standard "initiate connection" packet that is guaranteed to elicit a response no matter the type of service. Suggest running the server temporarily in TCP mode to make troubleshooting easier. Another important troubleshooting step would be to capture packets on the wan port to see if any connection attempts are reaching your router. Run netstat -lpn to confirm the server process is listening on v6 port 1194.

Another note about nmap based port scanning is that a result of "open/filtered" means that a reply was received, but it was a REJECT. This may have been generated by the endpoint device (as is standard for a Linux kernel with no process having opened the port) or an intervening firewall.

Both server and client must be set up for IPv6, meaning use udp6 instead of udp4, and add on the server side things like:

#ipv6
server-ipv6  fddb:c50f:f9bc:4bb3::/64
#push "route-ipv6 ::/1"
#push "route-ipv6 8000::/1"
push "redirect-gateway ipv6 def1"
#proto udp4
proto udp6

For me it works :)

>STATE:1736081358,CONNECTED,SUCCESS,10.8.0.2,2001:1c03:adcd:2222::6,1194,,,fddb:c50f:f9bc:4bb3::1000

done... thanks...

Thanks... I will go directly to a full IPv6 implementation of my OpenVPN server... I was trying to check step by step before the full implementation to reduce possible problems, so I tried to check the IPv6 UDP open port, but it could be that IPv6 behaves differently...

I'm new, but I think that the router is listening on UDP 1194 on all interfaces... This is the netstat dump:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.11.1:22         0.0.0.0:*               LISTEN      2630/dropbear
tcp        0      0 192.168.11.1:53         0.0.0.0:*               LISTEN      3999/dnsmasq
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      3999/dnsmasq
tcp        0      0 192.168.12.1:53         0.0.0.0:*               LISTEN      3999/dnsmasq
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1952/uhttpd
tcp        0      0 181.55.15X.XX:53        0.0.0.0:*               LISTEN      3999/dnsmasq
tcp        0      0 192.168.13.1:53         0.0.0.0:*               LISTEN      3999/dnsmasq
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1952/uhttpd
tcp        0      0 fe80::b2a7:b9ff:XXXX:XXXX:53 :::*                    LISTEN      3999/dnsmasq
tcp        0      0 fe80::b2a7:b9ff:XXXX:XXXX:53 :::*                    LISTEN      3999/dnsmasq
tcp        0      0 fe80::b2a7:b9ff:XXXX:XXXX:53 :::*                    LISTEN      3999/dnsmasq
tcp        0      0 2800:485:0:1d:21d2:XXXX:XXXX:a741:53 :::*                    LISTEN      3999/dnsmasq
tcp        0      0 fe80::b2a7:b9ff:XXXX:XXXX:53 :::*                    LISTEN      3999/dnsmasq
tcp        0      0 fe80::3bf4:7928:d16:56b4:53 :::*                    LISTEN      3999/dnsmasq
tcp        0      0 2800:484:777b:XXX0::1:53 :::*                    LISTEN      3999/dnsmasq
tcp        0      0 :::443                  :::*                    LISTEN      1952/uhttpd
tcp        0      0 2800:484:777b:XXX2::1:53 :::*                    LISTEN      3999/dnsmasq
tcp        0      0 2800:484:777b:XXX1::1:53 :::*                    LISTEN      3999/dnsmasq
tcp        0      0 :::80                   :::*                    LISTEN      1952/uhttpd
tcp        0      0 fe80::b0a7:b9ff:fe17:f88a:53 :::*                    LISTEN      3999/dnsmasq
tcp        0      0 ::1:53                  :::*                    LISTEN      3999/dnsmasq
tcp        0      0 fe80::b2a7:b9ff:fe17:f88a:53 :::*                    LISTEN      3999/dnsmasq
tcp        0      0 fe80::b0a7:b9ff:fe17:f88b:53 :::*                    LISTEN      3999/dnsmasq
tcp        0      0 fe80::b0a7:b9ff:fe17:f88b:53 :::*                    LISTEN      3999/dnsmasq
udp        0      0 0.0.0.0:16720           0.0.0.0:*                           2002/usteerd
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           18062/openvpn
udp        0      0 192.168.12.1:53         0.0.0.0:*                           3999/dnsmasq
udp        0      0 127.0.0.1:53            0.0.0.0:*                           3999/dnsmasq
udp        0      0 192.168.13.1:53         0.0.0.0:*                           3999/dnsmasq
udp        0      0 192.168.11.1:53         0.0.0.0:*                           3999/dnsmasq
udp        0      0 181.55.15X.XX:53        0.0.0.0:*                           3999/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           3999/dnsmasq
udp        0      0 :::546                  :::*                                4984/odhcp6c
udp        0      0 :::547                  :::*                                1826/odhcpd
udp        0      0 :::547                  :::*                                1826/odhcpd
udp        0      0 :::547                  :::*                                1826/odhcpd
udp        0      0 2800:484:777b:XXX1::1:53 :::*                                3999/dnsmasq
udp        0      0 fe80::3bf4:7928:d16:56b4:53 :::*                                3999/dnsmasq
udp        0      0 2800:484:777b:XXX0::1:53 :::*                                3999/dnsmasq
udp        0      0 2800:484:777b:XXX2::1:53 :::*                                3999/dnsmasq
udp        0      0 2800:485:0:1d:21d2:XXXX:XXXX:a741:53 :::*                                3999/dnsmasq
udp        0      0 fe80::b0a7:b9ff:fe17:f88a:53 :::*                                3999/dnsmasq
udp        0      0 fe80::b2a7:b9ff:fe17:f88a:53 :::*                                3999/dnsmasq
udp        0      0 ::1:53                  :::*                                3999/dnsmasq
udp        0      0 fe80::b2a7:b9ff:fe17:f88b:53 :::*                                3999/dnsmasq
udp        0      0 fe80::b0a7:b9ff:fe17:f88b:53 :::*                                3999/dnsmasq
udp        0      0 fe80::b2a7:b9ff:fe17:f88b:53 :::*                                3999/dnsmasq
udp        0      0 fe80::b2a7:b9ff:fe17:f88c:53 :::*                                3999/dnsmasq
udp        0      0 fe80::b2a7:b9ff:fe17:f88b:53 :::*                                3999/dnsmasq
udp        0      0 fe80::b0a7:b9ff:fe17:f88b:53 :::*                                3999/dnsmasq
raw        0      0 ::%161:58               ::%4239517:*            58          1826/odhcpd
raw        0      0 ::%161:58               ::%4239517:*            58          1826/odhcpd
raw        0      0 ::%161:58               ::%4239517:*            58          1826/odhcpd
raw        0      0 ::%160:58               ::%4239517:*            58          4984/odhcp6c
raw        0      0 ::%159:58               ::%4239517:*            58          1826/odhcpd
raw        0      0 ::%159:58               ::%4239517:*            58          1826/odhcpd
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING        297 528/ubusd           /var/run/ubus/ubus.sock

About the reject: also reviewing this discussion, it could be that because I didn't configure OpenVPN for IPv6, it doesn't receive IPv6 packets, so UDP appears closed... I also thought that the ISP firewall could be filtering UDP port 1194, but following your suggestion I made a temporary change in my firewall to "any zone" and the port changed from closed to open, so it is not the ISP firewall.

It is not listening for v6. You have 0.0.0.0:1194 which is v4, but not :::1194.
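The `netstat -lpn` check recommended earlier, and the reading of it in the reply just above, as an added example that is not from this thread: a Python parser for `netstat -lpn` output that reports which address families a given proto/port is bound on, so the "0.0.0.0 but no ::" situation can be spotted mechanically. The sample lines are constructed in the format of the dump posted above, with placeholder addresses and PIDs; the function names are mine.

```python
# Constructed excerpt in the format of `netstat -lpn` (busybox netstat on OpenWrt).
# Addresses and PIDs are placeholders mirroring the thread, not real data.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1952/uhttpd
tcp        0      0 2800:484:777b:ab00::1:53 :::*                   LISTEN      3999/dnsmasq
tcp        0      0 :::443                  :::*                    LISTEN      1952/uhttpd
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           18062/openvpn
udp        0      0 :::546                  :::*                                4984/odhcp6c
udp        0      0 192.168.11.1:53         0.0.0.0:*                           3999/dnsmasq
raw        0      0 ::%161:58               ::%4239517:*            58          1826/odhcpd
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING        297 528/ubusd           /var/run/ubus/ubus.sock
"""


def parse_netstat(text):
    """Return (proto, local_ip, local_port, program) for every inet socket line.

    Header lines and the UNIX-socket section are skipped.  IPv6 literals contain
    ':' themselves, so the local address is split on its *last* colon.
    """
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("tcp", "udp", "raw"):
            continue
        ip, _, port = fields[3].rpartition(":")
        program = fields[-1] if "/" in fields[-1] else "-"   # "-" when PID not visible
        sockets.append((fields[0], ip, int(port), program))
    return sockets


def listening_families(text, proto, port):
    """Address families on which something is bound for proto/port: {'ipv4'}, {'ipv6'} or both.

    A wildcard IPv6 bind ('::') serves IPv6 and, on Linux with net.ipv6.bindv6only=0,
    IPv4 as well; a wildcard IPv4 bind ('0.0.0.0') never serves IPv6.
    """
    families = set()
    for p, ip, prt, _ in parse_netstat(text):
        if p == proto and prt == port:
            families.add("ipv6" if ":" in ip else "ipv4")
    return families


def ipv6_reachable(text, proto, port):
    """True only if some socket for proto/port is bound on an IPv6 address."""
    return "ipv6" in listening_families(text, proto, port)


if __name__ == "__main__":
    for proto, port in (("udp", 1194), ("tcp", 443)):
        fams = sorted(listening_families(SAMPLE_NETSTAT, proto, port))
        print(f"{proto}/{port}: bound on {fams or 'nothing'}; "
              f"IPv6 reachable: {ipv6_reachable(SAMPLE_NETSTAT, proto, port)}")
```

Run against the dump in the thread it gives the same verdict as the reply above: uhttpd (443) is bound on both 0.0.0.0 and ::, while openvpn (udp/1194) is bound only on 0.0.0.0, so no firewall rule can make IPv6 clients reach it until the server itself listens on a v6 socket.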


Ummm.... any idea how I could enable it? I thought that the 1194 rule that is defined should do the work...

From what @egc said, I think you need to configure the OpenVPN server instance itself to run udp6 proto instead of udp.

The firewall only sets whether particular traffic is allowed to flow. Other parts of the system dictate what will be attempted.
