Odd IPv6 Routing Problem with OpenVPN Tunnel

I have two routers, a Linksys WRT3200ACM and a WRT32X, at two places, my house and my mother's, running OpenWrt for some time. I've had an OpenVPN tunnel set up between them to allow remote management, remote desktop and all that. It was working fine. I was still at version 19.07 on both, and decided it was time to upgrade. I decided to do baby steps and just jump up to 21.02.7, see how that went, then move on up. At any rate, I got 21.02 installed and set up and everything was working as normal, including the tunnel. But then I noticed an odd routing problem.

The tunnel is a tcp6-server setup. Internally, both IPv4 and IPv6 are set up. On the LAN side of both routers, there is a public 60-bit prefix delegated, as well as the ULA 48-bit prefix. Machines then get both ULA and Global (2600:xxxx:etc) addresses.

I set the tunnel up to route both of those IPv6 prefix subnets over the tunnel. It was working fine with the old versions. But now, the Global 2600:xxxx:... addresses will not route over the tunnel. Ping does not work.

However, the ULA addresses will route just fine, as well as IPv4. The only problem is, Windows machines prefer IPv4 over ULA, so this was making all connections go over IPv4. Playing around, I changed the prefix policies with netsh to make it prefer ULA over the global and that works fine. I'm not too comfortable with that, as I don't know what any side effects of the prefix preference change will be for other things.

I've stared at the route tables on both ends and everything looks fine. There are entries to forward the 2600:xxxx: prefix to the "tun0" interface that look just like the ULA entries which work fine. I was searching around and enabled "allow invalid traffic" in the firewall settings, but to no avail.

Traceroute doesn't seem to work; it seems to hang on the routers in an SSH session. It hangs with Windows and Linux machines sometimes as well, with lots of "* * *" hops. But sometimes something comes back. I don't know for sure, but I think the packets are dying at the client side tunnel interface. But I'm not sure.

I have no idea where to go from here. Thanks for any help.

Well, I finally figured it out. It was a silly typo in the public route prefix in the OpenVPN configuration file. When I upgraded both routers, one public prefix obviously changed, but the other prefix looked the same.

That second prefix wasn't the same, it just looked very close. The only difference was the last block was "f570" vs the previous "5f60". They looked about the same to me, and I only spotted the difference due to another problem with a firewall. That's all the problem was. Fixed now.
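
Added example, not part of the original posts: a small Python check for the mistake described above, comparing the `route-ipv6`/`iroute-ipv6` prefixes in an OpenVPN config with the prefixes actually delegated to the LANs. The config text and prefixes are constructed (documentation range 2001:db8::/32, reusing the "5f60"/"f570" blocks from the post), and the function names are hypothetical.

```python
import ipaddress
import re

# Matches route-ipv6 / iroute-ipv6 directives, including ones wrapped in push "...".
ROUTE_RE = re.compile(r'^\s*(?:push\s+")?\s*(i?route-ipv6)\s+([0-9A-Fa-f:]+/\d+)')

# Constructed sample config: the global route still carries the old prefix.
SAMPLE_CONFIG = """\
proto tcp6-server
dev tun0
route-ipv6 fd12:3456:789a::/48
route-ipv6 2001:db8:1234:5f60::/60
"""
# Constructed: prefixes the remote LAN really has after the upgrade.
DELEGATED = ["fd12:3456:789a::/48", "2001:db8:1234:f570::/60"]

def common_bits(a, b):
    """Number of leading bits two IPv6 networks share."""
    diff = int(a.network_address) ^ int(b.network_address)
    return 128 - diff.bit_length()

def routed_prefixes(config_text):
    """Return (line_no, directive, network) for every IPv6 route in the config."""
    found = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = ROUTE_RE.match(line)
        if m:
            net = ipaddress.ip_network(m.group(2), strict=False)
            found.append((no, m.group(1), net))
    return found

def audit(config_text, delegated):
    """Flag routed prefixes that match no prefix actually delegated to the LANs."""
    expected = [ipaddress.ip_network(p) for p in delegated]
    problems = []
    for no, directive, net in routed_prefixes(config_text):
        if any(net == e or net.subnet_of(e) for e in expected):
            continue
        # Same length and a shared /32 or longer: most likely a stale or mistyped prefix.
        near = [e for e in expected
                if e.prefixlen == net.prefixlen and common_bits(net, e) >= 32]
        hint = f"did you mean {near[0]}?" if near else "no delegated prefix is close"
        problems.append((no, directive, str(net), hint))
    return problems

if __name__ == "__main__":
    for no, directive, net, hint in audit(SAMPLE_CONFIG, DELEGATED):
        print(f"line {no}: {directive} {net} is not a delegated prefix ({hint})")
```

Run it against a copy of each router's config, with the delegated prefixes taken from the LAN interface of the opposite router.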
