OpenVPN and IPV6

Hi,

I run LEDE 17.01.04 on a BT Homehub 5a and I'm having a bit of trouble setting up my device as an OpenVPN server. It works fine for IPV4 but not IPV6. I have configured a 6in4 tunnel with HEnet to provide connectivity between the Homehub and the internet.

Here are parts of my ifconfig (with bits of the global IPV6 IPs replaced with letters):

6in4-henet Link encap:IPv6-in-IPv4  
          inet6 addr: 2001:470:yyyy:2a3::2/64 Scope:Global
          inet6 addr: fe80::4f4b:e527/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP  MTU:1280  Metric:1
          RX packets:3092185 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2249214 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:3145159083 (2.9 GiB)  TX bytes:839895459 (800.9 MiB)
br-lan    Link encap:Ethernet  HWaddr 90:72:82:8D:A5:3E  
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: 2001:470:xxxx:10::1/60 Scope:Global
          inet6 addr: fe80::9272:wwww:fe8d:a53e/64 Scope:Link
          inet6 addr: fd89:22a7:zzzz:10::1/60 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:25697103 errors:0 dropped:70 overruns:0 frame:0
          TX packets:49129289 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2915352321 (2.7 GiB)  TX bytes:70512475419 (65.6 GiB)
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.1  P-t-P:10.8.0.1  Mask:255.255.255.240
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:208 errors:0 dropped:0 overruns:0 frame:0
          TX packets:195 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:34747 (33.9 KiB)  TX bytes:51214 (50.0 KiB)

Here is my OpenVPN server config: (the formatting looks a bit odd but the headings are just prefixed with #)

config openvpn 'myvpn'
        option enabled '1'

# Protocol #
        option dev 'tun'
        option dev 'tun0'
        option topology 'subnet'
        option proto 'udp'
        option port '3976'

# Routes #
        option server '10.8.0.0 255.255.255.240'
        option ifconfig '10.1.0.1 255.255.255.240'

# IPV6 config #
       option server-ipv6 '2001:470:xxxx:20::/64'
       list push 'route-ipv6 2001:470:xxxx:20::/64'
       list push 'route-ipv6 2000::/3'

# Client Config #
       option ifconfig_pool_persist '/tmp/openvpn-ipp.txt'

# Pushed Routes #
        list push 'route 192.168.1.0 255.255.255.0'
        list push 'dhcp-option DNS 192.168.1.1'
        list push 'dhcp-option WINS 192.168.1.1'
        list push 'dhcp-option NTP 192.168.1.1'

# Encryption #
        option dh 'none'
        option ecdh-curve secp521r1
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/my-server.crt'
        option key '/etc/openvpn/my-server.key'
        option cipher AES-256-GCM
        option auth SHA512
        option tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
        option tls_auth '/etc/openvpn/ta.key 0'                          
        option tls_server 1                                              
        option tls_version_min 1.2                                       
                                                                         
# Logging #                                                              
        option log_append '/tmp/openvpn.log'                             
        option status '/tmp/openvpn-status.log'                          
        option verb 4                                                    
                                                                         
# Connection Options #                                                   
        option fast_io                                                   
        option keepalive '1800 3600'                                     
        option compress 'lz4'                                  
        list push 'compress lz4'                               
                                                               
# Connection Reliability #                                     
#       option client_to_client 1                              
        option persist_tun 1                                   
        option persist_key 1                                   
                                                               
# Connection Speed #                                           
        option sndbuf 393216                                   
        option rcvbuf 393216                                   
        option fragment 0                                      
        option mssfix 0                                        
        option tun_mtu 1500                                    
                                                               
# Pushed Buffers #                                             
        list push 'sndbuf 393216'                              
        list push 'rcvbuf 393216'                              
                                                               
# Permissions #                                                
        option user 'nobody'                                   
        option group 'nogroup'

And here's the server log when starting up:

Sat Nov 11 22:05:46 2017 us=657315 OpenVPN 2.4.3 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Nov 11 22:05:46 2017 us=657686 library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.09
Sat Nov 11 22:05:46 2017 us=693054 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Nov 11 22:05:46 2017 us=693592 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Nov 11 22:05:46 2017 us=698193 TLS-Auth MTU parms [ L:1622 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Sat Nov 11 22:05:46 2017 us=703559 TUN/TAP device tun0 opened
Sat Nov 11 22:05:46 2017 us=704026 TUN/TAP TX queue length set to 100
Sat Nov 11 22:05:46 2017 us=704468 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Nov 11 22:05:46 2017 us=705046 /sbin/ifconfig tun0 10.8.0.1 netmask 255.255.255.240 mtu 1500 broadcast 10.8.0.15
Sat Nov 11 22:05:46 2017 us=731887 Data Channel MTU parms [ L:1622 D:1622 EF:122 EB:406 ET:0 EL:3 ]
Sat Nov 11 22:05:46 2017 us=732591 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sat Nov 11 22:05:46 2017 us=733034 Socket Buffers: R=[163840->327680] S=[163840->327680]
Sat Nov 11 22:05:46 2017 us=733495 UDPv4 link local (bound): [AF_INET][undef]:3976
Sat Nov 11 22:05:46 2017 us=733894 UDPv4 link remote: [AF_UNSPEC]
Sat Nov 11 22:05:46 2017 us=734447 GID set to nogroup
Sat Nov 11 22:05:46 2017 us=734881 UID set to nobody
Sat Nov 11 22:05:46 2017 us=735285 MULTI: multi_init called, r=256 v=256
Sat Nov 11 22:05:46 2017 us=735874 IFCONFIG POOL: base=10.8.0.2 size=12, ipv6=0
Sat Nov 11 22:05:46 2017 us=736323 ifconfig_pool_read(), in='rohan,10.8.0.2', TODO: IPv6
Sat Nov 11 22:05:46 2017 us=736733 succeeded -> ifconfig_pool_set()
Sat Nov 11 22:05:46 2017 us=737137 IFCONFIG POOL LIST
Sat Nov 11 22:05:46 2017 us=737545 rohan,10.8.0.2
Sat Nov 11 22:05:46 2017 us=746639 Initialization Sequence Completed

And when I connect a client the log continues:

Sat Nov 11 22:07:36 2017 us=764561 MULTI: multi_create_instance called
Sat Nov 11 22:07:36 2017 us=765400 192.168.1.169:1194 Re-using SSL/TLS context
Sat Nov 11 22:07:36 2017 us=765868 192.168.1.169:1194 LZ4 compression initializing
Sat Nov 11 22:07:36 2017 us=767663 192.168.1.169:1194 Control Channel MTU parms [ L:1622 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Sat Nov 11 22:07:36 2017 us=768132 192.168.1.169:1194 Data Channel MTU parms [ L:1622 D:1622 EF:122 EB:406 ET:0 EL:3 ]
Sat Nov 11 22:07:36 2017 us=768947 192.168.1.169:1194 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1550,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-server'
Sat Nov 11 22:07:36 2017 us=769342 192.168.1.169:1194 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1550,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-client'
Sat Nov 11 22:07:36 2017 us=769993 192.168.1.169:1194 TLS: Initial packet from [AF_INET]192.168.1.169:1194, sid=c34181f2 061641e0
Sat Nov 11 22:07:37 2017 us=107139 192.168.1.169:1194 VERIFY OK: depth=1, C=ZZ, ST=ZZ, L=Server, O=My CA, OU=Home CA, CN=xxxx.yyyy.com, name=My VPN, emailAddress=z@z.z
Sat Nov 11 22:07:37 2017 us=115571 192.168.1.169:1194 VERIFY OK: depth=0, C=ZZ, ST=ZZ, L=Android, O=Android, OU=Android, CN=rohan, name=Rohan, emailAddress=z@z.z
Sat Nov 11 22:07:37 2017 us=153840 192.168.1.169:1194 peer info: IV_VER=2.5_master
Sat Nov 11 22:07:37 2017 us=154355 192.168.1.169:1194 peer info: IV_PLAT=android
Sat Nov 11 22:07:37 2017 us=154776 192.168.1.169:1194 peer info: IV_PROTO=2
Sat Nov 11 22:07:37 2017 us=155186 192.168.1.169:1194 peer info: IV_NCP=2
Sat Nov 11 22:07:37 2017 us=155600 192.168.1.169:1194 peer info: IV_LZ4=1
Sat Nov 11 22:07:37 2017 us=156120 192.168.1.169:1194 peer info: IV_LZ4v2=1

Can anyone point out what I'm doing wrong? The server-ipv6 config option is documented in the OpenVPN man page and various examples online but it seems to be having no effect whatsoever.

do_ifconfig, tt->did_ifconfig_ipv6_setup=0

I think it should be "1" not "0" when ipv6 is enabled inside the tunnel.

Yes, I think so too, but I'm not sure why ipv6 isn't being enabled. I've got what I think should be the right config option, but for some reason it doesn't seem to be working.
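
The check done by eye in the replies above, as an added example that is not part of the original thread: a POSIX shell function that pulls the IPv6 indicators out of an OpenVPN `verb 4` server log. The output field names and function names are this example's own, and the sample lines are copied from the startup log posted above.

```shell
#!/bin/sh
# Added example: report what an OpenVPN server log (verb 4) says about IPv6.
# Output field names (tunnel_ipv6, pool_ipv6, transport) are this example's own.

# Print the last capture produced by a sed expression, or "unknown".
last_match() {  # $1 = log file, $2 = sed -n expression
    v=$(sed -n "$2" "$1" | tail -n 1)
    echo "${v:-unknown}"
}

# Summarise the IPv6-related indicators found in the log. "transport" is the
# outer UDP socket family, which is separate from IPv6 inside the tunnel.
ipv6_status() {  # $1 = path to the log
    tun=$(last_match "$1" 's/.*did_ifconfig_ipv6_setup=\([01]\).*/\1/p')
    pool=$(last_match "$1" 's/.*IFCONFIG POOL: .*ipv6=\([01]\).*/\1/p')
    link=$(last_match "$1" 's/.*link local[^:]*: \[\(AF_INET6\{0,1\}\)\].*/\1/p')
    echo "tunnel_ipv6=$tun pool_ipv6=$pool transport=$link"
}

# Exit status 0 only when both the tun device and the address pool have IPv6.
tunnel_has_ipv6() {  # $1 = path to the log
    case "$(ipv6_status "$1")" in
        "tunnel_ipv6=1 pool_ipv6=1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Sample input: lines copied from the startup log posted above.
sample_log() {
    cat <<'EOF'
Sat Nov 11 22:05:46 2017 us=704468 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Nov 11 22:05:46 2017 us=732591 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sat Nov 11 22:05:46 2017 us=733495 UDPv4 link local (bound): [AF_INET][undef]:3976
Sat Nov 11 22:05:46 2017 us=735874 IFCONFIG POOL: base=10.8.0.2 size=12, ipv6=0
Sat Nov 11 22:05:46 2017 us=737137 IFCONFIG POOL LIST
EOF
}

# Demo: pass a real log path (e.g. /tmp/openvpn.log) or fall back to the sample.
log=${1:-}
if [ -z "$log" ]; then
    log=$(mktemp)
    sample_log > "$log"
fi
ipv6_status "$log"
tunnel_has_ipv6 "$log" || echo "server did not set up IPv6 inside the tunnel"
```

Run after each configuration change and server restart, the summary shows whether the change reached the running server without rereading the whole log.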