OpenVPN doesn't work over IPv6

Raldun · June 22, 2020, 11:37am

Hi again,

I run an OpenVPN server on OpenWrt which is behind another router, using these instructions. I did port forwarding to the VPN-Server on both IPv4 and IPv6, the OpenWrt router has it's own IPv6 address as well to connect to. However, the VPN client only connects over IPv4. There is no issue in using IPv6 from where I'm trying to connect the client from.

Did I miss anything on the OpenVPN server to connect via IPv6?

aboaboit · June 22, 2020, 2:01pm

Does the other router have IPV6?
Does your router with OpenVPN have it, too?
Did you tell openvpn about IPV6?

Raldun · June 22, 2020, 2:07pm

Both the OpenWrt router and the router, facing the internet have IPv6. The router facing the internet also was able to find OpenWrt in both IPv4 and IPv6 for port-forwarding.
I only copied the instructions 1:1, but I have both the "wan" and "wan6"-interface in the "wan"-zone.

aboaboit · June 22, 2020, 2:31pm

I had to add a "option server_ipv6" to the config and also push the routes.

Anyway, at the end of that page there is a list of diagnostic commands to run, please post the output here (remember to block-quote it)

Raldun · June 22, 2020, 2:47pm

Idk where I could have placed "option server_ipv6" but this is the output:

root@OpenWrt:~# /etc/init.d/log restart; /etc/init.d/openvpn restart; sleep 10
root@OpenWrt:~# logread -e openvpn; netstat -l -n -p | grep -e openvpn
Mon Jun 22 14:39:29 2020 daemon.err openvpn(server)[2757]: event_wait : Interrupted system call (code=4)
Mon Jun 22 14:39:29 2020 daemon.notice openvpn(server)[2757]: /sbin/ifconfig tun0 0.0.0.0
Mon Jun 22 14:39:29 2020 daemon.warn openvpn(server)[2757]: Linux ip addr del failed: external program exited with error status: 1
Mon Jun 22 14:39:29 2020 daemon.notice openvpn(server)[2757]: SIGTERM[hard,] received, process exiting
Mon Jun 22 14:39:29 2020 daemon.notice openvpn(server)[30345]: OpenVPN 2.4.7 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Mon Jun 22 14:39:29 2020 daemon.notice openvpn(server)[30345]: library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.10
Mon Jun 22 14:39:29 2020 daemon.warn openvpn(server)[30345]: NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Mon Jun 22 14:39:29 2020 daemon.notice openvpn(server)[30345]: TUN/TAP device tun0 opened
Mon Jun 22 14:39:29 2020 daemon.notice openvpn(server)[30345]: /sbin/ifconfig tun0 192.168.8.1 netmask 255.255.255.0 mtu 1500 broadcast 192.168.8.255
Mon Jun 22 14:39:29 2020 daemon.warn openvpn(server)[30345]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Mon Jun 22 14:39:29 2020 daemon.notice openvpn(server)[30345]: UDPv4 link local (bound): [AF_INET][undef]:1194
Mon Jun 22 14:39:29 2020 daemon.notice openvpn(server)[30345]: UDPv4 link remote: [AF_UNSPEC]
Mon Jun 22 14:39:29 2020 daemon.notice openvpn(server)[30345]: GID set to nogroup
Mon Jun 22 14:39:29 2020 daemon.notice openvpn(server)[30345]: UID set to nobody
Mon Jun 22 14:39:29 2020 daemon.notice openvpn(server)[30345]: Initialization Sequence Completed
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           30345/openvpn
root@OpenWrt:~# pgrep -f -a openvpn
30345 /usr/sbin/openvpn --syslog openvpn(server) --status /var/run/openvpn.server.status --cd /etc/openvpn --config /etc/openvpn/server.conf
root@OpenWrt:~# ip address show; ip route show; ip rule show; iptables-save
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    link/ether cc:32:e5:7c:2c:e9 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::ce32:e5ff:fe7c:2ce9/64 scope link 
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether cc:32:e5:7c:2c:e9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.1/24 brd 192.168.10.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd11:b7a:8788::1/60 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::ce32:e5ff:fe7c:2ce9/64 scope link 
       valid_lft forever preferred_lft forever
7: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether cc:32:e5:7c:2c:e9 brd ff:ff:ff:ff:ff:ff
8: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether cc:32:e5:7c:2c:e9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.211/24 brd 192.168.1.255 scope global wlan1
       valid_lft forever preferred_lft forever
    inet6 2a01:c22:8870:f500:ce32:e5ff:fe7c:2ce9/64 scope global dynamic 
       valid_lft 210288sec preferred_lft 123888sec
    inet6 2a01:c22:8875:500:ce32:e5ff:fe7c:2ce9/64 scope global deprecated dynamic 
       valid_lft 6922sec preferred_lft 0sec
    inet6 fe80::ce32:e5ff:fe7c:2ce9/64 scope link 
       valid_lft forever preferred_lft forever
9: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether cc:32:e5:7c:2c:e8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::ce32:e5ff:fe7c:2ce8/64 scope link 
       valid_lft forever preferred_lft forever
12: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    link/[65534] 
    inet 192.168.8.1/24 brd 192.168.8.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::180d:8f1:1529:81bb/64 scope link 
       valid_lft forever preferred_lft forever
default via 192.168.1.1 dev wlan1  src 192.168.1.211 
192.168.1.0/24 dev wlan1 scope link  src 192.168.1.211 
192.168.8.0/24 dev tun0 scope link  src 192.168.8.1 
192.168.10.0/24 dev br-lan scope link  src 192.168.10.1 
0:      from all lookup local 
32766:  from all lookup main 
32767:  from all lookup default 
# Generated by iptables-save v1.8.3 on Mon Jun 22 14:40:15 2020
*nat
:PREROUTING ACCEPT [8569:774508]
:INPUT ACCEPT [4846:307222]
:OUTPUT ACCEPT [3764:252074]
:POSTROUTING ACCEPT [885:60921]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i wlan1 -m comment --comment "!fw3" -j zone_wan_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o wlan1 -m comment --comment "!fw3" -j zone_wan_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Mon Jun 22 14:40:15 2020
# Generated by iptables-save v1.8.3 on Mon Jun 22 14:40:15 2020
*mangle
:PREROUTING ACCEPT [878607:772264611]
:INPUT ACCEPT [24983:2157749]
:FORWARD ACCEPT [852266:769908182]
:OUTPUT ACCEPT [24897:4134439]
:POSTROUTING ACCEPT [877019:774035145]
-A FORWARD -o wlan1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Mon Jun 22 14:40:15 2020
# Generated by iptables-save v1.8.3 on Mon Jun 22 14:40:15 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i wlan1 -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i wlan1 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o wlan1 -m comment --comment "!fw3" -j zone_wan_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o wlan1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o wlan1 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o wlan1 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: Allow-OpenVPN" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i wlan1 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Mon Jun 22 14:40:15 2020
root@OpenWrt:~# ip -6 address show; ip -6 route show; ip -6 rule show; ip6tables-save
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::ce32:e5ff:fe7c:2ce9/64 scope link 
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd11:b7a:8788::1/60 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::ce32:e5ff:fe7c:2ce9/64 scope link 
       valid_lft forever preferred_lft forever
8: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a01:c22:8870:f500:ce32:e5ff:fe7c:2ce9/64 scope global dynamic 
       valid_lft 210286sec preferred_lft 123886sec
    inet6 2a01:c22:8875:500:ce32:e5ff:fe7c:2ce9/64 scope global deprecated dynamic 
       valid_lft 6920sec preferred_lft 0sec
    inet6 fe80::ce32:e5ff:fe7c:2ce9/64 scope link 
       valid_lft forever preferred_lft forever
9: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::ce32:e5ff:fe7c:2ce8/64 scope link 
       valid_lft forever preferred_lft forever
12: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 100
    inet6 fe80::180d:8f1:1529:81bb/64 scope link 
       valid_lft forever preferred_lft forever
default from 2a01:c22:8870:f500::/64 via fe80::1eb0:44ff:fe19:a834 dev wlan1  metric 512 
default from 2a01:c22:8875:500::/64 via fe80::1eb0:44ff:fe19:a834 dev wlan1  metric 512 
2a01:c22:8870:f500::/56 from 2a01:c22:8870:f500::/64 via fe80::1eb0:44ff:fe19:a834 dev wlan1  metric 512 
2a01:c22:8870:f500::/56 from 2a01:c22:8875:500::/64 via fe80::1eb0:44ff:fe19:a834 dev wlan1  metric 512 
2a01:c22:8870:f500::/64 dev wlan1  metric 256 
2a01:c22:8875:500::/64 dev wlan1  metric 256 
fd11:b7a:8788::/64 dev br-lan  metric 1024 
unreachable fd11:b7a:8788::/48 dev lo  metric 2147483647  error -148
fe80::/64 dev eth0  metric 256 
fe80::/64 dev br-lan  metric 256 
fe80::/64 dev wlan0  metric 256 
fe80::/64 dev wlan1  metric 256 
fe80::/64 dev tun0  metric 256 
anycast 2a01:c22:8870:f500:: dev wlan1  metric 0 
anycast 2a01:c22:8875:500:: dev wlan1  metric 0 
anycast fd11:b7a:8788:: dev br-lan  metric 0 
anycast fe80:: dev eth0  metric 0 
anycast fe80:: dev br-lan  metric 0 
anycast fe80:: dev wlan1  metric 0 
anycast fe80:: dev wlan0  metric 0 
anycast fe80:: dev tun0  metric 0 
ff00::/8 dev br-lan  metric 256 
ff00::/8 dev eth0  metric 256 
ff00::/8 dev wlan0  metric 256 
ff00::/8 dev wlan1  metric 256 
ff00::/8 dev tun0  metric 256 
0:      from all lookup local 
32766:  from all lookup main 
4200000001:     from all iif lo lookup unspec 12
4200000006:     from all iif br-lan lookup unspec 12
4200000008:     from all iif wlan1 lookup unspec 12
4200000008:     from all iif wlan1 lookup unspec 12
# Generated by ip6tables-save v1.8.3 on Mon Jun 22 14:40:17 2020
*mangle
:PREROUTING ACCEPT [7638:727920]
:INPUT ACCEPT [4957:428706]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5159:447403]
:POSTROUTING ACCEPT [5159:447403]
-A FORWARD -o wlan1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Mon Jun 22 14:40:17 2020
# Generated by ip6tables-save v1.8.3 on Mon Jun 22 14:40:17 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i wlan1 -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i wlan1 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o wlan1 -m comment --comment "!fw3" -j zone_wan_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o wlan1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o wlan1 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o wlan1 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: Allow-OpenVPN" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i wlan1 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Mon Jun 22 14:40:17 2020
root@OpenWrt:~# uci show network; uci show firewall; uci show openvpn
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd11:0b7a:8788::/48'
network.lan=interface
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.10.1'
network.lan.type='bridge'
network.wan=interface
network.wan.proto='dhcp'
network.wan_eth0_2_dev=device
network.wan_eth0_2_dev.name='eth0.2'
network.wan_eth0_2_dev.macaddr='cc:32:e5:7c:2c:ea'
network.wan6=interface
network.wan6.proto='dhcpv6'
network.wan6.reqaddress='try'
network.wan6.reqprefix='auto'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='2 3 4 5 0t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='1 0t'
network.wwan=interface
network.wwan.proto='dhcp'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.input='ACCEPT'
firewall.lan.output='ACCEPT'
firewall.lan.forward='ACCEPT'
firewall.lan.network='lan'
firewall.lan.device='tun0'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.input='REJECT'
firewall.wan.output='ACCEPT'
firewall.wan.forward='REJECT'
firewall.wan.masq='1'
firewall.wan.mtu_fix='1'
firewall.wan.network='wan wan6 wwan'
firewall.lan_wan=forwarding
firewall.lan_wan.src='lan'
firewall.lan_wan.dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.ovpn=rule
firewall.ovpn.name='Allow-OpenVPN'
firewall.ovpn.src='wan'
firewall.ovpn.dest_port='1194'
firewall.ovpn.proto='udp'
firewall.ovpn.target='ACCEPT'
openvpn.custom_config=openvpn
openvpn.custom_config.enabled='0'
openvpn.custom_config.config='/etc/openvpn/my-vpn.conf'
openvpn.sample_server=openvpn
openvpn.sample_server.enabled='0'
openvpn.sample_server.port='1194'
openvpn.sample_server.proto='udp'
openvpn.sample_server.dev='tun'
openvpn.sample_server.ca='/etc/openvpn/ca.crt'
openvpn.sample_server.cert='/etc/openvpn/server.crt'
openvpn.sample_server.key='/etc/openvpn/server.key'
openvpn.sample_server.dh='/etc/openvpn/dh1024.pem'
openvpn.sample_server.server='10.8.0.0 255.255.255.0'
openvpn.sample_server.ifconfig_pool_persist='/tmp/ipp.txt'
openvpn.sample_server.keepalive='10 120'
openvpn.sample_server.compress='lzo'
openvpn.sample_server.persist_key='1'
openvpn.sample_server.persist_tun='1'
openvpn.sample_server.user='nobody'
openvpn.sample_server.status='/tmp/openvpn-status.log'
openvpn.sample_server.verb='3'
openvpn.sample_client=openvpn
openvpn.sample_client.enabled='0'
openvpn.sample_client.client='1'
openvpn.sample_client.dev='tun'
openvpn.sample_client.proto='udp'
openvpn.sample_client.remote='my_server_1 1194'
openvpn.sample_client.resolv_retry='infinite'
openvpn.sample_client.nobind='1'
openvpn.sample_client.persist_key='1'
openvpn.sample_client.persist_tun='1'
openvpn.sample_client.user='nobody'
openvpn.sample_client.ca='/etc/openvpn/ca.crt'
openvpn.sample_client.cert='/etc/openvpn/client.crt'
openvpn.sample_client.key='/etc/openvpn/client.key'
openvpn.sample_client.compress='lzo'
openvpn.sample_client.verb='3'
root@OpenWrt:~# head -n -0 /etc/openvpn/*.conf
user nobody
group nogroup
dev tun0
port 1194
proto udp
server 192.168.8.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
push "dhcp-option DNS 192.168.8.1"
push "dhcp-option DOMAIN lan"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>
redacted
</dh>
<tls-crypt>
redacted
</tls-crypt>
<key>
redacted
</key>
<cert>
redacted
</cert>
<ca>
-redacted
</ca>

aboaboit · June 22, 2020, 7:15pm

If you're using the GUI, manual editing of /etc/config/openvpn, since the GUI does not support all possible keywords. Otherwise, just place it in the config you're feeding to openvpn.

Just like mine, however I have not tried to connect over IPV6 because I don't yet have another tunnel set up to test vpn over IPV6. Plus I am not even sure netstat knows about IPV6 on OpenWRT: I'm sure my router is listening at least on port 80 also on IPV6 but it is not shown. Yup, I have tried connecting with the literal IP in '[...]' notation and it works.

A specific "proto udp6" keyword is needed. Try replacing it in the line above and see if it changes.
EDIT: I'm curious to know if "udp6" implies "udp4" or not, in which case you'd probably need two configs.

Raldun · June 22, 2020, 7:34pm

I haven't touched the file /etc/config/openvpn. There are only sample configs with some stuff uncommented. Does it make sense to place "option server_ipv6" in /etc/openvpn/server.conf?

And does it make sense to have both "proto udp" and "proto udp6" in the client and server config? Because I want to access the VPN from both

aboaboit · June 22, 2020, 7:46pm

If that's the one you're using, yes.

I don't know, that's why I suggested trying first with only "udp6".

mpratt14 · June 22, 2020, 7:50pm

proto udp is actually an automatic selection. It will attempt IPv4 and if that fails, attempt IPv6 or vice-versa. IPv4 is forced with proto udp4

proto udp and proto udp6 are directly conflicting options. a single openvpn instance can only connect to the remote using one address/protocol combination at a time. The last one you put in the config will overwrite the first one.

If you want the VPN to connect over both IPv4 and IPv6 you will need two separate instances of Openvpn running, and (I think) each device would also therefore have two VPN addresses, and you have to split up the VPN subnet somehow so that assigned VPN addresses don't conflict as well.

Another alternative is to have the VPN run on only IPv4 or only IPv6, but have a VPN subnet for both addresses.

https://community.openvpn.net/openvpn/wiki/IPv6

see option tun-ipv6

Raldun · June 22, 2020, 8:04pm

I'm not completely sure how to set up that one VPN Server for ipv6 but should I just copy the code-highlights of this section into the server config?

mpratt14 · June 22, 2020, 8:08pm

Actually you don't need tun-ipv6

server-ipv6 2001:db8:0:123::/64 might be enough
You can change the subnet if you want too
like server-ipv6 2001:1234:0:0::/64

Raldun · June 22, 2020, 8:13pm

Does anything need to be changed at the firewall as well? I can't test the VPN right now

mpratt14 · June 22, 2020, 8:18pm

Remember this way, there is still only 1 tunnel, on either IPv4 OR IPv6, but it will be able to route traffic on BOTH. Assuming the TUN device is tun0, as long as tun0 is set to LAN then you are good to go.

In my firewall its like this:

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list device 'tun0'
        option network 'lan'

Also, I don't know your usage, but like @aboaboit said, you would have to push a route if you are redirecting traffic.

If you are trying to push all traffic through the tunnel for IPv6 that would be
push "route-ipv6 2000::/3"
on the server
or
route-ipv6 2000::/3
on a client

(from the wiki)

Raldun · June 22, 2020, 8:44pm

I think I'm getting less and less familiar with ipv6 as it seems.

I've set up the router as described here and here, using almost only the openwrt wiki and the vpn server must most likely be on the lan interface.

I only expect the lan network and the internet to be accessible from the vpn server.

Does push "route-ipv6 2000::/3" mean an IP-range that includes 2001:db8:0:123::/64 for example?

mpratt14 · June 22, 2020, 8:58pm

When you put push "route-ipv6 2000::/3" on a server that means:

Clients will recieve the option route-ipv6 2000::/3 upon connecting
Any (general) outgoing traffic from clients on IPv6 will go through tun0 instead of eth0 or wlan

Yes 2000::/3 includes 2001:db8:0:123::/64
It includes all /64 subnets up to 3fff:ffff: ... : ... ...
https://www.mediawiki.org/wiki/Help:Range_blocks/IPv6#Range_table

However the route to the server will be added automatically as a part of the option server-ipv6