OpenVPN IPv6 - Desperate request

Dear Friends and LEDE Enthusiasts,

I know this doesn't belong here in LEDE. But to my surprise I found here a very potent community with a lot of helpful people that share their great wisdom which always proved very helpful to me in finding a solution to my problems.

Although for years I've been using openVPN on IPv4 networks and thus know my way around, I find it impossible in IPv6 to get a connection. The port forward is open and the client is trying to connect to the openVPN server obviously, so the openVPN server tells me.

But there's a TLS handshake issue.

Since I have no idea how to use IPv6 properly, I hope someone here knows how to help me. Google isn't helpful either, and I've been looking over the internet for 6 hours straight for what the problem is. Would post non-LEDE question here if I weren't so desperate. (fact is, soon IPv6 is my only way to connect to the world!!!)

VPN Server:
    config openvpn 'Server_IPV6'
        option enabled '1'
        option _description 'Server configuration for IPv6 Networking'
        option _role 'server'
        option tls_server '1'
        option port '1198'
        option proto 'udp6'
        option dev 'tap1'
        option tun_mtu '1500'
        option tun_mtu_extra '32'
        option ca '/etc/openvpn/server/ca.crt'
        option cert '/etc/openvpn/server/s-server-ipv6.crt'
        option key '/etc/openvpn/server/s-server-ipv6.key'
        option dh '/etc/openvpn/server/dh2048.pem'
        option tls_crypt '/etc/openvpn/server/ta.key'
        option remote_cert_tls 'client'
        option tls_version_min '1.2'
        option tls_cipher 'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384'
        option cipher 'AES-256-GCM'
        option auth 'SHA384'
        option keepalive '10 60'
        option comp_lzo 'no'
        option persist_key '1'
        option persist_tun '1'
        option status '/etc/openvpn/server/status 5'
        option log '/etc/openvpn/server/log'
        option verb '5'

Client:

    config openvpn 'IPv6'
        option enabled '1'
        option tls_client '1'
        option remote 'domain.com'
        option port '1198'
        option proto 'udp6'
        option dev 'tap0'
        option tun_mtu '1500'
        option tun_mtu_extra '32'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/client-ipv6.crt'
        option key '/etc/openvpn/client-ipv6.key'
        option tls_crypt '/etc/openvpn/ta.key'
        option remote_cert_tls 'server'
        option verify_x509_name 'S-SERVER name'
        option tls_version_min '1.2'
        option tls_cipher 'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384'
        option cipher 'AES-256-GCM'
        option auth 'SHA384'
        option comp_lzo 'no'
        option persist_key '1'
        option persist_tun '1'
        option resolv_retry 'infinite'
        option status '/etc/openvpn/status 5'
        option log '/etc/openvpn/log'
        option verb '5'

Client log:
Fri Apr 7 18:32:08 2017 us=715019 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Fri Apr 7 18:32:08 2017 us=715040 OpenVPN 2.4.0 x86_64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Fri Apr 7 18:32:08 2017 us=715050 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.10
Fri Apr 7 18:32:08 2017 us=715462 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Apr 7 18:32:08 2017 us=715481 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Apr 7 18:32:08 2017 us=715488 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Apr 7 18:32:08 2017 us=715496 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Apr 7 18:32:08 2017 us=715538 Control Channel MTU parms [ L:1582 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Fri Apr 7 18:32:08 2017 us=717580 TUN/TAP device tap0 opened
Fri Apr 7 18:32:08 2017 us=719813 TUN/TAP TX queue length set to 100
Fri Apr 7 18:32:08 2017 us=719878 Data Channel MTU parms [ L:1582 D:1450 EF:50 EB:399 ET:32 EL:3 ]
Fri Apr 7 18:32:08 2017 us=719912 Local Options String (VER=V4): 'V4,dev-type tap,link-mtu 1582,tun-mtu 1532,proto UDPv4,comp-lzo,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client'
Fri Apr 7 18:32:08 2017 us=719919 Expected Remote Options String (VER=V4): 'V4,dev-type tap,link-mtu 1582,tun-mtu 1532,proto UDPv4,comp-lzo,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-server'
Fri Apr 7 18:32:08 2017 us=719939 TCP/UDP: Preserving recently used remote address: [AF_INET6]2003:xx:xxxx:xxxx:xxx:xxxx:xxxx:xxxx:1198
Fri Apr 7 18:32:08 2017 us=719949 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri Apr 7 18:32:08 2017 us=719964 setsockopt(IPV6_V6ONLY=0)
Fri Apr 7 18:32:08 2017 us=719988 UDPv6 link local (bound): [AF_INET6][undef]:1198
Fri Apr 7 18:32:08 2017 us=719997 UDPv6 link remote: [AF_INET6]2003:xx:xxxx:xxxx:xxx:xxxx:xxxx:xxxx:1198
WrrrrrrrrrrrrrrrrrrrrrrrrrWrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrWrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrWrrrrrrrrrrrrrrrrrrrrWrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrFri
Fri Apr 7 18:33:08 2017 us=157033 TLS Error: TLS handshake failed
Fri Apr 7 18:33:08 2017 us=157082 TCP/UDP: Closing socket
Fri Apr 7 18:33:08 2017 us=157101 SIGUSR1[soft,tls-error] received, process restarting
Fri Apr 7 18:33:08 2017 us=157113 Restart pause, 5 second(s)
Fri Apr 7 18:33:13 2017 us=162402 Re-using SSL/TLS context

Server log:
Fri Apr 7 18:50:54 2017 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Fri Apr 7 18:50:54 2017 OpenVPN 2.4.0 x86_64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Fri Apr 7 18:50:54 2017 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.10
Fri Apr 7 18:50:54 2017 Diffie-Hellman initialized with 2048 bit key
Fri Apr 7 18:50:54 2017 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Apr 7 18:50:54 2017 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Apr 7 18:50:54 2017 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Apr 7 18:50:54 2017 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Apr 7 18:50:54 2017 TUN/TAP device tap1 opened
Fri Apr 7 18:50:54 2017 TUN/TAP TX queue length set to 100
Fri Apr 7 18:50:54 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri Apr 7 18:50:54 2017 setsockopt(IPV6_V6ONLY=0)
Fri Apr 7 18:50:54 2017 UDPv6 link local (bound): [AF_INET6][undef]:1198
Fri Apr 7 18:50:54 2017 UDPv6 link remote: [AF_UNSPEC]
Fri Apr 7 18:51:54 2017 [UNDEF] Inactivity timeout (--ping-restart), restarting
Fri Apr 7 18:51:54 2017 SIGUSR1[soft,ping-restart] received, process restarting
Fri Apr 7 18:51:54 2017 Restart pause, 5 second(s)
Fri Apr 7 18:51:59 2017 Preserving previous TUN/TAP instance: tap1
Fri Apr 7 18:51:59 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri Apr 7 18:51:59 2017 setsockopt(IPV6_V6ONLY=0)
Fri Apr 7 18:51:59 2017 UDPv6 link local (bound): [AF_INET6][undef]:1198
Fri Apr 7 18:51:59 2017 UDPv6 link remote: [AF_UNSPEC]
Fri Apr 7 18:52:38 2017 TLS: Initial packet from [AF_INET6]2003:xx:xxxx:xxxx:xxxx:xxx:xxxx:xxx:1198, sid=4788178c 27594943
Fri Apr 7 18:53:38 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Apr 7 18:53:38 2017 TLS Error: TLS handshake failed
Fri Apr 7 18:53:38 2017 SIGUSR1[soft,tls-error] received, process restarting
Fri Apr 7 18:53:38 2017 Restart pause, 5 second(s)

You can bypass /etc/config/openvpn and put the openvpn config and certificate files under /etc/openvpn.

Found the solution myself.

Since I'm using 2 openVPN instances (client and server),
openVPN mixes up which interface to bind to on the 2nd oVPN instance.

For this you have to use the "local" option and define the IP.

The "Interface" as written in the manpages of openVPN is not correct. They haven't implemented this.

Also, you can use a name address instead of an IP. That also works, as openVPN will try to resolve the IP from the public DNS.

Hope this info helps people if they look for oVPN 2 instances.
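
The fix described above pins each instance to an address with the "local" option. As an added example (not part of the original thread), this Python check reads a copy of /etc/config/openvpn and lists enabled instances that would bind the same transport and port without a "local" address; the sample config, instance names and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in /etc/config/openvpn syntax; names and addresses are made up.
SAMPLE = """
config openvpn 'Server_IPV6'
    option enabled '1'
    option port '1198'
    option proto 'udp6'

config openvpn 'Client_IPV6'
    option enabled '1'
    option remote 'vpn.example.net'
    option port '1198'
    option proto 'udp6'

config openvpn 'Client_pinned'
    option enabled '1'
    option port '1198'
    option proto 'udp6'
    option local '2001:db8::10'
"""

LINE = re.compile(r"""^\s*(config|option)\s+(\S+)\s*(?:'([^']*)'|"([^"]*)"|(\S+))?\s*$""")

def parse_uci(text):
    """Return {section_name: {option: value}} for 'config openvpn' sections."""
    sections, current = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank lines, comments, list entries
        kind, key = m.group(1), m.group(2)
        value = next((g for g in m.groups()[2:] if g is not None), "")
        if kind == "config":
            current = sections.setdefault(value, {}) if key == "openvpn" else None
        elif current is not None:
            current[key] = value
    return sections

def shared_wildcard_binds(text):
    """Map (transport, port) -> enabled instances that bind it with no 'local'."""
    groups = defaultdict(list)
    for name, opts in parse_uci(text).items():
        # Skip disabled instances, 'nobind' clients, and instances already pinned.
        if opts.get("enabled") != "1" or opts.get("nobind") == "1" or "local" in opts:
            continue
        transport = opts.get("proto", "udp")[:3]  # udp6 -> udp, tcp-server -> tcp
        port = opts.get("lport") or opts.get("port") or "1194"  # OpenVPN default port
        groups[(transport, port)].append(name)
    return {k: v for k, v in groups.items() if len(v) > 1}
```

Any instance the function reports is a candidate for an explicit "local" entry, or "nobind" for a client that does not need a fixed source port.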