Dear Friends and LEDE Enthusiasts,
I know this doesn't belong here in LEDE, but to my surprise I found here a very potent community with a lot of helpful people who share their great wisdom, which has always proved very helpful to me in finding a solution to my problems.
Although I've been using OpenVPN on IPv4 networks for years and thus know my way around, I find it impossible to get a connection over IPv6. The port forward is open and the client is obviously trying to connect to the OpenVPN server, or so the OpenVPN server tells me.
But there's a TLS handshake issue.
Since I have no idea how to use IPv6 properly, I hope someone here knows how to help me. Google isn't helpful either, and I've been looking all over the internet for 6 hours straight for what the problem is. I wouldn't post a non-LEDE question here if I weren't so desperate. (Fact is, soon IPv6 will be my only way to connect to the world!!!)
VPN Server:
config openvpn 'Server_IPV6'
	option enabled '1'
	option _description 'Server configuration for IPv6 Networking'
	option _role 'server'
	option tls_server '1'
	option port '1198'
	option proto 'udp6'
	option dev 'tap1'
	option tun_mtu '1500'
	option tun_mtu_extra '32'
	option ca '/etc/openvpn/server/ca.crt'
	option cert '/etc/openvpn/server/s-server-ipv6.crt'
	option key '/etc/openvpn/server/s-server-ipv6.key'
	option dh '/etc/openvpn/server/dh2048.pem'
	option tls_crypt '/etc/openvpn/server/ta.key'
	option remote_cert_tls 'client'
	option tls_version_min '1.2'
	option tls_cipher 'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384'
	option cipher 'AES-256-GCM'
	option auth 'SHA384'
	option keepalive '10 60'
	option comp_lzo 'no'
	option persist_key '1'
	option persist_tun '1'
	option status '/etc/openvpn/server/status 5'
	option log '/etc/openvpn/server/log'
	option verb '5'
Client:
config openvpn 'IPv6'
	option enabled '1'
	option tls_client '1'
	option remote 'domain.com'
	option port '1198'
	option proto 'udp6'
	option dev 'tap0'
	option tun_mtu '1500'
	option tun_mtu_extra '32'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/client-ipv6.crt'
	option key '/etc/openvpn/client-ipv6.key'
	option tls_crypt '/etc/openvpn/ta.key'
	option remote_cert_tls 'server'
	option verify_x509_name 'S-SERVER name'
	option tls_version_min '1.2'
	option tls_cipher 'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384'
	option cipher 'AES-256-GCM'
	option auth 'SHA384'
	option comp_lzo 'no'
	option persist_key '1'
	option persist_tun '1'
	option resolv_retry 'infinite'
	option status '/etc/openvpn/status 5'
	option log '/etc/openvpn/log'
	option verb '5'
Client log:
Fri Apr 7 18:32:08 2017 us=715019 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Fri Apr 7 18:32:08 2017 us=715040 OpenVPN 2.4.0 x86_64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Fri Apr 7 18:32:08 2017 us=715050 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.10
Fri Apr 7 18:32:08 2017 us=715462 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Apr 7 18:32:08 2017 us=715481 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Apr 7 18:32:08 2017 us=715488 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Apr 7 18:32:08 2017 us=715496 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Apr 7 18:32:08 2017 us=715538 Control Channel MTU parms [ L:1582 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Fri Apr 7 18:32:08 2017 us=717580 TUN/TAP device tap0 opened
Fri Apr 7 18:32:08 2017 us=719813 TUN/TAP TX queue length set to 100
Fri Apr 7 18:32:08 2017 us=719878 Data Channel MTU parms [ L:1582 D:1450 EF:50 EB:399 ET:32 EL:3 ]
Fri Apr 7 18:32:08 2017 us=719912 Local Options String (VER=V4): 'V4,dev-type tap,link-mtu 1582,tun-mtu 1532,proto UDPv4,comp-lzo,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client'
Fri Apr 7 18:32:08 2017 us=719919 Expected Remote Options String (VER=V4): 'V4,dev-type tap,link-mtu 1582,tun-mtu 1532,proto UDPv4,comp-lzo,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-server'
Fri Apr 7 18:32:08 2017 us=719939 TCP/UDP: Preserving recently used remote address: [AF_INET6]2003:xx:xxxx:xxxx:xxx:xxxx:xxxx:xxxx:1198
Fri Apr 7 18:32:08 2017 us=719949 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri Apr 7 18:32:08 2017 us=719964 setsockopt(IPV6_V6ONLY=0)
Fri Apr 7 18:32:08 2017 us=719988 UDPv6 link local (bound): [AF_INET6][undef]:1198
Fri Apr 7 18:32:08 2017 us=719997 UDPv6 link remote: [AF_INET6]2003:xx:xxxx:xxxx:xxx:xxxx:xxxx:xxxx:1198
WrrrrrrrrrrrrrrrrrrrrrrrrrWrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrWrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrWrrrrrrrrrrrrrrrrrrrrWrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Fri Apr 7 18:33:08 2017 us=157033 TLS Error: TLS handshake failed
Fri Apr 7 18:33:08 2017 us=157082 TCP/UDP: Closing socket
Fri Apr 7 18:33:08 2017 us=157101 SIGUSR1[soft,tls-error] received, process restarting
Fri Apr 7 18:33:08 2017 us=157113 Restart pause, 5 second(s)
Fri Apr 7 18:33:13 2017 us=162402 Re-using SSL/TLS context
Server log:
Fri Apr 7 18:50:54 2017 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Fri Apr 7 18:50:54 2017 OpenVPN 2.4.0 x86_64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Fri Apr 7 18:50:54 2017 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.10
Fri Apr 7 18:50:54 2017 Diffie-Hellman initialized with 2048 bit key
Fri Apr 7 18:50:54 2017 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Apr 7 18:50:54 2017 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Apr 7 18:50:54 2017 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Apr 7 18:50:54 2017 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Apr 7 18:50:54 2017 TUN/TAP device tap1 opened
Fri Apr 7 18:50:54 2017 TUN/TAP TX queue length set to 100
Fri Apr 7 18:50:54 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri Apr 7 18:50:54 2017 setsockopt(IPV6_V6ONLY=0)
Fri Apr 7 18:50:54 2017 UDPv6 link local (bound): [AF_INET6][undef]:1198
Fri Apr 7 18:50:54 2017 UDPv6 link remote: [AF_UNSPEC]
Fri Apr 7 18:51:54 2017 [UNDEF] Inactivity timeout (--ping-restart), restarting
Fri Apr 7 18:51:54 2017 SIGUSR1[soft,ping-restart] received, process restarting
Fri Apr 7 18:51:54 2017 Restart pause, 5 second(s)
Fri Apr 7 18:51:59 2017 Preserving previous TUN/TAP instance: tap1
Fri Apr 7 18:51:59 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri Apr 7 18:51:59 2017 setsockopt(IPV6_V6ONLY=0)
Fri Apr 7 18:51:59 2017 UDPv6 link local (bound): [AF_INET6][undef]:1198
Fri Apr 7 18:51:59 2017 UDPv6 link remote: [AF_UNSPEC]
Fri Apr 7 18:52:38 2017 TLS: Initial packet from [AF_INET6]2003:xx:xxxx:xxxx:xxxx:xxx:xxxx:xxx:1198, sid=4788178c 27594943
Fri Apr 7 18:53:38 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Apr 7 18:53:38 2017 TLS Error: TLS handshake failed
Fri Apr 7 18:53:38 2017 SIGUSR1[soft,tls-error] received, process restarting
Fri Apr 7 18:53:38 2017 Restart pause, 5 second(s)
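Added example, not part of the original post: a small Python triage script that reads OpenVPN client and server logs like the ones above and answers the two questions worth settling first when a handshake times out: do the two sides agree on their option strings (OCC), and which direction of the UDP path is dead. The embedded log excerpts are a constructed subset of the post's own logs, with the IPv6 addresses masked as the poster masked them; both logs must cover the same connection attempt for the direction check to mean anything. The `tls-crypt unwrap error` message text is assumed to be what OpenVPN 2.4 logs when a tls-crypt wrapped packet fails authentication.

```python
import re

# Constructed subset of the client and server logs from the post above; the IPv6
# addresses are masked exactly as the poster masked them.
CLIENT_LOG = """\
Fri Apr 7 18:32:08 2017 us=719912 Local Options String (VER=V4): 'V4,dev-type tap,link-mtu 1582,tun-mtu 1532,proto UDPv4,comp-lzo,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client'
Fri Apr 7 18:32:08 2017 us=719919 Expected Remote Options String (VER=V4): 'V4,dev-type tap,link-mtu 1582,tun-mtu 1532,proto UDPv4,comp-lzo,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-server'
Fri Apr 7 18:32:08 2017 us=719997 UDPv6 link remote: [AF_INET6]2003:xx:xxxx:xxxx:xxx:xxxx:xxxx:xxxx:1198
Fri Apr 7 18:33:08 2017 us=157033 TLS Error: TLS handshake failed
"""

SERVER_LOG = """\
Fri Apr 7 18:51:59 2017 UDPv6 link remote: [AF_UNSPEC]
Fri Apr 7 18:52:38 2017 TLS: Initial packet from [AF_INET6]2003:xx:xxxx:xxxx:xxxx:xxx:xxxx:xxx:1198, sid=4788178c 27594943
Fri Apr 7 18:53:38 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Apr 7 18:53:38 2017 TLS Error: TLS handshake failed
"""

# OpenVPN prints both OCC option strings at verb >= 4 before the first handshake.
OPTS_RE = re.compile(r"(Local|Expected Remote) Options String \(VER=V\d\): '([^']*)'")

# The role flag legitimately differs between the local and the expected remote string.
ROLE_KEYS = {"tls-client", "tls-server"}

# Assumed message text OpenVPN 2.4 logs when a tls-crypt wrapped packet fails authentication.
TLS_CRYPT_ERR = "tls-crypt unwrap error"


def parse_options(log):
    """Map 'Local' / 'Expected Remote' to {option: value} parsed from the OCC strings."""
    result = {}
    for match in OPTS_RE.finditer(log):
        options = {}
        for item in match.group(2).split(","):
            # 'cipher AES-256-GCM' -> ('cipher', 'AES-256-GCM'); flags like 'comp-lzo' get ''
            key, _, value = item.partition(" ")
            options[key] = value
        result[match.group(1)] = options
    return result


def options_mismatch(local, expected):
    """Option names whose value differs between what we send and what we expect back."""
    keys = (set(local) | set(expected)) - ROLE_KEYS
    return sorted(k for k in keys if local.get(k) != expected.get(k))


def classify_handshake(client_log, server_log):
    """Which leg of the UDP path (if any) failed, judged from both logs of one attempt."""
    if not client_log.strip() or not server_log.strip():
        return "need-both-logs"               # a missing log must not be read as 'no packet'
    if TLS_CRYPT_ERR in client_log or TLS_CRYPT_ERR in server_log:
        return "tls-crypt-key-mismatch"       # packets arrive but cannot be authenticated
    server_saw_client = "TLS: Initial packet from" in server_log
    server_timed_out = "TLS key negotiation failed to occur" in server_log
    client_failed = "TLS handshake failed" in client_log
    # The client logs its own 'Initial packet from' line when the server's first reply arrives.
    client_got_reply = "TLS: Initial packet from" in client_log
    if client_failed and not server_saw_client:
        return "client-packets-never-reach-server"
    if server_saw_client and server_timed_out and client_failed and not client_got_reply:
        return "server-reply-never-reaches-client"
    if server_saw_client and not server_timed_out and not client_failed:
        return "handshake-completed"
    return "inconclusive"


def triage(client_log, server_log):
    """One-shot report combining the option comparison and the path classification."""
    occ = parse_options(client_log)
    mismatch = options_mismatch(occ.get("Local", {}), occ.get("Expected Remote", {}))
    return {"option_mismatch": mismatch, "path": classify_handshake(client_log, server_log)}


if __name__ == "__main__":
    print(triage(CLIENT_LOG, SERVER_LOG))
```

On the post's excerpts the report is no option mismatch and `server-reply-never-reaches-client`: the server logged `TLS: Initial packet from` the client's address and then timed out, while the client never logged an `Initial packet` line of its own. The verb 5 marker line in the client log says the same thing: per the OpenVPN manual, uppercase letters mark UDP/TCP reads and writes and lowercase letters TUN/TAP ones, so a run of `W` with lowercase `r` and no uppercase `R` means the client keeps sending on the link and never reads a reply. That is consistent with the return path to the client's bound port 1198 being dropped somewhere, not with a certificate or cipher problem, which would produce an explicit TLS error rather than a silent timeout.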