OpenVPN Tunneling IPv6 - failed to add IPv6 route

Hi,

I configured my router to tunnel all traffic through my VPN provider.
I used OpenVPN and so far only IPv4 was configured.
Some weeks ago my setup suddenly stopped working.

I am using this configuration from the OpenWRT wiki: https://openwrt.org/docs/guide-user/services/vpn/openvpn/client

To solve the problem I enabled IPv6 in my network.
Now every device is online with an IPv4 and IPv6 address.

I get this behaviour when I start OpenVPN (by /etc/init.d/openvpn restart):

  • IPv4 does not work anymore and
  • Connections using IPv6 do connect directly to the Internet instead of using the VPN

Looking into the OpenVPN logs, I think those lines are the most interesting ones:

Sat Nov 30 10:50:47 2019 us=108826 GDG6: remote_host_ipv6=n/a
Sat Nov 30 10:50:47 2019 us=112657 OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
Sat Nov 30 10:50:47 2019 us=116667 OpenVPN ROUTE: failed to parse/resolve route for host/network: 2000::/3

and:

Sat Nov 30 10:50:52 2019 us=922392 WARNING: OpenVPN was configured to add an IPv6 route over tun0. However, no IPv6 has been configured for this interface, therefore the route installation may fail or may not work as expected.

Full OpenVPN logs show this (for privacy reasons I obfuscated the VPN provider name and the IP addresses):

Sat Nov 30 10:50:41 2019 us=217416 OpenVPN 2.4.5 mips-openwrt-linux-gnu [SSL (mbed TLS)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Nov 30 10:50:41 2019 us=221134 library versions: mbed TLS 2.16.3, LZO 2.10
Sat Nov 30 10:50:41 2019 us=230046 WARNING: failed to personalise random
Sat Nov 30 10:50:41 2019 us=233812 LZ4v2 compression initializing
Sat Nov 30 10:50:41 2019 us=239157 Control Channel MTU parms [ L:1626 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Sat Nov 30 10:50:41 2019 us=332756 Data Channel MTU parms [ L:1626 D:1200 EF:126 EB:407 ET:0 EL:3 ]
Sat Nov 30 10:50:41 2019 us=336492 Fragmentation MTU parms [ L:1626 D:1300 EF:125 EB:407 ET:1 EL:3 ]
Sat Nov 30 10:50:41 2019 us=340320 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1574,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
Sat Nov 30 10:50:41 2019 us=344475 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1574,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
Sat Nov 30 10:50:41 2019 us=348657 TCP/UDP: Preserving recently used remote address: [AF_INET]84.XXX.XXX.102:443
Sat Nov 30 10:50:41 2019 us=352481 Socket Buffers: R=[163840->163840] S=[163840->163840]
Sat Nov 30 10:50:41 2019 us=356080 UDP link local: (not bound)
Sat Nov 30 10:50:41 2019 us=359679 UDP link remote: [AF_INET]84.XXX.XXX.102:443
Sat Nov 30 10:50:41 2019 us=381724 TLS: Initial packet from [AF_INET]84.XXX.XXX.102:443, sid=ae92ab17 8871bbaf
Sat Nov 30 10:50:41 2019 us=385753 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Nov 30 10:50:41 2019 us=464421 VERIFY OK: depth=1, C=XX, L=XXX, O=XXX, CN=XXX Root CA, emailAddress=info@xxx
Sat Nov 30 10:50:41 2019 us=470465 Validating certificate key usage
Sat Nov 30 10:50:41 2019 us=474034 VERIFY KU OK
Sat Nov 30 10:50:41 2019 us=477674 Validating certificate extended key usage
Sat Nov 30 10:50:41 2019 us=481363 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Nov 30 10:50:41 2019 us=485167 VERIFY EKU OK
Sat Nov 30 10:50:41 2019 us=488722 VERIFY OK: depth=0, CN=84.XXX.XXX.91-1574423188
Sat Nov 30 10:50:45 2019 us=747438 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1574', remote='link-mtu 1549'
Sat Nov 30 10:50:45 2019 us=751523 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Sat Nov 30 10:50:45 2019 us=755466 WARNING: 'mtu-dynamic' is present in local config but missing in remote config, local='mtu-dynamic'
Sat Nov 30 10:50:45 2019 us=759566 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher AES-128-GCM'
Sat Nov 30 10:50:45 2019 us=763694 WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth [null-digest]'
Sat Nov 30 10:50:45 2019 us=767943 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Sat Nov 30 10:50:45 2019 us=773183 Control Channel: TLSv1.2, cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384, 4096 bit key
Sat Nov 30 10:50:45 2019 us=777085 [84.XXX.XXX.91-1574423188] Peer Connection Initiated with [AF_INET]84.XXX.XXX.102:443
Sat Nov 30 10:50:47 2019 us=17334 SENT CONTROL [84.XXX.XXX.91-1574423188]: 'PUSH_REQUEST' (status=1)
Sat Nov 30 10:50:47 2019 us=44351 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route-ipv6 2000::/3,dhcp-option DNS 10.101.0.243,route 10.203.10.1,topology net30,ping 10,ping-restart 60,ifconfig 10.XXX.XXX.90 10.XXX.XXX.89,peer-id 4'
Sat Nov 30 10:50:47 2019 us=49039 OPTIONS IMPORT: timers and/or timeouts modified
Sat Nov 30 10:50:47 2019 us=52724 OPTIONS IMPORT: --ifconfig/up options modified
Sat Nov 30 10:50:47 2019 us=56306 OPTIONS IMPORT: route options modified
Sat Nov 30 10:50:47 2019 us=59915 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Nov 30 10:50:47 2019 us=63851 OPTIONS IMPORT: peer-id set
Sat Nov 30 10:50:47 2019 us=67412 OPTIONS IMPORT: adjusting link_mtu to 1629
Sat Nov 30 10:50:47 2019 us=87401 Data Channel MTU parms [ L:1577 D:1200 EF:77 EB:407 ET:0 EL:3 ]
Sat Nov 30 10:50:47 2019 us=91863 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Sat Nov 30 10:50:47 2019 us=95634 Outgoing Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
Sat Nov 30 10:50:47 2019 us=99393 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Sat Nov 30 10:50:47 2019 us=103183 Incoming Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
Sat Nov 30 10:50:47 2019 us=108826 GDG6: remote_host_ipv6=n/a
Sat Nov 30 10:50:47 2019 us=112657 OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
Sat Nov 30 10:50:47 2019 us=116667 OpenVPN ROUTE: failed to parse/resolve route for host/network: 2000::/3
Sat Nov 30 10:50:47 2019 us=129537 TUN/TAP device tun0 opened
Sat Nov 30 10:50:47 2019 us=152179 TUN/TAP TX queue length set to 100
Sat Nov 30 10:50:47 2019 us=162099 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Nov 30 10:50:47 2019 us=171521 /sbin/ifconfig tun0 10.XXX.XXX.90 pointopoint 10.XXX.XXX.89 mtu 1500
Sat Nov 30 10:50:52 2019 us=891467 /sbin/route add -net 84.XXX.XXX.102 netmask 255.255.255.255 gw 192.168.178.1
Sat Nov 30 10:50:52 2019 us=899172 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.XXX.XXX.89
Sat Nov 30 10:50:52 2019 us=907050 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.XXX.XXX.89
Sat Nov 30 10:50:52 2019 us=914778 /sbin/route add -net 10.203.10.1 netmask 255.255.255.255 gw 10.XXX.XXX.89
Sat Nov 30 10:50:52 2019 us=922392 WARNING: OpenVPN was configured to add an IPv6 route over tun0. However, no IPv6 has been configured for this interface, therefore the route installation may fail or may not work as expected.
Sat Nov 30 10:50:52 2019 us=926687 Initialization Sequence Completed
Sat Nov 30 10:50:56 2019 us=335257 FRAG_IN error flags=0x2a187bf3: FRAG_TEST not implemented
Sat Nov 30 10:51:06 2019 us=479152 FRAG_IN error flags=0x2a187bf3: FRAG_TEST not implemented
Sat Nov 30 10:51:16 2019 us=248234 FRAG_IN error flags=0x2a187bf3: FRAG_TEST not implemented
Sat Nov 30 10:51:26 2019 us=283314 FRAG_IN error flags=0x2a187bf3: FRAG_TEST not implemented
Sat Nov 30 10:51:36 2019 us=295178 FRAG_IN error flags=0x2a187bf3: FRAG_TEST not implemented
Sat Nov 30 10:51:46 2019 us=259170 FRAG_IN error flags=0x2a187bf3: FRAG_TEST not implemented

Do you have any idea how to solve my IPv6 problem?
Thanks for any hint and help :slight_smile:
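Added example, not part of any post in this thread: a small Python check that reads an OpenVPN client log like the one above and reports whether the pushed options leave IPv6 outside the tunnel (a `route-ipv6` pushed without `ifconfig-ipv6`, plus the ROUTE6 rejection line). The function names and result keys are hypothetical, the sample is an excerpt of the posted log, and only server-pushed options are inspected, not the local config.

```python
import re

# Excerpt of the log posted above (addresses are obfuscated as in the post).
SAMPLE_LOG = """\
Sat Nov 30 10:50:45 2019 us=759566 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher AES-128-GCM'
Sat Nov 30 10:50:47 2019 us=44351 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route-ipv6 2000::/3,dhcp-option DNS 10.101.0.243,route 10.203.10.1,topology net30,ping 10,ping-restart 60,ifconfig 10.XXX.XXX.90 10.XXX.XXX.89,peer-id 4'
Sat Nov 30 10:50:47 2019 us=112657 OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
Sat Nov 30 10:50:52 2019 us=899172 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.XXX.XXX.89
"""

PUSH_RE = re.compile(r"PUSH: Received control message: 'PUSH_REPLY,(.*)'")
MISMATCH_RE = re.compile(
    r"WARNING: '([\w-]+)' is used inconsistently, local='([^']*)', remote='([^']*)'")
ROUTE6_ERR = "OpenVPN ROUTE6: OpenVPN needs a gateway parameter"


def pushed_options(log):
    """Return the options from the first PUSH_REPLY as (name, args) tuples."""
    m = PUSH_RE.search(log)
    if not m:
        return []
    opts = []
    for item in m.group(1).split(","):
        name, _, args = item.strip().partition(" ")
        opts.append((name, args))
    return opts


def audit(log):
    """Summarise what the log says about IPv4/IPv6 coverage by the tunnel."""
    opts = pushed_options(log)
    names = {name for name, _ in opts}
    v6_routes = [args for name, args in opts if name == "route-ipv6"]
    has_v6_addr = "ifconfig-ipv6" in names      # tunnel got an IPv6 address
    rejected = ROUTE6_ERR in log                # client refused the v6 route
    return {
        "ipv4_redirected": "redirect-gateway" in names,
        "ipv6_routes_pushed": v6_routes,
        # True only if a v6 route was pushed AND could actually be installed;
        # False means IPv6 keeps using the WAN default route.
        "ipv6_routed_via_tunnel": bool(v6_routes) and has_v6_addr and not rejected,
        # Data-channel settings where client and server disagree.
        "option_mismatches": {n: (l, r) for n, l, r in MISMATCH_RE.findall(log)},
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```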

What issue are you trying to solve?

  • receiving an IPv6 address from your VPN provider; or
  • ensuring IPv6 traffic via WAN is disabled when connected to VPN?

I want to use the IPv6 address from my VPN provider.
In the end I want to have IPv4 and IPv6 routed through the VPN.
Currently both things do not work.

OK, please confirm that the VPN provider gives you a single IPv6 address, or a subnet.

I am using Cyberghost VPN and this website states that they fully support IPv6: https://www.vpnuniversity.com/learn/should-your-vpn-support-ipv6

The setup was running with the same configuration for years but suddenly stopped working.
The IPv6 error messages are new.
So my conclusion is that I need to get the IPv6 stuff running in OpenVPN.

I am having the exact same problem with Cyberghost VPN. Did you get it working, @Cing1971?

I could not get this to work.
But I have not tried the most recent OpenWrt version (in this case I mean the 19.07.01).