Good evening,
first: Thanks for your thoughts and tips!
I am currently trying to make my OpenVPN setup IPv6 ready. It is working so fare but I have two issues.
- The outgoing IPv6 address of the OVPN server is not the one of the WAN6 interface - so I get an error at the client side if not adding "float" to the config there. The server is accepting client requests via the WAN6 but replies from the LAN IPv6 address.
TCP/UDP: Incoming packet rejected from [AF_INET6]XXXX:XXX:b816:c5fc::1:1194[10], expected peer address: [AF_INET6]XXXX:XXXX:b816:c500:XXXX:XXXX:XXXX:ce25:1194 (allow this incoming source address/port by removing --remote or adding --float)
- I manually added a /112 subnet to the server config - however as my IPv6 prefix changes from time to time, I wonder whether their is way to have a /112 subnet delegated to the OpenVPN setting automatically? I have a /64 prefix delegated to the OpenWRT router.
I am running OpenWrt 19.07.2, r10947-65030d81f3 on a TP-Link TL-WDR4300 v1.
Thanks a lot!
Markus
Open VPN server
config openvpn 'lan'
option enabled '1'
option verb '3'
option log '/tmp/openvpn.log'
option tls_server '1'
option tls_version_min '1.2'
option user 'nobody'
option fast_io '1'
option group 'nogroup'
option dev 'tun0'
option port '1194'
option proto 'udp6'
option server '10.1.8.0 255.255.255.0'
## Here is the /112 global IPv6 prefix
option server_ipv6 'XXXX:XXXX:b816:c5fc::8:0/112'
option client_to_client '0'
option topology 'subnet'
option mute_replay_warnings '1'
option compress 'lzo'
option keepalive '10 120'
option persist_tun '1'
option persist_key '1'
option tls_crypt '/etc/openvpn/lan/ssl/tc.pem'
option dh '/etc/openvpn/lan/ssl/dh.pem'
option cert '/etc/openvpn/lan/ssl/lan_vpnserver.crt'
option key '/etc/openvpn/lan/ssl/lan_vpnserver.key'
option ca '/etc/openvpn/lan/ssl/ca.crt'
option cipher AES-256-GCM
option auth SHA512
option tls_cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
list push 'dhcp-option DOMAIN lan'
list push 'redirect-gateway def1'
list push 'topology subnet'
list push 'dhcp-option DNS 10.1.8.1'
list push 'block-outside-dns'
Open VPN client
verb 3
nobind
dev tun0
tls-client
proto udp
resolv-retry infinite
remote XXX.XXXX.XX 1194 udp
float
fast-io
comp-lzo
remote-cert-tls server
user nobody
group nobody
persist-key
persist-tun
mute-replay-warnings
cipher AES-256-GCM
mute 20
topology subnet
pull
auth SHA512
# ca, cert etc.
Firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone 'lan'
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config rule 'ovpn'
option name 'Allow-OpenVPN-lan'
option src 'wan'
option dest_port '1194'
option proto 'udp'
option target 'ACCEPT'
config zone
option network 'lanvpn'
option input 'ACCEPT'
option forward 'REJECT'
option name 'lanvpn'
option output 'ACCEPT'
config forwarding
option dest 'wan'
option src 'lanvpn'
Network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fde0:cab8:dd28::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'lanvpn'
option ifname 'tun0'
option proto 'none'
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
config device 'wan_eth0_2_dev'
option name 'eth0.2'
option macaddr '90:f6:52:ff:ce:25'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 4 5 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 0t'