Puzzling ipv6 / openvpn interaction

While trying to debug an issue with FritzOS "exposed host", I came across a funny situation: at the moment, neither my router (the exposed host) nor the ISP router (Fritzbox 7530AX) has IPv6 enabled; I had disabled my he.net tunnel because it proved to be unreliable with double NAT and the ISP does not provide native support... however my phone, using the mobile network on Deutsche Telekom with IPv6 active, can successfully connect to my own router's OpenVPN server over IPv6.

My guess is that Android is using a udp6 socket with an IPv4 destination, but I don't have a clue how that would work.

Does it make sense?

Oh, the FritzOS issue, right: the exposed host would only function if the internal client was set to DHCP with reservation; if I set it to static, as would seem reasonable, the bloody thing merrily displays this as "exposed" but neither ssh nor vpn from outside work and traceroute reports a "no route" at the last hop.
Either that or it cannot differentiate between .2 and .23 :smiley:

tcpdump or it never happened.

Many LTE services are using 464 as a way to offer IPv4 compatibility on an IPv6 only network.

  • All packets moving between the phone and the cell tower are IPv6.
  • To access a v4 only site, the destination address is special prefix:v4v4:v4v4 where the last 32 bits are the v4 address of the site in hex.
  • When this packet reaches the edge of the phone company network, the special prefix routes it to a machine that NATs it out on a V4 IP that the phone company owns.
  • The V4 reply from the V4 Internet returns to the NAT machine on its public IPv4 port and is NATd back to V6 and sent through the phone company V6 only network back to the phone.

There are two ways the address gets converted.

  • The phone company DNS supports DNS64. When a v6 capable app on the phone requests (unbeknownst to it) a V4-only site by name, the DNS returns an IPv6 result for it containing the special prefix and the IPv4 as the last 32 bits. This can then be processed as far as the v6 capable app is concerned, as if it is a v6 site.
  • A non-v6 app on the phone will interact with an interface in the phone containing a local v4 IP (by convention almost always This interface runs a translation service that will change V4 traffic to v6 special prefix.
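The address mapping described in the post above can be checked directly, which is also the quickest way to tell a NAT64-synthesized destination apart from a native IPv6 peer. The following Python is an added example, not code from this thread or from any of the routers mentioned: it embeds and extracts an IPv4 address in the RFC 6052 well-known prefix 64:ff9b::/96 and classifies an arbitrary peer address. The `classify_peer` name, the /96-only handling and the sample addresses (203.0.113.5 is from the documentation range) are my own assumptions for illustration.

```python
import ipaddress

# RFC 6052 well-known prefix; operators may instead use a network-specific
# prefix, which can be passed in place of this default (assumption: /96).
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_nat64(ipv4, prefix=WELL_KNOWN_PREFIX):
    """Build the IPv6 address a DNS64 resolver or a CLAT would produce:
    the /96 prefix followed by the IPv4 address in the last 32 bits."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract_ipv4(ipv6, prefix=WELL_KNOWN_PREFIX):
    """Reverse of synthesize_nat64: return the embedded IPv4 address if
    ipv6 lies inside the NAT64 prefix, otherwise None."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def classify_peer(addr, prefix=WELL_KNOWN_PREFIX):
    """Classify a remote address as seen in a client or server log.

    Returns one of:
      ("ipv4",  IPv4Address)  plain IPv4 peer
      ("nat64", IPv4Address)  IPv6 address carrying a NAT64-embedded IPv4
      ("ipv6",  IPv6Address)  native IPv6 peer
    """
    a = ipaddress.ip_address(addr)
    if a.version == 4:
        return ("ipv4", a)
    embedded = extract_ipv4(a, prefix)
    if embedded is not None:
        return ("nat64", embedded)
    return ("ipv6", a)


if __name__ == "__main__":
    # Constructed sample: what the phone side would resolve for an
    # IPv4-only VPN endpoint at 203.0.113.5 behind DNS64/NAT64.
    synthesized = synthesize_nat64("203.0.113.5")
    print("DNS64 would answer:", synthesized)
    # Constructed sample peers as they might appear in an OpenVPN log.
    for peer in ("203.0.113.5", "64:ff9b::cb00:7105", "2001:db8::1"):
        kind, value = classify_peer(peer)
        print(f"{peer:>22} -> {kind} ({value})")
```

Note that 64:ff9b::cb00:7105 and 64:ff9b::203.0.113.5 are the same address written two ways; `ipaddress` accepts both, so either form of a log line can be fed in. If the carrier uses a network-specific prefix rather than the well-known one, pass that `IPv6Network` as `prefix`; the check is otherwise identical.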

I will first check the address format as @mk24 suggested then gather the dump for @trendy if that is not the case. Though it makes sense: I get a different IPV4 address if I ask whatismyip instead of contacting my vpn server at home.

Ok, indeed it looks like NAT64 is in operation here: The "well-known prefix" reserved for this service is 64:ff9b::/96

Thanks for the tip, @mk24
