Greetings. My ISP currently has dual-stack and provides me with both IPv4/IPv6 addresses. I've set the DOCSIS modem they gave me to bridge mode so that OpenWRT can now handle everything itself.
M problem is the following: I have a computer I'm running a test website located behind OpenWRT --that is, it has a 192.168.1.X address where the router has a public IP address. I've done port forwarding via LuCI and the requests reach this computer, but they are completely malformed. Nginx reports:
X.X.X.X - - [04/May/2018:20:17:07 -0500] "\x16\x03\x01\x00\xAB\x01\x00\x00\xA7\x03\x03\xE4\x00;2\xBEr\x86\xA3?\x86]\x8AN\x93\xDD.\xB2<\xD2P\x83\xAD*0.\x1D\xA6N>,\xC5x\x00\x008\xC0,\xC00\x00\x9F\xCC\xA9\xCC\xA8\xCC\xAA\xC0+\xC0/\x00\x9E\xC0$\xC0(\x00k\xC0#\xC0'\x00g\xC0" 400 166 "-" "-"
on every IPv4 request. It's not logging IPv6 requests for some reason, but IPv6 traffic towards the computer works completely fine and shows the website I'm testing. Not every ISP here works with IPv6 yet, so getting IPv4 to work is one of the big things here for me.
Interesting thing of note: certbot issued me a certificate without issues from the aforementioned computer. If there were a problem forwarding IPv4 traffic, certbot would've told me that its HTTP challenge isn't reachable through IPv4, which leads me to believe that either nginx is not catching the traffic correctly or OpenWRT is not consistently forwarding the traffic correctly. (or certbot issues certificates in plain-text, which I doubt).
I would prefer not to pass on any of these tasks for the router to perform as it has limited horsepower and capacity (and command-line is also crippled), so any help getting this to work would be greatly appreciated.
On certbot, it may have picked your IPv6 DNS and think it only checks that you have administrative control of the server once, not for every DNS record.
Only time I've seen that kind of "garbage" is when someone is trying to compromise my site. Your topology is that you've got a public IPv4 and IPv6 on the "WAN" of the OpenWRT box, then your web server is on a different machine, somewhere on the "LAN", yes?
If so, I'd be running tcpdump (-A will ASCII-dump the contents of the packets) or ngrep on the box with the web server to see if it is really "garbage on the wire" at that point. If so, then back up to the OpenWRT LAN interface, then the WAN interface, if needed.
Thank you for your reply. Even though I intentionally obscured the IP, it currently belongs to a VPS I manage. Within it, I ran this command:
openssl s_client -4 -connect mysite.tld:443 -tls1_2
CONNECTED(00000003)
139944348534528:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:252:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1525488177
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
and nginx logs the IP where the request came from (my VPS in this case), but with the garbage added to it. Running the same command specifically against IPv6 shows the correct response from the server along with the certificate.
And yes, my topology is public IPv4 and public IPv6 on the WAN interface and the 192.168.1.X block is for LAN and assigned to the the devices I own.