OpenVPN Client | DNS & IPv6

Veldkornet

Senior Member
So I've configured an OpenVPN Client with PrivateTunnel on my 87u with merlin 280.58 alpha3, and basically after I connect the router to the VPN and then go to dnsleaktest.com, I still see all of my normal OpenDNS servers.

Looking at the logs, it looks as though once connected to the VPN, the DNS servers change but only for IPv4, the IPv6 servers stay the same...

I did notice these errors in the logs:

Mar 13 21:39:39 openvpn[27601]: Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:3: client-ip (2.3.10)
Mar 13 21:39:39 openvpn[27601]: Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:14: block-ipv6 (2.3.10)

Mar 13 21:39:39 openvpn[27601]: PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.9.0.1,ifconfig 10.9.127.227 255.255.0.0,client-ip 94.209.120.78,ping 8,ping-restart 40,comp-lzo no,topology subnet,explicit-exit-notify,redirect-gateway def1,dhcp-option DNS 10.9.0.1,sndbuf 0,rcvbuf 0,socket-flags TCP_NODELAY,block-ipv6'
Mar 13 21:39:39 openvpn[27601]: Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:3: client-ip (2.3.10)
Mar 13 21:39:39 openvpn[27601]: Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:14: block-ipv6 (2.3.10)
Mar 13 21:39:39 openvpn[27601]: OPTIONS IMPORT: timers and/or timeouts modified
Mar 13 21:39:39 openvpn[27601]: OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp
Mar 13 21:39:39 openvpn[27601]: OPTIONS IMPORT: LZO parms modified
Mar 13 21:39:39 openvpn[27601]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Mar 13 21:39:39 openvpn[27601]: Socket Buffers: R=[87380->87380] S=[16384->16384]
Mar 13 21:39:39 openvpn[27601]: OPTIONS IMPORT: --socket-flags option modified
Mar 13 21:39:39 openvpn[27601]: OPTIONS IMPORT: --ifconfig/up options modified
Mar 13 21:39:39 openvpn[27601]: OPTIONS IMPORT: route options modified
Mar 13 21:39:39 openvpn[27601]: OPTIONS IMPORT: route-related options modified
Mar 13 21:39:39 openvpn[27601]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mar 13 21:39:39 openvpn[27601]: TUN/TAP device tun11 opened
Mar 13 21:39:39 openvpn[27601]: TUN/TAP TX queue length set to 100
Mar 13 21:39:39 openvpn[27601]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mar 13 21:39:39 openvpn[27601]: /usr/sbin/ip link set dev tun11 up mtu 1500
Mar 13 21:39:39 openvpn[27601]: /usr/sbin/ip addr add dev tun11 10.9.127.227/16 broadcast 10.9.255.255
Mar 13 21:39:39 openvpn[27601]: updown.sh tun11 1500 1544 10.9.127.227 255.255.0.0 init
Mar 13 21:39:39 rc_service: service 27654:notify_rc updateresolv
Mar 13 21:39:39 dnsmasq[27593]: read /etc/hosts - 6 addresses
Mar 13 21:39:39 dnsmasq[27593]: read /etc/hosts.dnsmasq - 11 addresses
Mar 13 21:39:39 dnsmasq-dhcp[27593]: read /etc/ethers - 11 addresses
Mar 13 21:39:39 dnsmasq[27593]: using nameserver 2620:0:ccd::2#53
Mar 13 21:39:39 dnsmasq[27593]: using nameserver 2620:0:ccc::2#53
Mar 13 21:39:39 dnsmasq[27593]: using nameserver 10.9.0.1#53
Mar 13 21:39:42 openvpn[27601]: /usr/sbin/ip route add 89.233.106.6/32 via 192.168.1.1
Mar 13 21:39:43 openvpn[27601]: /usr/sbin/ip route add 0.0.0.0/1 via 10.9.0.1
Mar 13 21:39:43 openvpn[27601]: /usr/sbin/ip route add 128.0.0.0/1 via 10.9.0.1
Mar 13 21:39:43 openvpn-routing: Skipping, client 1 not in routing policy mode
Mar 13 21:39:43 openvpn[27601]: Initialization Sequence Completed
Mar 13 21:40:16 rc_service: httpd 1828:notify_rc stop_vpnclient1
Mar 13 21:40:17 openvpn[27601]: event_wait : Interrupted system call (code=4)
Mar 13 21:40:17 openvpn[27601]: vpnrouting.sh tun11 1500 1544 10.9.127.227 255.255.0.0 init
Mar 13 21:40:17 openvpn-routing: Configuring policy rules for client 1
Mar 13 21:40:17 openvpn-routing: Flushing client routing table
Mar 13 21:40:17 openvpn-routing: Completed routing policy configuration for client 1
Mar 13 21:40:17 openvpn[27601]: /usr/sbin/ip route del 89.233.106.6/32
Mar 13 21:40:17 openvpn[27601]: /usr/sbin/ip route del 0.0.0.0/1
Mar 13 21:40:17 openvpn[27601]: /usr/sbin/ip route del 128.0.0.0/1
Mar 13 21:40:17 openvpn[27601]: Closing TUN/TAP interface
Mar 13 21:40:17 openvpn[27601]: /usr/sbin/ip addr del dev tun11 10.9.127.227/16
Mar 13 21:40:17 openvpn[27601]: updown.sh tun11 1500 1544 10.9.127.227 255.255.0.0 init
Mar 13 21:40:18 rc_service: service 27786:notify_rc updateresolv
Mar 13 21:40:18 rc_service: waitting "stop_vpnclient1" via httpd ...
Mar 13 21:40:18 dnsmasq[27593]: read /etc/hosts - 6 addresses
Mar 13 21:40:18 dnsmasq[27593]: read /etc/hosts.dnsmasq - 11 addresses
Mar 13 21:40:18 dnsmasq-dhcp[27593]: read /etc/ethers - 11 addresses
Mar 13 21:40:18 dnsmasq[27593]: using nameserver 2620:0:ccd::2#53
Mar 13 21:40:18 dnsmasq[27593]: using nameserver 2620:0:ccc::2#53
Mar 13 21:40:18 dnsmasq[27593]: using nameserver 208.67.222.222#53
Mar 13 21:40:18 dnsmasq[27593]: using nameserver 208.67.220.220#53
 
The tunnel only supports IPv4.
 
Right, but why doesn't the "block-IPv6" option work then?
In the client settings, the DNS servers are set to explicit and also set to redirect all internet traffic. So, I would assume that if there is no IPv6, it should remove the things?

If I start the same connection from my phone or PC, it doesn't have IPv6 anymore. Or is this outlook too simple?

Sent from my iPhone using Tapatalk
 
That does not seem to be a valid option:

Code:
Mar 13 21:39:39 openvpn[27601]: Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:14: block-ipv6 (2.3.10)
 
That does not seem to be a valid option:

Code:
Mar 13 21:39:39 openvpn[27601]: Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:14: block-ipv6 (2.3.10)

Some VPNs use 'customized' versions of OpenVPN in their client apps to support additional options. This may be one of those cases.
 
Some VPNs use 'customized' versions of OpenVPN in their client apps to support additional options. This may be one of those cases.

And besides, such an option would have no effect on the rest of the firmware, so anything accessing the Internet over IPv6 would still bypass the tunnel. The only solutions are to either disable IPv6 on the client, or disable it globally on the router.
 
Some VPNs use 'customized' versions of OpenVPN in their client apps to support additional options. This may be one of those cases.

Could be, but considering PrivateTunnel is from OpenVPN themselves, I would expect them to do things properly.

And besides, such an option would have no effect on the rest of the firmware, so anything accessing the Internet over IPv6 would still bypass the tunnel. The only solutions are to either disable IPv6 on the client, or disable it globally on the router.

I get what you're saying, but IPv6 is being used more and more; so I don't think that disabling IPv6 every time I want to use the tunnel is the way to go.

Also, the OpenVPN client on my iPhone for example does automatically disable IPv6 when the VPN connects, and the IPv6 traffic doesn't bypass the VPN. I understand that my iPhone is not a router, but it does work as expected wrt IPv6.

I see in the logs that the DNS servers are modified during connection from:
Mar 13 21:39:38 dnsmasq[27593]: using nameserver 2620:0:ccd::2#53
Mar 13 21:39:38 dnsmasq[27593]: using nameserver 2620:0:ccc::2#53
Mar 13 21:39:38 dnsmasq[27593]: using nameserver 208.67.222.222#53
Mar 13 21:39:38 dnsmasq[27593]: using nameserver 208.67.220.220#53

To:
Mar 13 21:39:39 dnsmasq[27593]: using nameserver 2620:0:ccd::2#53
Mar 13 21:39:39 dnsmasq[27593]: using nameserver 2620:0:ccc::2#53
Mar 13 21:39:39 dnsmasq[27593]: using nameserver 10.9.0.1#53

So, shouldn't the IPv6 DNS servers just be removed in this process as well if the option block-ipv6 is received? As then IPv6 will not function? Or does this sound easier than it actually is?

Either way, I've logged a ticket with PrivateTunnel/OpenVPN support, so I'll see what they say...
 
Removing the IPv6 DNS will not prevent IPv6 traffic from being routed - plus, you can still do IPv6 resolution using an IPv4 DNS. And starting to apply custom routing rules for IPv6 on top of the IPv4 tunnel routes is reaching quite a level of design complexity that I'm not prepared to dive into - sorry.

Doing everything directly on a client (such as a phone or a desktop) is much simpler than on a router, as you don't have to deal with having some clients allowed, and others rejected.
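
Added example (not part of any post in this thread, and not firmware code): a Python check over an excerpt of the log posted above. It lists the pushed options the client ignored and the dnsmasq upstream resolvers still in use once the tunnel is up that were neither pushed by the VPN nor inside the tunnel subnet. The function name `audit` is hypothetical, and the parsing assumes `topology subnet` and the log wording shown in this thread.

```python
import ipaddress
import re

# Excerpt of the router log posted earlier in this thread (not new data).
SAMPLE_LOG = """\
Mar 13 21:39:38 dnsmasq[27593]: using nameserver 2620:0:ccd::2#53
Mar 13 21:39:38 dnsmasq[27593]: using nameserver 208.67.222.222#53
Mar 13 21:39:39 openvpn[27601]: PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.9.0.1,ifconfig 10.9.127.227 255.255.0.0,client-ip 94.209.120.78,ping 8,ping-restart 40,comp-lzo no,topology subnet,explicit-exit-notify,redirect-gateway def1,dhcp-option DNS 10.9.0.1,sndbuf 0,rcvbuf 0,socket-flags TCP_NODELAY,block-ipv6'
Mar 13 21:39:39 openvpn[27601]: Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:3: client-ip (2.3.10)
Mar 13 21:39:39 openvpn[27601]: Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:14: block-ipv6 (2.3.10)
Mar 13 21:39:39 rc_service: service 27654:notify_rc updateresolv
Mar 13 21:39:39 dnsmasq[27593]: using nameserver 2620:0:ccd::2#53
Mar 13 21:39:39 dnsmasq[27593]: using nameserver 2620:0:ccc::2#53
Mar 13 21:39:39 dnsmasq[27593]: using nameserver 10.9.0.1#53
Mar 13 21:39:43 openvpn[27601]: Initialization Sequence Completed
"""

PUSH = re.compile(r"PUSH_REPLY,([^']*)")
IGNORED = re.compile(r"Unrecognized option or missing parameter\(s\) in \[PUSH-OPTIONS\]:\d+: (\S+)")
NAMESERVER = re.compile(r"dnsmasq\[\d+\]: using nameserver ([0-9A-Fa-f:.]+)#\d+")

def audit(log):
    """Report pushed options the client ignored and resolvers left outside the tunnel."""
    tunnel, pushed_dns, ignored, current, at_up = None, set(), [], [], []
    for line in log.splitlines():
        if m := PUSH.search(line):
            for opt in m.group(1).split(","):
                words = opt.split()
                if words[:1] == ["ifconfig"] and len(words) == 3:  # assumes topology subnet
                    tunnel = ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False)
                elif words[:2] == ["dhcp-option", "DNS"] and len(words) == 3:
                    pushed_dns.add(ipaddress.ip_address(words[2]))
        elif m := IGNORED.search(line):
            if m.group(1) not in ignored:
                ignored.append(m.group(1))
        elif "notify_rc updateresolv" in line:
            current = []  # dnsmasq re-reads its upstream list after this event
        elif m := NAMESERVER.search(line):
            current.append(ipaddress.ip_address(m.group(1)))
        elif "Initialization Sequence Completed" in line:
            at_up = list(current)  # resolver set in effect once the tunnel is up
    outside = [str(a) for a in at_up
               if a not in pushed_dns and not (tunnel is not None and a in tunnel)]
    return {"ignored": ignored, "resolvers": [str(a) for a in at_up], "outside_tunnel": outside}

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

An empty `outside_tunnel` list only covers DNS configuration; as stated in the post above, IPv6 traffic is routed independently of which resolvers are configured.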
 
Where's your magic wand Merlin? I thought you just waved it and awesome firmwares appeared ;)

Sim sala bim! ;)

No but I understand what you're saying. I'll wait on support to see if they can add any extra info which may assist in making things easier...


Sent from my iPhone using Tapatalk
 
Could be, but considering PrivateTunnel is from OpenVPN themselves, I would expect them to do things properly.
FYI...Just in case I missed what could be a useful option (block-ipv6)....I checked the OpenVPN man page....no such option listed.
 
So if anyone is interested, PrivateTunnel mostly said the same.

We are currently working on IPv6 support, so hopefully IPv6 availability will be expanded soon.

Since PrivateTunnel is only an IPv4 service at the moment, you will need to disable IPv6 support on your router to prevent it from leaking. When our service does eventually support IPv6, you will most likely need to upgrade to an OpenVPN client that can understand IPv6 based directives so you can be protected on that end.

However, now I have a new question, but this time about the OpenVPN Server & IPv6 :)

When I connect from my phone with the OpenVPN app to my router; it first tries over IPv6, gets rejected "Connection Refused", then connects successfully over IPv4.
I see that in general IPv6 is supported, so is there something I can do to get it working? Or is this something that needs to be updated in the firmware first before it will work?


Sent from my iPhone using Tapatalk
 
