
OpenVPN IPV6 support


How do I enable it on the server and client to get the IPV6 support on server/client?
Can I just add in the custom config GUI:

proto tcp6-client
proto tcp6-server

But it does not overwrite the auto generated entry
client
proto tcp

It will just append it. Is the first config statement then overwritten?

I want the clients to talk to an IPV6 OpenVPN server (via a 6in4 tunneling provider).
 
Hello Rooby,

That's a pretty good question, in fact I'm using vpn site to site routed, with IPV6 inside the vpn Tunnel, not outside, so to be honest I really don't know.

I think the last statement is the one used, but this is just my guess.
It might be that the server will listen on both IPV4 and IPV6 addresses.

So try and report back.

Best regards,
--
Nonolk.
 
I have now tried to get OpenVPN running through IPV6 (outside the tunnel) with two Asus Merlin Routers
using TCP as the protocol and TUN as interface.
On IPV4 I get connection and everything works well.

For IPV6 I have set on the server in the custom config:
Code:
proto tcp6
Additionally I have opened on the IPV6 firewall the port 1194. (maybe not needed, maybe already done by OpenVPN)

On the clients I have set in the custom config:
Code:
remote <my IPV6 DynDNS address> 1194 tcp6
When I make the GUI entry in the client for the IPV4 server address invalid
the client tries to connect to the server via IPV6:
Code:
Feb 26 15:16:35 openvpn[19763]: Attempting to establish TCP connection with [AF_INET6]2003:66:xxxx:xxxx::1:1194 [nonblock]
Feb 26 15:16:45 openvpn[19763]: TCP: connect to [AF_INET6]2003:66:xxxx:xxxx::1:1194 failed, will try again in 5 seconds: Connection timed out
Feb 26 15:16:45 openvpn[19763]: SIGUSR1[soft,init_instance] received, process restarting
Feb 26 15:16:45 openvpn[19763]: Restart pause, 5 second(s)
For me it looks like the server is not answering.
But I can ping my IPV6 2003:66:xxxx:xxxx::1.
If I do a port scan (http://www.subnetonline.com/pages/ipv6-network-tools/online-ipv6-port-scanner.php), port 1194 seems not to be open.

Is there anything I forgot to configure on the server?
 
Hello Rooby,

For me it's clearly a firewall issue. Your firewall doesn't let clients connect to port 1194 on the router.

The important word here is on the router.

For instance, in my scenario, to allow ssh from the tunnel to the router endpoint I had to add the following rule:
ip6tables -I INPUT -i tun11 -j ACCEPT

Don't use it like that; it won't work in your scenario.

I think you can first try to temporarily disable the IPV6 firewall to see if it works. If yes, the problem is the firewall, and you will have to insert a rule matching your environment.

By default the IPV6 firewall from Merlin firmware allows ping to all addresses.

But right now there are no rules to allow openvpn.

Best regards,
--
Nonolk.
 
Hello Rooby,

By default the IPV6 firewall from Merlin firmware allows ping to all addresses.

But right now there are no rules to allow openvpn.

I was wondering why the ping was working. Now it is clear.
But unfortunately when I disable the IPV6 firewall the problem is the same. I get no connection.
 
So I got it running by adding a command in the shell
Code:
ip6tables -I INPUT -p tcp -j ACCEPT
I guess with that I opened everything with TCP, which is not a good way of doing it.
Is there a better way to just open TCP for port 1194?

Should this not be done on the IPV6 firewall when I open TCP and port 1194?
But this was not working even when I disabled the IPV6 firewall entirely.
Is the IPV6 firewall working in 378.50?
Additionally, allowing ping to all clients by default is also quite bad for a firewall.
 
Additionally, allowing ping to all clients by default is also quite bad for a firewall.

Allowing ICMP pings is required as per the IPv6 RFCs.
 
Allowing ICMP pings is required as per the IPv6 RFCs.
OK, I did not know that. But personally I think it is not good to reply to pings if not really necessary.

RMerlin, can you check if the IPV6 firewall is working correctly?
I have now added the following in the firewall-start script:
Code:
ip6tables -I INPUT -i ppp0 -p tcp --dport 1194 -j ACCEPT
I guess this is the correct setting to open only port 1194 for OpenVPN and IPV6.
But shouldn't it be done by the firewall when I open the port 1194 or even automatically when I enable OpenVPN?
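
The thread moves from a blanket `-p tcp -j ACCEPT` rule to one limited to `--dport 1194` on `ppp0`. As an added example (not part of the original posts or of the Merlin firmware), this shell function audits `ip6tables -S INPUT` output for TCP/UDP ACCEPT rules that are wider than that; the names `audit_ip6_input` and `SAMPLE_RULES` are hypothetical and the sample rules are constructed.

```shell
#!/bin/sh
# Added example: classify tcp/udp ACCEPT rules from `ip6tables -S INPUT`.
# Reads rules on stdin and prints "<verdict>: <rule>" for each one:
#   BROAD      no destination port, so every port of that protocol is open
#   ANY-IFACE  port-limited, but accepted on every interface
#   OK         limited to one port and one inbound interface
audit_ip6_input() {
    awk '
    $1 == "-A" && $2 == "INPUT" {
        proto = ""; dport = ""; iface = ""; target = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport" || $i == "--dports") dport = $(i + 1)
            else if ($i == "-i") iface = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
        }
        # Only tcp/udp ACCEPT rules are judged; ICMPv6 and state rules pass through.
        if (target != "ACCEPT") next
        if (proto != "tcp" && proto != "udp") next
        if (dport == "") verdict = "BROAD"
        else if (iface == "") verdict = "ANY-IFACE"
        else verdict = "OK"
        print verdict ": " $0
    }'
}

# Constructed sample in the format printed by `ip6tables -S INPUT`.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 1194 -j ACCEPT'

printf '%s\n' "$SAMPLE_RULES" | audit_ip6_input
```

On the router itself the same function can be fed live rules with `ip6tables -S INPUT | audit_ip6_input`; any BROAD line left over from testing can be removed with `ip6tables -D` and the same rule specification.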
 
OK, I did not know that. But personally I think it is not good to reply to pings if not really necessary.

Why? Not responding to pings is just silly paranoia. Besides, who would scan 2^128 IPs through pings to find out systems that actually respond to pings? That would require someone willing to die of old age before he can find a valid target.

RMerlin, can you check if the IPV6 firewall is working correctly?
I have now added the following in the firewall-start script:
Code:
ip6tables -I INPUT -i ppp0 -p tcp --dport 1194 -j ACCEPT
I guess this is the correct setting to open only port 1194 for OpenVPN and IPV6.
But shouldn't it be done by the firewall when I open the port 1194 or even automatically when I enable OpenVPN?

I didn't implement IPv6 support for OpenVPN, so I wasn't expecting it to work.
 
Why? Not responding to pings is just silly paranoia. Besides, who would scan 2^128 IPs through pings to find out systems that actually respond to pings? That would require someone willing to die of old age before he can find a valid target.
This is quite easy: it will show a potential hacker that yes, there is a target which is alive and waiting to get hacked. Maybe the reply will also show the operating system. But I do not know much about TCP/IP packets. A good firewall will just drop everything which is not configured and does not reply. A stupid ping search over all possible addresses is of course not practicable. I fully agree.

I didn't implement IPv6 support for OpenVPN, so I wasn't expecting it to work.
Yes, it seems to work, so I can connect to my server (server and client are both RT-AC66U with your SW). I can see the IPV6 client address in the VPN server overview.
To make it more convenient I would suggest adding
UDP6/TCP6 as a drop-down menu to the GUI of server and client,
and on the client, if UDP6 or TCP6 is selected, adding just one additional line for the IPV6 server address, which results in two remote statements in the OpenVPN config file with the IPV6 one first. Then when IPV6 is not working it falls back to the IPV4 connection.
What do you think?

For the firewall to open port 1194 for IPV6 I don't really know how to handle it. Maybe open it automatically if UDP6 or TCP6 is chosen, or just give a hint to open it manually.
 
Yes, it seems to work, so I can connect to my server (server and client are both RT-AC66U with your SW). I can see the IPV6 client address in the VPN server overview.
To make it more convenient I would suggest adding
UDP6/TCP6 as a drop-down menu to the GUI of server and client,
and on the client, if UDP6 or TCP6 is selected, adding just one additional line for the IPV6 server address, which results in two remote statements in the OpenVPN config file with the IPV6 one first. Then when IPV6 is not working it falls back to the IPV4 connection.
What do you think?

For the firewall to open port 1194 for IPV6 I don't really know how to handle it. Maybe open it automatically if UDP6 or TCP6 is chosen, or just give a hint to open it manually.

Adding IPv6 support is not a priority right now (it'd be tricky for me to test it) but I will possibly eventually take a look at it to see how doable it would be. For now I can at least take a look at the firewall part of it, since this is something normally handled automatically on the IPv4 side of things, so I'd do the same thing for IPv6 - should be rather simple to implement.
 
OK, if not possible/no priority, maybe you can put it in the pipe. In Germany we have an important cable provider which uses IPV6 and DS-light, which means you have only a native IPV6 connection. So IPV6 is becoming more important, at least here ...
But nevertheless thank you for your work. Without your work I would miss important features like OpenVPN.
 
Adding IPv6 support is not a priority right now (it'd be tricky for me to test it) but I will possibly eventually take a look at it to see how doable it would be. For now I can at least take a look at the firewall part of it, since this is something normally handled automatically on the IPv4 side of things, so I'd do the same thing for IPv6 - should be rather simple to implement.

Just a little tweak for your work queue (the firewall part) :) I took a look at it and there were a couple of things I wasn't sure of. Thanks!
 
Blocking pings is 1990s-style security.

It's no real security concern.
 
So following up on this thread, does Asus Merlin have support for OpenVPN IPv6 now with the 380 and newer firmware?
I'm trying to address an issue of IPv6 leaking. What's happening is that some of my clients are connecting through a network which has IPv6. So some of the packets are leaking into the internet directly without going through the VPN (as Windows prefers IPv6 to IPv4). I'm trying to figure out a way to tell the VPN client to redirect ALL traffic to the OpenVPN server, and one way to do that would be to set up an IPv6 tunnel. @RMerlin, any advice on this to get all traffic routed to the VPN (IPv6 and IPv4)? I can't disable the IPv6 protocol on the remote clients in all cases, hence trying to handle this through the OpenVPN server/client configs.
 
