Unable to connect to OpenVPN over IPv6

[hillbeast]

Hi! I'm trying to set up openvpn server to let clients connect using the router's ipv6 address, but failing. My openvpn server is working fine over ipv4, but my ISP in the UK uses carrier-grade NAT, and I don't want to keep paying for a static IP address. Any help or clues regarding what I could be missing would be greatly appreciated!! Below is more info and what I've tried so far. The thing I don't understand right now is why the WAN IPv6 address (2a01:4b00:efgh:...) looks so different to the LAN IPv6 prefix (2a01:4b00:abcd:1200::1/56) my router gets to manage.

Router: Asus RT-AC68U
Firmware: MerlinWRT 384.19

​

IPv6 Connection Type	Native with DHCP-PD
WAN IPv6 Address	2a01:4b00:efgh:xxxx:xxxx:xxxx:xxxx:eff5
WAN IPv6 Gateway	fe80::a208:6fff:fe9d:5b5b
LAN IPv6 Address	2a01:4b00:abcd:1200::1/56
DHCP-PD	Enabled
LAN IPv6 Prefix	2a01:4b00:abcd:1200::/56

Custom VPN Server configuration (in addition to basic IPv4 settings on the UI):
proto udp6
server-ipv6 2a01:4b00:abcd:1200:123::/80
push "route-ipv6 2a01:4b00:abcd:1200::/56"
push "route-ipv6 2000::/3"
push "dhcp-option DNS6 2a01:4b00:abcd:1200::1"

OpenVPN Client config:
client
dev tun
remote 2a01:4b00:abcd:1200::1 1194 udp6 ;; <- this doesn't work
;remote 2a01:4b00:efgh:xxxx:xxxx:xxxx:xxxx:eff5 1194 udp6 ;; <- this doesn't work
;remote 123.0.456.789 1194 udp ;; <- this works
resolv-retry infinite
nobind
float
ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
cipher AES-128-CBC
compress lz4-v2
keepalive 15 60
auth-user-pass
remote-cert-tls server
...

Any help is greatly appreciated!! Thanks in advance

 

[hillbeast]

I've also tried enabling and disabling the firewall, but no luck. The IPv6 connection just gets stuck in this state:

2021-04-22 09:20:44.471208 UDPv6 link local: (not bound)
2021-04-22 09:20:44.471220 UDPv6 link remote: [AF_INET6]{remote ipv6 address from client config}
2021-04-22 09:20:44.471244 MANAGEMENT: >STATE:1619079644,WAIT,,,,,,

As for the ipv4 connection, I am able to connect successfully and even get allotted a virtual ipv6 address, but it always ends up using UDPv4, and the IPv6 routing never works (when I check on ipv6-test.com). Just to clarify, my client network does support ipv6 and everything looks fine on ipv6-test.com. Here's the client connection logs when I use the ipv4 connection: https://gist.github.com/shivanker/0f28d4fd471943642222907b4abeb009

 

[eibgrad]

AFAIK, Merlin only supports IPv4 w/ OpenVPN.

 

[hillbeast]

Oh, that would be slightly surprising. Because I do get an ipv6 address when I connect over ipv4, and I see everything going fine in the ovpn-server initialization logs:

Apr 21 20:42:44 ovpn-server1[942]: ovpn-up 1 server tun21 1500 1622 10.8.0.1 255.255.255.0 init
Apr 21 20:42:44 ovpn-server1[942]: Could not determine IPv4/IPv6 protocol. Using AF_INET6
Apr 21 20:42:44 ovpn-server1[942]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Apr 21 20:42:44 ovpn-server1[942]: setsockopt(IPV6_V6ONLY=0)
Apr 21 20:42:44 ovpn-server1[942]: UDPv6 link local (bound): [AF_INET6][undef]:1194
Apr 21 20:42:44 ovpn-server1[942]: UDPv6 link remote: [AF_UNSPEC]
Apr 21 20:42:44 ovpn-server1[942]: MULTI: multi_init called, r=256 v=256
Apr 21 20:42:44 ovpn-server1[942]: IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Apr 21 20:42:44 ovpn-server1[942]: Initialization Sequence Completed


Any way to confirm if IPv6 support is indeed lacking? I tried checking the port status on netstat, and it seems like openvpn is receiving udp packets over the ipv6 address:

$ admin@RT-AC68U-5140:/tmp/home/root# netstat -putan | grep 1194
udp 0 0 :::1194 :::* 14078/vpnserver1

 

[ColinTaylor]

Merlin has stated many times that IPv6 is not supported for the OpenVPN server.

This thread might suggest there's "an issue" when IPv6 is enabled on the WAN.

 

[hillbeast]

Sorry, I'm pretty new around here.. Is this a hardware issue, or does MerlinWRT not support VPN-over-IPv6 on any model? Is this something I could contribute to the community? Or is it really beyond any hope to get this working?

 

[ColinTaylor]

It's not a hardware issue. It's just that stock Asus firmware doesn't support it and neither does Merlin. I don't see any realistic chance of IPv6 VPN support being added by Merlin as he has frequently said that as he doesn't have an IPv6 connection himself he has no way of developing, testing and supporting IPv6 applications.

 

[hillbeast]

Well, found this thread - https://www.snbforums.com/threads/openvpn-ipv6-support.22879/page-2. I guess this is probably a lost cause for now.

 

[AurelM]

I've posted a tutorial about this, not two weeks ago: IPv6 DDNS (noip.com) and VPN server for CG-NAT IPv4 . Did it not show in your search results or did it not help you?

Keep in mind that the firmware I use is the newer 386 branch with openvpn 2.5.x, but it should work on the older firmware as well. The newer version supports the CHACHA20-POLY1305 cipher for data encryption which is faster than AES-128-CBC on processors that don't have AES hardware acceleration like the one the Asus RT-AC68U router uses, so if not for a really good reason for sticking with the older firmware, I would upgrade and use this cipher.

AsusWRT-Merlin firmware does not support setting a IPv6 OpenVPN server through the WebUI, but it can be done through scripts.

I would disable compression, see The VORACLE attack vulnerability for more information.
At first I would let the Custom Configuration field empty and make sure the tunnel works (by trying to access the router's WebUI from the client using the router's LAN IP Address) and then add to it as necessary.

I don't see the proto statement in your client config. It should be like this:

client
dev tun
proto udp6
remote 2a01:4b00:efgh:xxxx:xxxx:xxxx:xxxx:eff5 1194
resolv-retry infinite
[...]

So use the router's WAN IPv6 Address for the remote statement or a IPv6 host name that resolves to it.

 

[hillbeast]

Did it not show in your search results or did it not help you?

It did not show up. Let me give it a read now! Thanks!!

if not for a really good reason for sticking with the older firmware, I would upgrade and use this cipher.

That's really cool, thanks for letting me know. I'm not physically near my router right now (only 2500 miles away). But I do plan to upgrade when I get back and have some time on my hands.

I would disable compression, see The VORACLE attack vulnerability for more information.

Yeah, that's a calculated risk on my part -- given that I was struggling with HD streaming given my ISP's upload speed.

I don't see the proto statement in your client config.

I've actually inlined the protocol into the remote line. It's just another syntax for the same thing -

remote 2a01:4b00:abcd:1200::1 1194 udp6

 

[hillbeast]

Doesn't seem to work for me. I tried running the script manually as well. Verified the nvram vpnserver proto was set to udp6. Verified the changes in ip6tables. Still couldn't connect to the VPN with the ipv6 address (ddns is a separate issue, and I don't care much about it). One question though - with your script, do I still need the additional lines in vpn server config?

Custom VPN Server configuration (in addition to basic IPv4 settings on the UI):
proto udp6
server-ipv6 2a01:4b00:abcd:1200:123::/80
push "route-ipv6 2a01:4b00:abcd:1200::/56"
push "route-ipv6 2000::/3"
push "dhcp-option DNS6 2a01:4b00:abcd:1200::1"

As for the LAN IPv6 address vs the WAN IPv6 address, I enabled SSH from WAN, and verified that the LAN IPv6 is indeed my router's publicly visible IP address, not the WAN IPv6 address. Next up, I'm thinking of logging if the router receives any UDP packet on the ipv6 address at all (using ip6tables).

EDIT: ^ Yeah the packets processed by the INPUT rule do go up when I try to connect (with LAN ipv6 address).
In addition to the INPUT rule, I also added a FORWARD rule for tun21 as indicated in this post - https://www.snbforums.com/threads/openvpn-ipv6.40549/#post-340077. But still no luck.

admin@RT-AC68U-5140:/tmp/home/root# ip6tables -L -v | grep -E '(tun21|1194|Chain INPUT|Chain FORWARD)'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
   17  1054 ACCEPT     udp      any    any     anywhere             anywhere             udp dpt:1194
Chain FORWARD (policy DROP 0 packets, 0 bytes)
  456 64184 ACCEPT     all      tun21  any     anywhere             anywhere

 

[AurelM]

I've actually inlined the protocol into the remote line. It's just another syntax for the same thing -

I actually saw this, but did not know it works like this so I suggested a way that I know works. But after checking the manual, I now know this works too.

do I still need the additional lines in vpn server config?

There shouldn't need to be anything there to make the client connect. As I said, I would leave it empty at first to make sure it works and then add to it. I don't have anything there, but I only use that server to reach the router.
The script is there to add the ip6tables rule in case the router reboots and it also makes sure that the protocol is set to udp6 in case any changes are made in the WebUI.

As for the LAN IPv6 address vs the WAN IPv6 address, I enabled SSH from WAN, and verified that the LAN IPv6 is indeed my router's publicly visible IP address, not the WAN IPv6 address. Next up, I'm thinking of logging if the router receives any UDP packet on the ipv6 address at all (using ip6tables).

I just tried using the LAN IPv6 Address in the client config and it won't connect. Switched to the WAN IPv6 Address and it connects like before. So definitely use the WAN IPv6 Address.

As for the SSH working, remember that IPv6 is meant to give all hosts a internet routable address (or publicly visible to use your words), so it makes sense you are able to connect to both WAN and LAN IPv6 addresses. Have you tried connecting to the WAN IPv6 Address using SSH and it actually didn't work (after enabling access from WAN also) ?

In addition to the INPUT rule, I also added a FORWARD rule for tun21 as indicated in this post - https://www.snbforums.com/threads/openvpn-ipv6.40549/#post-340077.

I don't have this rule set, but I've added it and it makes no difference as far as client being able to connect. From what I can tell, this rule is there for allowing IPv6 requests from vpn clients to go to another interface of the router, like to a host in LAN through br0 interface.

 

[hillbeast]

There shouldn't need to be anything there to make the client connect. As I said, I would leave it empty at first to make sure it works and then add to it. I don't have anything there, but I only use that server to reach the router.

Tried clearing out the additional options.. Still doesn't work for me..

Have you tried connecting to the WAN IPv6 Address using SSH and it actually didn't work (after enabling access from WAN also) ?

Yes, I tried with the WAN IPv6 address and unable to ssh using it.