Discussion:
[Openvpn-users] Need help with Ubuntu 16.04 LTS OpenVPN 2.4 Dual-Stack Server Firewall Configuration
d***@telus.net
2017-06-10 00:18:35 UTC
Permalink
A few months ago, I was trying to get a dual-stack client and server working on Windows 10. I was able to get the client and server to connect and fully work for ipv4, but I was unable to configure the network settings on the server so it would also work for ipv6. I tried several different approaches, but no matter what I tried, the server would not pass the ipv6 traffic. I decided to try again using a linux server. I configured a Ubuntu 16.04 LTS server running the latest version of openvpn from scratch. The server is behind a pfsense router with native dual stack. It has a single ethernet interface with ipv4 and ipv6 dhcp addresses. The client is behind a completely separate pfsense router. It also has native dual stack on a single ethernet interface with ipv4 and ipv6 dhcp addresses. So as to not carry over any possible problems from the previous attempt, I created new keys and new configuration files from scratch. The client and server connect and the vpn will carry ipv4 traffic, but I'm not sure how to configure the server to carry the ipv6 traffic.

Note, I initially started using ULA addressing on the server (fc00::/64). That did not work, so I switched to prefix::/64. In both cases, everything worked properly except for passing ipv6 traffic.

I've tried to make the client and server configurations as minimalist as possible.

Here is the server configuration:

port 1194
proto udp
dev tun

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh4096.pem

cipher AES-256-CBC
auth SHA512

server 10.8.0.0 255.255.255.0
server-ipv6 {redacted prefix}::/64
push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway ipv6"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS6 2001:4860:4860::8888"

ifconfig-pool-persist ipp.txt
keepalive 10 120

comp-lzo

persist-key
persist-tun

status openvpn-status.log
log openvpn.log
verb 3

Here is the client configuration:

ca ca.crt
cert client.crt
key client.key

remote {redacted ipv4 server address} 1194
comp-lzo
client
dev tun
redirect-gateway def1

remote-cert-tls server
cipher AES-256-CBC
auth SHA512

proto udp
resolv-retry infinite
nobind

persist-key
persist-tun

verb 3
mute 20

Are there any issues in the above configuration files?

I followed some instructions in a tutorial on digital ocean to configure the server firewall using ufw (which is a front-end to iptables). While I'm not exactly sure why or how it works, it works. I can ping the client and server using both ipv4 and ipv6 in both directions. I can look up ipv4 and ipv6 addresses from the client using nslookup. I can ping external addresses and access external websites from the client using ipv4, but not using ipv6. As I said, I initially tried using fc00::/64 but that didn't work so I changed to {delegated prefix}::/64. That made no difference, so I'm not sure whether I should be using ULA or UGA. I'm quite sure the problems is at least in part because the firewall is not configured to pass the ipv6 traffic, but I haven't found any examples showing the ipv6 equivalent of how I configured the firewall for ipv4.

Forwarding of ipv4 and ipv6 is enabled.

Here are the rules I added to ufw for ipv4:

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to wlp11s0 (change to the interface you discovered!)
-A POSTROUTING -s 10.8.0.0/8 -o wlp11s0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

I tried posting on the forum. I received the usual RTFM replies, but no suggestions about ufw. The OpenVPN documentation and how-tos are sorely lacking for ipv6.

I'm hoping someone out there knows how to do this.
d***@telus.net
2017-06-10 17:13:36 UTC
Permalink
I have a follow-up from what I posted below.

Here are the actual changes I put into /etc/ufw/before.rules. What I posted got mangled and it was from the tutorial before I changed it to match my configuration.

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

I found another tutorial from a few years ago for openvpn ipv6 on Debian. It's here: https://www.tecmint.com/install-openvpn-in-debian/. Not clear of all of the extra scripts are required, but it had some ip*tables rules.

#!/bin/sh
# description: Firewall
IPT=/sbin/iptables
IPT6=/sbin/ip6tables
case "$1" in
start)
$IPT -F INPUT
$IPT -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -i eth0 -p icmp -j ACCEPT
$IPT -A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT
$IPT -A INPUT -i tap+ -j ACCEPT
$IPT -A FORWARD -i tap+ -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t nat -F POSTROUTING
$IPT -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
$IPT -A INPUT -i eth0 -j DROP
$IPT6 -F INPUT
$IPT6 -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT6 -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
$IPT6 -A INPUT -i eth0 -p icmpv6 -j ACCEPT
$IPT6 -A FORWARD -s 2a00:dd80:003d:000c::/64 -i tap0 -o eth0 -j ACCEPT
$IPT6 -A INPUT -i eth0 -j DROP
exit 0
;;
stop)
$IPT -F
$IPT6 -F
exit 0
;;
*)
echo "Usage: /etc/init.d/firewall {start|stop}"
exit 1
;;
esac

I attempted to insert this: $IPT6 -A FORWARD -s 2a00:dd80:003d:000c::/64 -i tap0 -o eth0 -j ACCEPT using ufw.

# START OPENVPN RULES
# FILTER table rules
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -s {prefix}::/64 -i tun0 -o eth0 -j ACCEPT
COMMIT
# END OPENVPN RULES

I'm not sure if it's correct, but presumably not, because it did not make any difference.

FYI, the address of the server is {prefix}::1 and the address of the client is {prefix}::1000.

-----Original Message-----
From: ***@telus.net [mailto:***@telus.net]
Sent: Friday, June 9, 2017 5:19 PM
To: openvpn-***@lists.sourceforge.net
Subject: [Openvpn-users] Need help with Ubuntu 16.04 LTS OpenVPN 2.4
Dual-Stack Server Firewall Configuration

A few months ago, I was trying to get a dual-stack client and server working
on Windows 10. I was able to get the client and server to connect and fully
work for ipv4, but I was unable to configure the network settings on the
server so it would also work for ipv6. I tried several different approaches,
but no matter what I tried, the server would not pass the ipv6 traffic. I
decided to try again using a linux server. I configured a Ubuntu 16.04 LTS
server running the latest version of openvpn from scratch. The server is
behind a pfsense router with native dual stack. It has a single ethernet
interface with ipv4 and ipv6 dhcp addresses. The client is behind a
completely separate pfsense router. It also has native dual stack on a
single ethernet interface with ipv4 and ipv6 dhcp addresses. So as to not
carry over any possible problems from the previous attempt, I created new
keys and new configuration files from scratch. The client and server connect
and the vpn will carry ipv4 traffic, but I'm not sure how to configure the
server to carry the ipv6 traffic.

Note, I initially started using ULA addressing on the server (fc00::/64).
That did not work, so I switched to prefix::/64. In both cases, everything
worked properly except for passing ipv6 traffic.

I've tried to make the client and server configurations as minimalist as
possible.

Here is the server configuration:

port 1194
proto udp
dev tun

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh4096.pem

cipher AES-256-CBC
auth SHA512

server 10.8.0.0 255.255.255.0
server-ipv6 {redacted prefix}::/64
push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway ipv6"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS6 2001:4860:4860::8888"

ifconfig-pool-persist ipp.txt
keepalive 10 120

comp-lzo

persist-key
persist-tun

status openvpn-status.log
log openvpn.log
verb 3

Here is the client configuration:

ca ca.crt
cert client.crt
key client.key

remote {redacted ipv4 server address} 1194 comp-lzo client dev tun
redirect-gateway def1

remote-cert-tls server
cipher AES-256-CBC
auth SHA512

proto udp
resolv-retry infinite
nobind

persist-key
persist-tun

verb 3
mute 20

Are there any issues in the above configuration files?

I followed some instructions in a tutorial on digital ocean to configure the
server firewall using ufw (which is a front-end to iptables). While I'm not
exactly sure why or how it works, it works. I can ping the client and server
using both ipv4 and ipv6 in both directions. I can look up ipv4 and ipv6
addresses from the client using nslookup. I can ping external addresses and
access external websites from the client using ipv4, but not using ipv6. As
I said, I initially tried using fc00::/64 but that didn't work so I changed
to {delegated prefix}::/64. That made no difference, so I'm not sure whether
I should be using ULA or UGA. I'm quite sure the problems is at least in
part because the firewall is not configured to pass the ipv6 traffic, but I
haven't found any examples showing the ipv6 equivalent of how I configured
the firewall for ipv4.

Forwarding of ipv4 and ipv6 is enabled.

Here are the rules I added to ufw for ipv4:

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to wlp11s0 (change to the interface you
discovered!) -A POSTROUTING -s 10.8.0.0/8 -o wlp11s0 -j MASQUERADE COMMIT #
END OPENVPN RULES

I tried posting on the forum. I received the usual RTFM replies, but no
suggestions about ufw. The OpenVPN documentation and how-tos are sorely
lacking for ipv6.

I'm hoping someone out there knows how to do this.
Gert Doering
2017-06-10 17:51:41 UTC
Permalink
Hi,

On Sat, Jun 10, 2017 at 10:13:36AM -0700, ***@telus.net wrote:
> I found another tutorial from a few years ago for openvpn ipv6 on Debian. It's here: https://www.tecmint.com/install-openvpn-in-debian/. Not clear of all of the extra scripts are required, but it had some ip*tables rules.

Unless you need NAT, you should first try to make it work with no
firewall active at all - this can be hard enough, and if you're not
sure if the firewall is getting in your way or whether it's just plain
routing, searching gets more annoying.

When the firewall is *off*, verify the following:

- ipv6 forwarding is turned on on the server (often overlooked)
- the default router has a route for the openvpn IPv6 network towards
the openvpn server (for IPv4, it uses NAT with masquerading, but
the IPv6 config with no NAT needs a route *back* so response packets
can be delivered)
- that you can ping openvpn client (::1000) -> openvpn server (::1)
and back
- if that works, try traceroute6 from the openvpn client towards a
target that should be behind the VPN, and see how far you get
- and do a traceroute6 from "somewhere out" towards the openvpn client,
and see how far you get

(this is really basic *routing*, and not so much "openvpn setup", so
most people go looking in the wrong configs...)

For added insight

- do tcpdump on all involved interfaces (openvpn client tun, openvpn
server tun and LAN interface, next router's LAN and WAN interface)
when you do the traceroutes, and see where the packets show up

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany ***@greenie.muc.de
fax: +49-89-35655025 ***@net.informatik.tu-muenchen.de
Daryl Morse
2017-06-10 18:53:55 UTC
Permalink
Hi Gert,

Thank you very much for the reply.

Since the linux host is behind a firewall, there is no strict requirement
for it to have its own firewall, at least for security reasons. However, for
ipv4, ufw is used to nat the private address (10.8.0.x) to the lan address.
The VPN did not work at all for ipv4 until I added the masquerade rule to
ufw. (iptables can be used directly as well.) My understanding is that an
ip6tables rule is required to forward packets from the tun interface to the
eth interface.

Both ipv4 and ipv6 forwarding are turned on in the openvpn server.

The openvpn server is on the lan which has a default route for the delegated
prefix/64. From the openvpn server, it's possible to ping outside ipv4 and
ipv6 addresses. It's just not possible from the client, even though the
client and server can ping each other using both ipv4 and ipv6. Packets
don't seem to be getting across from the tun interface to the eth interface.

I'll do some further testing and post the results.

Cheers,
Daryl

-----Original Message-----
From: Gert Doering [mailto:***@greenie.muc.de]
Sent: Saturday, June 10, 2017 10:52 AM
To: ***@telus.net
Cc: openvpn-***@lists.sourceforge.net
Subject: Re: [Openvpn-users] Need help with Ubuntu 16.04 LTS OpenVPN 2.4
Dual-Stack Server Firewall Configuration

Hi,

On Sat, Jun 10, 2017 at 10:13:36AM -0700, ***@telus.net wrote:
> I found another tutorial from a few years ago for openvpn ipv6 on Debian.
It's here: https://www.tecmint.com/install-openvpn-in-debian/. Not clear of
all of the extra scripts are required, but it had some ip*tables rules.

Unless you need NAT, you should first try to make it work with no firewall
active at all - this can be hard enough, and if you're not sure if the
firewall is getting in your way or whether it's just plain routing,
searching gets more annoying.

When the firewall is *off*, verify the following:

- ipv6 forwarding is turned on on the server (often overlooked)
- the default router has a route for the openvpn IPv6 network towards
the openvpn server (for IPv4, it uses NAT with masquerading, but
the IPv6 config with no NAT needs a route *back* so response packets
can be delivered)
- that you can ping openvpn client (::1000) -> openvpn server (::1)
and back
- if that works, try traceroute6 from the openvpn client towards a
target that should be behind the VPN, and see how far you get
- and do a traceroute6 from "somewhere out" towards the openvpn client,
and see how far you get

(this is really basic *routing*, and not so much "openvpn setup", so most
people go looking in the wrong configs...)

For added insight

- do tcpdump on all involved interfaces (openvpn client tun, openvpn
server tun and LAN interface, next router's LAN and WAN interface)
when you do the traceroutes, and see where the packets show up

gert
--
USENET is *not* the non-clickable part of WWW!

//www.muc.de/~gert/
Gert Doering - Munich, Germany
***@greenie.muc.de
fax: +49-89-35655025
***@net.informatik.tu-muenchen.de
Gert Doering
2017-06-10 19:07:17 UTC
Permalink
Hi,

On Sat, Jun 10, 2017 at 11:53:55AM -0700, Daryl Morse wrote:
> Since the linux host is behind a firewall, there is no strict requirement
> for it to have its own firewall, at least for security reasons. However, for
> ipv4, ufw is used to nat the private address (10.8.0.x) to the lan address.
> The VPN did not work at all for ipv4 until I added the masquerade rule to
> ufw. (iptables can be used directly as well.) My understanding is that an
> ip6tables rule is required to forward packets from the tun interface to the
> eth interface.

*if* ip6tables are active, *and* the default policy for "FORWARD" is
to drop packets, *then* you need to have a policy to permit, well,
forwarded packets.

If ip6tables are not active at all, or the default policy is "permit",
then no extra rule is needed.

I just prefer to have firewalls rules out of the way while diagnosing
packet forwarding, so I know "it is not the firewall" if it's not working :)

> Both ipv4 and ipv6 forwarding are turned on in the openvpn server.
>
> The openvpn server is on the lan which has a default route for the delegated
> prefix/64. From the openvpn server, it's possible to ping outside ipv4 and
> ipv6 addresses. It's just not possible from the client, even though the
> client and server can ping each other using both ipv4 and ipv6. Packets
> don't seem to be getting across from the tun interface to the eth interface.

Smells very much like "firewall" to me.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany ***@greenie.muc.de
fax: +49-89-35655025 ***@net.informatik.tu-muenchen.de
d***@telus.net
2017-06-11 05:34:23 UTC
Permalink
Hi Gert,

I disabled the firewall. This caused openvpn to work worse than before. It was no longer possible to ping an outside host using ipv6, although it's still possible to ping the client and server in both directions. It's also possible to ping another host on the same lan as the server using ipv6.

***@ubuntu-vpn:~# ufw reset
Resetting all rules to installed defaults. This may disrupt existing ssh
connections. Proceed with operation (y|n)? y
Backing up 'before.rules' to '/etc/ufw/before.rules.20170610_220636'
Backing up 'after6.rules' to '/etc/ufw/after6.rules.20170610_220636'
Backing up 'after.rules' to '/etc/ufw/after.rules.20170610_220636'
Backing up 'user.rules' to '/etc/ufw/user.rules.20170610_220636'
Backing up 'before6.rules' to '/etc/ufw/before6.rules.20170610_220636'
Backing up 'user6.rules' to '/etc/ufw/user6.rules.20170610_220636'

***@ubuntu-vpn:~# ufw disable
Firewall stopped and disabled on system startup

***@ubuntu-vpn:~# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
***@ubuntu-vpn:~# ip6tables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

With the ufw disabled, I manually enabled ipv4 and ipv6 forwarding using /etc/sysctl.conf.

***@ubuntu-vpn:~# sysctl -p
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1

This file is missing one of the settings in /etc/ufw/systcl.conf, but it appears the using "all" caused both to be set.
net/ipv4/ip_forward=1
net/ipv6/conf/default/forwarding=1
net/ipv6/conf/all/forwarding=1

***@ubuntu-vpn:~# more /proc/sys/net/ipv4/ip_forward
1
***@ubuntu-vpn:~# more /proc/sys/net/ipv6/conf/all/forwarding
1
***@ubuntu-vpn:~# more /proc/sys/net/ipv6/conf/default/forwarding
1

***@ubuntu-vpn:~# ifconfig
eth0 Link encap:Ethernet HWaddr 00:15:5d:5c:e2:26
inet addr:192.168.1.104 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: 2001:x:y:e800::1376/128 Scope:Global
inet6 addr: fe80::215:5dff:fe5c:e226/64 Scope:Link
inet6 addr: 2001:x:y:e800:215:5dff:fe5c:e226/64 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8577 errors:0 dropped:12 overruns:0 frame:0
TX packets:5417 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2938952 (2.9 MB) TX bytes:518972 (518.9 KB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:226 errors:0 dropped:0 overruns:0 frame:0
TX packets:226 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:20504 (20.5 KB) TX bytes:20504 (20.5 KB)

With the firewall disabled, I can ping and traceroute google.com from the server using ipv4, but not ipv6.

***@ubuntu-vpn:~# ping6 google.com
connect: Network is unreachable

***@ubuntu-vpn:~# traceroute -6 google.com
traceroute to google.com (2607:f8b0:400a:800::200e), 30 hops max, 80 byte packets
connect: Network is unreachable

Any idea how to get this working? It was working before I disabled ufw.
Gert Doering
2017-06-11 05:59:48 UTC
Permalink
Hi,

On Sat, Jun 10, 2017 at 11:34:23PM -0600, ***@telus.net wrote:
> ***@ubuntu-vpn:~# ping6 google.com
> connect: Network is unreachable
>
> ***@ubuntu-vpn:~# traceroute -6 google.com
> traceroute to google.com (2607:f8b0:400a:800::200e), 30 hops max, 80 byte packets
> connect: Network is unreachable
>
> Any idea how to get this working? It was working before I disabled ufw.

Seems you lost the default route on the OpenVPN server.

Look for the "accept_ra" setting on the eth interface - it's possible
that this gets turned off if you enable forwarding (because "traditionally",
routers do not listen to router advertisements)

/proc/sys/net/ipv6/conf/default/accept_ra
/proc/sys/net/ipv6/conf/enp0s25/accept_ra

gert


--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany ***@greenie.muc.de
fax: +49-89-35655025 ***@net.informatik.tu-muenchen.de
d***@telus.net
2017-06-11 16:41:45 UTC
Permalink
Here is some info for you.

***@ubuntu-vpn:~# more /proc/sys/net/ipv6/conf/default/accept_ra
1
***@ubuntu-vpn:~# more /proc/sys/net/ipv6/conf/eth0/accept_ra
1

***@ubuntu-vpn:~# ip -6 -d route show
unicast 2001:x:y:e800::1376 dev eth0 proto kernel scope global metric 256 pref medium
unicast 2001:x:y:e800::/64 dev eth0 proto kernel scope global metric 256 expires 39085sec pref medium
unicast fe80::/64 dev eth0 proto kernel scope global metric 256 pref medium

***@ubuntu-vpn:~# route -A inet6
Kernel IPv6 routing table
Destination Next Hop Flag Met Ref Use If
2001:x:y:e800::1376/128 :: U 256 0 0 eth0
2001:x:y:e800::/64 :: UAe 256 2 417 eth0
fe80::/64 :: U 256 0 0 eth0
::/0 :: !n -1 1 2626 lo
::1/128 :: Un 0 3 18 lo
2001:x:y:e800::/128 :: Un 0 1 0 lo
2001:x:y:e800::1376/128 :: Un 0 3 1683 lo
2001:x:y:e800:215:5dff:fe5c:e226/128 :: Un 0 1 0 lo
fe80::/128 :: Un 0 1 0 lo
fe80::215:5dff:fe5c:e226/128 :: Un 0 2 546 lo
ff00::/8 :: U 256 2 5043 eth0
::/0 :: !n -1 1 2626 lo

***@ubuntu-vpn:~# ifconfig
eth0 Link encap:Ethernet HWaddr 00:15:5d:5c:e2:26
inet addr:192.168.1.104 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: 2001:x:y:e800::1376/128 Scope:Global
inet6 addr: fe80::215:5dff:fe5c:e226/64 Scope:Link
inet6 addr: 2001:x:y:e800:215:5dff:fe5c:e226/64 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:25112 errors:0 dropped:12 overruns:0 frame:0
TX packets:16022 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5222718 (5.2 MB) TX bytes:1494575 (1.4 MB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:238 errors:0 dropped:0 overruns:0 frame:0
TX packets:238 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:21752 (21.7 KB) TX bytes:21752 (21.7 KB)

2001:x:y:e800::1376 This is the dhcpv6 address of the server.
Selva Nair
2017-06-11 17:41:43 UTC
Permalink
On Sun, Jun 11, 2017 at 12:41 PM, ***@telus.net <
***@telus.net> wrote:

> Here is some info for you.
>
> ***@ubuntu-vpn:~# more /proc/sys/net/ipv6/conf/default/accept_ra
> 1
> ***@ubuntu-vpn:~# more /proc/sys/net/ipv6/conf/eth0/accept_ra
> 1
>

If ipv6 forwarding is enabled you would need accept_ra = 2 for auto
configuration to work -- alternatively you could manually set the default
ipv6 route.

Selva
Daryl Morse
2017-06-12 00:04:26 UTC
Permalink
With /proc/sys/net/ipv6/conf/eth0/accept_ra=2, it’s possible to ping external addresses from the server.



How do I make that setting persist. I used systemctl and it clears upon rebooting.



After restarting and reapplying the setting, it’s possible to ping the client and server both ways using ipv4 but not ipv6. It’s possible to ping the client and server from other hosts on their respective network with ipv6, so the problem is related to openvpn.
Gert Doering
2017-06-12 06:10:09 UTC
Permalink
Hi,

On Sun, Jun 11, 2017 at 05:04:26PM -0700, Daryl Morse wrote:
> With /proc/sys/net/ipv6/conf/eth0/accept_ra=2, it???s possible to ping external addresses from the server.
>
> How do I make that setting persist. I used systemctl and it clears upon rebooting.

/etc/sysctl.conf

> After restarting and reapplying the setting, it???s possible to ping the client and server both ways using ipv4 but not ipv6. It???s possible to ping the client and server from other hosts on their respective network with ipv6, so the problem is related to openvpn.

Have you been following the check list in my "it's always routing" mail?

If yes, what's the outcome?

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany ***@greenie.muc.de
fax: +49-89-35655025 ***@net.informatik.tu-muenchen.de
Daryl Morse
2017-06-12 17:01:16 UTC
Permalink
Hi Gert,

Thank you for your reply. I really appreciate your patience.

There was no entry in sysctl.conf for
/proc/sys/net/ipv6/conf/eth0/accept_ra=2 so I added it at the bottom. I
presume that's okay.

I'm really at a loss. I haven't touched the routing on either the client or
the server (at least not directly). (I wouldn't even know where to begin.) I
concur with you that "it's always routing" (or maybe routing or the
firewall). In my limited experience using a windows 10 client and both
windows 10 server and linux server, it's not difficult to get the client and
server talking to each other, but to get the server to pass the traffic
seems like a brick wall especially for ipv6.

When I originally installed openvpn on the client and the server, it was
possible to ping in both directions using ipv4 and ipv6. As I said, I didn't
touch the routing before or after, so I have no idea why it stopped working.
When I had ufw enabled, I was able to get the server to pass ipv4 traffic,
but I can't even get that working now.

At the moment with the firewall on the server disabled, I can ping external
websites using ipv4 and ipv6. Similarly on the client when openvpn is not
connected. When I connect the client to the server, I can ping the server
from the client using both ipv4 and ipv6. I can only ping the client from
the server using ipv4.

Maybe we need to go back to first principles.

What info should I post? Should I send the client and server config files?

Thanks again.

-----Original Message-----
From: Gert Doering [mailto:***@greenie.muc.de]
Sent: Sunday, June 11, 2017 11:10 PM
To: Daryl Morse <***@telus.net>
Cc: 'openvpn users list' <openvpn-***@lists.sourceforge.net>
Subject: Re: [Openvpn-users] Need help with Ubuntu 16.04 LTS OpenVPN 2.4
Dual-Stack Server Firewall Configuration

Hi,

On Sun, Jun 11, 2017 at 05:04:26PM -0700, Daryl Morse wrote:
> With /proc/sys/net/ipv6/conf/eth0/accept_ra=2, it???s possible to ping
external addresses from the server.
>
> How do I make that setting persist. I used systemctl and it clears upon
rebooting.

/etc/sysctl.conf

> After restarting and reapplying the setting, it???s possible to ping the
client and server both ways using ipv4 but not ipv6. It???s possible to ping
the client and server from other hosts on their respective network with
ipv6, so the problem is related to openvpn.

Have you been following the check list in my "it's always routing" mail?

If yes, what's the outcome?

gert
--
USENET is *not* the non-clickable part of WWW!

//www.muc.de/~gert/
Gert Doering - Munich, Germany
***@greenie.muc.de
fax: +49-89-35655025
***@net.informatik.tu-muenchen.de
d***@telus.net
2017-06-12 00:52:05 UTC
Permalink
Further to that, I restarted the server and tried again.

I can ping the server from the client using both ipv4 and ipv6. I can only ping the client from the server using ipv4, but not with ipv6. This is somewhat strange because usually it's been possible to ping both ways using either protocol.

Any suggestions? What further info can I provide to troubleshoot this?


From: "Daryl Morse" <***@telus.net>
To: "openvpn users list" <openvpn-***@lists.sourceforge.net>
Sent: Sunday, June 11, 2017 5:04:26 PM
Subject: RE: [Openvpn-users] Need help with Ubuntu 16.04 LTS OpenVPN 2.4 Dual-Stack Server Firewall Configuration



With /proc/sys/net/ipv6/conf/eth0/accept_ra=2, it’s possible to ping external addresses from the server.



How do I make that setting persist. I used systemctl and it clears upon rebooting.



After restarting and reapplying the setting, it ’ s possible to ping the client and server both ways using ipv4 but not ipv6. It ’ s possible to ping the client and server from other hosts on their respective network with ipv6, so the problem is related to openvpn.
d***@telus.net
2017-06-12 02:31:13 UTC
Permalink
Here are the logs from the client and server. I haven't made any changes to the config files.
d***@telus.net
2017-06-12 17:31:08 UTC
Permalink
Here is some further information from the client.

2001:X:Y:4000 CLIENT LAN PREFIX


2001:A:B:e800 SERVER LAN PREFIX


server ipv4: 10.8.0.1

server ipv6: 2001:A:B:e800::1




The client is getting the ipv4 and ipv6 google dns being pushed from the server. Should I try not pushing them?




It's possible to ping the server from the client using ipv4 and ipv6.




It's not possible to resolve a name on the client.




tracert fails using ipv4 or ipv6.


OPENVPN DISCONNECTED


C:\Users\User>nslookup google.com
Server: pfSense.localdomain
Address: 2001:X:Y:4000:215:5dff:fe5c:e205


Non-authoritative answer:
Name: google.com
Addresses: 2607:f8b0:400a:800::200e
216.58.193.78


OPENVPN CONNECTED


C:\Users\User>IPCONFIG /ALL


Windows IP Configuration


Host Name . . . . . . . . . . . . : DESKTOP-3
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : localdomain


Ethernet adapter Ethernet 2:


Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Windows Adapter V9
Physical Address. . . . . . . . . : 00-FF-01-30-5A-9F
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:A:B:e800::1000(Preferred)
Link-local IPv6 Address . . . . . : fe80::909f:1c71:40fd:64e%2(Preferred)
IPv4 Address. . . . . . . . . . . : 10.8.0.6(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Lease Obtained. . . . . . . . . . : Monday, June 12, 2017 9:53:39 AM
Lease Expires . . . . . . . . . . : Tuesday, June 12, 2018 9:53:39 AM
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 10.8.0.5
DHCPv6 IAID . . . . . . . . . . . : 83951361
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1F-2E-DE-64-00-15-5D-5C-E2-11
DNS Servers . . . . . . . . . . . : 2001:4860:4860::8888
8.8.8.8
NetBIOS over Tcpip. . . . . . . . : Enabled


Ethernet adapter Ethernet:


Connection-specific DNS Suffix . : localdomain
Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
Physical Address. . . . . . . . . : 00-15-5D-5C-E2-11
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:X:Y:4000::1094(Preferred)
Lease Obtained. . . . . . . . . . : Sunday, June 11, 2017 5:54:20 PM
Lease Expires . . . . . . . . . . : Monday, June 12, 2017 11:56:28 AM
IPv6 Address. . . . . . . . . . . : 2001:X:Y:4000:18e0:4a20:6d32:ba92(Preferred)
Temporary IPv6 Address. . . . . . : 2001:X:Y:4000:b5d9:c2e5:a3a5:d145(Preferred)
Link-local IPv6 Address . . . . . : fe80::18e0:4a20:6d32:ba92%3(Preferred)
IPv4 Address. . . . . . . . . . . : 10.28.92.248(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Sunday, June 11, 2017 5:54:18 PM
Lease Expires . . . . . . . . . . : Monday, June 12, 2017 11:44:33 AM
Default Gateway . . . . . . . . . : fe80::1:1%3
10.28.92.10
DHCP Server . . . . . . . . . . . : 10.28.92.10
DHCPv6 IAID . . . . . . . . . . . : 50337119
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1F-2E-DE-64-00-15-5D-5C-E2-11
DNS Servers . . . . . . . . . . . : 2001:X:Y:4000:215:5dff:fe5c:e205
10.28.92.10
NetBIOS over Tcpip. . . . . . . . : Enabled


C:\Users\User>nslookup google.com
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 2001:4860:4860::8888


DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out


C:\Users\User>ping 10.8.0.1


Pinging 10.8.0.1 with 32 bytes of data:
Reply from 10.8.0.1: bytes=32 time=16ms TTL=64
Reply from 10.8.0.1: bytes=32 time=22ms TTL=64
Reply from 10.8.0.1: bytes=32 time=13ms TTL=64
Reply from 10.8.0.1: bytes=32 time=12ms TTL=64


Ping statistics for 10.8.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 12ms, Maximum = 22ms, Average = 15ms


C:\Users\User>ping -6 2001:A:B:e800::1


Pinging 2001:A:B:e800::1 with 32 bytes of data:
Reply from 2001:A:B:e800::1: time=11ms
Reply from 2001:A:B:e800::1: time=11ms
Reply from 2001:A:B:e800::1: time=12ms


Ping statistics for 2001:A:B:e800::1:
Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 11ms, Maximum = 12ms, Average = 11ms


C:\Users\User>tracert 8.8.8.8


Tracing route to 8.8.8.8 over a maximum of 30 hops


1 16 ms 13 ms 12 ms 10.8.0.1
...
30 * * * Request timed out.


Trace complete.


C:\Users\User>tracert google.com
Unable to resolve target system name google.com.


C:\Users\User>tracert -6 2607:f8b0:400a:800::200e


Tracing route to 2607:f8b0:400a:800::200e over a maximum of 30 hops


1 * * * Request timed out.
...
30 * * * Request timed out.


Trace complete.
d***@telus.net
2017-06-12 20:12:07 UTC
Permalink
Here is some further information from the server. 2001: a : b :e800 is the server lan prefix.

I stopped openvpn , displayed the routes, started openvpn , displayed the routes, connected the client to the server, displayed the routes.

***@ubuntu-vpn:~# systemctl stop openvpn
***@ubuntu-vpn:~# ip -4 -d route
unicast default via 192.168.1.1 dev eth0 proto boot scope global
unicast 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.104
***@ubuntu-vpn:~# ip -6 -d route
unicast 2001:a:b:e800::1376 dev eth0 proto kernel scope global metric 256 pref medium
unicast 2001:a:b:e800::/64 dev eth0 proto kernel scope global metric 256 expires 86399sec pref medium
unicast fe80::/64 dev eth0 proto kernel scope global metric 256 pref medium
unicast default via fe80::1:1 dev eth0 proto ra scope global metric 1024 expires 59sec hoplimit 64 pref medium
***@ubuntu-vpn:~# systemctl start openvpn
***@ubuntu-vpn:~# ip -4 -d route
unicast default via 192.168.1.1 dev eth0 proto boot scope global
unicast 10.8.0.0/24 via 10.8.0.2 dev tun0 proto boot scope global
unicast 10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
unicast 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.104
***@ubuntu-vpn:~# ip -6 -d route
unicast 2001:a:b:e800::1376 dev eth0 proto kernel scope global metric 256 pref medium
unicast 2001:a:b:e800::/64 dev eth0 proto kernel scope global metric 256 expires 86399sec pref medium
unicast 2001:a:b:e800::/64 dev tun0 proto kernel scope global metric 256 pref medium
unicast fe80::/64 dev eth0 proto kernel scope global metric 256 pref medium
unicast default via fe80::1:1 dev eth0 proto ra scope global metric 1024 expires 59sec hoplimit 64 pref medium


Traceroute with openvpn running, same whether client connected or not.

***@ubuntu-vpn:~# traceroute -6 google.com
traceroute to google.com (2607:f8b0:400a:800::200e), 30 hops max, 80 byte packets
1 * * node-1w7jr9ql8redacteda2y0pq.ipv6.telus.net (2001:a:b:e800:215:5dff:fe5c:e21e) 15.531 ms
2 sttlwawbgr80.bb.telus.com (2001:568:1::50a) 16.982 ms 17.230 ms 17.215 ms
3 2001:4860:1:1:0:354:0:4 (2001:4860:1:1:0:354:0:4) 19.805 ms 20.478 ms 20.465 ms
4 2001:4860:0:1040::1 (2001:4860:0:1040::1) 17.638 ms 2001:4860:0:1041::1 (2001:4860:0:1041::1) 17.625 ms 2001:4860:0:1040::1 (2001:4860:0:1040::1) 17.611 ms
5 2001:4860:0:1::1e6f (2001:4860:0:1::1e6f) 17.597 ms 17.585 ms 17.772 ms
6 sea15s07-in-x0e.1e100.net (2607:f8b0:400a:800::200e) 18.711 ms 9.119 ms 8.240 ms


Server ping self then server ping client.

***@ubuntu-vpn:~# ping6 2001:a:b:e800::1
PING 2001:a:b:e800::1(2001:a:b:e800::1) 56 data bytes
64 bytes from 2001:a:b:e800::1: icmp_seq=1 ttl=64 time=0.038 ms
64 bytes from 2001:a:b:e800::1: icmp_seq=2 ttl=64 time=0.053 ms
64 bytes from 2001:a:b:e800::1: icmp_seq=3 ttl=64 time=0.051 ms
^C
--- 2001:569:74b0:e800::1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.038/0.047/0.053/0.008 ms
***@ubuntu-vpn:~# ping6 2001:a:74b0:e800::1000
PING 2001:a:b:e800::1000(2001:a:b:e800::1000) 56 data bytes
From 2001:a:b:e800::1376 icmp_seq=1 Destination unreachable: Address unreachable
From 2001:a:b:e800::1376 icmp_seq=2 Destination unreachable: Address unreachable
From 2001:a:b:e800::1376 icmp_seq=3 Destination unreachable: Address unreachable
From 2001:a:b:e800::1376 icmp_seq=4 Destination unreachable: Address unreachable
From 2001:a:b:e800::1376 icmp_seq=5 Destination unreachable: Address unreachable
From 2001:a:b:e800::1376 icmp_seq=6 Destination unreachable: Address unreachable
^C
--- 2001:569:74b0:e800::1000 ping statistics ---
8 packets transmitted, 0 received, +6 errors, 100% packet loss, time 7037ms

Traceroute server to client.

***@ubuntu-vpn:~# traceroute -6 2001:a:b:e800::1000
traceroute to 2001:a:b:e800::1000 (2001:a:b:e800::1000), 30 hops max, 80 byte packets
1 node-1w7jr9ql82redactedpfwg9empi.ipv6.telus.net (2001:a:b:e800::1376) 2999.840 ms !H 2999.792 ms !H 2999.784 ms !H





Does that shed light on anything? Since the lan and the tunnel are on the same network, does that cause the problem? If so, this is because I used the lan prefix for the vpn. Is that incorrect? If so, I'm not clear what prefix to use for the vpn.
d***@telus.net
2017-06-12 22:07:12 UTC
Permalink
I changed the prefix in the vpn server to use ULA, fc00::/64.




Here are the routes on the server:




***@ubuntu-vpn:~# ip -6 -d route
unicast 2001:a:b:e800::1376 dev eth0 proto kernel scope global metric 256 pref medium
unicast 2001:a:b:e800::/64 dev eth0 proto kernel scope global metric 256 expires 86384sec pref medium
unicast fc00::/64 dev tun0 proto kernel scope global metric 256 pref medium
unicast fe80::/64 dev eth0 proto kernel scope global metric 256 pref medium
unicast default via fe80::1:1 dev eth0 proto ra scope global metric 1024 expires 44sec hoplimit 64 pref medium





The server is fc00::1 and the client is fc00::1000.




With this configuration, the client and server can ping each other both ways using both ipv4 and ipv6, but the client still cannot access external addresses.




Where are the ipv4 and ipv6 addresses NATed?
d***@telus.net
2017-06-13 23:03:14 UTC
Permalink
Since I reported yesterday what is working and not working, I've been looking at a couple of different tutorials for openvpn dual-stack configurations. Based on that, I'm pretty sure the problem is in the ipv6 addressing and routing, but I'm not clear how to properly configure the server to get it working.

As I said, I tried using the lan prefix::/64 and fc00::/64. Using fc00, it was possible to ping in both directions. Using the lan prefix, the client could ping the server, but not vice versa. I presume this is because of the routing.

I got the ipv4 working by using this command iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE.

I found these two tutorials about dual-stack openvpn configurations:

OpenVPN Server and Client Installation and Configuration on Debian 7 https://www.tecmint.com/install-openvpn-in-debian/, dated 4/4/2014

Build a OpenVPN server on Ubuntu to provide a IPv6 tunnel over IPv4 https://techblog.synagila.com/2016/02/24/build-a-openvpn-server-on-ubuntu-to-provide-a-ipv6-tunnel-over-ipv4/, dated 2/24/2016

They are both quite different, presumably because of they are using different versions of linux and openvpn. I'm really surprised this isn't documented on the openvpn website.

I'm looking for a minimally simple server configuration, preferably one that's authoritative from the openvpn community and known to work on ubuntu 16.04 with openvpn 2.4. If someone can point me in the right direction, I'd appreciate it. I will post the configuration on the openvpn forum if I ever get it working.

Thanks.
Loading...