VPN IPv6 connection

[klmhsb42]

Could you tell me if VPN app should work with IPv6? I can only access from my private network with IPv4 and can only get IPv4 tunnel through my DSlite even if I choose "combined IPv4/IPv6 Tunnel" in my openVPN andorid app. I can not access from extern IPv6 network. To open port 1194 doesn't help, which I don't need if I understand correctly. openVPN app logs say that the app is trying to connect with [IPv6]:1194 via UDP and [subdomain.syncloud.it]:1194 (IPv6) via UDPv6 which both are failing.

[cyberb]

Can you run this command:

netstat -lnp | grep 1194

[klmhsb42]

udp 0 0 0.0.0.0:1194 0.0.0.0:* 3316/openvpn

[cyberb]

Could you try setting Proto to udp6 on Configuration - OpenVPN config page and save? That should make it listen on both v4 and v6. I will make it default then.

[klmhsb42]

Not sure where to run the command or which config file to edit. I ended up here /snap/openvpn/current/config/openvpn/ but there is only keys folder. Also I tried apt-cache policy openvpn but not sure what output means and if it's V2.3 or 2.4. Docs say to run openvpn --config myvpn.conf and then proto udp6. Version 2.4 should use IPv4 and 6 with just proto udp see here. I will try it if you could give me some help how to do...

[cyberb]

The setting is in our OpenVPN UI.

[klmhsb42]

Ok that was easy. Andorid app says UDPv6 (sometimes) but ipv6-test.com says IPv6 not supported

[klmhsb42]

netstat -lnp | grep 1194 udp6 0 0 :::1194 :::* 5591/openvpn

[klmhsb42]

(1) Update to "ipv6-test.com says IPv6 not supported": Works for windows 10 client but not for android app client. They suggest to use L2-mode OpenVPN but I don't know how to do.

(2) I will still have to test it from extern IPv6 network (I'm testing from my home network now) and will let you know if it works.

(3) I'm not able to resolve local hostnames from my router. One solution could be this or as here suggested to use TAP instead of TUN mode.

[klmhsb42]

To (2): access from extern IPv6 network works

[cyberb]

What android app says?

[klmhsb42]

Same as the windows app. Private IP of device is IPv4. Server is syncloud with IPv6. Port is 1194 and Protocol is UDPv6. Everything is fine. Only strange thing is, that my andorid device doesn't have an IPv6 address anymore if I test it, so I can't access IPv6 only server, which is strange as I have to be in IPv6 network to access VPN. IPv4 of my ISP is shown. So everything works fine, I just don't have IPv6 anymore.

[cyberb]

I see, yes I think there should be a way to also enable IPv6 private network, currently it is IPv4.

[cyberb]

I have pushed a new fix for IPv6, can you update using this command:

snap refresh openvpn --channel=master

Then go to openvpn web: Configuration - OpenVPN.config page and without any change hit Save and apply.

Then try to reconnect using Android (Windows) and see if you can visit IPv6 only sites.

[klmhsb42]

All done.

nap refresh openvpn --channel=master
openvpn (master) 20011784 from 'syncloud' refreshed
Snap openvpn is no longer tracking master/stable.

Android client has time out error. Can not connect anymore. I'm testing from privat network. App logs says, that the client is testing over UDP and UDPv4.

[klmhsb42]

I have no IPv6 preference in the andorid app. Setting to IPv4/6 tunnel doesn't make a differnece.

[klmhsb42]

Ok, it tries also udpv6. But i cant connect.

[cyberb]

Could you send you server config to support:

cat /var/snap/openvpn/current/openvpn/server.conf

[klmhsb42]

Done

[cyberb]

Ok, fixed another problem, could you repeat, refresh from master channel and save from UI. If it does not work please send me server config again.

[klmhsb42]

Can not open UI anymore.

502 Bad Gateway
nginx/1.13.12

root@odroid-xu3and4:~# snap refresh openvpn --channel=master
error: cannot perform the following tasks:
- Stop snap "openvpn" services ([start snap.openvpn.web.service snap.openvpn.server.service snap.openvpn.nginx.service] failed with exit status 1: Job for snap.openvpn.server.service failed. See 'systemctl status snap.openvpn.server.service' and 'journalctl -xn' for details.
)
- Start snap "openvpn" (20011885) services ([start snap.openvpn.web.service snap.openvpn.server.service snap.openvpn.nginx.service] failed with exit status 1: Job for snap.openvpn.server.service failed. See 'systemctl status snap.openvpn.server.service' and 'journalctl -xn' for details.
)

[klmhsb42]

server config per mail done

[cyberb]

Ok, previous issue broke ipenvpn installation. Could you remove first and then refresh:

snap remove openvpn
snap refresh openvpn --channel=master

Then you will need to generate client key again before you can test connection.

[klmhsb42]

Ok all done + save and apply by UI. I can connect again. https://ipv6-test.com/ Still says IPv6 not supported. The client app shows private IP both 4 and 6. Server public is 6. UDPv6.

[klmhsb42]

Should I send you clinet logs?

[cyberb]

Yes please and server config again. We are getting there :)

[klmhsb42]

done

[cyberb]

Now you need to upgrade system from settings first. Then upgrade openvpn and save config. Then try connecting again. If still does not work send me server config please.

[klmhsb42]

with Windows Client it works, with Android (Version 7.0) Client still not (IPv6 Test negative). Logs per mail

[cyberb]

This is strange, I have tested Syncloud device with IPv6 and OpenVPN Connect on Android v9.1 worked using IPv6 and I was able to browse the internet. Can you send your server config? Also a screenshot from Android and logs.

[klmhsb42]

I can access from extern IPv6 and browse the internet, too. I just can't open IPv6 only websites anymore (only on my Android v7). I'm testing this from my privat network. I don't know if I have this issue from extern network. Maybe it's an issue of old Android versions. Anyway, it's not that big deal, so if it takes too much time to fix it, we can close this issue...

[cyberb]

Interesting, for me is says "your private IPv4" and "your private IPv6". So I am curious if your phone supports IPv6. At home do you get IPv6 address for the phone when connected to WiFi? You can see it in Settings - System - About phone - Status. If you do not get IPv6 Frome network which support IPv6 that is a phone issue.

[klmhsb42]

Left screenshot is without VPN, so I get IPv6. Settings show both 4 and 6 address.

[klmhsb42]

Settings sgow actually v6 even with VPN connection. I don't know what's wrong...

[cyberb]

VPN client defently does not show IPv6. You need to test from later android version somehow. Maybe it is openvpn app + old android issue. What version of VPN Connect do you have?

[klmhsb42]

Yes, only "server public ip" is v6. VPN Connect v 3.1.0.(4292)

[klmhsb42]

If I test it with my Windows 10 PC, it shows the same (private IP as v4) but IPv6 test is positiv

[cyberb]

Yes, only "server public ip" is v6. VPN Connect v 3.1.0.(4292)

I have the same

[cyberb]

If I test it with my Windows 10 PC, it shows the same (private IP as v4) but IPv6 test is positiv

Strange, do you think it even uses VPN for IPv6 then. Can you send you server conf to support:

cat /var/snap/openvpn/current/openvpn/server.conf

[klmhsb42]

done. Well, it's hard to know, as I'm acessing through privat network

[cyberb]

Ok, you still have old server config which does not support IPv6. I have pushed openvpn app to prod so it should be easier.

1. Check that you are on latest platform in settings - updates. Upgrade if needed.
2. Uninstall OpenVPN app and install again so it regenerates server config.
3. Create new client certificate from the UI and try to use it in Android. You should have both IPv4 and IPv6 private addresses. If not send me your new server config.

[klmhsb42]

Ok, now the client shows both IP! like you said. However, IPv6 test fails now with windows 10 too. config per mail

[klmhsb42]

The app makes sometime UDPv4 connection, but I test it only if I have UDPv6 connection

[cyberb]

Are you testing from local network or external? What IP versions do you have on external network?

[klmhsb42]

Still local. I would have to test it from a friends Wifi. Can I send you my VPN certificate per mail and you test it? Also I'm not sure if I need to open port 1194 for connection. Last time it did only work with open port 1194 (and 80/443) +

Enable PING6 + Open firewall for delegated IPv6 prefixes of this device +
Open this device completely for internet sharing via IPv6 (exposed host)

And I don't know what I really need to conect from extern. Without everything it doesn't work and with everything it works from extern. So would be cool if could try it several times to connect while I'm removing settings from my router step-by-step...

[klmhsb42]

certificate per mail done

[klmhsb42]

maybe this could help

[klmhsb42]

this could help as well. It's in german but maybe you can translate with chrome browser. I think my problem is the NAT, but not sure...

[cyberb]

Forgot to tell you, I tried your certificate. Connection worked, but IPv6 test site said IPv6 is not available. I was trying from dual stack network.

So when you open https://ipv6-test.com/ from home pc does it show that IPv6 is ok?

[klmhsb42]

Do you mean without VPN? Then, yes. IPv6 is native and test is green...

[cyberb]

Do you mean without VPN?

Yes

Ok, need to dig more, I had to change my ISP and as a result lost IPv6 which I had for two weeks :) I will try to setup a device in the cloud to test it.