syncloud / platform

Run popular services on your device with one click
https://syncloud.org
GNU General Public License v3.0

VPN IPv6 connection #438

Closed klmhsb42 closed 4 years ago

klmhsb42 commented 4 years ago

Could you tell me if VPN app should work with IPv6? I can only access from my private network with IPv4 and can only get IPv4 tunnel through my DSlite even if I choose "combined IPv4/IPv6 Tunnel" in my OpenVPN Android app. I can not access from extern IPv6 network. To open port 1194 doesn't help, which I don't need if I understand correctly. OpenVPN app logs say that the app is trying to connect with [IPv6]:1194 via UDP and [subdomain.syncloud.it]:1194 (IPv6) via UDPv6 which both are failing.

klmhsb42 commented 4 years ago

Cool, keep me updated

cyberb commented 4 years ago

Can you try new version:

snap refresh openvpn --channel=master

IPv6 forwarding was not enabled.

klmhsb42 commented 4 years ago

done + save and apply. IPv6 Test negative. I sent you logs per mail...

cyberb commented 4 years ago

Could you run:

cat  /proc/sys/net/ipv6/conf/all/forwarding

And:

ping6 google.com

And also send the output of ifconfig to support.

klmhsb42 commented 4 years ago

cat /proc/sys/net/ipv6/conf/all/forwarding output: 1 and ping6 google.com output: connect: Network is unreachable

klmhsb42 commented 4 years ago

ifconfig per mail

cyberb commented 4 years ago

Looks like you do not have IPv6 address on the device. Could you run this and reboot:

echo "iface eth0 inet6 dhcp" >> /etc/network/interfaces

klmhsb42 commented 4 years ago

ok, I did. There is not really a change

cat /proc/sys/net/ipv6/conf/all/forwarding output: 1 and ping6 google.com output: connect: Network is unreachable ifconfig per mail

cyberb commented 4 years ago

Could you run this:

cat /etc/network/interfaces

klmhsb42 commented 4 years ago

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp
iface eth0 inet6 dhcp

cyberb commented 4 years ago

Did you reboot?

klmhsb42 commented 4 years ago

Yes, via the syncloud platform UI. I could do hard reboot by plugging power cable out/in. Don't know if this would make a difference

cyberb commented 4 years ago

Could you remove OpenVPN app and then run:

ip link delete tun0

Then reboot and try ping6.

klmhsb42 commented 4 years ago

ok, ping6 works now

cyberb commented 4 years ago

Could you send me:

ip -6 route show

Then install openvpn with:

snap install openvpn --channel=master

Then again:

ip -6 route show

klmhsb42 commented 4 years ago

done

cyberb commented 4 years ago

Could you remove openvpn and install latest (with no IPv6 routes modification).

snap install openvpn --channel=master

klmhsb42 commented 4 years ago

I tested what you sent me per mail, but it didn't work. Sorry, I forgot to answer. Ok, done. Should I try to connect?

klmhsb42 commented 4 years ago

IPv6 not supported

cyberb commented 4 years ago

Could you ping6 from server? Could you connect with IPv4? Could you connect with IPv6? Could you send ip -6 route show? Could you send ifconfig?

klmhsb42 commented 4 years ago

Ping6 works. Sent mail. OpenVPN certificate attached in mail. You can try to connect, if you want.

cyberb commented 4 years ago

Cannot connect as you now have only local IPv6 (fe80) on your eth0 network interface. Just realized your IPv6 is actually local IP (fe80). Could you remove openvpn and reboot to make sure you actually have anything other than fe80 under inet6 for eth0?

klmhsb42 commented 4 years ago

see mail with new certificate

cyberb commented 4 years ago

IP looks good. Still cannot connect to either 1194 or 443. Can you see your device in browser? Was it visible before installing openvpn?

klmhsb42 commented 4 years ago

yes, you are right, device is not publicly accessible anymore. ports are open. https://www.syncloud.it/user.html says "IPv6 Address: Not provided"

cyberb commented 4 years ago

Right, sorry for so many requests, but I still have no IPv6 for testing. Tried Amazon EC2 instance but they give a single IP instead of 64 bit block like home ISPs usually do.

Was your device ever accessible by IPv6 from the Internet?

klmhsb42 commented 4 years ago

As long as I can help, I will answer. Yes it was accessible by IPv6 and yes, it was possible to connect to OpenVPN via IPv6 from extern. Only thing was, that https://ipv6-test.com/ showed that IPv6 is not supported (after connection!). But I was still able to access the web in through the VPN (but by IPv4 only). Could be a NAT problem?

Now, my IPv6 is removed from https://www.syncloud.it/user.html through one of the commands. It's ok, as I'm playing around with the device. Maybe I should activate it again? Otherwise I could re-flash syncloud, if we don't find the error.

So, at least we could go back to old version. http://www.ipv6proxy.net/ is helpful tool to test at least access, but I don't want to submit any password. I don't have external IPv6 network for testing neither at the moment. Neither from my mobile ISP nor from university or any public place.

cyberb commented 4 years ago

> As long as I can help, I will answer. Yes it was accessible by IPv6 and yes, it was possible to connect to OpenVPN via IPv6 from extern. Only thing was, that https://ipv6-test.com/ showed that IPv6 is not supported (after connection!). But I was still able to access the web in through the VPN (but by IPv4 only). Could be a NAT problem?

As I understand you do not need NAT on IPv6, if you have at least a 64 bit prefix IPv6 range (this is a standard for ISP v6 customers). So in the beginning I was following the setup which was using two 64 bit subnets (https://community.openvpn.net/openvpn/wiki/IPv6#Details:IPv6routedblock).

Currently I am trying the second approach (https://community.openvpn.net/openvpn/wiki/IPv6#SplittingasingleroutableIPv6netblock)

In the end I am not even sure what it will achieve, I guess to hide your real location.

> Now, my IPv6 is removed from https://www.syncloud.it/user.html through one of the commands. It's ok, as I'm playing around with the device. Maybe I should activate it again? Otherwise I could re-flash syncloud, if we don't find the error.

I have recently fixed the problem when IPv6 would stay in DNS when it was not available any more on device and caused a lot of problems accessing device from DS network and half of the time trying to connect to non-existent IPv6. Could you re-flash so we can start over having a working IPv6 DNS.

> So, at least we could go back to old version. http://www.ipv6proxy.net/ is helpful tool to test at least access, but I don't want to submit any password. I don't have external IPv6 network for testing neither at the moment. Neither from my mobile ISP nor from university or any public place.

I see, so you have ipv6 from your broadband provider? I have ipv6 (DS) only from my mobile provider, so I can test. Let's try to finish this second IPv6 testing option. I can always rollback to version one later.

klmhsb42 commented 4 years ago

Yes, I have ipv6 from your broadband provider, however as dual stack lite, like here described. I will let you know, when I've re-flashed...

klmhsb42 commented 4 years ago

*my

klmhsb42 commented 4 years ago

I would like to use my mini linux pc/VM server which is always on for future tests, as it's easier to setup a new VM image. However, I've installed it like 3 months ago, but I still haven't an SSL certificate. I sent my logs to support now. Could you fix that first? I would be able to cooperate on the IPv6 issue then...

klmhsb42 commented 4 years ago

OK, certificate works now. Let me know what to test for VPN.

cyberb commented 4 years ago

Have you installed master openvpn?

snap install openvpn --channel=master

klmhsb42 commented 4 years ago

I tried it now again. That's the problem at the moment. After installation https://www.syncloud.it/user.html says "IPv6 Address: Not provided" and external access is not possible for me anymore. There must be some error in that openvpn version...

klmhsb42 commented 4 years ago

Maybe it removes the IPv6 entry by installation, maybe that of eth0? https://device.syncloud.it/network.html shows still the entry

cyberb commented 4 years ago

Right, openvpn installation definitely breaks IPv6 somehow.

  1. Could you reflash and make sure device works again and is visible from outside.
  2. Send:
    ip -6 route show
    ifconfig
  3. Install openvpn:
    snap install openvpn --channel=master
  4. Send ip and ifconfig again.

If you are using virtual box you can use snapshots to save VM states to simplify all this.

klmhsb42 commented 4 years ago

done and mail sent. https://www.syncloud.it/user.html says still "IPv6 Address: Not provided" after restore snapshot. I've to activate it probably again. device was external accessible before.

klmhsb42 commented 4 years ago

Works after reactivation again.

cyberb commented 4 years ago

From the email routes do not look good. Still before try next thing, can you give me a key to try to connect?

klmhsb42 commented 4 years ago

I installed it from app store. Domain is still accessible from extern. Could work. certificate per mail.

cyberb commented 4 years ago

I can connect but still no access outside, that was expected. Just published another version with a different subnet mode and a few other things. Could you repeat the procedure? Reflash (virtualbox snapshot restore), OpenVPN from master channel, email with ifconfig and routes.

klmhsb42 commented 4 years ago

done. I guess there is still something which breaks it. " IPv6 Address: Not provided "

cyberb commented 4 years ago

Was it working before you installed OpenVPN?

klmhsb42 commented 4 years ago

yes, I tried it again, see email. IPv6 (tun0) could be wrong IPv6? https://device.syncloud.it/network.html shows IPv6 entry but https://www.syncloud.it/user.html shows " IPv6 Address: Not provided "

cyberb commented 4 years ago

I am running out of ideas on how to make this work with IPv6. I guess routed tun network cannot really work on a single IP block. Another option is a bridged tap network but looks like it needs a more complex setup and allows only a single client on an OpenVPN instance.

cyberb commented 4 years ago

Probably wireguard is another popular VPN server to try.

thomasschaeferm commented 4 years ago

Hello,

Someone asked me to try this openvpn-solution and to investigate the problem. Sorry, it is comment nr97 and I did not read the other 96.

First of all: Thank you for this easy-to-use-solution. At the moment I did just the base installation and installed openvpn via app-center. It works with payload IPv4 and transport IPv6. (server with ds-lite, client Telekom IPv6-only/NAT64) IPv6 is configured for payload as well, but IPv6 as payload doesn't work. In my opinion the mistake is to take the exact same /64-prefix on both ends. I think there are 3 possible solutions:

1) requesting an additional prefix from the router via dhcpv6-pd
2) take just a subnet of the /64 and take care to make ndp-proxies
3) take ULA-addresses and do NAT

  1. is the clean solution, also preferred/suggested by the openvpn-docs; disadvantage: dhcpv6-pd is not widely supported by soho-routers

  2. is a little bit tricky, but it works for me for more than two years

  3. is the ugliest solution and should be avoided

  4. It would be great, if 1 and 2 are implemented, auto-detection: if 1 fails then do 2

Thomas

cyberb commented 4 years ago

> requesting an additional prefix from the router via dhcpv6-pd

Great I did not know you could do that. Do you need to modify /etc/network/interfaces for that or it is possible to do that dynamically?

thomasschaeferm commented 4 years ago

I think it is a dynamic thing. I did not look into the system, how do you configure the network. I just realized, you are using debian8. Some suggestions:

For using ndp-proxy you may have a look here: https://www.thomas--schaefer.de/server.ovpn.sh Ignore the ipv4 part. Your IPv4 works in general, of course with an additional NAT. A short description: It cuts a /112 from the /64 and adds routing/ndp-proxying for the openvpn-server.

thomasschaeferm commented 4 years ago

I looked a little bit in your code. You tried already a mix of splitting the /64 into two /65 and NAT. Since you have already experience with splitting the network my proposal for a quick solution is to use parts of that code to just separate one /112 out of the /64.

server config

server-ipv6 2001:db8:5d6:2301:0:0:1:1/112

system settings

sysctl net.ipv6.conf.eth0.proxy_ndp=1
sysctl net.ipv6.conf.eth0.accept_ra=2
sysctl net.ipv6.conf.all.forwarding=1
ip neigh add proxy 2001:db8:5d6:2301::1:1000 dev eth0
ip neigh add proxy 2001:db8:5d6:2301::1:1001 dev eth0
ip neigh add proxy 2001:db8:5d6:2301::1:1002 dev eth0

(e.g. three clients, for every client you need an additional proxy entry) This proposal should work. I would also test it for you. At the moment I see only one disadvantage: If a user uses two syncloud boxes with openvpn within one LAN - the duplicate address detection (dad) will detect a problem. Maybe randomizing the start address of /112 could solve this.

PS: This is proposal nr2 from yesterday "take just a subnet of the /64 and take care to make ndp-proxies"

PPS: you can still use echo 1 > /proc/sys/net/ipv6/conf/... instead of sysctl, depending on your favour
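The /112 carve-out proposed in the comment above, generalized to any /64 and client count, with the randomized start address suggested for the duplicate-address case. This is an added example, not part of the thread or of Syncloud's code; the function name, the `index` parameter and the client pool offset of 0x1000 (read off the addresses in the comment) are assumptions.

```python
import ipaddress
import secrets

POOL_OFFSET = 0x1000  # first client address in the comment's example (::1:1000)


def plan_ndp_proxy(lan_prefix, clients, iface="eth0", index=None):
    """Carve one /112 out of the LAN /64 and list the NDP proxy entries."""
    lan = ipaddress.IPv6Network(lan_prefix)  # raises if host bits are set
    if lan.prefixlen != 64:
        raise ValueError("expected the /64 announced on the LAN")
    if lan.is_link_local:
        # The fe80-only state seen earlier in the thread: nothing to route.
        raise ValueError("fe80::/10 is link-local, no global prefix present")
    if not 1 <= clients <= 0x10000 - POOL_OFFSET:
        raise ValueError("client count does not fit the /112 pool")
    if index is None:
        # Random /112 so two boxes on one LAN are unlikely to pick the same
        # addresses. Index 0 is skipped on the assumption that the lowest
        # addresses of the /64 may already belong to the router.
        index = 1 + secrets.randbelow(2**48 - 1)
    if not 1 <= index < 2**48:
        raise ValueError("index must select a /112 inside the /64")
    base = int(lan.network_address) + (index << 16)
    vpn = ipaddress.IPv6Network((base, 112))
    pool = [vpn.network_address + POOL_OFFSET + i for i in range(clients)]
    commands = [
        f"sysctl net.ipv6.conf.{iface}.proxy_ndp=1",
        f"sysctl net.ipv6.conf.{iface}.accept_ra=2",
        "sysctl net.ipv6.conf.all.forwarding=1",
    ]
    # One proxy entry per client address, so the server answers neighbour
    # solicitations for that address on the LAN side.
    commands += [f"ip neigh add proxy {addr} dev {iface}" for addr in pool]
    return {
        "vpn_net": vpn,
        "server_config": f"server-ipv6 {vpn.network_address + 1}/112",
        "commands": commands,
    }


if __name__ == "__main__":
    # 2001:db8::/32 is the documentation prefix used in the thread.
    plan = plan_ndp_proxy("2001:db8:5d6:2301::/64", clients=3, index=1)
    print(plan["server_config"])
    print("\n".join(plan["commands"]))
```

With `index=1` the output reproduces the addresses in the comment; leaving `index` unset picks a random /112 inside the same /64.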