Hi all,

I run OpenVPN for my virtual private networking as it's a workhorse I've
gotten to know well over the years and is also one of the few that
supports layer 2 networking (that is, forwarding Ethernet frames over
the VPN).

I also use it in L3 mode with Android clients for forwarding VoIP traffic.

OpenVPN circa release 2.3 introduced `proto udp6`, which is supposed to
bind to the port dual-stack. I notice when I do this though,
connections via IPv4 get refused.

Relevant software versions:

    vk4msl-gap# openvpn --version
    OpenVPN 2.6.12 x86_64-unknown-openbsd7.6 [SSL (OpenSSL)] [LZO] [LZ4]
    [MH/RECVDA] [AEAD]
    library versions: LibreSSL 4.0.0, LZO 2.10
    Originally developed by James Yonan
    Copyright (C) 2002-2024 OpenVPN Inc <sa...@openvpn.net>
    Compile time defines: enable_async_push=no enable_comp_stub=no
    enable_crypto_ofb_cfb=yes enable_dco=no enable_debug=yes enable_dlopen=unknown
    enable_dlopen_self=unknown enable_dlopen_self_static=unknown
    enable_fast_install=needless enable_fragment=yes enable_gtk_doc=no
    enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes
    enable_management=yes enable_pam_dlopen=no enable_pedantic=no enable_pkcs11=no
    enable_plugin_auth_pam=no enable_plugin_down_root=yes enable_plugins=yes
    enable_port_share=yes enable_selinux=no enable_shared=yes
    enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no
    enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no
    enable_werror=no enable_win32_dll=yes enable_wolfssl_options_h=yes
    enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl
    with_gnu_ld=no with_mem_check=no with_openssl_engine=no with_sysroot=no
    vk4msl-gap# uname -a
    OpenBSD vk4msl-gap.dmz.longlandclan.id.au 7.6 GENERIC.MP#1 amd64

I've kludged around this in L2 configurations by running two OpenVPN
daemons on different `tap` interfaces and bridging them (along with the
Ethernet they connect to), but I cannot do this with a `tun` device, and
it's a really icky way to work around an issue that shouldn't exist in
2025 anyway. One daemon can do both on Linux simultaneously; it should
likewise be able to do both on OpenBSD.
When I use `proto udp6` I see the following in `netstat`:

    vk4msl-gap# netstat -nl | grep 1194
    udp6 0 0 *.1194 *.*

In this situation from OpenVPN on my Android 10 phone, I see connection
refusals on IPv4 (and strangely, "network is unreachable" on IPv6… I'll
blame Telstra's 4G network for that).

Obviously, `proto udp4` does what it says on the tin. `proto udp` seems
to behave as an alias for `proto udp4`. `proto udp6` is supposed to
listen dual-stack, making it possible to connect via either, however on
OpenBSD, it seems to be IPv6-exclusive.

How do I get it to bind to both IPv4 and IPv6?

--
Stuart Longland (aka Redhatter, VK4MSL)
I haven't lost my mind...
...it's backed up on a tape somewhere.
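
Added example, not part of the original post and not OpenVPN code: a small probe for the behaviour the post asks about, independent of OpenVPN. It binds one AF_INET6 UDP socket to the wildcard address, tries to clear the standard `IPV6_V6ONLY` option (RFC 3493), and checks whether an IPv4 datagram sent to 127.0.0.1 on the same port is delivered to it. The names `probe_dual_stack` and `enum probe_result` are made up for this illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

enum probe_result { PROBE_ERROR = -1, V6_ONLY = 0, DUAL_STACK = 1 };

/* Bind a UDP socket to [::] on an ephemeral port, ask for dual-stack, then
 * send an IPv4 datagram to 127.0.0.1 on that port and see if it arrives. */
enum probe_result probe_dual_stack(void)
{
    enum probe_result res = PROBE_ERROR;
    struct sockaddr_in6 a6 = { .sin6_family = AF_INET6 }; /* addr :: , port 0 */
    struct sockaddr_in a4 = { .sin_family = AF_INET };
    struct timeval tv = { .tv_sec = 1, .tv_usec = 0 };
    socklen_t len = sizeof a6;
    char buf[8];
    int off = 0, s4 = -1, s6 = socket(AF_INET6, SOCK_DGRAM, 0);

    if (s6 < 0)
        return PROBE_ERROR;
    /* Fails where the OS keeps the option fixed; the receive test decides. */
    (void)setsockopt(s6, IPPROTO_IPV6, IPV6_V6ONLY, &off, sizeof off);
    (void)setsockopt(s6, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    if (bind(s6, (struct sockaddr *)&a6, sizeof a6) < 0 ||
        getsockname(s6, (struct sockaddr *)&a6, &len) < 0)
        goto out;
    a4.sin_port = a6.sin6_port;              /* already network byte order */
    a4.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if ((s4 = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
        goto out;
    (void)sendto(s4, "probe", 5, 0, (struct sockaddr *)&a4, sizeof a4);
    res = recv(s6, buf, sizeof buf, 0) == 5 ? DUAL_STACK : V6_ONLY;
out:
    if (s4 >= 0)
        close(s4);
    close(s6);
    return res;
}

int main(void)
{
    const char *names[] = { "error", "IPv6 only", "dual-stack" };
    printf("AF_INET6 UDP socket: %s\n", names[probe_dual_stack() + 1]);
    return 0;
}
```

A result of "IPv6 only" means the operating system does not deliver IPv4 traffic to the AF_INET6 socket, so a single `udp6` listener on that host cannot serve IPv4 clients regardless of the application's configuration.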