On Fri, Apr 04, 2025 at 07:26:34AM +1000, Stuart Longland VK4MSL wrote:
> Hi all,
>
> I run OpenVPN for my virtual private networking as it's a workhorse I've
> gotten to know well over the years and is also one of the few that supports
> layer 2 networking (that is, forwarding Ethernet frames over the VPN).
>
> I also use it in L3 mode with Android clients for forwarding VoIP traffic.
>
> OpenVPN circa release 2.3 introduced `proto udp6`, which is supposed to bind
> to the port dual-stack. I notice when I do this though, connections via
> IPv4 get refused.
>
> Relevant software versions:
> > vk4msl-gap# openvpn --version
> > OpenVPN 2.6.12 x86_64-unknown-openbsd7.6 [SSL (OpenSSL)] [LZO] [LZ4]
> > [MH/RECVDA] [AEAD]
> > library versions: LibreSSL 4.0.0, LZO 2.10
> > Originally developed by James Yonan
> > Copyright (C) 2002-2024 OpenVPN Inc <sa...@openvpn.net>
> > Compile time defines: enable_async_push=no enable_comp_stub=no
> > enable_crypto_ofb_cfb=yes enable_dco=no enable_debug=yes
> > enable_dlopen=unknown enable_dlopen_self=unknown
> > enable_dlopen_self_static=unknown enable_fast_install=needless
> > enable_fragment=yes enable_gtk_doc=no enable_iproute2=no
> > enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes
> > enable_pam_dlopen=no enable_pedantic=no enable_pkcs11=no
> > enable_plugin_auth_pam=no enable_plugin_down_root=yes enable_plugins=yes
> > enable_port_share=yes enable_selinux=no enable_shared=yes
> > enable_shared_with_static_runtimes=no enable_silent_rules=no
> > enable_small=no enable_static=yes enable_strict=no enable_strict_options=no
> > enable_systemd=no enable_werror=no enable_win32_dll=yes
> > enable_wolfssl_options_h=yes enable_x509_alt_username=no
> > with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=no
> > with_mem_check=no with_openssl_engine=no with_sysroot=no
> > vk4msl-gap# uname -a
> > OpenBSD vk4msl-gap.dmz.longlandclan.id.au 7.6 GENERIC.MP#1 amd64
>
> I've kludged around this in L2 configurations by running two OpenVPN daemons
> on different `tap` interfaces and bridging them (along with the Ethernet
> they connect to), but I cannot do this with a `tun` device, and it's a
> really icky way to work around an issue that shouldn't exist in 2025 anyway.
> One daemon can do both on Linux simultaneously, it should likewise be able
> to do both on OpenBSD.
>
> When I use `proto udp6` I see the following in `netstat`:
> > vk4msl-gap# netstat -nl | grep 1194
> > udp6 0 0 *.1194 *.*
>
> In this situation from OpenVPN on my Android 10 phone, I see connection
> refusals on IPv4 (and strangely, "network is unreachable" on IPv6??? I'll
> blame Telstra's 4G network for that).
>
> Obviously, `proto udp4` does what it says on the tin. `proto udp` seems to
> behave as an alias for `proto udp4`. `proto udp6` is supposed to listen
> dual-stack, making it possible to connect via either, however on OpenBSD, it
> seems to be IPv6-exclusive.
>
> How do I get it to bind to both IPv4 and IPv6?

so linux has a feature where it will map ipv4 connections into the ipv4 mapped address space in ipv6 and let you handle them all with a single ipv6 listener. have a look for the doco around the "net.ipv6.bindv6only" sysctl on linux for a bit more explanation.

openbsd does not implement this. i'm guessing that openvpn is relying on this feature though.

the right solution is to configure the software to bind separate sockets for each address family. i believe you can do this with openvpn by specifying multiple "--local" arguments to the daemon. you should be able to bind to ipv4 with "--local 0.0.0.0" and ipv6 with "--local ::".

i could be completely wrong though. i haven't tried this myself, so it may not work at all in practice.

dlg

> --
> Stuart Longland (aka Redhatter, VK4MSL)
>
> I haven't lost my mind...
> ...it's backed up on a tape somewhere.
>
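
The approach suggested in the reply above, one wildcard socket per address family instead of a single dual-stack listener, as an added example that is not part of the thread and is not OpenVPN's code. The helper names `bind_udp` and `wait_readable` are hypothetical, and the code assumes the system accepts setting `IPV6_V6ONLY` to 1 before `bind`.

```c
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a wildcard UDP socket for ONE address family; returns the fd or -1. */
int bind_udp(int family, unsigned short port)
{
    struct sockaddr_in s4;
    struct sockaddr_in6 s6;
    int on = 1, rc, fd = socket(family, SOCK_DGRAM, 0);
    if (fd == -1) return -1;
    if (family == AF_INET6) {
        memset(&s6, 0, sizeof(s6));
        s6.sin6_family = AF_INET6;
        s6.sin6_port = htons(port);
        s6.sin6_addr = in6addr_any;              /* wildcard "::" */
        /* Refuse v4-mapped traffic so the IPv4 socket can own the same port. */
        rc = setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on));
        if (rc == 0)
            rc = bind(fd, (struct sockaddr *)&s6, sizeof(s6));
    } else {
        memset(&s4, 0, sizeof(s4));
        s4.sin_family = AF_INET;
        s4.sin_port = htons(port);
        s4.sin_addr.s_addr = htonl(INADDR_ANY);  /* wildcard "0.0.0.0" */
        rc = bind(fd, (struct sockaddr *)&s4, sizeof(s4));
    }
    if (rc == -1) { close(fd); return -1; }
    return fd;
}

/* Index (0 or 1) of the first socket with a datagram waiting, -1 on timeout.
 * poll() ignores negative descriptors, so a failed bind is simply skipped. */
int wait_readable(const int *fds, int timeout_ms)
{
    struct pollfd p[2] = { { fds[0], POLLIN, 0 }, { fds[1], POLLIN, 0 } };
    if (poll(p, 2, timeout_ms) <= 0) return -1;
    for (int i = 0; i < 2; i++) if (p[i].revents & POLLIN) return i;
    return -1;
}

int main(void)
{
    int fds[2] = { bind_udp(AF_INET, 1194), bind_udp(AF_INET6, 1194) }; /* port from the thread */
    printf("v4 fd=%d v6 fd=%d readable=%d\n", fds[0], fds[1], wait_readable(fds, 2000));
    return fds[0] == -1 || fds[1] == -1;
}
```

With both sockets bound, `netstat -nl` should list a `udp` and a `udp6` entry for the port rather than the single `udp6` line quoted in the question.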