Hi,

Using OpenVPN 2.3 (on FreeBSD) in server mode using tun and UDP. Clients are (mostly) Windows (2.3) and now also iOS.

I came across 2 issues while trying to set up IPv6 (over IPv4).

While trying to get it working, I first tried it with my iPhone (running iOS 7). The iPhone gets an IPv6 address, can ping the server and the server can ping the iPhone.. so far so good. The only thing _not_ working is IPv6 traffic for the specified routes, rendering it rather useless… According to the OpenVPN log @ iPhone, it successfully adds the route…

@ server I have (for full config, see further down):

server-ipv6 2001:xxx:2300:513::/64
push "route-ipv6 2001:xxx::/29"
route-ipv6 "2001:xxx:2300:513::/64"

All traffic to 2001:xxx::/29 is dead on the iPhone client once the VPN connection gets established on the iPhone.

Then I also tried the following to see if it would help:

push "route-ipv6 2001:xxx::/29 2001:xxx:2300:513::1 1"

← fails on iPhone with message 'route destinations other than vpn_gateway or net_gateway are not supported'

Again trying something else, I did:

push "route-ipv6 2001:xxx::/29 vpn_gateway 1"

<- again this does nothing on the iPhone but seems to get accepted according to the log, but this does trigger a failure to install the route on Windows Vista (Linux not tested):

Sun Sep 22 16:31:52 2013 PUSH: Received control message: 'PUSH_REPLY,ifconfig-ipv6 2001:xxx:2300:513::1000/64 2001:xxx:2300:513::1,route 213.xxx.99.210 255.255.255.255 net_gateway,route 192.168.0.0 255.255.255.0,route 10.31.0.0 255.255.0.0,route 10.54.0.0 255.255.0.0,route 213.xxx.64.0 255.255.192.0,route 94.xxx.192.0 255.255.248.0 vpn_gateway,route-ipv6 2001:xxx::/29 vpn_gateway 1,dhcp-option DNS 213.xxx.123.165,dhcp-option DNS 213.xxx.123.166,tun-ipv6,route-gateway 10.31.43.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.31.43.2 255.255.255.0'
Sun Sep 22 16:31:52 2013 Options error: route-ipv6 parameter gateway 'vpn_gateway' must be a valid address

#2: so the Windows client does not seem to like 'vpn_gateway' for an IPv6 route, but does like it for an IPv4 route.

And #3: the 'reconnect' option also seems to no longer work on Windows Vista when having an IPv6 route:

Sun Sep 22 17:20:01 2013 Route deletion via IPAPI succeeded [adaptive]
Sun Sep 22 17:20:01 2013 Closing TUN/TAP interface
Sun Sep 22 17:20:01 2013 delete_route_ipv6(2001:xxx:2300:513::/64)
Sun Sep 22 17:20:01 2013 C:\Windows\system32\netsh.exe interface ipv6 delete route 2001:xxx:2300:513::/64 LAN-verbinding 2 fe80::8
Sun Sep 22 17:20:01 2013 ERROR: Windows route add ipv6 command failed: returned error code 1
Sun Sep 22 17:20:01 2013 NETSH: C:\Windows\system32\netsh.exe interface ipv6 delete address LAN-verbinding 2 2001:xxx:2300:513::1000
Sun Sep 22 17:20:02 2013 ERROR: netsh command failed: returned error code 1
Sun Sep 22 17:20:02 2013 MANAGEMENT: Client disconnected
Sun Sep 22 17:20:02 2013 NETSH: command failed
Sun Sep 22 17:20:02 2013 Exiting due to fatal error

Server side config:

daemon
local 213.xxx.99.210
port 5000
proto udp
dev tun
ca keys/ovpn.ca.crt
cert keys/ovpn.crt
key keys/ovpn.key # This file should be kept secret
dh keys/dh1024.pem
client-cert-not-required
username-as-common-name
;duplicate-cn
topology subnet
mode server
tls-server
server 10.31.43.0 255.255.255.0
server-ipv6 2001:xxx:2300:513::/64
client-config-dir ccd
push "route 213.xxx.99.210 255.255.255.255 net_gateway"
push "route 192.168.0.0 255.255.255.0"
push "route 10.31.0.0 255.255.0.0"
push "route 10.54.0.0 255.255.0.0"
push "route 213.xxx.64.0 255.255.192.0"
push "route 94.xxx.192.0 255.255.248.0 vpn_gateway"
push "route-ipv6 2001:xxx::/29"
;push "route-ipv6 2001:xxx::/29 2001:xxx:2300:513::1 1"
;push "route-ipv6 2001:xxx::/29 vpn_gateway 1"
route-ipv6 "2001:xxx:2300:513::/64"
push "dhcp-option DNS 213.xxx.123.165"
push "dhcp-option DNS 213.xxx.123.166"
keepalive 10 60
comp-lzo
max-clients 75
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log
verb 3
plugin /usr/local/lib/openvpn-auth-ldap.so /usr/local/etc/openvpn/auth-ldap.conf
script-security 2

Client side config:

<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
</key>
auth-user-pass
client
dev tun
proto udp
remote 213.xxx.99.210 5000
resolv-retry infinite
nobind
persist-tun
mute-replay-warnings
ns-cert-type server
comp-lzo
verb 3
mute 20

Did anyone come across the same issue(s)? I couldn't quickly find anything in the bug list.

Thanks & best regards,

Wouter
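
Added example, not part of the original post and not OpenVPN code: a small checker that splits a PUSH_REPLY like the one logged above and applies the two client-side rejections quoted in the post to each pushed route-ipv6 option. The sample message is constructed, with the redacted 2001:xxx prefixes replaced by the 2001:db8::/32 documentation range; the function names and the client labels are hypothetical.

```python
import ipaddress

# Constructed PUSH_REPLY modelled on the log in the post; the redacted
# 2001:xxx prefixes are replaced by the 2001:db8::/32 documentation range.
SAMPLE = (
    "PUSH_REPLY,ifconfig-ipv6 2001:db8:2300:513::1000/64 2001:db8:2300:513::1,"
    "route 10.31.0.0 255.255.0.0,"
    "route-ipv6 2001:db8::/32,"
    "route-ipv6 2001:db8::/32 2001:db8:2300:513::1 1,"
    "route-ipv6 2001:db8::/32 vpn_gateway 1,"
    "tun-ipv6,topology subnet"
)
KEYWORDS = {"vpn_gateway", "net_gateway"}


def parse_push_reply(message):
    """Split a PUSH_REPLY control message into lists of option tokens."""
    head, _, body = message.partition(",")
    if head != "PUSH_REPLY":
        raise ValueError("not a PUSH_REPLY message")
    return [opt.split() for opt in body.split(",") if opt.strip()]


def check_route_ipv6(tokens):
    """Return {client: rejection reason or None} for one route-ipv6 option.

    None means only that neither rejection quoted in the post applies; the
    post itself reports a route that was accepted yet carried no traffic.
    """
    ipaddress.IPv6Network(tokens[1])  # ValueError on a malformed prefix
    verdict = {"windows-2.3": None, "ios": None}
    if len(tokens) < 3:  # no gateway argument pushed
        return verdict
    gateway = tokens[2]
    try:
        ipaddress.IPv6Address(gateway)
    except ValueError:
        verdict["windows-2.3"] = "gateway must be a valid address"
    if gateway not in KEYWORDS:
        verdict["ios"] = "only vpn_gateway or net_gateway supported"
    return verdict


def audit(message):
    """Map each pushed route-ipv6 option to its per-client verdict."""
    return {" ".join(t): check_route_ipv6(t)
            for t in parse_push_reply(message) if t[0] == "route-ipv6"}
```

Of the three forms tried in the post, only the one without a gateway argument avoids both quoted rejections, which is a statement about option parsing and not about whether the route then carries traffic.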