id: 1277
summary: Providing IPv6 outside the tunnel -- won't connect with IPv6 address
reporter: kenjiuno
type: Bug / Defect
status: closed
priority: major
component: Generic / unclassified
version: OpenVPN 2.4.4 (Community Ed)
severity: Not set (select this one, unless your'e a OpenVPN developer)
resolution: notabug

description:

I'm running an OpenVPN server on my company's Linux host named ubunku (Ubuntu 18.04.4 LTS).

My company's gateway (router) has both a fixed global IPv4 address and native IPv6. And there is IPv6 support at my home. So I want to use IPv6 for the OpenVPN connection.

This is OK:

 - home(IPv4) to company(IPv4) OpenVPN Server

This is not good, it fails with an error:

 - home(IPv6) to company(IPv6) OpenVPN Server

OpenVPN Windows 10 client log:

{{{
Sat Apr 25 22:05:16 2020 OpenVPN 2.4.9 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 16 2020
Sat Apr 25 22:05:16 2020 Windows version 6.2 (Windows 8 or greater) 64bit
Sat Apr 25 22:05:16 2020 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
Sat Apr 25 22:05:16 2020 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sat Apr 25 22:05:18 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Apr 25 22:05:18 2020 TCP/UDP: Preserving recently used remote address: [AF_INET6]2001:XXXX:XXXX:XXXX::bf5:11940
Sat Apr 25 22:05:18 2020 UDPv6 link local: (not bound)
Sat Apr 25 22:05:18 2020 UDPv6 link remote: [AF_INET6]2001:XXXX:XXXX:XXXX::bf5:11940
Sat Apr 25 22:06:18 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Apr 25 22:06:18 2020 TLS Error: TLS handshake failed
Sat Apr 25 22:06:18 2020 SIGUSR1[soft,tls-error] received, process restarting
Sat Apr 25 22:06:23 2020 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sat Apr 25 22:06:23 2020 TCP/UDP: Preserving recently used remote address: [AF_INET6]2001:XXXX:XXXX:XXXX::bf5:11940
Sat Apr 25 22:06:23 2020 UDPv6 link local: (not bound)
Sat Apr 25 22:06:23 2020 UDPv6 link remote: [AF_INET6]2001:XXXX:XXXX:XXXX::bf5:11940
}}}

I knew why...

This is the Wireshark capture log on my home Windows 10 machine:

{{{
No. Time     Source                                  Destination                             Protocol Length Info
1   21:59:48 2400:YYYY:YYYY:YYYY:b42d:c192:906f:e3d4 2001:XXXX:XXXX:XXXX::bf5                UDP      76     58659 → 11940 Len=14
2   21:59:48 2001:XXXX:XXXX:XXXX:d809:87d0:6835:21b8 2400:YYYY:YYYY:YYYY:b42d:c192:906f:e3d4 UDP      88     11940 → 58659 Len=26
}}}

ubunku (Ubuntu running OpenVPN Server) has 3 global IPv6 addresses, and the OpenVPN server chose the wrong IPv6 address for responding to the client!

{{{
ku@ubunku:~$ ifconfig eno1
eno1: flags=4163 mtu 1500
        inet 192.168.2.100 netmask 255.255.255.0 broadcast 192.168.2.255
        inet6 2001:XXXX:XXXX:XXXX:d809:87d0:6835:21b8 prefixlen 64 scopeid 0x0
        inet6 fdf2:82d2:d07::bf5 prefixlen 128 scopeid 0x0
        inet6 2001:XXXX:XXXX:XXXX::bf5 prefixlen 128 scopeid 0x0
        inet6 2001:XXXX:XXXX:XXXX:3617:ebff:feeb:29e2 prefixlen 64 scopeid 0x0
        inet6 fdf2:82d2:d07:0:3617:ebff:feeb:29e2 prefixlen 64 scopeid 0x0
        inet6 fe80::3617:ebff:feeb:29e2 prefixlen 64 scopeid 0x20
        inet6 fdf2:82d2:d07:0:d809:87d0:6835:21b8 prefixlen 64 scopeid 0x0
        ether 34:17:eb:eb:29:e2 txqueuelen 1000 (イーサネット)
        RX packets 629233 bytes 153382016 (153.3 MB)
        RX errors 0 dropped 15553 overruns 0 frame 0
        TX packets 108970 bytes 24606509 (24.6 MB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
        device interrupt 16
}}}

`2001:XXXX:XXXX:XXXX::bf5` is the OpenVPN Server host published via the router.

However, the OpenVPN Server chose the binding address `2001:XXXX:XXXX:XXXX:d809:87d0:6835:21b8` for responding to the client.

This is my `/etc/openvpn/server.conf`

{{{
port 11940
proto udp6
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
crl-verify crl.pem
ifconfig-pool-persist ipp.txt
server 192.168.123.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0"
push "dhcp-option WINS 192.168.2.181"
push "dhcp-option DNS 192.168.2.1"
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/server-status.log
log /var/log/openvpn/server.log
log-append /var/log/openvpn/server.log
verb 3
}}}

client (Windows, OpenVPN GUI v11.15.0.0)

{{{
client
proto udp6
remote 2001:XXXX:XXXX:XXXX::bf5
port 11940
dev tun
nobind
comp-lzo
tun-mtu 1500
key-direction 1
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
...
-----END ENCRYPTED PRIVATE KEY-----
}}}

I don't want to use the `local` direction because:

 - The last `local` seems to be used if multiple ones are specified, not all of them.
 - `proto udp6` accepts both IPv4/IPv6 very well for now.
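
The capture in the report shows the signature of this failure: the client sends to one server address and the UDP reply comes back from a different one. The check below is an added example, not part of the ticket or of OpenVPN; it flags that mismatch in a text export laid out like the capture above. The function names are hypothetical and the sample rows are constructed, using 2001:db8::/32 documentation addresses in place of the masked ones.

```python
import ipaddress
import re

# Constructed sample in the layout of the capture above; addresses use the
# 2001:db8::/32 documentation prefix in place of the masked ones.
SAMPLE_CAPTURE = """\
1 21:59:48 2001:db8:2::b42d:c192:906f:e3d4 2001:db8:1::bf5 UDP 76 58659 → 11940 Len=14
2 21:59:48 2001:db8:1:0:d809:87d0:6835:21b8 2001:db8:2::b42d:c192:906f:e3d4 UDP 88 11940 → 58659 Len=26
3 21:59:50 2001:db8:2::b42d:c192:906f:e3d4 2001:db8:1::bf5 UDP 76 58659 → 11940 Len=14
"""

# No. Time Source Destination UDP Length "sport → dport"
ROW = re.compile(
    r"^\s*(\d+)\s+\S+\s+(\S+)\s+(\S+)\s+UDP\s+\d+\s+(\d+)\s+(?:→|->)\s+(\d+)\b")

def parse_rows(text):
    """Yield (frame_no, src_ip, src_port, dst_ip, dst_port) per UDP row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header line or non-UDP row
        no, src, dst, sport, dport = m.groups()
        # ip_address() normalises notation, so ::bf5 equals 0:0:0:0:...:bf5
        yield (int(no), ipaddress.ip_address(src), int(sport),
               ipaddress.ip_address(dst), int(dport))

def find_reply_source_mismatches(text, server_port):
    """Return replies whose source is not the address the client sent to."""
    contacted = {}  # (client_ip, client_port) -> server address it used
    findings = []
    for no, src, sport, dst, dport in parse_rows(text):
        if dport == server_port:        # client -> server
            contacted[(src, sport)] = dst
        elif sport == server_port:      # server -> client
            expected = contacted.get((dst, dport))
            if expected is not None and src != expected:
                findings.append({"frame": no, "client": str(dst),
                                 "expected_source": str(expected),
                                 "actual_source": str(src)})
    return findings

if __name__ == "__main__":
    for f in find_reply_source_mismatches(SAMPLE_CAPTURE, 11940):
        print("frame {frame}: reply from {actual_source}, "
              "client sent to {expected_source}".format(**f))
```

OpenVPN's `multihome` server option exists for this situation: on a UDP server with several addresses that is not pinned with `local`, it makes replies leave from the address the client contacted.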