Opened 4 years ago

Closed 4 years ago

#709 closed Bug / Defect (notabug)

ipv6 redirect-gateway-ipv6 problem

Reported by: akonstantin2402 Owned by:
Priority: major Milestone:
Component: Generic / unclassified Version: OpenVPN 2.3.10 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords:
Cc:

Description

Hi.
We use OpenVPN version 2.3.10 as a VPN provider on Debian.
A few days ago we tried to configure IPv6 support for our clients and found this problem:
We have a working configuration for IPv4 clients where we use this command
push "redirect-gateway" to keep the remote server route via the default route.
Example:

1. Without an openvpn connection I have this one default route on the client:

default via 10.16.1.1 dev wlp2s0 (wifi on ubuntu)

2. While connecting to the openvpn server I see this message in the openvpn server log:

/sbin/ip route add 46.101.17.48/32 via 10.16.1.1

3. And on the client after the openvpn connection:

46.101.17.48 via 10.16.1.1 dev wlp2s0 (wifi on ubuntu)
default via 10.5.0.9 dev tun0

And all works fine.

Now with an IPv6 connection.
We tried to use push "redirect-gateway-ipv6", but the clients work fine only if we manually add a route to the server to the routing table after the openvpn connection.
Example:
For the IPv6 address I use miredo.

1. Client routing table without openvpn:

ip -6 route
default dev teredo metric 1029 pref medium

2. While connecting, the vpn server gives the client this route:

add_route_ipv6(2001:19f0:0:2013:5400:ff:fe28:f8c8/128 -> 2002:19f0:0:2013::1 metric -1) dev tun0

3. Client routing table after the openvpn connection:

2001:19f0:0:2013:5400:ff:fe28:f8c8 dev tun0
2000::/3 dev tun0 metric 1024 pref medium --- default route

With this configuration the client doesn't work.

We need
ip -6 route del 2001:19f0:0:2013:5400:ff:fe28:f8c8/128 dev tun0
and
ip -6 route add 2001:19f0:0:2013:5400:ff:fe28:f8c8/128 dev teredo
After redirecting the server IP to the real device teredo, all works fine.

client routing table after changes:
2001:19f0:0:2013:5400:ff:fe28:f8c8 dev teredo
2000::/3 dev tun0

So the problem is:
In IPv4, push "redirect-gateway" gives the right route to the server via the real device:
46.101.17.48 via 10.16.1.1 dev wlp2s0

In IPv6, push "redirect-gateway-ipv6" gives the wrong route to the server, via the tun interface and not the real interface:
2001:19f0:0:2013:5400:ff:fe28:f8c8 dev tun0

Could you help us with this problem?
Thank you.

Change History (6)

comment:1 Changed 4 years ago by plaisthos

OpenVPN does not have a "redirect-gateway-ipv6" option. OpenVPN master (not 2.3.10) has an ipv6 flag for redirect-gateway ("redirect-gateway ipv6").

Overall I am a bit confused. Are your clients connecting via IPv6 or IPv4? And Teredo, which uses IPv4 to provide IPv6 support, might also be too complex to implement in a redirect-gateway logic. (To automatically discover that the Teredo IPv4 addresses need to be routed to the real device to not break the connection)

comment:2 Changed 4 years ago by Gert Döring

If you connect over IPv6, and want to route an IPv6 block into the tunnel that overlaps with the server's v6 address, you need to use git master (or OpenVPN Connect) on the clients - 2.3.x does not have the necessary logic to detect the current IPv6 default gateway and install the correct /128 route for the VPN gateway.

comment:3 Changed 4 years ago by akonstantin2402

Today I've created an openvpn client on a server with a real IPv6 address and tried to connect to the server.
I've changed push "redirect-gateway-ipv6" to push "redirect-gateway ipv6" on the server and got this log from the client during connection:
ROUTE6: default_gateway=UNDEF

and IPv6 routes

1. Before the openvpn connection:

2604:a880:800:10::/64 dev eth0 proto kernel metric 256
default via 2604:a880:800:10::1 dev eth0 metric 1024

2. After the openvpn connection:

2002:19f0:0:2013::/64 dev tun0 proto kernel metric 256 - (this is the subnet that I give to clients)
2000::/3 dev tun0 metric 1024

And only if we add a route like:
ip -6 r add 2001:19f0:0:2013:5400:ff:fe28:f8c8/128 via 2604:a880:800:10::1 dev eth0 -- (this is the route to the openvpn server)
does this connection work.

So it seems openvpn can't see the default gateway for IPv6 routes :(

comment:4 Changed 4 years ago by akonstantin2402

Today I've created an openvpn client with a real IPv6 address and tried to connect to the server.
I've changed push "redirect-gateway-ipv6" to push "redirect-gateway ipv6" on the server and got this log from the client during connection:
ROUTE6: default_gateway=UNDEF

and IPv6 routes

1. Before the openvpn connection:

2604:a880:800:10::/64 dev eth0 proto kernel metric 256
default via 2604:a880:800:10::1 dev eth0 metric 1024

2. After the openvpn connection:

2002:19f0:0:2013::/64 dev tun0 proto kernel metric 256 - (this is the subnet that I give to clients)
2000::/3 dev tun0 metric 1024

And only if we add a route like:
ip -6 r add 2001:19f0:0:2013:5400:ff:fe28:f8c8/128 via 2604:a880:800:10::1 dev eth0 -- (this is the route to the openvpn server)
does this connection work.

So it seems openvpn can't see the default gateway for IPv6 routes :(

comment:5 in reply to:  4 Changed 4 years ago by Gert Döring

Replying to akonstantin2402:

So it seems openvpn can't see the default gateway for IPv6 routes :(

This is what I am telling you in comment 2: you need git master OpenVPN or OpenVPN Connect for that functionality, it is not in OpenVPN 2.3.x and will not be.

If your clients are 2.3, and connect over IPv6, you need to push route-ipv6 statements that are not overlapping with the server's IPv6 address. Whether or not a client can handle overlaps can be seen by the IV_RGI6=1 client-info pushed to the server.
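The overlap check and the non-overlapping route set described in the comment above, as an added example (not part of the ticket and not OpenVPN code). The `peer_info` dict, the `carve_prefixlen` parameter and all function names are assumptions made for illustration; the server address and the `2000::/3` route are the ones quoted in the ticket.

```python
import ipaddress

def overlapping_routes(server_addr, pushed_routes):
    """Pushed IPv6 routes that cover the VPN server's own address."""
    server = ipaddress.IPv6Address(server_addr)
    return [r for r in pushed_routes if server in ipaddress.IPv6Network(r)]

def routes_for_client(server_addr, pushed_routes, peer_info, carve_prefixlen=64):
    """Routes to push to one client.

    peer_info: dict of the client's IV_* values (constructed by hand here;
    how the server obtains it is outside this example). A client reporting
    IV_RGI6=1 handles overlaps itself. For any other client, each route that
    covers the server is replaced by subnets that leave out the server's
    /carve_prefixlen (hypothetical parameter), so the encrypted transport
    packets keep following the client's existing route.
    """
    if peer_info.get("IV_RGI6") == "1":
        return list(pushed_routes)
    server = ipaddress.IPv6Address(server_addr)
    carve = ipaddress.IPv6Network((server, carve_prefixlen), strict=False)
    result = []
    for route in pushed_routes:
        net = ipaddress.IPv6Network(route)
        if server not in net:
            result.append(str(net))
        elif net.prefixlen < carve.prefixlen:
            # carve is a proper subnet of net: keep everything around it
            result.extend(str(n) for n in sorted(net.address_exclude(carve)))
        # else: the route lies inside the carve-out and is dropped
    return result

def push_lines(routes):
    """Format routes as server-side push directives."""
    return ['push "route-ipv6 %s"' % r for r in routes]

if __name__ == "__main__":
    SERVER = "2001:19f0:0:2013:5400:ff:fe28:f8c8"  # server address from the ticket
    PUSHED = ["2000::/3"]                          # route seen on the client in the ticket
    print("overlapping:", overlapping_routes(SERVER, PUSHED))
    legacy = routes_for_client(SERVER, PUSHED, {})  # 2.3.x client, no IV_RGI6
    print(len(legacy), "routes for a 2.3.x client, starting with:")
    print("\n".join(push_lines(legacy[:3])))
    print("IV_RGI6=1 client:", routes_for_client(SERVER, PUSHED, {"IV_RGI6": "1"}))
```

With the default carve-out, traffic to other hosts in the server's /64 stays outside the tunnel for those clients; a larger `carve_prefixlen` narrows that gap at the cost of more pushed routes.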

comment:6 Changed 4 years ago by Gert Döring

Resolution: notabug
Status: new → closed

Closing this, as we're not going to include this in 2.3.x (the changes are too intrusive to be considered a bugfix, and 2.3.x is not getting new features). git master will be released as 2.4_alpha in the next few months, and hopefully as 2.4.0 soon after.
