build.openvpn.net unreachable via IPv6. breaking distro updates

[digitalhype]

Over the past several days build.openvpn.net has been unreachable via IPv6. Not answering https, nor responding to ping. Traceroute dies in Amazon EC2 network edge.

This is breaking Debian/Ubuntu? sofware updates, as there is a very long timeout. Default on Debian-based distro is for apt package manager to attempt IPv6 (AAAA) address first.

Another individual reported this same problem today in a linux mint forum.

The workaround is to configure apt to use ipv4 only. But, this still needs to be fixed.

Server does not answer https
============================
user@router:~$ telnet build.openvpn.net 443
Trying 2600:1f1c:702:ae00:e0a7:e533:ee3a:8dbc...
^C

Example working via IPv4
========================

user@router:~$ telnet -4 build.openvpn.net 443
Trying 52.53.189.67...
Connected to build.openvpn.net.
Escape character is '^{]'.
?
HTTP/1.1 400 Bad Request
Server: nginx/1.10.3
Date: Fri, 14 Jul 2017 20:18:52 GMT
Content-Type: text/html
Content-Length: 173
Connection: close}

<html>
<head><title>400 Bad Request</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<hr><center>nginx/1.10.3</center>
</body>
</html>
Connection closed by foreign host.

Does not respond to ping
========================

user@router:~$ ping6 build.openvpn.net
PING build.openvpn.net(2600:1f1c:702:ae00:e0a7:e533:ee3a:8dbc) 56 data bytes
^{C
--- build.openvpn.net ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1007ms}

Trace dies in Amazon EC2 net
=============================

user@router:~$ traceroute6 build.openvpn.net
traceroute to build.openvpn.net (2600:1f1c:702:ae00:e0a7:e533:ee3a:8dbc) from 2600:8800:ff04:900:xxxx:xxxx:xxxx:xxxx, port 33434, from port 40170, 30 hops max, 60 bytes packets

1 2600:8800:ff04:900::1 (2600:8800:ff04:900::1) 7.470 ms 7.633 ms 7.522 ms
2 2001:578:801:fffc:300::38 (2001:578:801:fffc:300::38) 7.682 ms 7.280 ms 7.576 ms
3 2001:578:802:104::64 (2001:578:802:104::64) 6.984 ms 7.093 ms 7.616 ms
4 2001:578:1:0:172:17:249:33 (2001:578:1:0:172:17:249:33) 20.135 ms 20.764 ms 21.392 ms
5 2620:107:4008:228::1 (2620:107:4008:228::1) 20.923 ms 21.434 ms 20.527 ms
6 * * *
7 2600:9000:eee::7c (2600:9000:eee::7c) 34.411 ms 35.209 ms 38.288 ms
8 2620:107:3000::d (2620:107:3000::d) 34.039 ms 35.081 ms 35.506 ms
9 * * *

10 2620:107:3000::6 (2620:107:3000::6) 36.274 ms 35.677 ms 35.162 ms
11 * * *
12 2620:107:3000::c (2620:107:3000::c) 30.772 ms 30.041 ms 32.158 ms
13 2620:107:3000::a (2620:107:3000::a) 29.278 ms 30.112 ms 29.784 ms
14 * * *
15 2620:107:3000::12 (2620:107:3000::12) 30.645 ms 35.565 ms 32.458 ms
16 2620:107:3000::103 (2620:107:3000::103) 33.255 ms 31.696 ms 31.757 ms
17 2620:107:4000:4101:8000:0:6440:10a0 (2620:107:4000:4101:8000:0:6440:10a0) 33.085 ms 32.934 ms 40.901 ms
18 2620:107:4000:4101::6440:2959 (2620:107:4000:4101::6440:2959) 32.756 ms 40.378 ms 30.570 ms
19 2620:107:4000:4101::6440:2909 (2620:107:4000:4101::6440:2909) 40.846 ms 31.692 ms 47.538 ms
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *

[Gert Döring]

I can see this as well (neither ping, nor tcp/80 or tcp/443) - but I can't do anything about it. Assigning to mattock.

[Samuli Seppänen]

Fixed. Everything was correct except that the local firewall (ip6tables) which did not let DHCPv6 server responses through. I fixed that for this node and all other/future IPv6-enabled nodes. The nice thing is that build.openvpn.net has native IPv6 support now - no more need for Tunnelbroker kludges.

Based on my testing IPv6 (ping6, http/https) now works. Once I get confirmation from your guys I'll close this as fixed.

[Gert Döring]

looks good from here (AS5539, DE, http/https) - thanks!

[serinalevis]

SPAM