Opened 2 years ago

Last modified 17 months ago

#953 new Bug / Defect

Dual-Stack Server with tls-auth has errors when IPv6 clients connect

Reported by: gpf Owned by:
Priority: major Milestone:
Component: IPv6 Version: OpenVPN 2.4.3 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:
Cc: Steffan Karger, Antonio

Description

I have configured a server with dual-stack support (proto udp6). When clients (OpenVPN connect on iOS) connect via IPv6 they get a timeout on the client side and the server logs bad packet IDs and packet authentication failures.

The error goes away when I configure the server to be IPv6 only by using a "local <ipv6 address>" configuration line.

Attachments (3)

server-logs.txt (27.7 KB) - added by gpf 2 years ago.
Logs from the Server
server-config.txt (783 bytes) - added by gpf 2 years ago.
Server Configuration
client-ovpn.txt (557 bytes) - added by gpf 2 years ago.
Client ovpn file

Download all attachments as: .zip

Change History (10)

Changed 2 years ago by gpf

Attachment: server-logs.txt added

Logs from the Server

Changed 2 years ago by gpf

Attachment: server-config.txt added

Server Configuration

comment:1 Changed 2 years ago by Gert Döring

Cc: Steffan Karger Antonio added

Changed 2 years ago by gpf

Attachment: client-ovpn.txt added

Client ovpn file

comment:2 Changed 2 years ago by gpf

This is the debian 9 backports version: 2.4.3-4~bpo9+1

comment:3 Changed 2 years ago by gpf

I also tested with "cipher AES-256-GCM" instead of "auth SHA512" and used tls-crypt (using the iOS beta client) instead of tls-auth. Still can't connect but error changes to:

Oct 31 21:25:51 alita ovpn-vpn[7182]: tls-crypt unwrap error: packet authentication failed
Oct 31 21:25:51 alita ovpn-vpn[7182]: TLS Error: tls-crypt unwrapping failed from [AF_INET6]2001:4c50:62f:8800:81f2:c691:1288:d54f:63522

comment:4 in reply to:  description ; Changed 17 months ago by vzsze

Replying to gpf:

I have configured a server with dual-stack support (proto udp6). When clients (OpenVPN connect on iOS) connect via IPv6 they get a timeout on the client side and the server logs bad packet IDs and packet authentication failures.

The error goes away when I configure the server to be IPv6 only by using a "local <ipv6 address>" configuration line.

I'm seeing this error, too. Is there any workaround, besides turning off TSL-Auth?

comment:5 in reply to:  4 Changed 17 months ago by gpf

Replying to vzsze:

I'm seeing this error, too. Is there any workaround, besides turning off TSL-Auth?

Not using dualstack. Right now I switched back to v4 only. :(

comment:6 Changed 17 months ago by Antonio

Does the problem happen only when connecting with Connect for iOS? Or does it happen with any client?

comment:7 Changed 17 months ago by vzsze

I'm using Linux client on Ubuntu 18.04.

Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no

Last edited 17 months ago by vzsze (previous) (diff)
Note: See TracTickets for help on using tickets.