Dual-Stack Server with tls-auth has errors when IPv6 clients connect

[gpf]

I have configured a server with dual-stack support (proto udp6). When clients (OpenVPN connect on iOS) connect via IPv6 they get a timeout on the client side and the server logs bad packet IDs and packet authentication failures.

The error goes away when I configure the server to be IPv6 only by using a "local <ipv6 address>" configuration line.

[gpf]

Logs from the Server

[gpf]

Server Configuration

[gpf]

Client ovpn file

[gpf]

This is the debian 9 backports version: 2.4.3-4~bpo9+1

[gpf]

I also tested with "cipher AES-256-GCM" instead of "auth SHA512" and used tls-crypt (using the iOS beta client) instead of tls-auth. Still can't connect but error changes to:

Oct 31 21:25:51 alita ovpn-vpn[7182]: tls-crypt unwrap error: packet authentication failed
Oct 31 21:25:51 alita ovpn-vpn[7182]: TLS Error: tls-crypt unwrapping failed from [AF_INET6]2001:4c50:62f:8800:81f2:c691:1288:d54f:63522

[vzsze]

Replying to gpf:

I have configured a server with dual-stack support (proto udp6). When clients (OpenVPN connect on iOS) connect via IPv6 they get a timeout on the client side and the server logs bad packet IDs and packet authentication failures.

The error goes away when I configure the server to be IPv6 only by using a "local <ipv6 address>" configuration line.

I'm seeing this error, too. Is there any workaround, besides turning off TSL-Auth?

[gpf]

Replying to vzsze:

I'm seeing this error, too. Is there any workaround, besides turning off TSL-Auth?

Not using dualstack. Right now I switched back to v4 only. :(

[Antonio Quartulli]

Does the problem happen only when connecting with Connect for iOS? Or does it happen with any client?

[vzsze]

I'm using Linux client on Ubuntu 18.04.