1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

OpenVPN with IPv6 traffic

Discussion in 'Tomato Firmware' started by Jorge Nerín, Feb 3, 2014.

  1. Jorge Nerín

    Jorge Nerín Reformed Router Member

    Hello, I have been trying to get IPv6 working inside an OpenVPN tunnel, there is support since OpenVPN 2.3.0. First I tried with Toastman tomato-K26USB-NVRAM64K-1.28.0503.6MIPSR2Toastman-RT-N-VPN.trx since that was the branch I was using, but now I'm doing my tests with Shibby tomato-K26USB-1.28.RT-N5x-MIPSR2-116-VPN-64K.trx as it has OpenVPN 2.3.2.

    The problem I'm having is that when I modify my setup of a working IPv4 only tunnel to include IPv6 the tunnel stops working with errors like these:
    Feb  3 23:23:52 Asus-RT-N66U daemon.warn openvpn[3457]: IP packet with unknown IP version=1 seen
    Feb  3 23:23:53 Asus-RT-N66U daemon.warn openvpn[3457]: IP packet with unknown IP version=1 seen
    Feb  3 23:23:54 Asus-RT-N66U daemon.warn openvpn[3457]: IP packet with unknown IP version=1 seen
    Feb  3 23:23:55 Asus-RT-N66U daemon.warn openvpn[3457]: IP packet with unknown IP version=1 seen
    I have managed to launch a working tunnel with IPv4 & IPv6 but only from commandline, with exactly the same config file the gui launched tunnel doesn't work but the one launched from commandline works.

    Let me tell you. My IPv6 setup comes from a 6to4 tunnel provided by hurricane electric, it might be important.

    First of all, my lines in the custom config section:
    # solves the error: TUN Error: option_error: only topology 'subnet' supported with IPv6
    topology subnet
    # One subnet of the /48 allocated
    server-ipv6 2001:470:c82d:1::/64
    # route to /64 assigned by HE
    push "route-ipv6 2001:470:1f13:5bd::/64"
    # Explicit, so select Disabled in Web/GUI
    comp-lzo adaptive
    push "comp-lzo adaptive"
    Well, if I try it starting from the web it won't work, but if I:
    1. telnet to the router
    2. copy the directory /etc/openvpn/server1 to a safe place (It will disappear when the vpn is stopped)
    3. Stop the vpn from the GUI
    4. modprobe tun
    5. iptables -I INPUT 1 -i tun21 -j ACCEPT
    6. iptables -I INPUT 1 -p udp -m udp --dport 1194 -j ACCEPT
    7. cd to that directory
    8. openvpn --config config.ovpn --verb 5
    Then it will work. Proof from a machine in the network to the remote vpn client (android phone on 3g):
    $ ping
    PING ( 56(84) bytes of data.
    64 bytes from icmp_seq=1 ttl=63 time=320 ms
    64 bytes from icmp_seq=2 ttl=63 time=331 ms
    64 bytes from icmp_seq=3 ttl=63 time=332 ms
    --- ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 1999ms
    rtt min/avg/max/mdev = 320.930/328.246/332.289/5.182 ms
    $ ping6 2001:470:c82d:1::1000
    PING 2001:470:c82d:1::1000(2001:470:c82d:1::1000) 56 data bytes
    64 bytes from 2001:470:c82d:1::1000: icmp_seq=1 ttl=63 time=334 ms
    64 bytes from 2001:470:c82d:1::1000: icmp_seq=2 ttl=63 time=343 ms
    64 bytes from 2001:470:c82d:1::1000: icmp_seq=3 ttl=63 time=332 ms
    --- 2001:470:c82d:1::1000 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2001ms
    rtt min/avg/max/mdev = 332.243/336.587/343.029/4.694 ms
    Sooo, I have to sleep now, but I wanted to tell you that it should work, but there is something in the way it's launched that prevents it from working.

    BTW the command line launched from web/GUI is:
    root@Asus-RT-N66U:/tmp/home/root# ps w|grep vpn
    3385 root      3196 S    /etc/openvpn/vpnserver1 --cd /etc/openvpn/server1 --config config.ovpn
    3395 root      1552 S    grep vpn
    root@Asus-RT-N66U:/tmp/home/root# ls -l /etc/openvpn/vpnserver1
    lrwxrwxrwx    1 root     root            17 Feb  3 23:16 /etc/openvpn/vpnserver1 -> /usr/sbin/openvpn
    Last edited: Feb 4, 2014
  2. Jorge Nerín

    Jorge Nerín Reformed Router Member

    Today I have had a little time to dig further. But I didn't managed to advance a lot.

    I have a simpler proof of concept:
    1. Start the VPN from the Web/GUI
    2. telnet to the router
    3. Kill the vpn:
      1. ps w | grep vpn
      2. kill the vpn pid
    4. rmmod tun
    5. modprobe tun
    6. launch from command line the same command line previously killed:
      1. /etc/openvpn/vpnserver1 --cd /etc/openvpn/server1 --config config.ovpn
    7. Test it, it works now.
    Now I need help, I would like to know where is the full list of commands that are run each time the vpn is started from Web/GUI or at system startup. It seems that there is at least one that puts the tun21 interface in promisc mode, but that is not the problem, I tested with promisc on & off and it works if I previously rmmod the tun module.

    I have compared the "ip addr" output and followed the changes with "ip monitor", but I'm not finding anything. I would like to know what happens when I click Start in the Web/GUI, what commands will run? where is the list/script?
  3. Jorge Nerín

    Jorge Nerín Reformed Router Member

    I have had another little time to investigate today, I have found the script that launches the vpn in release/src/router/rc/vpn.c: start_vpnserver() function, so the full sequence is:
    1. modprobe tun
    2. openvpn --mktun --dev tun21
    3. ifconfig tun21 promisc up
    4. /etc/openvpn/vpnserver1 --cd /etc/openvpn/server1 --config config.ovpn
    5. vpn is up but malfunctioning (with ipv6 enabled the connection doesn't work for either protocols "IP packet with unknown IP version=x seen")
    Just form completion the stop sequence is:
    1. sed -i "s/-A/-D/g;s/-I/-D/g" /etc/openvpn/fw/server1-fw.sh
    2. /etc/openvpn/fw/server1-fw.sh
    3. openvpn --rmtun --dev tun21
    4. rmmod tun
    5. vpn is stopped
    I have tried by hand, and if I eliminate the persistent tunnel creation and the ifconfig (as then is no tunnel device yet) it works for me.
    1. modprobe tun
    2. /etc/openvpn/vpnserver1 --cd /etc/openvpn/server1 --config config.ovpn
    3. vpn works as expected
    I don't think the persistent tunnel makes sense when the connection type is tun, I see the need for it in a tap/bridged connection, but not in this case. And I also don't see any reason for having the tunnel device in promisc mode.

    Can someone explain the reasoning behind these two commands, just to see if I can maintain the intended behaviour and also keep a working setup.

    P.D. After managing to get a stable working connection with both IPv4 & IPv6 I discovered that there exists several bugs in Android VPN (VPNService can only provide connectivity for routes that are reachable without VPN, VPN issues on KitKat, etc.) that keeps me from doing anything useful with the IPv6 portion if it comes from a tunnel :rolleyes:, so now I can happily ping6 my phone from home, but no application on the phone will use the IPv6 connection.

    edited to clarify the problem about IPv6 was regarding the VPN and to add some links
    Last edited: Feb 25, 2014
  4. hasIPv6

    hasIPv6 Serious Server Member

    The persistent tunnel creation in vpn.c is a problem; There is a --tun-ipv6 missing to enable IPv6 support!
  5. Jorge Nerín

    Jorge Nerín Reformed Router Member

    I will test it when I have time. But I still don't understand the reasoning of making a persistent tunnel and activating the promisc mode in TUN mode.
  6. nmalinoski

    nmalinoski Serious Server Member

    Has anyone made progress with routing IPv6 over an OpenVPN tunnel? There are still no GUI options for this.

Share This Page