tickets #112289

closed

OpenVPN IPv6 connection fails

Added by crameleon almost 2 years ago. Updated almost 2 years ago.

Status: Resolved
Priority: Normal
Category: Core services and virtual infrastructure
Target version: -
Start date: 2022-06-11
Due date:
% Done: 100%
Estimated time:
Tags:

Description

Hi,

I use nm-openvpn.

If I specify remote=gate.opensuse.org, it defaults to IPv6 - that's very nice, but connection attempts time out and fail:

Jun 11 13:56:42 dreamland NetworkManager[5713]: <info> [1654948602.2096] vpn[0x55b40661c150,f54e8de7-c5fd-4de6-a574-d0e45cd0987c,"Heroes"]: starting openvpn
Jun 11 13:56:42 dreamland NetworkManager[5713]: <info> [1654948602.2099] audit: op="connection-activate" uuid="f54e8de7-c5fd-4de6-a574-d0e45cd0987c" name="Heroes" pid=1799 uid=1000 result="success"
Jun 11 13:56:42 dreamland NetworkManager[5882]: 2022-06-11 13:56:42 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Jun 11 13:56:42 dreamland nm-openvpn[5882]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Jun 11 13:56:42 dreamland nm-openvpn[5882]: OpenVPN 2.5.6 x86_64-suse-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 16 2022
Jun 11 13:56:42 dreamland nm-openvpn[5882]: library versions: OpenSSL 1.1.1o 3 May 2022, LZO 2.10
Jun 11 13:56:42 dreamland nm-openvpn[5882]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jun 11 13:56:42 dreamland nm-openvpn[5882]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 11 13:56:42 dreamland nm-openvpn[5882]: TCP/UDP: Preserving recently used remote address: [AF_INET6]2001:67c:2178:8::28:1194
Jun 11 13:56:42 dreamland nm-openvpn[5882]: UDP link local: (not bound)
Jun 11 13:56:42 dreamland nm-openvpn[5882]: UDP link remote: [AF_INET6]2001:67c:2178:8::28:1194
Jun 11 13:56:42 dreamland nm-openvpn[5882]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Jun 11 13:57:41 dreamland NetworkManager[5713]: <info> [1654948661.6903] dhcp6 (br0): activation: beginning transaction (timeout in 45 seconds)
Jun 11 13:57:41 dreamland NetworkManager[5713]: <info> [1654948661.6912] policy: set 'bridge-br0' (br0) as default for IPv6 routing and DNS
Jun 11 13:57:42 dreamland NetworkManager[5713]: <warn> [1654948662.8457] vpn[0x55b40661c150,f54e8de7-c5fd-4de6-a574-d0e45cd0987c,"Heroes"]: connect timeout exceeded
Jun 11 13:57:42 dreamland NetworkManager[5713]: <info> [1654948662.8460] manager: startup complete
Jun 11 13:57:42 dreamland nm-openvpn-serv[5878]: Connect timer expired, disconnecting.
Jun 11 13:57:42 dreamland nm-openvpn[5882]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jun 11 13:57:42 dreamland nm-openvpn[5882]: TLS Error: TLS handshake failed
Jun 11 13:57:42 dreamland nm-openvpn[5882]: SIGTERM received, sending exit notification to peer
Jun 11 13:57:42 dreamland nm-openvpn[5882]: Converting soft SIGUSR1 received during exit notification to SIGTERM
Jun 11 13:57:42 dreamland nm-openvpn[5882]: SIGTERM[soft,exit-with-notification] received, process exiting

If I force it to use IPv4 and specify remote=195.135.221.151, connection attempts succeed immediately:

Jun 11 13:58:59 dreamland NetworkManager[6050]: <info> [1654948739.3325] vpn[0x5649c763a180,f54e8de7-c5fd-4de6-a574-d0e45cd0987c,"Heroes"]: starting openvpn
Jun 11 13:58:59 dreamland NetworkManager[6050]: <info> [1654948739.3327] audit: op="connection-activate" uuid="f54e8de7-c5fd-4de6-a574-d0e45cd0987c" name="Heroes" pid=1799 uid=1000 result="success"
Jun 11 13:58:59 dreamland NetworkManager[6208]: 2022-06-11 13:58:59 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Jun 11 13:58:59 dreamland nm-openvpn[6208]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Jun 11 13:58:59 dreamland nm-openvpn[6208]: OpenVPN 2.5.6 x86_64-suse-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 16 2022
Jun 11 13:58:59 dreamland nm-openvpn[6208]: library versions: OpenSSL 1.1.1o 3 May 2022, LZO 2.10
Jun 11 13:58:59 dreamland nm-openvpn[6208]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jun 11 13:58:59 dreamland nm-openvpn[6208]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 11 13:58:59 dreamland nm-openvpn[6208]: TCP/UDP: Preserving recently used remote address: [AF_INET]195.135.221.151:1194
Jun 11 13:58:59 dreamland nm-openvpn[6208]: UDP link local: (not bound)
Jun 11 13:58:59 dreamland nm-openvpn[6208]: UDP link remote: [AF_INET]195.135.221.151:1194
Jun 11 13:58:59 dreamland nm-openvpn[6208]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Jun 11 13:58:59 dreamland nm-openvpn[6208]: [scar.opensuse.org] Peer Connection Initiated with [AF_INET]195.135.221.151:1194
Jun 11 13:59:00 dreamland nm-openvpn[6208]: TUN/TAP device tun0 opened
Jun 11 13:59:00 dreamland nm-openvpn[6208]: /usr/libexec/nm-openvpn-service-openvpn-helper --debug 0 6204 --bus-name org.freedesktop.NetworkManager.openvpn.Connection_5 --tun -- tun0 1500 1553 192.168.252.162 192.168.252.1 init
Jun 11 13:59:00 dreamland NetworkManager[6050]: <info> [1654948740.7554] manager: (tun0): new Tun device (/org/freedesktop/NetworkManager/Devices/8)
Jun 11 13:59:00 dreamland nm-openvpn[6208]: GID set to nm-openvpn
Jun 11 13:59:00 dreamland nm-openvpn[6208]: UID set to nm-openvpn
Jun 11 13:59:00 dreamland nm-openvpn[6208]: Initialization Sequence Completed

I am able to connect to other OpenVPN gateways over IPv6 just fine.

Best,
Georg

Actions #1

Updated by pjessen almost 2 years ago

  • Status changed from New to Workable
  • Private changed from Yes to No

Looking at scar.i.o.o, it is not listening on 1194 on ipv6, only ipv4.

Actions #2

Updated by pjessen almost 2 years ago

pjessen wrote:

Looking at scar.i.o.o, it is not listening on 1194 on ipv6, only ipv4.

It ought to be easily fixed, by amending /etc/openvpn/heroes_udp.conf to say "local scar.opensuse.org". I might try that later, right now I have to go shopping :-)

Actions #3

Updated by bmwiedemann almost 2 years ago

I found it helped to change

-local 195.135.221.151
-proto udp
+proto udp6
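
Review bot: removing `local 195.135.221.151` without a replacement `local` line moves the bind from that single public address to the wildcard on every interface (the point #4 raises), and switching `proto udp` to `proto udp6` only helps if the resulting socket really is dual-stack (#6 asks exactly this). After restarting the service, confirm that port 1194 is bound for both address families, e.g. with `ss -ulnp | grep 1194`, before closing the ticket.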

Actions #4

Updated by crameleon almost 2 years ago

Removing `local` would make it listen on all interfaces - if this is intended.

Actions #5

Updated by bmwiedemann almost 2 years ago

  • Status changed from Workable to In Progress
  • % Done changed from 0 to 80

It does not hurt to listen on all interfaces, as we already listened on the Internet - the most hostile of all the interfaces.

Btw: I could not find this in salt. Is that config not tracked in there?

Actions #6

Updated by cboltz almost 2 years ago

My understanding of the openvpn manpage is that udp covers IPv4 and IPv6, while udp6 means IPv6 only.
Are you sure that proto udp6 is a good idea? (The actual question is: does openvpn still listen on IPv4 with this option?)

Regarding salt: no, unfortunately nobody salted scar yet.

Actions #7

Updated by bmwiedemann almost 2 years ago

https://community.openvpn.net/openvpn/wiki/IPv6
says

To connect to your server over ipv6 (ipv6 transport) use this on both sides:
proto udp6

In my test, "udp" only listened on IPv4 and udp6 listened on both IPv4 and IPv6.

https://serverfault.com/questions/651832/openvpn-with-mixed-ipv4-and-ipv6-clients
wrote

On the server side, specifying "proto" twice doesn't actually do anything - "proto udp6" will make it bind a dual-stack socket to handle v4+v6, overwriting the "proto udp" in the previous line.
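
The question in #6 (does a udp6 listener still accept IPv4?) and the dual-stack socket quoted above can be checked with plain sockets. This is an added example, not code from the ticket or from OpenVPN: it binds an IPv6 UDP socket once with IPV6_V6ONLY cleared (what a dual-stack bind amounts to) and once with it set, then sends an IPv4 datagram to each and reports whether it arrived.

```python
"""Dual-stack vs IPv6-only UDP listener demo (added example, not OpenVPN code)."""
import socket


def make_udp6_listener(v6only: bool) -> socket.socket:
    """Bind a UDP socket on [::]:<ephemeral>; v6only=False gives a dual-stack socket."""
    s = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
    s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1 if v6only else 0)
    s.bind(("::", 0))
    s.settimeout(0.5)
    return s


def ipv4_reaches(listener: socket.socket) -> bool:
    """Send one IPv4 datagram from 127.0.0.1 to the listener; True if it is received."""
    port = listener.getsockname()[1]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as client:
        client.sendto(b"probe", ("127.0.0.1", port))
    try:
        data, peer = listener.recvfrom(64)
    except socket.timeout:
        # nothing listening on the IPv4 side of the port: v6only socket
        return False
    # on a dual-stack socket an IPv4 peer appears as an IPv4-mapped address
    return data == b"probe" and peer[0].startswith("::ffff:")


def compare() -> dict:
    """Return {'dual-stack': bool, 'v6only': bool}; empty dict if IPv6 sockets are unavailable."""
    results = {}
    for label, v6only in (("dual-stack", False), ("v6only", True)):
        try:
            listener = make_udp6_listener(v6only)
        except OSError:
            return {}
        try:
            results[label] = ipv4_reaches(listener)
        finally:
            listener.close()
    return results


if __name__ == "__main__":
    for label, reached in compare().items():
        print(f"{label}: IPv4 client reached listener = {reached}")
```

On Linux the dual-stack listener receives the IPv4 probe (peer shown as ::ffff:127.0.0.1) while the v6only one times out, which is the behaviour the serverfault answer describes for "proto udp6".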

Actions #8

Updated by bmwiedemann almost 2 years ago

  • Status changed from In Progress to Resolved
  • % Done changed from 80 to 100