tickets #112289
closedOpenVPN IPv6 connection fails
100%
Description
Hi,
I use nm-openvpn.
If I specify remote=gate.opensuse.org, it defaults to IPv6 - that's very nice, but connection attempts time out and fail:
Jun 11 13:56:42 dreamland NetworkManager[5713]: <info> [1654948602.2096] vpn[0x55b40661c150,f54e8de7-c5fd-4de6-a574-d0e45cd0987c,"Heroes"]: starting openvpn
Jun 11 13:56:42 dreamland NetworkManager[5713]: <info> [1654948602.2099] audit: op="connection-activate" uuid="f54e8de7-c5fd-4de6-a574-d0e45cd0987c" name="Heroes" pid=1799 uid=1000 result="success"
Jun 11 13:56:42 dreamland NetworkManager[5882]: 2022-06-11 13:56:42 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Jun 11 13:56:42 dreamland nm-openvpn[5882]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Jun 11 13:56:42 dreamland nm-openvpn[5882]: OpenVPN 2.5.6 x86_64-suse-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 16 2022
Jun 11 13:56:42 dreamland nm-openvpn[5882]: library versions: OpenSSL 1.1.1o 3 May 2022, LZO 2.10
Jun 11 13:56:42 dreamland nm-openvpn[5882]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jun 11 13:56:42 dreamland nm-openvpn[5882]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 11 13:56:42 dreamland nm-openvpn[5882]: TCP/UDP: Preserving recently used remote address: [AF_INET6]2001:67c:2178:8::28:1194
Jun 11 13:56:42 dreamland nm-openvpn[5882]: UDP link local: (not bound)
Jun 11 13:56:42 dreamland nm-openvpn[5882]: UDP link remote: [AF_INET6]2001:67c:2178:8::28:1194
Jun 11 13:56:42 dreamland nm-openvpn[5882]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Jun 11 13:57:41 dreamland NetworkManager[5713]: <info> [1654948661.6903] dhcp6 (br0): activation: beginning transaction (timeout in 45 seconds)
Jun 11 13:57:41 dreamland NetworkManager[5713]: <info> [1654948661.6912] policy: set 'bridge-br0' (br0) as default for IPv6 routing and DNS
Jun 11 13:57:42 dreamland NetworkManager[5713]: <warn> [1654948662.8457] vpn[0x55b40661c150,f54e8de7-c5fd-4de6-a574-d0e45cd0987c,"Heroes"]: connect timeout exceeded
Jun 11 13:57:42 dreamland NetworkManager[5713]: <info> [1654948662.8460] manager: startup complete
Jun 11 13:57:42 dreamland nm-openvpn-serv[5878]: Connect timer expired, disconnecting.
Jun 11 13:57:42 dreamland nm-openvpn[5882]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jun 11 13:57:42 dreamland nm-openvpn[5882]: TLS Error: TLS handshake failed
Jun 11 13:57:42 dreamland nm-openvpn[5882]: SIGTERM received, sending exit notification to peer
Jun 11 13:57:42 dreamland nm-openvpn[5882]: Converting soft SIGUSR1 received during exit notification to SIGTERM
Jun 11 13:57:42 dreamland nm-openvpn[5882]: SIGTERM[soft,exit-with-notification] received, process exiting
If I force it to use IPv4 and specify remote=195.135.221.151, connection attempts succeed immediately:
Jun 11 13:58:59 dreamland NetworkManager[6050]: <info> [1654948739.3325] vpn[0x5649c763a180,f54e8de7-c5fd-4de6-a574-d0e45cd0987c,"Heroes"]: starting openvpn
Jun 11 13:58:59 dreamland NetworkManager[6050]: <info> [1654948739.3327] audit: op="connection-activate" uuid="f54e8de7-c5fd-4de6-a574-d0e45cd0987c" name="Heroes" pid=1799 uid=1000 result="success"
Jun 11 13:58:59 dreamland NetworkManager[6208]: 2022-06-11 13:58:59 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Jun 11 13:58:59 dreamland nm-openvpn[6208]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Jun 11 13:58:59 dreamland nm-openvpn[6208]: OpenVPN 2.5.6 x86_64-suse-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 16 2022
Jun 11 13:58:59 dreamland nm-openvpn[6208]: library versions: OpenSSL 1.1.1o 3 May 2022, LZO 2.10
Jun 11 13:58:59 dreamland nm-openvpn[6208]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jun 11 13:58:59 dreamland nm-openvpn[6208]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 11 13:58:59 dreamland nm-openvpn[6208]: TCP/UDP: Preserving recently used remote address: [AF_INET]195.135.221.151:1194
Jun 11 13:58:59 dreamland nm-openvpn[6208]: UDP link local: (not bound)
Jun 11 13:58:59 dreamland nm-openvpn[6208]: UDP link remote: [AF_INET]195.135.221.151:1194
Jun 11 13:58:59 dreamland nm-openvpn[6208]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Jun 11 13:58:59 dreamland nm-openvpn[6208]: [scar.opensuse.org] Peer Connection Initiated with [AF_INET]195.135.221.151:1194
Jun 11 13:59:00 dreamland nm-openvpn[6208]: TUN/TAP device tun0 opened
Jun 11 13:59:00 dreamland nm-openvpn[6208]: /usr/libexec/nm-openvpn-service-openvpn-helper --debug 0 6204 --bus-name org.freedesktop.NetworkManager.openvpn.Connection_5 --tun -- tun0 1500 1553 192.168.252.162 192.168.252.1 init
Jun 11 13:59:00 dreamland NetworkManager[6050]: <info> [1654948740.7554] manager: (tun0): new Tun device (/org/freedesktop/NetworkManager/Devices/8)
Jun 11 13:59:00 dreamland nm-openvpn[6208]: GID set to nm-openvpn
Jun 11 13:59:00 dreamland nm-openvpn[6208]: UID set to nm-openvpn
Jun 11 13:59:00 dreamland nm-openvpn[6208]: Initialization Sequence Completed
I am able to connect to other OpenVPN gateways over IPv6 just fine.
Best,
Georg