Virtual private networks / [OpenVPN] High packet loss, only when connecting to the server via IPv6
« on: February 25, 2024, 02:00:20 pm »
Hello,
We've recently migrated to OPNsense and use OpenVPN for our staff to connect to our office when working remotely. Feature-wise this is all well; however, I've noticed that when starting a tunnel connecting to the server over IPv6 there is approximately 11% of packet loss for traffic within the tunnel. (This is quite high for stable service.)
I used WinMTR to consistently check loss to the OPNsense router directly being routed un-tunnelled, and another instance to check loss to a host within the closed network tunnelled. The un-tunnelled loss was sub 1%, though tunnelled loss was anywhere from 9%-13%.
Importantly I noticed that if I switch my OpenVPN client to only use an IPv4 server the loss goes away completely. Changing from UDP to TCP did not have any impact.
In my test scenario both sides (my home and our office) are on fully native IPv4 + IPv6, and are in fact using the same ISP (Zen Internet). The connectivity, non-tunnelled, between us is rather ideal with minimal to go wrong.
One thing that might be important: For the IPv6 server to be readily available we're using a static floating IP address attached to the WAN interface, because although Zen Internet allocate us a 48-bit IPv6 prefix they (along with Openreach) also require use of DHCPv6 to establish IPv6 over PPPoE. Therefore the floating IP address is how we can have a static IPv6 address from within our 48-bit prefix for our office's router. (This isn't a problem for IPv4 as we have a single static address for that.)
Installation is on bare metal, version 24.1.2_1-amd64.