Messages - netgeek

#1
I'm running OpenVPN on 20.1-RC1.  I select "Force all client generated traffic through the tunnel" in my OpenVPN Remote Access server config.  I use the client export utility.  I can connect fine from my laptop, and I get assigned a working IPv4 and IPv6 address.  However, only the 0.0.0.0/1 and 128.0.0.0/1 routes through the VPN tunnel are added when I connect.  No IPv6 routing table entries are made, and none of my IPv6 traffic goes over the VPN.   Shouldn't ::/1 and 8000::/1 routes be added when I connect?  If I manually add the routes on my laptop, it can access the internet fine over the IPv6 OpenVPN link, but by default, no IPv6 traffic goes over the tunnel.
#2
19.7 Legacy Series / Re: IPv6 Outbound NAT bug?
August 20, 2019, 11:05:55 PM
If I had a /64 I wouldn't NAT. 
#3
19.7 Legacy Series / IPv6 Outbound NAT bug?
August 20, 2019, 03:52:27 PM
I have a dynamic IPv6 address assigned to me via DHCP, that is an interface on the firewall.  I use ULA space (fd00::/8) internally, and then do an outbound NAT.  This works with pfSense.  It does not with OPNsense 19.7.2.  The reason?  My translation target is set to "interface address", but instead of grabbing the publicly routable IPv6 WAN address, OPNsense translates my packets to the link local (fe80::) address, which obviously won't work on the internet.

root@cerberus:~ # tcpdump -Nni em0 host 2607:f8b0:4005:808::2004
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 262144 bytes
06:42:07.475749 IP6 fe80::2e0:67ff:fe13:6324 > 2607:f8b0:4005:808::2004: ICMP6, echo request, seq 106, length 72

I don't know what my public IPv6 address is going to be day to day, so I can't hard code it.  Is there any way to have OPNsense ignore link local addresses when it's doing an outbound NAT?  I can think of no reason that would be needed.
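As an added example (not code from the post or from OPNsense itself), the address-selection rule the post is asking for, written in Python: parse the interface's inet6 addresses, drop link-local (fe80::/10) and ULA (fc00::/7) scopes, and use the global unicast address as the outbound NAT translation target. A second helper flags the symptom in tcpdump output. The ifconfig text is a constructed sample using the 2001:db8::/32 documentation prefix; the tcpdump line is the one shown in the post.

```python
import ipaddress
import re

# RFC 4291 scopes: outbound NAT must never translate to a link-local source,
# and a ULA source is not routable on the internet either.
LINK_LOCAL = ipaddress.ip_network("fe80::/10")
ULA = ipaddress.ip_network("fc00::/7")           # includes fd00::/8
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")

# Constructed sample of `ifconfig em0 inet6` output (not from the post); the
# 2001:db8::/32 address is a documentation prefix standing in for a WAN address.
SAMPLE_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet6 fe80::2e0:67ff:fe13:6324%em0 prefixlen 64 scopeid 0x1
\tinet6 2001:db8:abcd:1::1234 prefixlen 64 autoconf
\tinet6 fd00:1::1 prefixlen 64
"""

INET6_RE = re.compile(r"^\s*inet6\s+(\S+)\s+prefixlen\s+(\d+)", re.MULTILINE)
TCPDUMP_V6_RE = re.compile(r"\bIP6 (\S+) > ")


def parse_inet6(ifconfig_text):
    """IPv6 addresses on the interface, with any %zone suffix removed."""
    return [ipaddress.IPv6Address(raw.split("%", 1)[0])
            for raw, _plen in INET6_RE.findall(ifconfig_text)]


def classify(addr):
    """Scope of an IPv6 address: link-local, ula, global or other."""
    if addr in LINK_LOCAL:
        return "link-local"
    if addr in ULA:
        return "ula"
    if addr in GLOBAL_UNICAST:
        return "global"
    return "other"


def pick_nat_source(addrs):
    """Address an outbound NAT rule should translate to: the first global
    unicast address, never link-local and never ULA. None if there is none."""
    for addr in addrs:
        if classify(addr) == "global":
            return addr
    return None


def has_link_local_source(tcpdump_line):
    """Detection side: True if a tcpdump 'IP6' line shows a link-local source,
    which is exactly the fe80:: echo request leaving the WAN in the post."""
    m = TCPDUMP_V6_RE.search(tcpdump_line)
    return bool(m) and ipaddress.IPv6Address(m.group(1)) in LINK_LOCAL


if __name__ == "__main__":
    addrs = parse_inet6(SAMPLE_IFCONFIG)
    for a in addrs:
        print(f"{a}\t{classify(a)}")
    print("NAT source:", pick_nat_source(addrs))
```

Running the block on the sample prints the three addresses with their scopes and selects the 2001:db8 address; feeding it only the fe80:: and fd00:: addresses yields None, which is the case where a rule should fail loudly rather than fall back to link-local.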
#4
OK, to get this to happen I had to configure an OpenVPN server, assign an interface, and then disable/enable the server. (It doesn't happen right when the interface is assigned, but will happen on reboot or disable/enable)

root@OPNsense:~ # ls /tmp/*defaultgw*
/tmp/em0_defaultgwv6    /tmp/ovpns1_defaultgw
#5
19.7 Legacy Series / Re: IPv6 over routed IPSEC
July 13, 2019, 08:55:33 AM
It looks like there is an issue with "tunnel ipv6" mode as well.  If you choose Local Network: Network and try to fill in an address, you are limited to /0 - /32 as a subnet mask.
#6
19.7 Legacy Series / IPv6 over routed IPSEC
July 13, 2019, 08:52:15 AM
I have a working Routed IPSEC (VTI) tunnel that has an IPv4 phase 2 that works fine.  I'd like to add an IPv6 routed phase 2, but when I try to enter IPv6 addresses I get:

The following input errors were detected:

A valid local network IP address must be specified.
A valid remote network IP address must be specified.

Is there any plan to support IPv6 routed IPSEC?
#7
This only happens when I assign an interface to an openvpn tunnel.
#8
I just have the DHCP gateway - nothing pointing to openvpn.
#9
It was assigned an interface because this box is intended to have multiple OpenVPN servers running on it and I need to be able to do firewall rules per VPN.  However, right now only one VPN is configured, and there is an allow-any firewall rule.  The exact same config worked in 19.1.10.
#10
As you can see, there is no mention of a default in my OpenVPN server config:

#11
19.7 Legacy Series / Re: WAN_DHCP6 Gateway missing
July 10, 2019, 05:19:31 AM
And I have a 3rd box that shows it just fine.
#12
After configuring an OpenVPN server, and adding the OpenVPN interface, default for IPv4 was changed to point through the OpenVPN interface, which killed everything:

root@aker:~ # netstat -rna4
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            10.10.10.2         UGS      ovpns1
10.0.0.0/24        10.10.10.2         UGS      ovpns1
10.10.10.0/24      10.10.10.2         UGS      ovpns1
10.10.10.1         link#11            UHS         lo0
10.10.10.2         link#11            UH       ovpns1
73.140.16.0/23     link#1             U           em0
73.140.16.217      link#1             UHS         lo0
127.0.0.1          link#7             UH          lo0
192.168.42.0/24    link#2             U           em1
192.168.42.1       link#2             UHS         lo0

I disabled the OpenVPN server, and the default was pulled, but nothing replaced it:

root@aker:~ # netstat -rna4
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
73.140.16.0/23     link#1             U           em0
73.140.16.217      link#1             UHS         lo0
127.0.0.1          link#7             UH          lo0
192.168.42.0/24    link#2             U           em1
192.168.42.1       link#2             UHS         lo0
root@aker:~ # netstat -rna4

After a reboot, all is back to normal (OpenVPN is still turned off):

root@aker:~ # netstat -rna4
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            73.140.16.1        UGS         em0
73.140.16.0/23     link#1             U           em0
73.140.16.217      link#1             UHS         lo0
127.0.0.1          link#7             UH          lo0
192.168.42.0/24    link#2             U           em1
192.168.42.1       link#2             UHS         lo0


This worked in 19.1.10.  I upgraded that version to 19.7r1, but ran into this problem.  I then reinstalled a fresh 19.7r1 and ran into the same problem.   Why would the OpenVPN *server* install a default route?
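As an added example (not from the post and not OPNsense code), a small Python checker for the two routing symptoms in this thread: the default route being pulled onto the OpenVPN interface or disappearing altogether (post #12), and, on the client side, whether the routes pointed at a tunnel actually cover the whole address family, the ::/1 + 8000::/1 question from post #1. The three `netstat -rna4` snapshots are copied from the post above; the interface names em0 and ovpns and the client route lists are assumptions.

```python
import ipaddress
import re

# Three `netstat -rna4` snapshots from the post: default via ovpns1 (broken),
# no default at all after disabling the server, and the healthy state.
VIA_VPN = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            10.10.10.2         UGS      ovpns1
10.0.0.0/24        10.10.10.2         UGS      ovpns1
10.10.10.0/24      10.10.10.2         UGS      ovpns1
10.10.10.1         link#11            UHS         lo0
10.10.10.2         link#11            UH       ovpns1
73.140.16.0/23     link#1             U           em0
73.140.16.217      link#1             UHS         lo0
127.0.0.1          link#7             UH          lo0
192.168.42.0/24    link#2             U           em1
192.168.42.1       link#2             UHS         lo0
"""

NO_DEFAULT = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
73.140.16.0/23     link#1             U           em0
73.140.16.217      link#1             UHS         lo0
127.0.0.1          link#7             UH          lo0
192.168.42.0/24    link#2             U           em1
192.168.42.1       link#2             UHS         lo0
"""

HEALTHY = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            73.140.16.1        UGS         em0
73.140.16.0/23     link#1             U           em0
73.140.16.217      link#1             UHS         lo0
127.0.0.1          link#7             UH          lo0
192.168.42.0/24    link#2             U           em1
192.168.42.1       link#2             UHS         lo0
"""

ROUTE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_routes(netstat_text):
    """Rows of a FreeBSD `netstat -rn` table as dicts; text before the
    'Destination' header is ignored."""
    routes, in_table = [], False
    for line in netstat_text.splitlines():
        if line.startswith("Destination"):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        m = ROUTE_RE.match(line)
        if m:
            dest, gateway, flags, netif, _expire = m.groups()
            routes.append({"dest": dest, "gateway": gateway,
                           "flags": flags, "netif": netif})
    return routes


def check_default_route(routes, wan_if="em0", vpn_prefix="ovpns"):
    """('ok' | 'via-vpn' | 'missing' | 'unexpected', route or None).
    wan_if and vpn_prefix are assumptions matching the post; adjust per box."""
    defaults = [r for r in routes if r["dest"] == "default"]
    if not defaults:
        return "missing", None
    route = defaults[0]
    if route["netif"].startswith(vpn_prefix):
        return "via-vpn", route
    if route["netif"] == wan_if:
        return "ok", route
    return "unexpected", route


def tunnel_covers_everything(tunnel_routes):
    """Client-side check: do the CIDRs pointed at the tunnel (0.0.0.0/1 and
    128.0.0.0/1, or ::/1 and 8000::/1) collapse to the whole family?"""
    nets = [ipaddress.ip_network(n) for n in tunnel_routes]
    if not nets:
        return False
    merged = list(ipaddress.collapse_addresses(nets))
    return len(merged) == 1 and merged[0].prefixlen == 0


if __name__ == "__main__":
    for name, text in (("via_vpn", VIA_VPN), ("no_default", NO_DEFAULT), ("healthy", HEALTHY)):
        print(name, check_default_route(parse_routes(text))[0])
    print("v4 tunneled:", tunnel_covers_everything(["0.0.0.0/1", "128.0.0.0/1"]))
    print("v6 tunneled:", tunnel_covers_everything(["::/1"]))  # only half of IPv6
```

On a live box the same parser can be fed `netstat -rna4` / `netstat -rna6` output directly; a "via-vpn" or "missing" result for the IPv4 table is the state the post describes, and the IPv6 half-coverage case is what post #1 sees on the client when only 0.0.0.0/1 and 128.0.0.0/1 are pushed.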


#13
19.7 Legacy Series / Re: WAN_DHCP6 Gateway missing
July 10, 2019, 03:13:26 AM
It seems to be cosmetic only, as I can still use IPv6 to get to places, and netstat -rna6 shows my IPv6 default route.   It's just missing from the GUI.
#14
19.7 Legacy Series / WAN_DHCP6 Gateway missing
July 10, 2019, 02:54:42 AM
Under System -> Gateways -> Single, only my WAN_DHCP gateway is listed after upgrading to RC1.  I've tried this on two different machines, and reset config to factory.  They both are getting IPv6 addresses via DHCPv6, which I can see on the CLI... I just don't have a gateway.
#15
This feels more like a bug.  The same config works fine on pfSense.