Messages - kb1sph

#1
Hi Everyone,

I'm having trouble trying to figure this out. Here's the basic setup. I have no IPv6 from my ISP. I know, odd, right? Breezeline has not enabled and has no current intentions of enabling IPv6 any time soon. They only give IPv6 to their business customers. My router also does not support a tunnel to HE.net, darn TP-LINK! It's also not capable of running OpenWrt or DD-WRT. So, my solution is that I have a VPS online and I've set it up with OPNsense. I have the HE tunnel set up and have connectivity with my /48 set up on the WAN side. To start with, I set up a LAN interface (yes, the VPS has a separate interface for a VPS to VPS network) with a /64, which I've done before, and everything worked fine. I could ping the LAN address(es) no problem from a web site that checks for me (since I have no IPv6). I then removed the IP configuration from the LAN (wasn't sure if keeping it in there would be an issue), created a bridge, added the LAN to it (after changing LAN to another interface temporarily), then set the LAN to the bridge and configured the IP addresses the same. Still working so far. I then created an OpenVPN instance to connect to from home (starting with just OpenVPN GUI on my laptop, will link my local OPNsense once I confirm everything is working and configure it properly for maybe a /50 so that I can assign /64s locally). When I connect I get an IPv4 address and IPv6 address. I can ping the IPv4 side and not the IPv6 side. Checking the firewall rules for the bridge (LAN), it has all kinds of premade rules and is allowing ICMP no problem. I'm not seeing anything blocked in the firewall logs.

Here's my OpenVPN server side configuration.
# OPNsense-generated instance config; key and certificates omitted below
dev ovpns1
ping-timer-rem
topology subnet
dh /usr/local/etc/inc/plugins.inc.d/openvpn/dh.rfc7919
verify-client-cert require
# bridge mode with no parameters: OpenVPN hands out no address pool of its own
server-bridge
client-config-dir /var/etc/openvpn-csc/1
auth-user-pass-verify "/usr/local/opnsense/scripts/openvpn/ovpn_event.py --defer '4edaae17-381d-4343-984c-3f089bf7b6b7'" via-env
learn-address "/usr/local/opnsense/scripts/openvpn/ovpn_event.py '1'"
client-disconnect "/usr/local/opnsense/scripts/openvpn/ovpn_event.py '4edaae17-381d-4343-984c-3f089bf7b6b7'"
tls-verify "/usr/local/opnsense/scripts/openvpn/ovpn_event.py '4edaae17-381d-4343-984c-3f089bf7b6b7'"
multihome
persist-tun
persist-key
# layer-2 (TAP) device, bridged to the LAN on the OPNsense side
dev-type tap
dev-node /dev/tap1
script-security 3
writepid /var/run/ovpn-instance-4edaae17-381d-4343-984c-3f089bf7b6b7.pid
daemon openvpn_server1
management /var/etc/openvpn/instance-4edaae17-381d-4343-984c-3f089bf7b6b7.sock unix
proto udp
verb 3
disable-dco
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
port 1194
data-ciphers AES-256-GCM
auth SHA512
<key>
</key>
<cert>
</cert>
<ca>
</ca>
key and certificates not posted of course

And my client side configuration (exported by OPNsense)
dev tap
persist-tun
persist-key
auth SHA512
client
resolv-retry infinite
remote [ip of server] 1194 udp
lport 0
verify-x509-name "C=US, ST=[state], L=[city], O=[organization], CN=[common name]" subject
remote-cert-tls server
auth-user-pass
<ca>
</ca>
<cert>
</cert>
<key>
</key>

I also tried adding:
push "redirect-gateway def1 ipv6"

which gave me this
Sun Dec 22 11:43:21 2024 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Sun Dec 22 11:43:21 2024 OpenVPN 2.6.12 [git:v2.6.12/038a94bae57a446c] Windows [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Jul 18 2024
Sun Dec 22 11:43:21 2024 Windows version 10.0 (Windows 10 or greater), amd64 executable
Sun Dec 22 11:43:21 2024 library versions: OpenSSL 3.3.1 4 Jun 2024, LZO 2.10
Sun Dec 22 11:43:21 2024 DCO version: 1.2.1
Sun Dec 22 11:43:23 2024 TCP/UDP: Preserving recently used remote address: [AF_INET][server ip]:1194
Sun Dec 22 11:43:23 2024 UDPv4 link local (bound): [AF_INET][undef]:0
Sun Dec 22 11:43:23 2024 UDPv4 link remote: [AF_INET][server ip]:1194
Sun Dec 22 11:43:23 2024 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Dec 22 11:43:24 2024 [common name] Peer Connection Initiated with [AF_INET][server ip]:1194
Sun Dec 22 11:43:25 2024 open_tun
Sun Dec 22 11:43:25 2024 tap-windows6 device [OpenVPN TAP-Windows6] opened
Sun Dec 22 11:43:25 2024 Successful ARP Flush on interface [23] {BAFF7420-7C13-4733-9D62-10E62C1FA291}
Sun Dec 22 11:43:30 2024 WARNING: OpenVPN was configured to add an IPv6 route. However, no IPv6 has been configured for OpenVPN TAP-Windows6, therefore the route installation may fail or may not work as expected.
Sun Dec 22 11:43:30 2024 ROUTE6 WARNING: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was set via --ifconfig-ipv6 or --route-ipv6-gateway option.  Not installing IPv6 route to ::/3.
Sun Dec 22 11:43:30 2024 ROUTE6 WARNING: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was set via --ifconfig-ipv6 or --route-ipv6-gateway option.  Not installing IPv6 route to 2000::/4.
Sun Dec 22 11:43:30 2024 ROUTE6 WARNING: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was set via --ifconfig-ipv6 or --route-ipv6-gateway option.  Not installing IPv6 route to 3000::/4.
Sun Dec 22 11:43:30 2024 ROUTE6 WARNING: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was set via --ifconfig-ipv6 or --route-ipv6-gateway option.  Not installing IPv6 route to fc00::/7.
Sun Dec 22 11:43:30 2024 Initialization Sequence Completed
Sun Dec 22 11:43:30 2024 ERROR: Some routes were not successfully added. The connection may not function correctly

Same situation: I do not get an IPv6 gateway and cannot ping the server-side IPv6 address, and nothing is blocked in the firewall logs.

Any help in pointing me in the right direction would be appreciated, as I have not set something like this up before. I have looked up multiple guides and this is as far as I can get.
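As an added example that is not part of the original post, a small Python lint that reads a server config like the one above and flags the condition the client log reports (a pushed `redirect-gateway ... ipv6` with no `ifconfig-ipv6` or `route-ipv6-gateway` pushed alongside it), plus mistyped `proto` and `data-ciphers` names. KNOWN_PROTOS and KNOWN_CIPHERS are partial lists chosen here, and the sample config is constructed.

```python
"""Added example (not from the post): lint an OpenVPN server config for the IPv6 gap the client log reports."""
import re

PUSHABLE_V6_GATEWAY = ("ifconfig-ipv6", "route-ipv6-gateway")
KNOWN_PROTOS = {"udp", "udp4", "udp6", "tcp", "tcp4", "tcp6", "tcp-server", "tcp-client"}
KNOWN_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "AES-192-GCM", "CHACHA20-POLY1305", "AES-256-CBC"}

def parse_config(text):
    """Return (directive, args) pairs; blanks, comments and inline <ca>/<cert>/<key> bodies are skipped."""
    opts, block = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        tag = re.fullmatch(r"<(/?)(\w+)>", line)
        if tag:  # entering (<ca>) or leaving (</ca>) an inline PEM block
            block = None if tag.group(1) else tag.group(2)
        elif block is None and line and not line.startswith("#"):
            directive, _, args = line.partition(" ")
            opts.append((directive, args.strip()))
    return opts

def check_ipv6_bridge(text):
    """Return findings; an empty list means clients should receive an IPv6 gateway."""
    opts, findings = parse_config(text), []
    for directive, args in opts:
        if directive == "proto" and args not in KNOWN_PROTOS:
            findings.append(f"unknown proto '{args}'")
        if directive == "data-ciphers" and not set(args.split(":")) <= KNOWN_CIPHERS:
            findings.append(f"unrecognised cipher in data-ciphers '{args}'")
    pushes = [args.strip('"').split() for d, args in opts if d == "push"]
    tap = any(d == "server-bridge" or (d, a) == ("dev-type", "tap") for d, a in opts)
    wants_v6_default = any(p[:1] == ["redirect-gateway"] and "ipv6" in p for p in pushes)
    has_v6_gateway = any(p[:1] and p[0] in PUSHABLE_V6_GATEWAY for p in pushes)
    if tap and wants_v6_default and not has_v6_gateway:
        findings.append("redirect-gateway ipv6 is pushed but no ifconfig-ipv6/route-ipv6-gateway is: "
                        "clients will log 'ROUTE6 WARNING ... Not installing IPv6 route'")
    return findings

# Constructed sample: the TAP/bridge directives of the posted config plus a mistyped
# proto and cipher name, to exercise both checks (certificate bodies omitted).
BROKEN = """\
dev-type tap
server-bridge
proto udb
data-ciphers RES-256-GCM
push "redirect-gateway def1 ipv6"
<ca>
placeholder
</ca>
"""
# Same config with the typos fixed and an IPv6 gateway pushed (2001:db8::1 is a documentation address).
FIXED = BROKEN.replace("proto udb", "proto udp").replace("RES-", "AES-") + 'push "route-ipv6-gateway 2001:db8::1"\n'
```

Running `check_ipv6_bridge(BROKEN)` yields three findings and `check_ipv6_bridge(FIXED)` none.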