Topics - netgeek

#1
I'm running OpenVPN on 20.1-RC1.  I select "Force all client generated traffic through the tunnel" in my OpenVPN Remote Access server config.  I use the client export utility.  I can connect fine from my laptop, and I get assigned a working IPv4 and IPv6 address.  However, only the 0.0.0.0/1 and 128.0.0.0/1 routes through the VPN tunnel are added when I connect.  No IPv6 routing table entries are made, and none of my IPv6 traffic goes over the VPN.   Shouldn't ::/1 and 8000::/1 routes be added when I connect?  If I manually add the routes on my laptop, it can access the internet fine over the IPv6 OpenVPN link, but by default, no IPv6 traffic goes over the tunnel.
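To check the situation described in this post from the client side, here is an added example (not code from the post or from OPNsense) that parses a netstat-style routing table and reports which address families are actually forced through the tunnel. It assumes the tunnel interface name is tun0 and that OpenVPN's redirect-gateway installs the two half-default routes per family (0.0.0.0/1 + 128.0.0.0/1 for IPv4, ::/1 + 8000::/1 for IPv6) or a full default; the sample table is constructed.

```python
import ipaddress

# Constructed sample: IPv4 halves are present via tun0, the IPv6 halves are
# not, so IPv6 still leaves through the physical interface (the post's case).
SAMPLE_ROUTES = """\
Destination        Gateway            Flags     Netif
default            192.168.1.1        UGS         en0
0.0.0.0/1          10.8.0.1           UGS        tun0
128.0.0.0/1        10.8.0.1           UGS        tun0
10.8.0.0/24        link#12            UC         tun0
default            fe80::1%en0        UGc         en0
2001:db8:1::/64    link#4             UC          en0
"""

# The two half-default routes redirect-gateway is expected to install.
HALVES = {
    4: {ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")},
    6: {ipaddress.ip_network("::/1"), ipaddress.ip_network("8000::/1")},
}

def parse_routes(text):
    """Return (network, interface) pairs from a netstat -rn style table."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Destination":
            continue
        dest, gw, iface = parts[0], parts[1], parts[3]
        try:
            if dest == "default":  # family of a default row comes from its gateway
                fam = ipaddress.ip_address(gw.split("%")[0]).version
                net = ipaddress.ip_network("0.0.0.0/0" if fam == 4 else "::/0")
            else:
                net = ipaddress.ip_network(dest.split("%")[0], strict=False)
        except ValueError:
            continue  # e.g. a default row with a link#N gateway
        routes.append((net, iface))
    return routes

def tunnel_coverage(text, tun_iface):
    """Map family -> True when a full default or both halves point at tun_iface."""
    covered = {4: set(), 6: set()}
    for net, iface in parse_routes(text):
        if iface != tun_iface:
            continue
        if net.prefixlen == 0:
            covered[net.version] = set(HALVES[net.version])
        elif net in HALVES[net.version]:
            covered[net.version].add(net)
    return {v: covered[v] == HALVES[v] for v in (4, 6)}

def leaking_families(text, tun_iface):
    """Families whose traffic bypasses the tunnel; [6] for the sample above."""
    return sorted(v for v, ok in tunnel_coverage(text, tun_iface).items() if not ok)
```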
#2
19.7 Legacy Series / IPv6 Outbound NAT bug?
August 20, 2019, 03:52:27 PM
I have a dynamic IPv6 address assigned to me via DHCP, that is an interface on the firewall.  I use ULA space (fd00::/8) internally, and then do an outbound NAT.  This works with pfsense.  It does not with opnsense 19.7.2.  The reason?  My translation target is set to "interface address", but instead of grabbing the publicly routable IPv6 WAN address, opnsense translates my packets to the link local (fe80::) address, which obviously won't work on the internet.

root@cerberus:~ # tcpdump -Nni em0 host 2607:f8b0:4005:808::2004
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 262144 bytes
06:42:07.475749 IP6 fe80::2e0:67ff:fe13:6324 > 2607:f8b0:4005:808::2004: ICMP6, echo request, seq 106, length 72

I don't know what my public IPv6 address is going to be day to day, so I can't hard code it.  Is there any way to have opnsense ignore link local addresses when it's doing an outbound NAT?  I can think of no reason that would be needed.
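The selection rule the post asks for, as an added example (not OPNsense code): given the addresses present on the WAN interface, keep only those that can serve as an outbound NAT translation target, dropping link-local (fe80::/10) and ULA (fc00::/7) addresses. The address list is constructed; the global address uses the documentation prefix.

```python
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")  # covers the fd00::/8 space used internally

# Constructed WAN address list: link-local, a ULA, and a DHCPv6-assigned global.
WAN_ADDRS = ["fe80::2e0:67ff:fe13:6324%em0", "fd00:1::1", "2001:db8:abcd::5"]

def nat_source_candidates(addrs):
    """Return the IPv6 addresses usable as an outbound NAT source, in order."""
    usable = []
    for a in addrs:
        ip = ipaddress.ip_address(a.split("%")[0])  # strip the zone id
        if ip.version != 6:
            continue
        if ip.is_link_local or ip in ULA or ip.is_multicast or ip.is_loopback:
            continue
        usable.append(str(ip))
    return usable

def nat_source(addrs):
    """First usable address, or None when the interface has only link-local/ULA."""
    candidates = nat_source_candidates(addrs)
    return candidates[0] if candidates else None
```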
#3
19.7 Legacy Series / IPv6 over routed IPSEC
July 13, 2019, 08:52:15 AM
I have a working Routed IPSEC (VTI) tunnel that has an IPv4 phase 2 that works fine.  I'd like to add an IPv6 routed phase 2, but when I try to enter IPv6 addresses I get:

The following input errors were detected:

A valid local network IP address must be specified.
A valid remote network IP address must be specified.

Is there any plan to support IPv6 routed IPSEC?
#4
After configuring an OpenVPN server, and adding the OpenVPN interface, default for IPv4 was changed to point through the OpenVPN interface, which killed everything:

root@aker:~ # netstat -rna4
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            10.10.10.2         UGS      ovpns1
10.0.0.0/24        10.10.10.2         UGS      ovpns1
10.10.10.0/24      10.10.10.2         UGS      ovpns1
10.10.10.1         link#11            UHS         lo0
10.10.10.2         link#11            UH       ovpns1
73.140.16.0/23     link#1             U           em0
73.140.16.217      link#1             UHS         lo0
127.0.0.1          link#7             UH          lo0
192.168.42.0/24    link#2             U           em1
192.168.42.1       link#2             UHS         lo0

I disabled the OpenVPN server, and the default was pulled, but nothing replaced it:

root@aker:~ # netstat -rna4
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
73.140.16.0/23     link#1             U           em0
73.140.16.217      link#1             UHS         lo0
127.0.0.1          link#7             UH          lo0
192.168.42.0/24    link#2             U           em1
192.168.42.1       link#2             UHS         lo0
root@aker:~ # netstat -rna4

After a reboot, all is back to normal (OpenVPN is still turned off):

root@aker:~ # netstat -rna4
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            73.140.16.1        UGS         em0
73.140.16.0/23     link#1             U           em0
73.140.16.217      link#1             UHS         lo0
127.0.0.1          link#7             UH          lo0
192.168.42.0/24    link#2             U           em1
192.168.42.1       link#2             UHS         lo0


This worked in 19.1.10.  I upgraded that version to 19.7r1, but ran into this problem.  I then reinstalled a fresh 19.7r1 and ran into the same problem.   Why would the OpenVPN *server* install a default route?


#5
19.7 Legacy Series / WAN_DHCP6 Gateway missing
July 10, 2019, 02:54:42 AM
Under System -> Gateways -> Single, only my WAN_DHCP gateway is listed after upgrading to RC1.  I've tried this on two different machines, and reset config to factory.  They both are getting IPv6 addresses via DHCPv6, which I can see on the CLI... I just don't have a gateway.
#6
I have a peer-to-peer OpenVPN tunnel between two sites.  It works fine, with an exception.  If I make the IPv4 tunnel network a /29 or larger, the route gets added correctly:

root@opn:~ # netstat -rna | grep 172.16.1.0
172.16.1.0/29      172.16.1.2         UGS      ovpns1

However, if I make the IPv4 tunnel network a /30 (which is all that's needed for a point-to-point VPN), oddness occurs:

root@opn:~ # netstat -rna | grep 172.16.1.0
172.16.1.0&0xac100102 172.16.1.2      UGS      ovpns1

This ends up sending all 172/8 traffic across the tunnel, and possibly more.

I'm running opnsense 18.1.7.  Suggestions?