OpenVPN dual-stack deployment not possible

Hello everyone,

I’ve just built 1.4.0-epa1 and it works fine in many cases!

After configuring the openvpn-client (without setting “local-host”), it should accept connections on all addresses.

manuel@fe73651# show interfaces openvpn vtun0 
 encryption {
     cipher aes256
 }
 local-port 1195
 mode server
 offload {
     dco
 }
 persistent-tunnel
 protocol udp
 server {
     name-server 10.13.0.3
     push-route 192.168.0.0/16 {
     }
     subnet 10.49.6.0/24
 }
 tls {
     ca-certificate xxxxxxxxxx-ca
     certificate ovpn1195
     dh-params dh1
 }

But it’s actually listening only on all IPv4 addresses, not IPv6:

manuel@fe73651# sudo netstat -lnup | grep openvpn
udp        0      0 0.0.0.0:1195            0.0.0.0:*                           105300/openvpn

In general, openvpn works fine with both IPv6 and IPv4. When I use the “local-host” statement with the router's IPv6 address, openvpn is bound correctly to it. But openvpn cannot be bound to both addresses. So a dual-stack deployment will not be possible, because I have to decide whether to assign v4 or v6?

I’m not sure if it works with dco-offload enabled with IPv6. Did you try without dco-offload?

After disabling dco-offload, it is still bound only to udp4:

manuel@fe73651# show interfaces openvpn 
 openvpn vtun0 {
     encryption {
         cipher aes256
     }
     local-port 1195
     mode server
     offload {
     }
     persistent-tunnel
     protocol udp
     server {
         name-server 10.13.0.3
         push-route 192.168.0.0/16 {
         }
         subnet 10.49.6.0/24
     }
     tls {
         ca-certificate xxxxxxxxxx-ca
         certificate ovpn1195
         dh-params dh1
     }
 }
[edit]
manuel@fe73651# sudo netstat -lnup | grep openvpn
udp        0      0 0.0.0.0:1195            0.0.0.0:*                           4431/openvpn        
[edit]
manuel@fe73651#

Maybe it is related to the --multihome option, which is mentioned here? T2222 openvpn: requires "multihome" option to listen on all addresses with udp protocol

Should I just open a feature-request, or is it a bug?

I sometimes ran into this issue because an openvpn client tried connecting with an FQDN. Since the openvpn device was resolvable for both stacks (v4 and v6), the client tried connecting with v6, which was not possible because the server didn’t listen on v6. So the only way is to modify the host entry on the client side to something like: ovpnserver.com:1195:udp4

There is a bug related to this issue:

https://vyos.dev/T6183

I think that’s why you see that problem.

