By: Yourboy

Configure OpenVPN on DigitalOcean for IPv6

July 16, 2017
IPv6 Networking Ubuntu 16.04

I have searched several tutorials, but many of them are vague, incomplete, or do not give enough help to actually configure OpenVPN for IPv6 connectivity. My goal is to be able to connect to both IPv4 and IPv6 services/websites.

3 Answers
Want to access the Internet safely and securely from your smartphone or laptop when connected to an untrusted network such as the WiFi of a hotel or coffee shop? A Virtual Private Network (VPN) allows you to traverse...

I have tried but something never goes right. I don't really have a full understanding of IPv6 despite reading a lot about it. I have looked up many tutorials on IPv6 & OpenVPN but all of them, as I said, are outdated and vague.

  • @Yourboy
    Without seeing your error logs and configurations, it's difficult to help further.

    • I will try the solution you linked and then post the logs if it doesn't work! Thank you for the help!

    • @hansen
      I disabled ufw since I am not 100% sure how to set up the rules and I'd rather just get the basic bare-bones part of it working. I am connecting but I time out when I load webpages. I made sure that udp/1194 was allowed in Windows Firewall.

      ifconfig:

      eth0      Link encap:Ethernet  HWaddr c2:78:d8:3d:cf:da
                inet addr:104.131.112.65  Bcast:104.131.127.255  Mask:255.255.192.0
                inet6 addr: fe80::c078:d8ff:fe3d:cfda/64 Scope:Link
                inet6 addr: 2604:a880:800:10::3827:e001/64 Scope:Global
                UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                RX packets:500 errors:0 dropped:0 overruns:0 frame:0
                TX packets:1576 errors:0 dropped:0 overruns:0 carrier:0
                collisions:0 txqueuelen:1000
                RX bytes:83517 (83.5 KB)  TX bytes:286409 (286.4 KB)
      
      lo        Link encap:Local Loopback
                inet addr:127.0.0.1  Mask:255.0.0.0
                inet6 addr: ::1/128 Scope:Host
                UP LOOPBACK RUNNING  MTU:65536  Metric:1
                RX packets:160 errors:0 dropped:0 overruns:0 frame:0
                TX packets:160 errors:0 dropped:0 overruns:0 carrier:0
                collisions:0 txqueuelen:1
                RX bytes:11840 (11.8 KB)  TX bytes:11840 (11.8 KB)
      
      tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
                inet addr:192.168.226.1  P-t-P:192.168.226.1  Mask:255.255.255.0
                inet6 addr: fd00:c0a8:e200::1/64 Scope:Global
                UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
                RX packets:18 errors:0 dropped:0 overruns:0 frame:0
                TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
                collisions:0 txqueuelen:100
                RX bytes:24382 (24.3 KB)  TX bytes:152 (152.0 B)
      
      

      server.conf

      dev tun
      dev-type tun
      remote 104.131.112.65 1194 udp
      remote 2604:a880:800:10::3827:e001 1194 udp6
      push "dhcp-option DNS 208.67.222.222"
      push "dhcp-option DNS 208.67.220.220"
      push "route-ipv6 2000::/3"
      push "dhcp-option DNS 2001:4860:4860::8888"
      push "dhcp-option DNS 2001:4860:4860::8844"
      remote-random
      resolv-retry infinite
      nobind
      persist-key
      persist-tun
      ca ca.crt
      cert client.crt
      key client.key
      remote-cert-tls server
      tls-auth ta.key 1
      key-direction 1
      tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
      reneg-sec 60
      tls-version-min 1.2
      auth SHA512
      verb 3
      

      client.conf:

      dev tun
      dev-type tun
      remote 104.131.112.65 1194 udp
      remote 2604:a880:800:10::3827:e001 1194 udp6
      remote-random
      resolv-retry infinite
      nobind
      persist-key
      persist-tun
      ca ca.crt
      cert client.crt
      key client.key
      remote-cert-tls server
      tls-auth ta.key 1
      key-direction 1
      tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
      reneg-sec 60
      tls-version-min 1.2
      auth SHA512
      verb 3
      

      Client connection logs:

      Mon Jul 17 00:19:11 2017 OpenVPN 2.4.3 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Jun 20 2017
      Mon Jul 17 00:19:11 2017 Windows version 6.2 (Windows 8 or greater) 64bit
      Mon Jul 17 00:19:11 2017 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.10
      Enter Management Password:
      Mon Jul 17 00:19:11 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
      Mon Jul 17 00:19:11 2017 Need hold release from management interface, waiting...
      Mon Jul 17 00:19:11 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
      Mon Jul 17 00:19:11 2017 MANAGEMENT: CMD 'state on'
      Mon Jul 17 00:19:11 2017 MANAGEMENT: CMD 'log all on'
      Mon Jul 17 00:19:11 2017 MANAGEMENT: CMD 'echo all on'
      Mon Jul 17 00:19:11 2017 MANAGEMENT: CMD 'hold off'
      Mon Jul 17 00:19:11 2017 MANAGEMENT: CMD 'hold release'
      Mon Jul 17 00:19:11 2017 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
      Mon Jul 17 00:19:11 2017 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
      Mon Jul 17 00:19:11 2017 TCP/UDP: Preserving recently used remote address: [AF_INET6]2604:a880:800:10::3827:e001:1194
      Mon Jul 17 00:19:11 2017 Socket Buffers: R=[65536->65536] S=[65536->65536]
      Mon Jul 17 00:19:11 2017 UDPv6 link local: (not bound)
      Mon Jul 17 00:19:11 2017 UDPv6 link remote: [AF_INET6]2604:a880:800:10::3827:e001:1194
      Mon Jul 17 00:19:11 2017 MANAGEMENT: >STATE:1500265151,WAIT,,,,,,
      Mon Jul 17 00:19:17 2017 MANAGEMENT: >STATE:1500265157,AUTH,,,,,,
      Mon Jul 17 00:19:17 2017 TLS: Initial packet from [AF_INET6]2604:a880:800:10::3827:e001:1194, sid=dd4e4ad1 ddc76950
      Mon Jul 17 00:19:18 2017 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA, name=server, emailAddress=me@myhost.mydomain
      Mon Jul 17 00:19:18 2017 VERIFY KU OK
      Mon Jul 17 00:19:18 2017 Validating certificate extended key usage
      Mon Jul 17 00:19:18 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
      Mon Jul 17 00:19:18 2017 VERIFY EKU OK
      Mon Jul 17 00:19:18 2017 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=server, name=server, emailAddress=me@myhost.mydomain
      Mon Jul 17 00:19:18 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
      Mon Jul 17 00:19:18 2017 [server] Peer Connection Initiated with [AF_INET6]2604:a880:800:10::3827:e001:1194
      Mon Jul 17 00:19:19 2017 MANAGEMENT: >STATE:1500265159,GET_CONFIG,,,,,,
      Mon Jul 17 00:19:19 2017 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
      Mon Jul 17 00:19:19 2017 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,route-ipv6 2000::/3,dhcp-option DNS 2001:4860:4860::8888,dhcp-option DNS 2001:4860:4860::8844,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,tun-ipv6,route-gateway 192.168.226.1,topology subnet,ping 10,ping-restart 120,ifconfig-ipv6 fd00:c0a8:e200::1000/64 fd00:c0a8:e200::1,ifconfig 192.168.226.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
      Mon Jul 17 00:19:19 2017 Options error: dhcp-option parameter DNS '2001:4860:4860::8888' must be an IP address
      Mon Jul 17 00:19:19 2017 Options error: dhcp-option parameter DNS '2001:4860:4860::8844' must be an IP address
      Mon Jul 17 00:19:19 2017 Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
      Mon Jul 17 00:19:19 2017 OPTIONS IMPORT: timers and/or timeouts modified
      Mon Jul 17 00:19:19 2017 OPTIONS IMPORT: --ifconfig/up options modified
      Mon Jul 17 00:19:19 2017 OPTIONS IMPORT: route options modified
      Mon Jul 17 00:19:19 2017 OPTIONS IMPORT: route-related options modified
      Mon Jul 17 00:19:19 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
      Mon Jul 17 00:19:19 2017 OPTIONS IMPORT: peer-id set
      Mon Jul 17 00:19:19 2017 OPTIONS IMPORT: adjusting link_mtu to 1624
      Mon Jul 17 00:19:19 2017 OPTIONS IMPORT: data channel crypto options modified
      Mon Jul 17 00:19:19 2017 Data Channel: using negotiated cipher 'AES-256-GCM'
      Mon Jul 17 00:19:19 2017 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
      Mon Jul 17 00:19:19 2017 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
      Mon Jul 17 00:19:19 2017 interactive service msg_channel=832
      Mon Jul 17 00:19:19 2017 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 I=13 HWADDR=4c:cc:6a:69:34:4d
      Mon Jul 17 00:19:19 2017 GDG6: remote_host_ipv6=2604:a880:800:10::3827:e001
      Mon Jul 17 00:19:19 2017 GetBestInterfaceEx() returned if=3
      Mon Jul 17 00:19:19 2017 GDG6: II=3 DP=::/0 NH=::
      Mon Jul 17 00:19:19 2017 GDG6: Metric=256, Loopback=0, AA=1, I=0
      Mon Jul 17 00:19:19 2017 ROUTE6_GATEWAY :: ON_LINK I=3
      Mon Jul 17 00:19:19 2017 ROUTE6: 2000::/3 overlaps IPv6 remote 2604:a880:800:10::3827:e001, adding host route to VPN endpoint
      Mon Jul 17 00:19:19 2017 open_tun
      Mon Jul 17 00:19:19 2017 TAP-WIN32 device [Ethernet 5] opened: \\.\Global\{7107AB13-951B-45C0-89BC-F42FA942EAE5}.tap
      Mon Jul 17 00:19:19 2017 TAP-Windows Driver Version 9.21 
      Mon Jul 17 00:19:19 2017 Set TAP-Windows TUN subnet mode network/local/netmask = 192.168.226.0/192.168.226.2/255.255.255.0 [SUCCEEDED]
      Mon Jul 17 00:19:19 2017 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.226.2/255.255.255.0 on interface {7107AB13-951B-45C0-89BC-F42FA942EAE5} [DHCP-serv: 192.168.226.254, lease-time: 31536000]
      Mon Jul 17 00:19:19 2017 Successful ARP Flush on interface [6] {7107AB13-951B-45C0-89BC-F42FA942EAE5}
      Mon Jul 17 00:19:19 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=1
      Mon Jul 17 00:19:19 2017 MANAGEMENT: >STATE:1500265159,ASSIGN_IP,,192.168.226.2,,,,,fd00:c0a8:e200::1000
      Mon Jul 17 00:19:19 2017 add_route_ipv6(fd00:c0a8:e200::/64 -> fd00:c0a8:e200::1000 metric 0) dev Ethernet 5
      Mon Jul 17 00:19:19 2017 IPv6 route addition via service succeeded
      Mon Jul 17 00:19:22 2017 write UDPv6: Network is unreachable (WSAENETUNREACH) (code=10051)
      Mon Jul 17 00:19:23 2017 write UDPv6: Network is unreachable (WSAENETUNREACH) (code=10051)
      Mon Jul 17 00:19:24 2017 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
      Mon Jul 17 00:19:24 2017 ROUTE remote_host protocol differs from tunneled
      Mon Jul 17 00:19:24 2017 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 192.168.226.1
      Mon Jul 17 00:19:24 2017 Route addition via service succeeded
      Mon Jul 17 00:19:24 2017 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 192.168.226.1
      Mon Jul 17 00:19:24 2017 Route addition via service succeeded
      Mon Jul 17 00:19:24 2017 add_route_ipv6(2604:a880:800:10::3827:e001/128 -> :: metric 1) dev Ethernet 5
      Mon Jul 17 00:19:24 2017 IPv6 route addition via service succeeded
      Mon Jul 17 00:19:24 2017 add_route_ipv6(2000::/3 -> fd00:c0a8:e200::1 metric -1) dev Ethernet 5
      Mon Jul 17 00:19:24 2017 IPv6 route addition via service succeeded
      Mon Jul 17 00:19:24 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
      Mon Jul 17 00:19:24 2017 Initialization Sequence Completed
      Mon Jul 17 00:19:24 2017 MANAGEMENT: >STATE:1500265164,CONNECTED,SUCCESS,192.168.226.2,2604:a880:800:10::3827:e001,1194,,,fd00:c0a8:e200::1000
      Mon Jul 17 00:19:24 2017 write UDPv6: Network is unreachable (WSAENETUNREACH) (code=10051)
      Mon Jul 17 00:20:18 2017 TLS: soft reset sec=0 bytes=92492/-1 pkts=441/0
      Mon Jul 17 00:21:18 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      Mon Jul 17 00:21:18 2017 TLS Error: TLS handshake failed
      Mon Jul 17 00:21:18 2017 TLS: move_session: dest=TM_LAME_DUCK src=TM_ACTIVE reinit_src=1
      Mon Jul 17 00:21:19 2017 [UNDEF] Inactivity timeout (--ping-restart), restarting
      Mon Jul 17 00:21:19 2017 SIGUSR1[soft,ping-restart] received, process restarting
      Mon Jul 17 00:21:19 2017 MANAGEMENT: >STATE:1500265279,RECONNECTING,ping-restart,,,,,
      Mon Jul 17 00:21:19 2017 Restart pause, 5 second(s)
      Mon Jul 17 00:21:24 2017 TCP/UDP: Preserving recently used remote address: [AF_INET6]2604:a880:800:10::3827:e001:1194
      Mon Jul 17 00:21:24 2017 Socket Buffers: R=[65536->65536] S=[65536->65536]
      Mon Jul 17 00:21:24 2017 UDPv6 link local: (not bound)
      Mon Jul 17 00:21:24 2017 UDPv6 link remote: [AF_INET6]2604:a880:800:10::3827:e001:1194
      Mon Jul 17 00:21:24 2017 MANAGEMENT: >STATE:1500265284,WAIT,,,,,,
      Mon Jul 17 00:22:24 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      Mon Jul 17 00:22:24 2017 TLS Error: TLS handshake failed
      Mon Jul 17 00:22:24 2017 SIGUSR1[soft,tls-error] received, process restarting
      Mon Jul 17 00:22:24 2017 MANAGEMENT: >STATE:1500265344,RECONNECTING,tls-error,,,,,
      Mon Jul 17 00:22:24 2017 Restart pause, 5 second(s)
      Mon Jul 17 00:22:29 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]104.131.112.65:1194
      Mon Jul 17 00:22:29 2017 Socket Buffers: R=[65536->65536] S=[65536->65536]
      Mon Jul 17 00:22:29 2017 UDP link local: (not bound)
      Mon Jul 17 00:22:29 2017 UDP link remote: [AF_INET]104.131.112.65:1194
      Mon Jul 17 00:22:29 2017 MANAGEMENT: >STATE:1500265349,WAIT,,,,,,
      Mon Jul 17 00:22:38 2017 C:\WINDOWS\system32\route.exe DELETE 0.0.0.0 MASK 128.0.0.0 192.168.226.1
      Mon Jul 17 00:22:38 2017 Route deletion via service succeeded
      Mon Jul 17 00:22:38 2017 C:\WINDOWS\system32\route.exe DELETE 128.0.0.0 MASK 128.0.0.0 192.168.226.1
      Mon Jul 17 00:22:38 2017 Route deletion via service succeeded
      Mon Jul 17 00:22:38 2017 delete_route_ipv6(2604:a880:800:10::3827:e001/128)
      Mon Jul 17 00:22:38 2017 IPv6 route deletion via service succeeded
      Mon Jul 17 00:22:38 2017 delete_route_ipv6(2000::/3)
      Mon Jul 17 00:22:38 2017 IPv6 route deletion via service succeeded
      Mon Jul 17 00:22:38 2017 Closing TUN/TAP interface
      Mon Jul 17 00:22:38 2017 TAP: DHCP address released
      Mon Jul 17 00:22:38 2017 SIGTERM[hard,] received, process exiting
      Mon Jul 17 00:22:38 2017 MANAGEMENT: >STATE:1500265358,EXITING,SIGTERM,,,,,
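
A small triage pass over the client log posted above, added here as an illustration and not part of the original thread: it reports which pushed DNS servers the client rejected, which IPv6 routes were pushed, and how many transport and TLS errors were logged. `triage` and `SAMPLE_LOG` are names chosen for this example; the sample lines are copied from the log above.

```python
import ipaddress
import re
# Lines copied from the client log posted above; nothing here is new data.
SAMPLE_LOG = r"""
Mon Jul 17 00:19:19 2017 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,route-ipv6 2000::/3,dhcp-option DNS 2001:4860:4860::8888,dhcp-option DNS 2001:4860:4860::8844,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,tun-ipv6,route-gateway 192.168.226.1,topology subnet,ping 10,ping-restart 120,ifconfig-ipv6 fd00:c0a8:e200::1000/64 fd00:c0a8:e200::1,ifconfig 192.168.226.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Mon Jul 17 00:19:19 2017 Options error: dhcp-option parameter DNS '2001:4860:4860::8888' must be an IP address
Mon Jul 17 00:19:19 2017 Options error: dhcp-option parameter DNS '2001:4860:4860::8844' must be an IP address
Mon Jul 17 00:19:22 2017 write UDPv6: Network is unreachable (WSAENETUNREACH) (code=10051)
Mon Jul 17 00:19:24 2017 Initialization Sequence Completed
Mon Jul 17 00:19:24 2017 write UDPv6: Network is unreachable (WSAENETUNREACH) (code=10051)
Mon Jul 17 00:21:18 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
"""

# "Day Mon DD HH:MM:SS YYYY message", the line format used in the log above.
LINE = re.compile(r"^\w{3} \w{3} +\d+ [\d:]{8} \d{4} (.*)$")

def triage(log_text):
    """Summarise pushed options, rejected options and transport/TLS errors."""
    r = {"dns_accepted": [], "dns_rejected": [], "ipv6_routes": [],
         "write_errors": 0, "write_errors_after_up": 0, "tls_failures": 0}
    pushed_dns, rejected_msgs, up = [], [], False
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # prompts and blank lines carry no timestamp
        msg = m.group(1)
        if "PUSH_REPLY," in msg:
            for opt in msg.split("PUSH_REPLY,", 1)[1].rstrip("'").split(","):
                if opt.startswith("dhcp-option DNS "):
                    pushed_dns.append(opt.split()[-1])
                elif opt.startswith("route-ipv6 "):
                    r["ipv6_routes"].append(opt.split()[1])
        elif msg.startswith("Options error:"):
            rejected_msgs.append(msg)
        elif msg == "Initialization Sequence Completed":
            up = True
        elif msg.startswith("write UDP") and "unreachable" in msg:
            r["write_errors"] += 1
            r["write_errors_after_up"] += int(up)  # errors once the tunnel is up
        elif msg.startswith("TLS Error: TLS key negotiation failed"):
            r["tls_failures"] += 1
    for addr in pushed_dns:
        ipaddress.ip_address(addr)  # raises ValueError on a malformed push
        hit = any(f"'{addr}'" in e for e in rejected_msgs)
        r["dns_rejected" if hit else "dns_accepted"].append(addr)
    return r

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On these lines both IPv6 resolvers land in `dns_rejected`, so the only pushed DNS servers this client accepted are the two IPv4 ones.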
      
      
  • @Yourboy
    Can you also supply your server log? Which version are you using on the server?
    Does the VPN work if you've set up OpenVPN with IPv4-only?
