Hi all,
I run OpenVPN for my virtual private networking as it's a workhorse I've
gotten to know well over the years and is also one of the few that
supports layer 2 networking (that is, forwarding Ethernet frames over
the VPN).
I also use it in L3 mode with Android clients for forwarding VoIP traffic.
OpenVPN circa release 2.3 introduced `proto udp6`, which is supposed to
bind to the port dual-stack. I notice when I do this though,
connections via IPv4 get refused.
Relevant software versions:
> vk4msl-gap# openvpn --version
> OpenVPN 2.6.12 x86_64-unknown-openbsd7.6 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD]
> library versions: LibreSSL 4.0.0, LZO 2.10
> Originally developed by James Yonan
> Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
> Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_dco=no enable_debug=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_gtk_doc=no enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_pam_dlopen=no enable_pedantic=no enable_pkcs11=no enable_plugin_auth_pam=no enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_wolfssl_options_h=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=no with_mem_check=no with_openssl_engine=no with_sysroot=no
> vk4msl-gap# uname -a
> OpenBSD vk4msl-gap.dmz.longlandclan.id.au 7.6 GENERIC.MP#1 amd64
I've kludged around this in L2 configurations by running two OpenVPN
daemons on different `tap` interfaces and bridging them (along with the
Ethernet they connect to), but I cannot do this with a `tun` device, and
it's a really icky way to work around an issue that shouldn't exist in
2025 anyway. One daemon can do both on Linux simultaneously; it should
likewise be able to do both on OpenBSD.
When I use `proto udp6` I see the following in `netstat`:
> vk4msl-gap# netstat -nl | grep 1194
> udp6 0 0 *.1194 *.*
In this situation from OpenVPN on my Android 10 phone, I see connection
refusals on IPv4 (and strangely, "network is unreachable" on IPv6… I'll
blame Telstra's 4G network for that).
Obviously, `proto udp4` does what it says on the tin. `proto udp` seems
to behave as an alias for `proto udp4`. `proto udp6` is supposed to
listen dual-stack, making it possible to connect via either; however, on
OpenBSD, it seems to be IPv6-exclusive.
How do I get it to bind to both IPv4 and IPv6?
--
Stuart Longland (aka Redhatter, VK4MSL)
I haven't lost my mind...
...it's backed up on a tape somewhere.
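
Whether a wildcard `AF_INET6` UDP socket also receives IPv4 traffic is governed by the kernel's `IPV6_V6ONLY` socket option, so the `udp6` behaviour described above can be checked independently of OpenVPN. The probe below is an added example, not part of the original post and not OpenVPN code; the function name `probe_dual_stack` and the loopback test are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/time.h>

/* Returns 1 if an IPv4 datagram reaches a wildcard AF_INET6 UDP socket
 * (dual-stack works), 0 if the socket behaves as IPv6-only, and -1 if
 * the probe could not be set up (for example, no IPv6 support). */
int probe_dual_stack(void)
{
    struct sockaddr_in6 a6;
    struct sockaddr_in a4;
    struct timeval tv = { 1, 0 };      /* wait at most 1 s for the datagram */
    socklen_t len = sizeof(a6);
    int off = 0, got = -1;
    char buf[8];
    int s6 = socket(AF_INET6, SOCK_DGRAM, 0);
    int s4 = socket(AF_INET, SOCK_DGRAM, 0);

    if (s6 < 0 || s4 < 0)
        goto out;
    /* Request dual-stack. The return value is not trusted: a kernel may
     * reject or ignore the request, so delivery is tested directly. */
    (void)setsockopt(s6, IPPROTO_IPV6, IPV6_V6ONLY, &off, sizeof(off));
    (void)setsockopt(s6, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));
    memset(&a6, 0, sizeof(a6));        /* all-zero address is in6addr_any */
    a6.sin6_family = AF_INET6;         /* port 0: the kernel picks one */
    if (bind(s6, (struct sockaddr *)&a6, sizeof(a6)) < 0 ||
        getsockname(s6, (struct sockaddr *)&a6, &len) < 0)
        goto out;
    memset(&a4, 0, sizeof(a4));
    a4.sin_family = AF_INET;
    a4.sin_port = a6.sin6_port;        /* same port, reached over IPv4 */
    a4.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    (void)sendto(s4, "ping", 4, 0, (struct sockaddr *)&a4, sizeof(a4));
    got = recv(s6, buf, sizeof(buf), 0) == 4;
out:
    if (s6 >= 0) close(s6);
    if (s4 >= 0) close(s4);
    return got;
}

int main(void)
{
    int r = probe_dual_stack();
    puts(r == 1 ? "dual-stack: IPv4 reaches the AF_INET6 socket" :
         r == 0 ? "IPv6-only: IPv4 needs its own AF_INET socket" :
                  "probe could not be set up");
    return r < 0;
}
```

On a host where the probe returns 0, a single `AF_INET6` listener cannot serve IPv4 clients whatever the application requests, which matches the `udp6`-only line in the `netstat` output above.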