Page MenuHomeVyOS Platform

OpenVPN IPv6 fixes
Closed, ResolvedPublicBUG

Description

With some help from @c-po my IPv6 OpenVPN setup got closer to working after some template tweaks. After working on it a bit more it the nopool option isn't compatible when IPv6 is in operation. Along with that the ifconfig-pool statement that is generated for IPv4 should be left out.

My config is:
set interfaces openvpn vtun0 encryption cipher 'aes256'
set interfaces openvpn vtun0 hash 'sha512'
set interfaces openvpn vtun0 mode 'server'
set interfaces openvpn vtun0 server domain-name 'example.com'
set interfaces openvpn vtun0 server name-server '172.16.252.1'
set interfaces openvpn vtun0 server name-server 'fda8:c8dd:ab6a:570e::1'
set interfaces openvpn vtun0 server subnet '172.16.252.0/24'
set interfaces openvpn vtun0 server subnet 'fda8:c8dd:ab6a:570e::/64'
set interfaces openvpn vtun0 tls ca-cert-file '/config/auth/ca.crt'
set interfaces openvpn vtun0 tls cert-file '/config/auth/vpn.crt'
set interfaces openvpn vtun0 tls dh-file '/config/auth/dh.pem'
set interfaces openvpn vtun0 tls key-file '/config/auth/vpn.key'

When I edit the generated config to remove nopool on server line and the ifconfig-pool statement the daemon starts and I have an OpenVPN setup that will pass IPv4 and IPv6 traffic.

Details

Version
-
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Unspecified (please specify)

Event Timeline

@shaferstockton can you please post your entire generated openvpn.conf file?

Uploaded the config as generated.

Also recorded log messages and changes I made to the generated config so openvpn would start.

First start I got:

openvpn-vtun0[3276]: Options error: --server-ipv6 is incompatible with 'nopool' option

Removed nopool from server line from generated config.

After that I got:

openvpn-vtun0[3324]: Options error: --server already defines an ifconfig-pool, so you can't also specify --ifconfig-pool explicitly

Removed ifconfig-pool line from generated config.

Can you try any 1.3 rolling version before 2020-10-30 commit c8b7e5c ?

That commit marks the point where a lot of the code I wrote for handling IP pools was - without good reason - removed. I'm personally still running on 1.3-rolling-202008301049 and I can guarantee everything regarding openvpn, including IPv6, works in that version.

If you don't have old isos that you can try, you'll have to wait until the things that were removed and broken with that date, get readded and fixed. Unfortunately, while I had the time to contribute the original code, I don't have the time any more to fix the current mess, as it's not even my fault it got into this state.

syncer triaged this task as Normal priority.Oct 17 2021, 3:17 PM
syncer changed the subtype of this task from "Task" to "Bug".
syncer removed a project: VyOS 1.3 Equuleus.

I created a PR to solve this specific issue (and some more related to this): https://github.com/vyos/vyos-1x/pull/1637

Viacheslav changed the task status from Open to Needs testing.Sep 23 2023, 1:55 PM
Viacheslav assigned this task to ordex.
c-po set Issue type to Unspecified (please specify).