
OpenVPN IPv6 server: Unable to establish connection without local-host parameter
Closed, Resolved · Public · BUG

Description

When connecting to the server's IPv6 address without setting the local-host option, the connection is not established.

Server configuration:

set interfaces openvpn vtun20 encryption cipher 'aes256'
set interfaces openvpn vtun20 hash 'sha512'
set interfaces openvpn vtun20 mode 'server'
set interfaces openvpn vtun20 persistent-tunnel
set interfaces openvpn vtun20 server subnet '2001:db8:abcd:10::/64'
set interfaces openvpn vtun20 server subnet '10.10.2.0/24'
set interfaces openvpn vtun20 server topology 'subnet'
set interfaces openvpn vtun20 tls ca-certificate 'root-ca'
set interfaces openvpn vtun20 tls certificate 'server1'
set interfaces openvpn vtun20 tls dh-params 'dh-1

Client Configuration:

set interfaces openvpn vtun10 encryption cipher 'aes256'
set interfaces openvpn vtun10 hash 'sha512'
set interfaces openvpn vtun10 mode 'client'
set interfaces openvpn vtun10 remote-host '2001:db8::1'
set interfaces openvpn vtun10 remote-port '1194'
set interfaces openvpn vtun10 tls ca-certificate 'root-ca'
set interfaces openvpn vtun10 tls certificate 'cbranch1'

After adding the option "proto udp6", the connection establishes:

set interfaces openvpn vtun20 openvpn-option 'proto udp6'

Listening port with 'proto udp6'

udp     UNCONN   0        0                                                   *:1194                                                     *:*

and without the 'proto udp6' option:

udp     UNCONN   0        0                                             0.0.0.0:1194                                               0.0.0.0:*

When local-host is set to the IPv6 address:

udp     UNCONN   0        0                                       [2001:db8::1]:1194                                                  [::]:*

The OpenVPN server logs show that it was unable to determine the protocol:

Mar 21 09:17:20 openvpn-vtun20[97459]: net_addr_v6_add: 2001:db8:abcd:10::1/64 dev vtun20
Mar 21 09:17:20 openvpn-vtun20[97459]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Mar 21 09:17:20 openvpn-vtun20[97459]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Mar 21 09:17:20 openvpn-vtun20[97459]: UDPv4 link local (bound): [AF_INET][undef]:1194
Mar 21 09:17:20 openvpn-vtun20[97459]: UDPv4 link remote: [AF_UNSPEC]
Mar 21 09:17:20 openvpn-vtun20[97459]: MULTI: multi_init called, r=256 v=256
Mar 21 09:17:20 openvpn-vtun20[97459]: IFCONFIG POOL IPv6: base=2001:db8:abcd:10::1000 size=65536 netbits=64
Mar 21 09:17:20 openvpn-vtun20[97459]: Initialization Sequence Completed
Mar 21 09:21:02 openvpn-vtun20[97459]: read UDPv4 [CMSG=8|ECONNREFUSED|CMSG=8|ECONNREFUSED]: Connection refused (fd=7,code=111)
Mar 21 09:21:06 openvpn-vtun20[97459]: read UDPv4 [CMSG=8|ECONNREFUSED|CMSG=8|ECONNREFUSED]: Connection refused (fd=7,code=111)
Mar 21 09:21:14 openvpn-vtun20[97459]: read UDPv4 [CMSG=8|ECONNREFUSED|CMSG=8|ECONNREFUSED]: Connection refused (fd=7,code=111)
Mar 21 09:21:30 openvpn-vtun20[97459]: read UDPv4 [CMSG=8|ECONNREFUSED|CMSG=8|ECONNREFUSED]: Connection refused (fd=7,code=111)

On client side:

Mar 21 09:17:20 openvpn-vtun20[97459]: net_addr_v6_add: 2001:db8:abcd:10::1/64 dev vtun20
Mar 21 09:17:20 openvpn-vtun20[97459]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Mar 21 09:17:20 openvpn-vtun20[97459]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Mar 21 09:17:20 openvpn-vtun20[97459]: UDPv4 link local (bound): [AF_INET][undef]:1194
Mar 21 09:17:20 openvpn-vtun20[97459]: UDPv4 link remote: [AF_UNSPEC]
Mar 21 09:17:20 openvpn-vtun20[97459]: MULTI: multi_init called, r=256 v=256
Mar 21 09:17:20 openvpn-vtun20[97459]: IFCONFIG POOL IPv6: base=2001:db8:abcd:10::1000 size=65536 netbits=64
Mar 21 09:17:20 openvpn-vtun20[97459]: Initialization Sequence Completed
Mar 21 09:21:02 openvpn-vtun20[97459]: read UDPv4 [CMSG=8|ECONNREFUSED|CMSG=8|ECONNREFUSED]: Connection refused (fd=7,code=111)
Mar 21 09:21:06 openvpn-vtun20[97459]: read UDPv4 [CMSG=8|ECONNREFUSED|CMSG=8|ECONNREFUSED]: Connection refused (fd=7,code=111)

Working logs from the server side:

Mar 21 10:23:38 openvpn-vtun20[99360]: TUN/TAP device vtun20 opened
Mar 21 10:23:38 openvpn-vtun20[99360]: net_iface_mtu_set: mtu 1500 for vtun20
Mar 21 10:23:38 openvpn-vtun20[99360]: net_iface_up: set vtun20 up
Mar 21 10:23:38 openvpn-vtun20[99360]: net_addr_v6_add: 2001:db8:abcd:10::1/64 dev vtun20
Mar 21 10:23:38 openvpn-vtun20[99360]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Mar 21 10:23:38 openvpn-vtun20[99360]: setsockopt(IPV6_V6ONLY=0)
Mar 21 10:23:38 openvpn-vtun20[99360]: UDPv6 link local (bound): [AF_INET6][undef]:1194
Mar 21 10:23:38 openvpn-vtun20[99360]: UDPv6 link remote: [AF_UNSPEC]
Mar 21 10:23:38 openvpn-vtun20[99360]: MULTI: multi_init called, r=256 v=256
Mar 21 10:23:38 openvpn-vtun20[99360]: IFCONFIG POOL IPv6: base=2001:db8:abcd:10::1000 size=65536 netbits=64
Mar 21 10:23:38 openvpn-vtun20[99360]: Initialization Sequence Completed

Details

Version
1.5-rolling-202403210836
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Unspecified (please specify)

Event Timeline

Upstream issue/bug

the conclusion is that this message is printed when no IPv4/v6 preference is given in the config (i.e. proto udp/tcp is used) and OpenVPN is running as a server. In this case OpenVPN falls back on what the OS prefers (based on getaddrinfo() result) - in my case AF_INET - and the message is printed to show the decision.
When using udp4/udp6 (or tcp4/tcp6) no message is printed because the socket family to use has been provided by the user.

https://community.openvpn.net/openvpn/ticket/805
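
An added example (not part of the ticket, VyOS or OpenVPN): a Python triage over log lines quoted in this ticket that reports which address family each OpenVPN process bound to and flags processes left IPv4-only by the OS-default fallback described above. The function names are hypothetical, and only the UDP message formats shown on this page are parsed.

```python
import re
from collections import defaultdict

# Log lines copied from the ticket: failing start (pid 97459), working start (pid 99360).
SAMPLE = """\
Mar 21 09:17:20 openvpn-vtun20[97459]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Mar 21 09:17:20 openvpn-vtun20[97459]: UDPv4 link local (bound): [AF_INET][undef]:1194
Mar 21 09:21:02 openvpn-vtun20[97459]: read UDPv4 [CMSG=8|ECONNREFUSED|CMSG=8|ECONNREFUSED]: Connection refused (fd=7,code=111)
Mar 21 09:21:06 openvpn-vtun20[97459]: read UDPv4 [CMSG=8|ECONNREFUSED|CMSG=8|ECONNREFUSED]: Connection refused (fd=7,code=111)
Mar 21 10:23:38 openvpn-vtun20[99360]: setsockopt(IPV6_V6ONLY=0)
Mar 21 10:23:38 openvpn-vtun20[99360]: UDPv6 link local (bound): [AF_INET6][undef]:1194
"""

# syslog prefix as it appears in the ticket: "<Mon> <day> <time> openvpn-<ifname>[<pid>]: <msg>"
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]+ openvpn-(?P<ifname>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# "UDPv4 link local (bound): [AF_INET][undef]:1194" -> family, address, port
BOUND = re.compile(r"^UDPv[46] link local \(bound\): \[(AF_INET6?)\]\[([^\]]*)\]:(\d+)")


def listener_report(log_text):
    """Return {(ifname, pid): state} describing how each process bound its socket."""
    procs = defaultdict(lambda: {"family": None, "addr": None, "port": None,
                                 "os_default": False, "dual_stack": False, "refused": 0})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an openvpn-<ifname> syslog line
        state = procs[(m["ifname"], int(m["pid"]))]
        msg = m["msg"]
        if msg.startswith("Could not determine IPv4/IPv6 protocol"):
            state["os_default"] = True      # family chosen by the OS, not by config
        elif msg == "setsockopt(IPV6_V6ONLY=0)":
            state["dual_stack"] = True      # AF_INET6 socket that also accepts IPv4
        elif "ECONNREFUSED" in msg:
            state["refused"] += 1
        elif (b := BOUND.match(msg)):
            state["family"], state["addr"], state["port"] = b[1], b[2], int(b[3])
    return dict(procs)


def ipv4_only_by_default(report):
    """Processes bound to AF_INET only because no address family was configured."""
    return sorted(k for k, s in report.items()
                  if s["os_default"] and s["family"] == "AF_INET")


if __name__ == "__main__":
    for (ifname, pid), s in listener_report(SAMPLE).items():
        print(ifname, pid, s)
    print("IPv4-only by OS default:", ipv4_only_by_default(listener_report(SAMPLE)))
```
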
