Project

General

Profile

Actions

Bug #3033

closed

Static IPv6 route to OpenVPN tunnel ignored

Added by Lakin Lowrey over 11 years ago. Updated over 11 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Start date:
06/08/2013
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.1
Affected Architecture:
amd64

Description

I have an openvpn tunnel to a remote server which works correctly for IPv4 traffic but not for IPv6. When the remote sends IPv6 traffic over the tunnel I can see (via traceroute) that the openvpn packets arrive on the wan interface but I don't see them arrive on the tun interface (ovpnc2).

When I traceroute6 a remote IPv6 address on the pfsense box the packets go out the WAN (not ovpnc2). When I do any IPv6 to the remote from the LAN side I get "No route to host". The static route to the destination is clearly in the route table so I can see no reason why pfsense would route that traffic to 'default' or why it would send back 'no route to host' to LAN devices.

I am quite sure this used to work (~3-4 months ago) and the only change has been to pfsense (updating to latest RC0 snapshot). I've tried 'pfctl -d' but that didn't make any difference.

I'm running:
2.1-RC0 (amd64)
built on Sat Jun 8 09:20:03 EDT 2013
FreeBSD 8.3-RELEASE-p8

The remote server is CentOS release 6.4 running OpenVPN 2.3.2

pfsense client2.conf:

dev ovpnc2
dev-type tun
tun-ipv6
dev-node /dev/tun2
writepid /var/run/openvpn_client2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local XXX.XXX.248.236
lport 0
management /var/etc/openvpn/client2.sock unix
remote titan.XXXX.com 1194
ifconfig 10.0.8.2 10.0.8.1
ifconfig-ipv6 fe80::2 fe80::1
route XXX.XXX.96.186 255.255.255.255
route-ipv6 2607:XXXX:a404::1:0/112
secret /var/etc/openvpn/client2.secret
route XXX.XXX.96.187 255.255.255.255

server conf:

dev ovpnc0
dev-type tun
tun-ipv6

proto udp

ifconfig 10.0.8.1 10.0.8.2
ifconfig-ipv6 fe80::1 fe80::2

secret home.key
cipher AES-128-CBC

keepalive 10 60
ping-timer-rem
persist-tun
persist-key

#route all of home network
route 10.0.0.0 255.255.255.0
route-ipv6 2002:XXXX:f8ec::/64

pfsense routes:

Internet6:
Destination                       Gateway                       Flags      Netif Expire
default                           2002:XXXX:6301::              UGS     wan_stf
::1                               ::1                           UH          lo0
2002::/16                         link#8                        U       wan_stf
2002:XXXX:f8ec::                  link#8                        UHS         lo0 =>
2002:XXXX:f8ec::/64               link#3                        U           re1
2002:XXXX:f8ec::1                 link#3                        UHS         lo0
2607:XXXX:a404::1:0/112           ovpnc2                        US       ovpnc2
2607:XXXX:a404::3:0/112           ovpnc3                        US       ovpnc3
fe80::%re0/64                     link#1                        U           re0
fe80::230:18ff:fea8:da5f%re0      link#1                        UHS         lo0
fe80::%re1/64                     link#3                        U           re1
fe80::1:1%re1                     link#3                        UHS         lo0
fe80::%lo0/64                     link#6                        U           lo0
fe80::1%lo0                       link#6                        UHS         lo0
fe80::2%ovpnc2                    link#9                        UHS         lo0
fe80::230:18ff:fea8:da5f%ovpnc2   link#9                        UHS         lo0
fe80::2%ovpnc3                    link#10                       UHS         lo0
fe80::230:18ff:fea8:da5f%ovpnc3   link#10                       UHS         lo0
ff01::%re0/32                     fe80::230:18ff:fea8:da5f%re0  U           re0
ff01::%re1/32                     fe80::1:1%re1                 U           re1
ff01::%lo0/32                     ::1                           U           lo0
ff01::%ovpnc2/32                  fe80::230:18ff:fea8:da5f%ovpnc2 U        ovpnc2
ff01::%ovpnc3/32                  fe80::230:18ff:fea8:da5f%ovpnc3 U        ovpnc3
ff02::%re0/32                     fe80::230:18ff:fea8:da5f%re0  U           re0
ff02::%re1/32                     fe80::1:1%re1                 U           re1
ff02::%lo0/32                     ::1                           U           lo0
ff02::%ovpnc2/32                  fe80::230:18ff:fea8:da5f%ovpnc2 U        ovpnc2
ff02::%ovpnc3/32                  fe80::230:18ff:fea8:da5f%ovpnc3 U        ovpnc3

Traceroute showing the traffic to 2607:XXXX:a404::1:0 is not going out the tunnel:

[2.1-RC0][root@router.XXXX.com]/var/etc/openvpn(84): traceroute6 -n 2607:XXXX:a404::1:0
traceroute6 to 2607:XXXX:a404::1:0 (2607:XXXX:a404::1:0) from 2002:XXXX:f8ec::, 64 hops max, 12 byte packets
 1  2002:XXXX:6301::  32.798 ms  35.819 ms  38.400 ms
 2  2001:XXXX:fe16:1::1  35.254 ms  32.235 ms  32.371 ms
 3  2001:XXXX:d0:7::2  34.637 ms  35.470 ms  31.939 ms
 4  2001:XXXX:d0:4001::1  37.673 ms  35.178 ms  35.770 ms
 5  2001:XXXX:0:f851::1  37.526 ms  35.963 ms  47.988 ms
...

No route to host when trying to SSH to 2607:XXXX:a404::1:0 from a host on the LAN:

# ssh -6 2607:XXXX:a404::1:0
ssh: connect to host 2607:XXXX:a404::1:0 port 22: No route to host

Actions #1

Updated by Chris Buechler over 11 years ago

  • Status changed from New to Rejected

not a bug, config issue somewhere.

Actions

Also available in: Atom PDF