Dual stack (IPv4/IPv6) enabled on beta.vpn

Advanced feature discussion, beta programs and unsupported "Labs" features.
15 posts Page 1 of 2
by cdkeen » Mon Aug 17, 2020 5:34 pm
We have updated the configuration of our beta.vpn.sonic.net server to now include dual stack functionality. When connecting to this VPN, your client device will now be issued a v4 and v6 address. If you encounter any problems or issues that you believe may be attributed to this update, please let me know by replying to this forum post or sending an email to support@sonic.net. Thanks for choosing Sonic!
cdkeen - Sonic.net System Operations
by cdkeen » Tue Aug 25, 2020 9:49 am
I am planning to implement this additional functionality on our production VPN server in the near future, and if anyone wants to test, this is a reminder that beta.vpn is currently set up and handing out a v4 and v6 IP address to clients! As always, please let me know if you have any issues to report (support can't help with the VPN). Thanks!
cdkeen - Sonic.net System Operations
by forest » Wed Sep 02, 2020 12:47 am
Does this mean VPN clients will have a routable IPv6 address that will accept incoming connections?
by cdkeen » Wed Sep 02, 2020 10:37 am
No, your client will receive an IPv6 address; however, externally other hosts will see your IP as the v6 address of the VPN server, since the configuration is using NAT.
cdkeen - Sonic.net System Operations
by forest » Wed Sep 02, 2020 11:04 am
Sonic VPN clients do get routable IPv4 addresses, though. (Thank goodness.) Can you explain why you chose an inconsistent policy for IPv6?

That routable IPv4 address is important to some of us running home servers, doing development work, hosting online games, or using various VoIP services. IPv6 isn't important to me yet, but I expect it will be eventually. When that day arrives, being unable to accept incoming connections would be a real problem.

On the other hand, I imagine that some customers might not yet be aware of the need for IPv6 restrictions in their firewalls or VPN clients, so suddenly opening a new address space with incoming connections allowed might create a security hazard. Is this why you chose to withhold it for now? Is there a plan to eventually allow incoming, after raising awareness with VPN users and giving them time to update their VPN/firewall settings?
by cdkeen » Wed Sep 02, 2020 11:30 am
The VPN server software does not support that capability at this time. In the future if the software is modified to allow that change we will likely revisit the issue then.
cdkeen - Sonic.net System Operations
by forest » Wed Sep 02, 2020 11:35 am
Thanks, cdkeen, for keeping us informed and for the new functionality.
by kevink00 » Thu Sep 03, 2020 11:05 am
I was hoping to find a post like this here. I found my VPN clients to be failing since 9/1/2020. Here's a more detailed description of my environment and a question:

I use openvpn-2.4.9-1.el7.x86_64 on CentOS Linux release 7.8.2003 running as a VM, serving as a proxy for outbound HTTP traffic. I've intentionally disabled IPv6 on the OS as my LAN is 10/8 only. Just recently I found the following error (addrs obfuscated) in the openvpn logs:

Code:

Sep  1 23:52:52 proxy03 openvpn: /sbin/ip link set dev tun0 up mtu 1500
Sep  1 23:52:52 proxy03 openvpn: /sbin/ip addr add dev tun0 123.23.222.160/25 broadcast 123.23.222.255
Sep  1 23:52:52 proxy03 openvpn: /sbin/ip -6 addr add 2002:2a6:601:f:4000::20/68 dev tun0
Sep  1 23:52:52 proxy03 systemd: Unit openvpn-client@sonic.service entered failed state.
Sep  1 23:52:52 proxy03 openvpn: RTNETLINK answers: Permission denied
Sep  1 23:52:52 proxy03 systemd: openvpn-client@wowsa.service failed.


A quick solution I found was to apply the following to the client config:

Code:

#
# https://askubuntu.com/questions/440302/how-to-disable-ipv6-when-connecting-to-an-openvpn-server-using-network-manager-o/1168366#1168366
#
pull-filter ignore "ifconfig-ipv6 "
pull-filter ignore "route-ipv6 "



My question is whether this is the best method for addressing the issue?

Thank you!
by cdkeen » Thu Sep 03, 2020 12:57 pm
Of all the solutions listed here https://askubuntu.com/questions/440302/ ... 66#1168366 I think that is an excellent solution.
cdkeen - Sonic.net System Operations
by wkeller » Thu Sep 03, 2020 4:21 pm
Sadly, this solution isn't working for me (OpenVPN 2.3.4 on DD-WRT), and I am no longer able to connect to the Sonic VPN with a configuration that was working:

Code:

pull-filter ignore "ifconfig-ipv6 "
pull-filter ignore "route-ipv6 "


After adding these to my config I get the following when running openvpn from the command line:

Code:

Options error: Unrecognized option or missing parameter(s) in /tmp/openvpncl/openvpn.conf:1: pull-filter (2.3.4)
Use --help for more information.


With or without those lines in my config, my logs always end with:

Code:

Thu Sep  3 22:33:11 2020 us=132313 /sbin/ifconfig tun1 add 2001:5a8:601:c:4000::39af/68
ifconfig: socket: Address family not supported by protocol
Thu Sep  3 22:33:11 2020 us=141813 Linux ifconfig inet6 failed: external program exited with error status: 1
Thu Sep  3 22:33:11 2020 us=141885 Exiting due to fatal error


:cry:
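
An added example, not part of any post above and not Sonic's or OpenVPN's code: it triages the two failures reported in this thread by mapping each error line to its likely cause and checking the client version in the options error against OpenVPN 2.4, the release that introduced `pull-filter`. The function names and cause labels are hypothetical, and the error-to-cause mapping is a heuristic that assumes the error follows an IPv6 address assignment attempt.

```python
import re

# Commands OpenVPN runs to assign the pushed IPv6 address (both forms appear above).
V6_ASSIGN = re.compile(r"(?:ip -6 addr add|ifconfig \S+ add) ([0-9a-fA-F:]+/\d+)")
# Error text -> likely cause (heuristic). Only counted after an IPv6 assignment attempt.
V6_ERRORS = {
    "RTNETLINK answers: Permission denied": "ipv6-disabled-by-sysctl",
    "Address family not supported by protocol": "kernel-lacks-ipv6",
}
OPTION_ERROR = re.compile(r"Unrecognized option.*: pull-filter \((\d+(?:\.\d+)+)\)")


def supports_pull_filter(version):
    """pull-filter was added in OpenVPN 2.4; older clients reject the directive."""
    major, minor = (int(part) for part in version.split(".")[:2])
    return (major, minor) >= (2, 4)


def diagnose(lines):
    """Return (pushed IPv6 address or None, sorted list of causes) for a client log."""
    pushed, causes = None, set()
    for line in lines:
        match = V6_ASSIGN.search(line)
        if match:
            pushed = match.group(1)
        for text, cause in V6_ERRORS.items():
            if pushed and text in line:
                causes.add(cause)
        match = OPTION_ERROR.search(line)
        if match and not supports_pull_filter(match.group(1)):
            causes.add("pull-filter-unsupported")
    return pushed, sorted(causes)


# Sample input: log lines copied from the two posts above.
CENTOS_LOG = [
    "Sep  1 23:52:52 proxy03 openvpn: /sbin/ip -6 addr add 2002:2a6:601:f:4000::20/68 dev tun0",
    "Sep  1 23:52:52 proxy03 openvpn: RTNETLINK answers: Permission denied",
]
DDWRT_LOG = [
    "Options error: Unrecognized option or missing parameter(s) in /tmp/openvpncl/openvpn.conf:1: pull-filter (2.3.4)",
    "Thu Sep  3 22:33:11 2020 us=132313 /sbin/ifconfig tun1 add 2001:5a8:601:c:4000::39af/68",
    "ifconfig: socket: Address family not supported by protocol",
]

if __name__ == "__main__":
    for name, log in (("CentOS", CENTOS_LOG), ("DD-WRT", DDWRT_LOG)):
        print(name, diagnose(log))
```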