From: Gert D. <ge...@gr...> - 2017-06-18 09:38:45
Hi,

On Sun, Jun 18, 2017 at 10:56:19AM +0200, Harald Dunkel wrote:
> I would like to run a single openvpn service in a dual-stack setup on
> OpenBSD 6.1.
>
> According to the man page there is a "multihome" support, but it doesn't
> work in this case. The logfile on the client shows

More interesting than the client log would be the server log...

> Sat Jun 17 15:13:44 2017 TCP/UDP: Incoming packet rejected from [AF_INET6]::ffff:5.145.xx.yy:1194[10], expected peer address: [AF_INET6]2001:db80:13b0:ffff::60:1195 (allow this incoming source address/port by removing --remote or adding --float)

This basically means "the server is talking to you from its IPv4 address".

> Is there hope?

Maybe, maybe not. I'm afraid the answer is "no", because your problem
is likely not --multihome but "dual-stack".

OpenVPN's dual-stack handling on the server side today is "open a v6 socket
and make this a dual-stack socket", which some operating systems just do
not support - well, which *OpenBSD* does not support. So to get dual-stack
there, we need to open two listening sockets, which we can't do today.

One possible workaround might be to use pf(4) on the server to set up a
v6/v4 rdr NAT rule and have the firewall provide the "dual-stacking", but
I'm not sure it actually works - never tried.

But let's see the server logs first.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany ge...@gr...
fax: +49-89-35655025 ge...@ne...
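
The two listener strategies named in the message (one v6 socket made dual-stack, versus two per-family listening sockets), as an added C example that is not part of the original message and is not OpenVPN's code. `bind_udp`, `open_listeners` and `try_dual` are hypothetical names, and it is an assumption that a platform without dual-stack sockets reports that as an error from `setsockopt` or `bind`.

```c
/* Added example (not OpenVPN source): dual-stack UDP listener with fallback. */
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a wildcard UDP socket; v6only only matters for AF_INET6. fd or -1. */
static int bind_udp(int family, unsigned short port, int v6only)
{
    /* Unset address fields stay zero, i.e. the wildcard (:: or 0.0.0.0). */
    struct sockaddr_in6 a6 = { .sin6_family = AF_INET6, .sin6_port = htons(port) };
    struct sockaddr_in a4 = { .sin_family = AF_INET, .sin_port = htons(port) };
    int ok, fd = socket(family, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    if (family == AF_INET6)
        /* Assumption: a stack without dual-stack sockets fails v6only=0 here. */
        ok = setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &v6only, sizeof(v6only)) == 0
             && bind(fd, (struct sockaddr *)&a6, sizeof(a6)) == 0;
    else
        ok = bind(fd, (struct sockaddr *)&a4, sizeof(a4)) == 0;
    if (!ok) { close(fd); return -1; }
    return fd;
}

/* Open listeners on port; try_dual=0 forces the two-socket path.
 * Fills fds[] (unused slots are -1) and returns the socket count, 0..2. */
int open_listeners(unsigned short port, int try_dual, int fds[2])
{
    int n = 0, fd;
    fds[0] = fds[1] = -1;
    if (try_dual && (fd = bind_udp(AF_INET6, port, 0)) >= 0) {
        fds[0] = fd;
        return 1;                  /* one socket serves v4 and v6 peers */
    }
    if ((fd = bind_udp(AF_INET6, port, 1)) >= 0) fds[n++] = fd;
    if ((fd = bind_udp(AF_INET, port, 0)) >= 0) fds[n++] = fd;
    return n;                      /* one socket per address family */
}

int main(void)
{
    int fds[2];
    printf("sockets opened: %d\n", open_listeners(0, 1, fds));
    return 0;
}
```

With two per-family sockets, a server that replies on the socket a packet arrived on keeps the reply in the client's address family, so the reply's source family matches the address the client connected to.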