Sachin Garg
2016-06-26 04:25:17 UTC
Hi all,
I am having a strange problem with my Windows 7 Client machine running
OpenVPN 2.3.8. Earlier, I was running a single OpenVPN server in UDP
mode (port 1194) without issues. However, recently I also added another
server running in TCP mode (port 443).
I am running this OpenVPN server to primarily provide IPv6 to my clients
over VPN. To do this, I have got a /64 that I have partitioned into 2
/112 ranges. The IPv4 and IPv6 subnets are as follows:
UDP: 192.168.25.1/24 and 2001:0db8:dead:beef:beef:dead:2525::/112
TCP: 192.168.75.1/24 and 2001:0db8:dead:beef:beef:dead:2575::/112
(The main difference is that UDP uses 2525 as the last network part, and
TCP uses 2575)
Further, as UDP mode is my primary mode of operation, I have created
static client configuration files for the clients as below:
ifconfig-push 192.168.25.24 255.255.255.0
ifconfig-ipv6-push 2001:0db8:dead:beef:beef:dead:2525:1018/64
2001:0db8:dead:beef:beef:dead:2525:1
For TCP, I have not created any files and the client gets a dynamic
address from the pool starting from <prefix>:d000. So far, so good. This
setup works fine for my GNU/Linux clients.
However, on Windows 7, when testing if the TCP connection works, I got
the address 2001:0db8:dead:beef:beef:dead:2575:d000. Also,
simultaneously, I got the UDP address
(2001:0db8:dead:beef:beef:dead:2525:1018) also, which I *should not*
have gotten! This resulted in routing table issues :(. Anyways, as I do
not need the TCP for this particular host, I let this be and
re-connected over UDP.
However, this time, I continue to get the old address (TCP subnet:
2001:0db8:dead:beef:beef:dead:2575:d000),
along with actual address (UDP) as shown in the IPv6 related output of
"ipconfig /all" below. Both are also flagged as "Preferred"!
=============================================================================================
Ethernet adapter WinTAP:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Windows Adapter V9
Physical Address. . . . . . . . . : 00-FF-55-23-AA-A4
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . .
2001:0db8:dead:beef:beef:dead:2525:1018(Preferred)
IPv6 Address. . . . . . . . . . . :
2001:0db8:dead:beef:beef:dead:2575:d000(Preferred)
Link-local IPv6 Address . . . . . :
fe80::9880:dead:beef:beef%13(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.25.24(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Saturday, June 25, 2016 3:09:57 AM
Lease Expires . . . . . . . . . . : Sunday, June 25, 2017 3:09:59 AM
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 192.168.25.254
DHCPv6 IAID . . . . . . . . . . . : XXXXXXXXXXXXXXXXX
DHCPv6 Client DUID. . . . . . . . : XXXXXXXXXXXXXXXXX
DNS Servers . . . . . . . . . . . : 8.8.8.8
8.8.4.4
NetBIOS over Tcpip. . . . . . . . : Enabled
=============================================================================================
The IPv6 routing tables shows 2 routes both through the same interface:
=============================================================================================
IPv6 Route Table
=============================================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
13 276 2000::/3 fe80::8
13 276 2001:0db8:dead:beef::/64 fe80::8
13 276 2001:0db8:dead:beef:beef:dead:2525:0/112
fe80::8
13 276 2001:0db8:dead:beef:beef:dead:2525:1018/128
On-link
13 276 2001:0db8:dead:beef:beef:dead:2575:0/112
fe80::8
13 276 2001:0db8:dead:beef:beef:dead:2575:d000/112
On-link
11 266 fe80::/64 On-link
13 276 fe80::/64 On-link
15 266 fe80::/64 On-link
15 266 fe80::dead:face:beef:b003/128
On-link
13 276 fe80::beef:dead:beef:face/128
On-link
11 266 fe80::dead:face:beef:b003/128
On-link
1 306 ff00::/8 On-link
11 266 ff00::/8 On-link
13 276 ff00::/8 On-link
15 266 ff00::/8 On-link
=============================================================================================
Persistent Routes:
If Metric Network Destination Gateway
0 4294967295 2000::/3 fe80::8
=============================================================================================
Ideally, Windows should forget the old IPv6 address and only use the
new, current one? What can I do for this? Any specific configuration
needed to make Windows forget its old IPv6 addresses when the connection
no longer exists?
This is how the OpenVPN server is configured.
UDP port 1149 IP config:
------------------------
ifconfig 192.168.25.1 255.255.255.0
ifconfig-pool 192.168.25.150 192.168.25.249 255.255.255.0
ifconfig-ipv6 2001:0db8:dead:beef:beef:dead:2525:1
2001:0db8:dead:beef:beef:dead:2525:2
ifconfig-ipv6-pool 2001:0db8:dead:beef:beef:dead:2525:d000/112
push "route-gateway 192.168.25.1"
push "route-ipv6 2001:0db8:dead:beef:beef:dead:2525::/112"
push "route-ipv6 2000::/3" # tell the client to route
Internet IPv6 traffic through the VPN
TCP port 443 IP config:
-----------------------
ifconfig 192.168.75.1 255.255.255.0
ifconfig-pool 192.168.75.150 192.168.75.249 255.255.255.0
ifconfig-ipv6 2001:0db8:dead:beef:beef:dead:2575:1
2001:0db8:dead:beef:beef:dead:2575:2
ifconfig-ipv6-pool 2001:0db8:dead:beef:beef:dead:2575:d000/112
push "route-gateway 192.168.75.1"
push "route-ipv6 2001:0db8:dead:beef:beef:dead:2575::/112"
push "route-ipv6 2000::/3" # tell the client to route
Internet IPv6 traffic through the VPN
Thanks,
Sachin
I am having a strange problem with my Windows 7 Client machine running
OpenVPN 2.3.8. Earlier, I was running a single OpenVPN server in UDP
mode (port 1194) without issues. However, recently I also added another
server running in TCP mode (port 443).
I am running this OpenVPN server to primarily provide IPv6 to my clients
over VPN. To do this, I have got a /64 that I have partitioned into 2
/112 ranges. The IPv4 and IPv6 subnets are as follows:
UDP: 192.168.25.1/24 and 2001:0db8:dead:beef:beef:dead:2525::/112
TCP: 192.168.75.1/24 and 2001:0db8:dead:beef:beef:dead:2575::/112
(The main difference is that UDP uses 2525 as the last network part, and
TCP uses 2575)
Further, as UDP mode is my primary mode of operation, I have created
static client configuration files for the clients as below:
ifconfig-push 192.168.25.24 255.255.255.0
ifconfig-ipv6-push 2001:0db8:dead:beef:beef:dead:2525:1018/64
2001:0db8:dead:beef:beef:dead:2525:1
For TCP, I have not created any files and the client gets a dynamic
address from the pool starting from <prefix>:d000. So far, so good. This
setup works fine for my GNU/Linux clients.
However, on Windows 7, when testing if the TCP connection works, I got
the address 2001:0db8:dead:beef:beef:dead:2575:d000. Also,
simultaneously, I got the UDP address
(2001:0db8:dead:beef:beef:dead:2525:1018) also, which I *should not*
have gotten! This resulted in routing table issues :(. Anyways, as I do
not need the TCP for this particular host, I let this be and
re-connected over UDP.
However, this time, I continue to get the old address (TCP subnet:
2001:0db8:dead:beef:beef:dead:2575:d000),
along with actual address (UDP) as shown in the IPv6 related output of
"ipconfig /all" below. Both are also flagged as "Preferred"!
=============================================================================================
Ethernet adapter WinTAP:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Windows Adapter V9
Physical Address. . . . . . . . . : 00-FF-55-23-AA-A4
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . .
2001:0db8:dead:beef:beef:dead:2525:1018(Preferred)
IPv6 Address. . . . . . . . . . . :
2001:0db8:dead:beef:beef:dead:2575:d000(Preferred)
Link-local IPv6 Address . . . . . :
fe80::9880:dead:beef:beef%13(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.25.24(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Saturday, June 25, 2016 3:09:57 AM
Lease Expires . . . . . . . . . . : Sunday, June 25, 2017 3:09:59 AM
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 192.168.25.254
DHCPv6 IAID . . . . . . . . . . . : XXXXXXXXXXXXXXXXX
DHCPv6 Client DUID. . . . . . . . : XXXXXXXXXXXXXXXXX
DNS Servers . . . . . . . . . . . : 8.8.8.8
8.8.4.4
NetBIOS over Tcpip. . . . . . . . : Enabled
=============================================================================================
The IPv6 routing tables shows 2 routes both through the same interface:
=============================================================================================
IPv6 Route Table
=============================================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
13 276 2000::/3 fe80::8
13 276 2001:0db8:dead:beef::/64 fe80::8
13 276 2001:0db8:dead:beef:beef:dead:2525:0/112
fe80::8
13 276 2001:0db8:dead:beef:beef:dead:2525:1018/128
On-link
13 276 2001:0db8:dead:beef:beef:dead:2575:0/112
fe80::8
13 276 2001:0db8:dead:beef:beef:dead:2575:d000/112
On-link
11 266 fe80::/64 On-link
13 276 fe80::/64 On-link
15 266 fe80::/64 On-link
15 266 fe80::dead:face:beef:b003/128
On-link
13 276 fe80::beef:dead:beef:face/128
On-link
11 266 fe80::dead:face:beef:b003/128
On-link
1 306 ff00::/8 On-link
11 266 ff00::/8 On-link
13 276 ff00::/8 On-link
15 266 ff00::/8 On-link
=============================================================================================
Persistent Routes:
If Metric Network Destination Gateway
0 4294967295 2000::/3 fe80::8
=============================================================================================
Ideally, Windows should forget the old IPv6 address and only use the
new, current one? What can I do for this? Any specific configuration
needed to make Windows forget its old IPv6 addresses when the connection
no longer exists?
This is how the OpenVPN server is configured.
UDP port 1149 IP config:
------------------------
ifconfig 192.168.25.1 255.255.255.0
ifconfig-pool 192.168.25.150 192.168.25.249 255.255.255.0
ifconfig-ipv6 2001:0db8:dead:beef:beef:dead:2525:1
2001:0db8:dead:beef:beef:dead:2525:2
ifconfig-ipv6-pool 2001:0db8:dead:beef:beef:dead:2525:d000/112
push "route-gateway 192.168.25.1"
push "route-ipv6 2001:0db8:dead:beef:beef:dead:2525::/112"
push "route-ipv6 2000::/3" # tell the client to route
Internet IPv6 traffic through the VPN
TCP port 443 IP config:
-----------------------
ifconfig 192.168.75.1 255.255.255.0
ifconfig-pool 192.168.75.150 192.168.75.249 255.255.255.0
ifconfig-ipv6 2001:0db8:dead:beef:beef:dead:2575:1
2001:0db8:dead:beef:beef:dead:2575:2
ifconfig-ipv6-pool 2001:0db8:dead:beef:beef:dead:2575:d000/112
push "route-gateway 192.168.75.1"
push "route-ipv6 2001:0db8:dead:beef:beef:dead:2575::/112"
push "route-ipv6 2000::/3" # tell the client to route
Internet IPv6 traffic through the VPN
Thanks,
Sachin