Ubuntu & OpenVPN - ipv4 preferred over ipv6

Discussion in 'Services - Questions & Answers (Q&A)' started by atreyu, Jun 3, 2017.

  1. atreyu

    atreyu New Member

    I have recently signed up for PP and used the great howto guide on getting OpenVPN working with PP; however, I've come across an unusual problem. After I establish the OpenVPN tunnel, my system appears to prefer IPv4 over IPv6.

    Before establishing tunnel:

    root@gmork:/# host google.com
    google.com has address 216.58.209.142
    google.com has IPv6 address 2a00:1450:400f:804::200e

    root@gmork:/# ping -c 2 google.com
    PING google.com(arn09s05-in-x0e.1e100.net (2a00:1450:400f:804::200e)) 56 data bytes
    64 bytes from arn09s05-in-x0e.1e100.net (2a00:1450:400f:804::200e): icmp_seq=1 ttl=54 time=20.7 ms
    64 bytes from arn09s05-in-x0e.1e100.net (2a00:1450:400f:804::200e): icmp_seq=2 ttl=54 time=19.3 ms

    --- google.com ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1001ms
    rtt min/avg/max/mdev = 19.309/20.020/20.732/0.725 ms


    After establishing tunnel:

    root@gmork:~# host google.com
    google.com has address 216.58.209.142
    google.com has IPv6 address 2a00:1450:400f:804::200e

    root@gmork:~# ping -c 2 google.com
    PING google.com (216.58.209.142) 56(84) bytes of data.
    64 bytes from arn09s05-in-f14.1e100.net (216.58.209.142): icmp_seq=1 ttl=53 time=62.6 ms
    64 bytes from arn09s05-in-f14.1e100.net (216.58.209.142): icmp_seq=2 ttl=53 time=62.8 ms

    --- google.com ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1002ms
    rtt min/avg/max/mdev = 62.688/62.775/62.863/0.265 ms


    The thing is - IPv6 is working and being tunneled. If I specify the IPv6 address manually, I can ping it.

    root@gmork:~# ping -c 2 2a00:1450:400f:804::200e
    PING 2a00:1450:400f:804::200e(2a00:1450:400f:804::200e) 56 data bytes
    64 bytes from 2a00:1450:400f:804::200e: icmp_seq=1 ttl=53 time=63.1 ms
    64 bytes from 2a00:1450:400f:804::200e: icmp_seq=2 ttl=53 time=63.4 ms

    --- 2a00:1450:400f:804::200e ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1002ms
    rtt min/avg/max/mdev = 63.134/63.305/63.477/0.304 ms


    I have also verified that IPv6 tunnelling is working using mtr and traceroute.

    According to the IPv6 RFC, IPv6 should be the preferred protocol when using dual-stack. It's not only ping which is preferring IPv4 - wget is also only using IPv4, as is the ssh client. What is causing my Linux machine to prefer legacy IP after OpenVPN establishes the tunnel?

    Ubuntu 16.10 64 bit edition
    Linux gmork 4.8.0-22-generic #24-Ubuntu SMP Sat Oct 8 09:15:00 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
    OpenVPN 2.3.11 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2016
    library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
     
  2. MixMaster

    MixMaster New Member

    As far as I know, Linux prefers global IPv6 addresses over v4 but gives local addresses (like the one assigned by the VPN server) a lower precedence.
    I'm not quite clear on the details but "ip addrlabel" might be able to change the preference. I didn't get it to do that in my tests, though.

    Something like "ip addrlabel add prefix fc00::/7 label 1" might do the trick.
    See https://tools.ietf.org/html/rfc6724
     
  3. atreyu

    atreyu New Member

    Thanks for the hint. Sadly it did not give me the results I was hoping for...

    root@gmork:~# ip addrlabel
    prefix ::1/128 label 0
    prefix ::/96 label 3
    prefix ::ffff:0.0.0.0/96 label 4
    prefix 2001::/32 label 6
    prefix 2001:10::/28 label 7
    prefix 3ffe::/16 label 12
    prefix 2002::/16 label 2
    prefix fec0::/10 label 11
    prefix fc00::/7 label 5


    Had to remove it to re-add it. It's now:

    root@gmork:~# ip addrlabel
    prefix ::1/128 label 0
    prefix ::/96 label 3
    prefix ::ffff:0.0.0.0/96 label 4
    prefix 2001::/32 label 6
    prefix 2001:10::/28 label 7
    prefix 3ffe::/16 label 12
    prefix 2002::/16 label 2
    prefix fec0::/10 label 11
    prefix fc00::/7 label 1
    prefix ::/0 label 1


    Still, when I "ping google.com" it goes IPv4. Also, this shows wget only operating on v4.

    root@gmork:~# wget -q -O - http://icanhazip.com
    178.255.148.169


    This should have returned a v6 address. Good try though!
     
  4. anajames

    anajames Member

    Is not IPsec a more secure protocol than IPv6?
     
  5. atreyu

    atreyu New Member

    IPSec is an encryption layer on top of IPv6 (or IPv4); it's not a replacement for IPv6. You cannot have IPSec without IP. IPSec is not part of the encryption method used by the OpenVPN client - it uses SSL/TLS. An SSL VPN is not compatible with IPSec/L2TP or PPTP.