Answered: Ubuntu & OpenVPN - ipv4 preferred over ipv6

atreyu

New Member
I have recently signed up for PP and used the great howto guide on getting OpenVPN working with PP; however, I've come across an unusual problem. After I establish the OpenVPN tunnel, my system appears to prefer IPv4 over IPv6.

Before establishing tunnel:

root@gmork:/# host google.com
google.com has address 216.58.209.142
google.com has IPv6 address 2a00:1450:400f:804::200e

root@gmork:/# ping -c 2 google.com
PING google.com(arn09s05-in-x0e.1e100.net (2a00:1450:400f:804::200e)) 56 data bytes
64 bytes from arn09s05-in-x0e.1e100.net (2a00:1450:400f:804::200e): icmp_seq=1 ttl=54 time=20.7 ms
64 bytes from arn09s05-in-x0e.1e100.net (2a00:1450:400f:804::200e): icmp_seq=2 ttl=54 time=19.3 ms

--- google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 19.309/20.020/20.732/0.725 ms


After establishing tunnel:

root@gmork:~# host google.com
google.com has address 216.58.209.142
google.com has IPv6 address 2a00:1450:400f:804::200e

root@gmork:~# ping -c 2 google.com
PING google.com (216.58.209.142) 56(84) bytes of data.
64 bytes from arn09s05-in-f14.1e100.net (216.58.209.142): icmp_seq=1 ttl=53 time=62.6 ms
64 bytes from arn09s05-in-f14.1e100.net (216.58.209.142): icmp_seq=2 ttl=53 time=62.8 ms

--- google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 62.688/62.775/62.863/0.265 ms


The thing is - IPv6 is working and being tunneled. If I specify the IPv6 address manually, I can ping it.

root@gmork:~# ping -c 2 2a00:1450:400f:804::200e
PING 2a00:1450:400f:804::200e(2a00:1450:400f:804::200e) 56 data bytes
64 bytes from 2a00:1450:400f:804::200e: icmp_seq=1 ttl=53 time=63.1 ms
64 bytes from 2a00:1450:400f:804::200e: icmp_seq=2 ttl=53 time=63.4 ms

--- 2a00:1450:400f:804::200e ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 63.134/63.305/63.477/0.304 ms


I have also verified that IPv6 tunnelling is working using mtr and traceroute.

According to the IPv6 RFC, IPv6 should be the preferred protocol when using dual-stack. It's not only ping which is preferring IPv4 - wget is also only using IPv4, as is the ssh client. What is causing my Linux machine to prefer legacy IP after OpenVPN establishes the tunnel?

Ubuntu 16.10 64 bit edition
Linux gmork 4.8.0-22-generic #24-Ubuntu SMP Sat Oct 8 09:15:00 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
OpenVPN 2.3.11 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2016
library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
 
Solution
As far as I know, Linux prefers global IPv6 addresses over v4 but gives local addresses (like the one assigned by the VPN server) a lower precedence.
I'm not quite clear on the details but "ip addrlabel" might be able to change the preference. I didn't get it to do that in my tests, though.

Something like "ip addrlabel add prefix fc00::/7 label 1" might do the trick.
See https://tools.ietf.org/html/rfc6724
 
Thanks for the hint. Sadly it did not give me the results I was hoping for...

root@gmork:~# ip addrlabel
prefix ::1/128 label 0
prefix ::/96 label 3
prefix ::ffff:0.0.0.0/96 label 4
prefix 2001::/32 label 6
prefix 2001:10::/28 label 7
prefix 3ffe::/16 label 12
prefix 2002::/16 label 2
prefix fec0::/10 label 11
prefix fc00::/7 label 5


Had to remove it to re-add it. It's now:

root@gmork:~# ip addrlabel
prefix ::1/128 label 0
prefix ::/96 label 3
prefix ::ffff:0.0.0.0/96 label 4
prefix 2001::/32 label 6
prefix 2001:10::/28 label 7
prefix 3ffe::/16 label 12
prefix 2002::/16 label 2
prefix fec0::/10 label 11
prefix fc00::/7 label 1
prefix ::/0 label 1


Still, when I "ping google.com" it goes IPv4. Also, this shows wget only operating on v4.

root@gmork:~# wget -q -O - http://icanhazip.com
178.255.148.169


This should have returned a v6 address. Good try though!
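
A model of the RFC 6724 behaviour the reply above refers to, as an added example that is not part of the thread: it applies destination address selection rules 5 (matching label) and 6 (precedence) with the RFC's default policy table to the two google.com addresses from the first post. The source addresses, including the assumption that the VPN hands out a ULA in fc00::/7, are constructed for illustration.

```python
import ipaddress

# RFC 6724 section 2.1 default policy table: (prefix, precedence, label).
RFC6724_POLICY = [
    ("::1/128", 50, 0), ("::/0", 40, 1), ("::ffff:0:0/96", 35, 4),
    ("2002::/16", 30, 2), ("2001::/32", 5, 5), ("fc00::/7", 3, 13),
    ("::/96", 1, 3), ("fec0::/10", 1, 11), ("3ffe::/16", 1, 12),
]

def lookup(addr, policy):
    """Longest-prefix match in the policy table; returns (precedence, label)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:                      # IPv4 is looked up as ::ffff:a.b.c.d
        ip = ipaddress.IPv6Address("::ffff:" + addr)
    rows = [(ipaddress.ip_network(p), prec, label) for p, prec, label in policy]
    _, prec, label = max((r for r in rows if ip in r[0]),
                         key=lambda r: r[0].prefixlen)
    return prec, label

def order_destinations(candidates, policy=RFC6724_POLICY):
    """Order (destination, source) pairs by destination rules 5 and 6 only.

    Assumes rules 1-4 tie for every candidate, which holds for the cases below.
    """
    def key(pair):
        dst, src = pair
        dst_prec, dst_label = lookup(dst, policy)
        _, src_label = lookup(src, policy)
        # Rule 5: matching label first. Rule 6: higher precedence first.
        return (dst_label != src_label, -dst_prec)
    return [dst for dst, _ in sorted(candidates, key=key)]

# Destinations are the two google.com addresses from the thread.
V4_DST, V6_DST = "216.58.209.142", "2a00:1450:400f:804::200e"
# Source addresses are constructed for illustration, not taken from the thread.
BEFORE = [(V4_DST, "192.0.2.10"), (V6_DST, "2001:db8::10")]   # global IPv6 source
AFTER = [(V4_DST, "10.8.0.2"), (V6_DST, "fd00::10")]          # ULA tunnel source

# The same table with fc00::/7 relabelled to 1, as the reply suggests.
RELABELLED = [(p, prec, 1 if p == "fc00::/7" else label)
              for p, prec, label in RFC6724_POLICY]

if __name__ == "__main__":
    print("before tunnel:", order_destinations(BEFORE))
    print("after tunnel: ", order_destinations(AFTER))
    print("relabelled:   ", order_destinations(AFTER, RELABELLED))
```

On Linux, glibc's getaddrinfo() sorts destinations with its own policy table, configured in /etc/gai.conf; the kernel table shown by ip addrlabel is used for source address selection.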
 
IPSec is an encryption layer on top of IPv6 (or IPv4); it's not a replacement for IPv6. You cannot have IPSec without IP. IPSec is not part of the encryption method used by the OpenVPN client - it uses SSL/TLS. An SSL VPN is not compatible with IPSec/L2TP or PPTP.
 