Jump to content
Not connected, Your IP: 3.17.179.132
Staff

IPv6 support - Experimental phase

Recommended Posts

UPDATE: EXPERIMENTAL PHASE ENDED. PLEASE SEE HERE: https://airvpn.org/topic/28153-ipv6-support/

 

We are glad to inform you that a new experimental server called Castor is now publicly available, with a series of new features:

  • Standard protocols/ports with IPv6 support, updated OpenVPN server, better cipher negotiation
  • Additional protocols/ports with IPv6 support, updated OpenVPN server, better cipher negotiation, 'tls-crypt' directive, TLS 1.2 forced
    These additional protocols/ports require OpenVPN 2.4 or higher version
  • Internal load balancing between OpenVPN daemons
  • New DNS server engine

You can experiment with Castor in two modes:

Notes:

  • The new server is marked as 'Experimental' and will not be proposed by default (opt-in).
  • Don't rely on Castor during the experimental period, we might need to reboot it to fix newest issues.
  • There is a bug related to Castor IPv6 DNS that occasionally affects only Windows. See the topic Why in special cases DNS of IPv6 are not pushed by our server.
    For this reason IPv6 DNS is disabled by default only with Config Generator. Eddie implements a workaround for this issue.
  • A lot of websites that perform IPv6 check can report false-positive, or in general browser may not use IPv6. See the topic The issue "Your browser is avoiding IPv6." for more information.

After the experimental period and when Eddie 2.14 is released as stable, we will upgrade every VPN server (where possible, since some of our ISPs don't have IPv6 infrastructure) to be based on Castor server-side software.

Please talk in this thread only about Castor issues, Config Generator or Eddie related to IPv6. Rely on Eddie 2.14beta topic for other issues related to Eddie

Share this post


Link to post

So, tls-crypt requires no explicit line in the config but I guess will be pushed to us if we connect to entry IP 3 or 4?  I guess I should just test and find out.

 

edit: nevermind.  I see the tls-crypt down at the (different) tls static key

 

if using pfsense be sure to adjust tls key usage mode to encryption and authentication.

Share this post


Link to post

If logs say

 

Jan 31 10:26:02 openvpn 29617 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key

 

Jan 31 10:26:02

openvpn 29617 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication

 

an 31 10:26:02

openvpn 29617 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key

 

Jan 31 10:26:02

openvpn 29617 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication

 

Then tls-crypt is working properly?

Share this post


Link to post

if using pfsense be sure to adjust tls key usage mode to encryption and authentication.

Are you using pfSense? Do you know what version of OpenVPN use?

What score you obtain here: http://ipv6-test.com/ ?

 

If logs say

... 

Then tls-crypt is working properly?

This logs are related to cipher negotiation, common in any protocols/mode.

If you are using 3' or 4' entry-IP, it's under tls-crypt. If you have in your .ovpn, it's under tls-crypt.

Share this post


Link to post

 

if using pfsense be sure to adjust tls key usage mode to encryption and authentication.

Are you using pfSense? Do you know what version of OpenVPN use?

What score you obtain here: http://ipv6-test.com/ ?

 

>If logs say

... 

Then tls-crypt is working properly?

This logs are related to cipher negotiation, common in any protocols/mode.

If you are using 3' or 4' entry-IP, it's under tls-crypt. If you have <tls-crypt> in your .ovpn, it's under tls-crypt.

 

 

 

pfsense 2.4.2 with openvpn 2.4.4.  However, I have all IPv6 turned off.  My testing was simply for tls-crypt.  Sorry I'm not more help with regard to IPv6 testing.

Share this post


Link to post

I'm connecting fine over UDP6, which is great. However I've already experienced a few problems with the actual IPv6 connectivity provided on the tunnel interface.

 

In troubleshooting I looked at the tunnel interface.

 

utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
inet 10.18.0.8 --> 10.18.0.8 netmask 0xffff0000 
inet6 fe80::426c:8fff:fe48:6c0e%utun1 prefixlen 64 scopeid 0x10 
inet6 fde6:7a:7d20:18::1006 prefixlen 64 
 
It shows "fde6:7a:7d20:18::1006", which is a ULA. So my first thought is that it's network prefix translation (NPTv6). Nope, it's actually overloading NAT, which is causing problems with the app I'm using over the VPN.
 
No developers are implementing STUN for IPv6 so using NAT (overloading) is a really bad practice and will cause problems. Your server/colocation provider should be routing you a IPv6 address block, which you can then use directly in the VPN config, or use NPTv6.

Share this post


Link to post

Installed Eddie beta 14 on Win 10 64bit. Attempted a connection to Castor server to see what would happen with IPv6 and the routing check continuously failed only for IPv6. After Eddie auto-ended the Castor session and reconnected to Canada servers because of the Speed preference setting, download speeds were greatly affected with speed tests of only around 1 mbps. After uninstalling beta 14 and cleaning everything including the User/AirVPN folder and then reinstalling Eddie 13 did speeds return to the expected norm for AirVPN connection. Windows IPv6 is enabled and is detected without Eddie.

Share this post


Link to post

Important note:

Don't turn IPv6 on if you are concerned with potential leaks, especially if your ISP provides IPv6

connectivity and your router/machine is configured to use  it.

There are still some issues with OpenVPN  (On Windows) to solve.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post

if using pfsense be sure to adjust tls key usage mode to encryption and authentication.

That doesn't work for me in pfsense. Only TLS Authentication works

Share this post


Link to post

 

if using pfsense be sure to adjust tls key usage mode to encryption and authentication.

That doesn't work for me in pfsense. Only TLS Authentication works

 

I'm guessing you weren't using a tls-crypt config.

Share this post


Link to post

 

 

if using pfsense be sure to adjust tls key usage mode to encryption and authentication.

That doesn't work for me in pfsense. Only TLS Authentication works

 

I'm guessing you weren't using a tls-crypt config.

Yes. This was it. The new config generator takes a while to get used to.

I'm now able to connect, but gateway monitor says I'm offline (whereas other 2 AirVPN gateways are on). Is there anything specific in Pfsense client config I'm missing? I have the following:

 

IP address

UDP 443

UDP on IPv4 only

TLS key with new key from generated config

TLS encryption and authentication

CA and client certificates from newly generated config

AES-256-cbc

Enable NCP

Auth Digest SHA512

Comp-LZO no

 

I'm only looking to test TLS-crypt. Not IPv6

Share this post


Link to post

NOW  how to change the static key from <tls-auth> to <tls-crypt>
for an .opvn file on the client side. <tls-crypt> is included when -Entry3 of 4 is selected. If the default is picked meaning udp-443 or tcp-443 <tls-auth> is used for the static key...

I'm only looking to test TLS-crypt. Not IPv6

same here

Share this post


Link to post

NOW  how to change the static key from <tls-auth> to <tls-crypt>

for an .opvn file on the client side. <tls-crypt> is included when -Entry3 of 4 is selected. If the default is picked meaning udp-443 or tcp-443 <tls-auth> is used for the static key...

I'm only looking to test TLS-crypt. Not IPv6

same here

Castor works fine on IPv4 and IPv6 with <tls-crypt> as the static key.

Share this post


Link to post

Weird I had it working earlier, just about 30 minutes ago in fact. Connected through both Eddie 2.13.6 using Homebrew's OpenVPN 2.4.4 on MacOS 10.13 and Tunnelblick, both using UPD Entry 3. Now every time I connect to Castor, I can see in the log its disabling IPv6 for my network adapter right before it starts the connection. Was working fine until I updated my Little Snitch app and rebooted. Just went to ipv6-test.com and only got a score of 4. The whole IPv6 section says "Unreachable". I tested it several times when I first got it working and hit 19/20. The only thing that didn't show up was the IPv4 hostname for Castor. When I connect in Tunnelblick now, it connects fine, but it appears I have no DNS servers because it won't actually connect to a website. The only thing I did in between it working and not was update the Little Snitch app and then rebooted. Dont see how that would affect either connection app cause all that does is monitor incoming and outgoing network connections so you can see who your Mac is talking to and block those IPs/ports as needed. It has a rule I made to allow OpenVPN and Eddie to connect to anything. I went and connected to a Canadian server, just so I could finish typing this, and even that disabled IPv6 on my adapter before it connected too, its the first thing Eddie does when I hit Connect. As soon as the connection is terminated, it restores IPv6.

Share this post


Link to post

If I'm seeing this right, no matter which Port I connect, I always get an IP from the 10.6 Subnet.

This kills my setup, can this be adjusted, so I can test it ?

Share this post


Link to post
Posted ... (edited)

When using the experimental server 'Castor', all my browsers favor ipv4 over ipv6. Is this intentional or is it still the behavior mentioned in https://airvpn.org/topic/25140-the-issue-your-browser-is-avoiding-ipv6/ ?

The connections via my ISP (dual stack) as well as via my own private OpenVPN server both happily make use of ipv6, whenever it's available. A fine example is your very own site 'airvpn.org'.

I tested this using the latest versions of 'Firefox', 'Google Chrome' and 'Chromium', all under Ubuntu 16.04.

When using 'Castor', the site 'test-ipv6.com' reports timeouts for ipv6 with and without DNS and for large packets and a 'bad' for DNS server ipv6 usage. The final rating is 0/10.

However, I don't find this assessment all that reliable, since connections to ipv6-only sites, like 'ipv6.google.com', work just fine.

 

I have also tested things on Windows 10 now, and unfortunately I have to report the same unsatisfying results. IPv6 is present and works, but it normally isn't used. :-(
Native connections via my ISP and connections using my personal VPN always favor IPv6 and everything is peachy. 'Castor' on the other hand always uses IPv4, unless it's an IPv6-only site.
The 'Castor' phenomenon isn't restricted to browsers either, 'mtr' on Linux also uses IPv4, unless explicitly told to use IPv6 for tracing any given route.
What am I missing here?

Edited ... by radolkin

Share this post


Link to post

YAY got it working!!! Took a few steps though, one I figured out from another Castor thread in the troubleshooting section. Downloaded the portable 2.14 to give it another shot, but it appears its not really "portable" and uses the same airvpn.xml file that 2.13 is using in ~/.airvpn. Since the disable IPv6 option is gone in 2.14, this value was left on disabled and there was no way to change it. Had to reopen 2.13, change the v6 setting from 'Disabled' to 'None' and after reopening 2.14, it finally stopped shutting down IPv6 for my adapter and let me connect. However, it was only using IPv4. Googles test site told me I could access v6 sites but I wasn't using v6. So went into the Protocols page in the prefs, unchecked Auto, and manually picked UPD Entry 3 (the one with TLS). Closed/reopened Eddie, reconnected and now Im full IPv6. Passed ipv6-test.com with 18/20 (it didn't get the hostnames for either v4 or v6), and at all the test-ivy.x.x sites I tried I passed with 10/10. Even Googles ipv6test.google.com said I was good to go and using v6. Connection speed isn't the greatest in the Speedtest.net app, but then again, Im on the other side of the planet from Castor so not too bad. At least it works so when the switch over happens, Ill be ready to go!

Share this post


Link to post

Since the disable IPv6 option is gone in 2.14, this value was left on disabled and there was no way to change it.

Exactly. Apologies for that, a new 2.14 release that fix this issue will be available soon.

Share this post


Link to post
Posted ... (edited)

Connections to 'Castor' via UDP with IP 3 or 4 (the ones using tls-crypt) stopped working on all ports all of a sudden (checking route IPv4 results in curl timeouts). UDP with IP 1 and 2 and TCP seem to work fine for all IPs. Is this, because you guys at AirVPN are working on something specific, or is it just me? I'm using Eddie 2.14.1 on Ubuntu 16.04.
 
Edit:
Woohoo! It's working again, at least for now. Let's hope, it will stay that way. I didn't do anything on my system, mind you.
 
Edit 2:
Unfortunately, my hopes were in vain. UDP with IPs 3 and 4 stopped working for me again. Timeouts (curl 28) while checking route IPv4. No changes on my side. Yesterday it was working flawlessly. 

 

Edit 3:

For the last few days UDP with <tls-crypt> has been working fine again. No timeouts, no nothing. Now if only 'Castor' would be nice and prefer IPv6 over IPv4, then all would be well.

Edited ... by radolkin

Share this post


Link to post

Hi !

Any chance of upgrading one of the servers in NL ( there's tons of them ) to the IPv6 version ?

 

As a secondary test server / not in normal auto-connect pool ?

 

I'm curious what impact it would have for speed, to connect from NL to NL (VPN) v6 and to NL (Website) v6. Right now going through Castor... for a short round-trip around BeNeLux

Share this post


Link to post

How much longer is the planned experimental phase?  When should we expect all this to roll out to all servers?

 

Hello,

 

it is not set as a date but as a conditional events sequence, We will start IPv6 widespread deployment after Eddie 2.14.x stable has been released, and after any investigation on various feedback pertaining to IPv6 is over.

 

Kind regards

Share this post


Link to post

As a secondary test server / not in normal auto-connect pool ?

 

I'm curious what impact it would have for speed, to connect from NL to NL (VPN) v6 and to NL (Website) v6. Right now going through Castor... for a short round-trip around BeNeLux :)

 

Hello,

 

yes, you will be able to connect to Chara. In the next few hours it will be restarted with a full IPv6 and tls-crypt supporting configuration and set as "Experimental". Your feedback will be much appreciated.

 

EDIT: Chara now works in IPv6 too and supports tls-crypt as well.

 

Kind regards

Share this post


Link to post

First round of tests:

http://www.speedtest.net/result/7090222137

http://www.speedtest.net/result/7090224793

http://www.speedtest.net/result/7090250326 <- 253 Mbps holy s*** !!

 

What is most impressing is the ping time. Basically, it's somewhat smaller than when NOT using VPN ! (Apparently Chara's routing is slightly faster than Ziggo's CGN - DS Lite)

Ran a few more tests to different servers in NL, getting results of 12-15ms consistently)

 

Will come back with more info/observations later, but so far it appears to be working fine in connecting both IPv6 "only", and also IPv6/IPv4

 

---

p.s. - I love you guys !

+3 months added to my subscription \o/

 

 

EDIT:

Getting some DNS problems with this server, and unable to access certain websites which are IPv4 only (they work with the other servers still on IPv4)

Share this post


Link to post
Guest
This topic is now closed to further replies.

×
×
  • Create New...