IPv6 support - Experimental phase


  • This topic is locked
67 replies to this topic

#1 Staff

    Advanced Member

  • Staff
  • 7249 posts

Posted 31 January 2018 - 03:01 PM

UPDATE: EXPERIMENTAL PHASE ENDED. PLEASE SEE HERE: https://airvpn.org/topic/28153-ipv6-support/

 

We are glad to inform you that a new experimental server called Castor is now publicly available, with a series of new features:

  • Standard protocols/ports with IPv6 support, updated OpenVPN server, better cipher negotiation
  • Additional protocols/ports with IPv6 support, updated OpenVPN server, better cipher negotiation, 'tls-crypt' directive, TLS 1.2 forced
    These additional protocols/ports require OpenVPN 2.4 or higher version
  • Internal load balancing between OpenVPN daemons
  • New DNS server engine

You can experiment with Castor in two modes:

Notes:

  • The new server is marked as 'Experimental' and will not be proposed by default (opt-in).
  • Don't rely on Castor during the experimental period, we might need to reboot it to fix newest issues.
  • There is a bug related to Castor IPv6 DNS that occasionally affects only Windows. See the topic Why in special cases DNS of IPv6 are not pushed by our server.
    For this reason IPv6 DNS is disabled by default only with Config Generator. Eddie implements a workaround for this issue.
  • A lot of websites that perform an IPv6 check can report false positives, or in general the browser may not use IPv6. See the topic The issue "Your browser is avoiding IPv6." for more information.

After the experimental period and when Eddie 2.14 is released as stable, we will upgrade every VPN server (where possible, since some of our ISPs don't have IPv6 infrastructure) to be based on Castor server-side software.

Please talk in this thread only about Castor issues, Config Generator or Eddie related to IPv6. Rely on the Eddie 2.14beta topic for other issues related to Eddie.



#2 go558a83nk

    Advanced Member

  • Members
  • 1513 posts

Posted 31 January 2018 - 04:06 PM

So, tls-crypt requires no explicit line in the config but I guess will be pushed to us if we connect to entry IP 3 or 4?  I guess I should just test and find out. :)

 

edit: nevermind.  I see the tls-crypt down at the (different) tls static key

 

if using pfsense be sure to adjust tls key usage mode to encryption and authentication.



#3 go558a83nk

    Advanced Member

  • Members
  • 1513 posts

Posted 31 January 2018 - 04:32 PM

If logs say

Jan 31 10:26:02 openvpn 29617 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Jan 31 10:26:02 openvpn 29617 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Jan 31 10:26:02 openvpn 29617 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Jan 31 10:26:02 openvpn 29617 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication

Then tls-crypt is working properly?



#4 Clodo

    AirVPN Team

  • Staff
  • 273 posts
  • Location: Italy

Posted 31 January 2018 - 11:00 PM

> if using pfsense be sure to adjust tls key usage mode to encryption and authentication.

Are you using pfSense? Do you know what version of OpenVPN you use?
What score do you obtain here: http://ipv6-test.com/ ?

> If logs say
> ...
> Then tls-crypt is working properly?

These logs are related to cipher negotiation, common in any protocols/mode.
If you are using 3' or 4' entry-IP, it's under tls-crypt. If you have <tls-crypt> in your .ovpn, it's under tls-crypt.

#5 go558a83nk

    Advanced Member

  • Members
  • 1513 posts

Posted 31 January 2018 - 11:10 PM

> > if using pfsense be sure to adjust tls key usage mode to encryption and authentication.
>
> Are you using pfSense? Do you know what version of OpenVPN you use?
> What score do you obtain here: http://ipv6-test.com/ ?
>
> > If logs say
> > ...
> > Then tls-crypt is working properly?
>
> These logs are related to cipher negotiation, common in any protocols/mode.
> If you are using 3' or 4' entry-IP, it's under tls-crypt. If you have <tls-crypt> in your .ovpn, it's under tls-crypt.

pfsense 2.4.2 with openvpn 2.4.4.  However, I have all IPv6 turned off.  My testing was simply for tls-crypt.  Sorry I'm not more help with regard to IPv6 testing.



#6 go558a83nk

    Advanced Member

  • Members
  • 1513 posts

Posted 01 February 2018 - 04:08 PM

Where's everybody who's been begging for IPv6?  Not testing or just not posting here?  :dunno:



#7 drddevil

    Newbie

  • New Members
  • 1 posts

Posted 01 February 2018 - 04:39 PM

I'm connecting fine over UDP6, which is great. However I've already experienced a few problems with the actual IPv6 connectivity provided on the tunnel interface.

 

In troubleshooting I looked at the tunnel interface.

 

utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
    inet 10.18.0.8 --> 10.18.0.8 netmask 0xffff0000
    inet6 fe80::426c:8fff:fe48:6c0e%utun1 prefixlen 64 scopeid 0x10
    inet6 fde6:7a:7d20:18::1006 prefixlen 64

It shows "fde6:7a:7d20:18::1006", which is a ULA. So my first thought is that it's network prefix translation (NPTv6). Nope, it's actually overloading NAT, which is causing problems with the app I'm using over the VPN.

No developers are implementing STUN for IPv6 so using NAT (overloading) is a really bad practice and will cause problems. Your server/colocation provider should be routing you an IPv6 address block, which you can then use directly in the VPN config, or use NPTv6.


#8 Fly AirVPN

    Advanced Member

  • Members
  • 52 posts

Posted 02 February 2018 - 07:47 AM

Installed Eddie beta 14 on Win 10 64bit. Attempted a connection to Castor server to see what would happen with IPv6 and the routing check continuously failed only for IPv6. After Eddie auto-ended the Castor session and reconnected to Canada servers because of the Speed preference setting, download speeds were greatly affected with speed tests of only around 1 mbps. After uninstalling beta 14 and cleaning everything including the User/AirVPN folder and then reinstalling Eddie 13 did speeds return to the expected norm for AirVPN connection. Windows IPv6 is enabled and is detected without Eddie.



#9 zhang888

    Donald Trump of IT/Security

  • Moderators
  • 2195 posts

Posted 02 February 2018 - 08:47 PM

Important note:

Don't turn IPv6 on if you are concerned with potential leaks, especially if your ISP provides IPv6 connectivity and your router/machine is configured to use it.

There are still some issues with OpenVPN (On Windows) to solve.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.


#10 lordlukan

    Member

  • Members
  • 18 posts

Posted 05 February 2018 - 12:39 AM

> if using pfsense be sure to adjust tls key usage mode to encryption and authentication.

That doesn't work for me in pfsense. Only TLS Authentication works



#11 go558a83nk

    Advanced Member

  • Members
  • 1513 posts

Posted 05 February 2018 - 12:59 AM

> > if using pfsense be sure to adjust tls key usage mode to encryption and authentication.
>
> That doesn't work for me in pfsense. Only TLS Authentication works

I'm guessing you weren't using a tls-crypt config.



#12 lordlukan

    Member

  • Members
  • 18 posts

Posted 05 February 2018 - 08:17 AM

> > > if using pfsense be sure to adjust tls key usage mode to encryption and authentication.
> >
> > That doesn't work for me in pfsense. Only TLS Authentication works
>
> I'm guessing you weren't using a tls-crypt config.

Yes. This was it. The new config generator takes a while to get used to.

I'm now able to connect, but gateway monitor says I'm offline (whereas other 2 AirVPN gateways are on). Is there anything specific in Pfsense client config I'm missing? I have the following:

  • IP address
  • UDP 443
  • UDP on IPv4 only
  • TLS key with new key from generated config
  • TLS encryption and authentication
  • CA and client certificates from newly generated config
  • AES-256-cbc
  • Enable NCP
  • Auth Digest SHA512
  • Comp-LZO no

I'm only looking to test TLS-crypt. Not IPv6



#13 Flx

    Advanced Member

  • Members
  • 121 posts

Posted 05 February 2018 - 11:26 PM

NOW how to change the static key from <tls-auth> to <tls-crypt> for an .ovpn file on the client side. <tls-crypt> is included when -Entry3 or 4 is selected. If the default is picked meaning udp-443 or tcp-443 <tls-auth> is used for the static key...

> I'm only looking to test TLS-crypt. Not IPv6

same here



#14 Flx

    Advanced Member

  • Members
  • 121 posts

Posted 09 February 2018 - 11:20 PM

> NOW how to change the static key from <tls-auth> to <tls-crypt> for an .ovpn file on the client side. <tls-crypt> is included when -Entry3 or 4 is selected. If the default is picked meaning udp-443 or tcp-443 <tls-auth> is used for the static key...
>
> > I'm only looking to test TLS-crypt. Not IPv6
>
> same here

Castor works fine on IPv4 and IPv6 with <tls-crypt> as the static key. :good:
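
The tls-auth / tls-crypt distinction discussed in posts #4 and #10 to #14, as an added example that is not from the thread or from AirVPN: a Python check that reads an OpenVPN client profile and reports whether its static key is used as tls-crypt or tls-auth, together with the pfSense key usage mode the posters name for each. The sample profiles, addresses and function names are constructed for illustration.

```python
import re

# Constructed sample profiles; the key bodies are placeholders, not key material.
TLS_CRYPT_PROFILE = """client
dev tun
proto udp
remote 192.0.2.10 443
<tls-crypt>
(constructed placeholder)
</tls-crypt>
"""
TLS_AUTH_PROFILE = """client
dev tun
proto udp
remote 192.0.2.11 443
key-direction 1
<tls-auth>
(constructed placeholder)
</tls-auth>
"""

# pfSense "TLS key usage mode" options as the posters in this thread name them.
PFSENSE_MODE = {"tls-crypt": "TLS Encryption and Authentication",
                "tls-auth": "TLS Authentication"}

def control_channel_mode(profile_text):
    """Return 'tls-crypt', 'tls-auth' or None for an OpenVPN client profile."""
    found, inline = set(), None
    for raw in profile_text.splitlines():
        line = raw.strip()
        if inline:                          # inside <tag>...</tag>: skip the body
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":     # blank line or comment
            continue
        tag = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if tag:
            inline = tag.group(1)           # inline block, e.g. <tls-crypt>
        name = inline or line.split()[0]    # or file form, e.g. "tls-crypt ta.key"
        if name in PFSENSE_MODE:
            found.add(name)
    if len(found) > 1:                      # OpenVPN refuses both options together
        raise ValueError("profile sets both tls-auth and tls-crypt")
    return found.pop() if found else None

def pfsense_key_usage(profile_text):
    """Key usage mode to select in pfSense for this profile's static key."""
    return PFSENSE_MODE.get(control_channel_mode(profile_text))
```
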



#15 Monotremata

    Advanced Member

  • Members
  • 46 posts

Posted 10 February 2018 - 07:02 AM

Weird I had it working earlier, just about 30 minutes ago in fact. Connected through both Eddie 2.13.6 using Homebrew's OpenVPN 2.4.4 on MacOS 10.13 and Tunnelblick, both using UDP Entry 3. Now every time I connect to Castor, I can see in the log it's disabling IPv6 for my network adapter right before it starts the connection. Was working fine until I updated my Little Snitch app and rebooted. Just went to ipv6-test.com and only got a score of 4. The whole IPv6 section says "Unreachable". I tested it several times when I first got it working and hit 19/20. The only thing that didn't show up was the IPv4 hostname for Castor. When I connect in Tunnelblick now, it connects fine, but it appears I have no DNS servers because it won't actually connect to a website. The only thing I did in between it working and not was update the Little Snitch app and then rebooted. Don't see how that would affect either connection app cause all that does is monitor incoming and outgoing network connections so you can see who your Mac is talking to and block those IPs/ports as needed. It has a rule I made to allow OpenVPN and Eddie to connect to anything. I went and connected to a Canadian server, just so I could finish typing this, and even that disabled IPv6 on my adapter before it connected too, it's the first thing Eddie does when I hit Connect. As soon as the connection is terminated, it restores IPv6.



#16 JacksonLee

    Member

  • Members
  • 20 posts

Posted 10 February 2018 - 09:41 PM

If I'm seeing this right, no matter which Port I connect, I always get an IP from the 10.6 Subnet.

This kills my setup, can this be adjusted, so I can test it ?



#17 radolkin

    Newbie

  • Members
  • 8 posts

Posted 11 February 2018 - 12:17 AM

When using the experimental server 'Castor', all my browsers favor ipv4 over ipv6. Is this intentional or is it still the behavior mentioned in https://airvpn.org/topic/25140-the-issue-your-browser-is-avoiding-ipv6/ ?

The connections via my ISP (dual stack) as well as via my own private OpenVPN server both happily make use of ipv6, whenever it's available. A fine example is your very own site 'airvpn.org'.

I tested this using the latest versions of 'Firefox', 'Google Chrome' and 'Chromium', all under Ubuntu 16.04.

When using 'Castor', the site 'test-ipv6.com' reports timeouts for ipv6 with and without DNS and for large packets and a 'bad' for DNS server ipv6 usage. The final rating is 0/10.

However, I don't find this assessment all that reliable, since connections to ipv6-only sites, like 'ipv6.google.com', work just fine.

 

I have also tested things on Windows 10 now, and unfortunately I have to report the same unsatisfying results. IPv6 is present and works, but it normally isn't used. :-(
Native connections via my ISP and connections using my personal VPN always favor IPv6 and everything is peachy. 'Castor' on the other hand always uses IPv4, unless it's an IPv6-only site.
The 'Castor' phenomenon isn't restricted to browsers either, 'mtr' on Linux also uses IPv4, unless explicitly told to use IPv6 for tracing any given route.
What am I missing here?


Edited by radolkin, 13 February 2018 - 07:48 PM.
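
A possible explanation for the IPv4 preference described in this post, as an added example that is not part of the thread: under the default RFC 6724 policy table, a ULA source address (such as the tunnel address shown in post #7) does not share a label with a global IPv6 destination, so destination-address selection rule 5 ranks the IPv4 destination first. The code assumes the client applies that default table; the site and native addresses are constructed documentation addresses and the function names are illustrative.

```python
import ipaddress

# Default policy table from RFC 6724 section 2.1: (prefix, precedence, label).
POLICY = [(ipaddress.ip_network(p), prec, label) for p, prec, label in [
    ("::1/128", 50, 0), ("::/0", 40, 1), ("::ffff:0:0/96", 35, 4),
    ("2002::/16", 30, 2), ("2001::/32", 5, 5), ("fc00::/7", 3, 13),
    ("::/96", 1, 3), ("fec0::/10", 1, 11), ("3ffe::/16", 1, 12)]]

TUNNEL_V4 = "10.18.0.8"               # tunnel addresses shown in post #7
TUNNEL_V6 = "fde6:7a:7d20:18::1006"   # ULA, inside fc00::/7
NATIVE_V6 = "2001:db8:1::5"           # constructed: a global source address
SITE_V6, SITE_V4 = "2001:db8::1", "203.0.113.10"   # constructed dual-stack site

def lookup(addr):
    """Longest-prefix match in the table; IPv4 is looked up as IPv4-mapped."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        ip = ipaddress.IPv6Address("::ffff:" + str(ip))
    best = max((e for e in POLICY if ip in e[0]), key=lambda e: e[0].prefixlen)
    return best[1], best[2]            # (precedence, label)

def preferred_destination(candidates):
    """candidates: list of (destination, source address the host would use).

    Applies RFC 6724 section 6 rule 5 (prefer a destination whose label
    matches its source's label), then rule 6 (higher precedence). Rules 1-4
    tie for the addresses used here, and later rules are not reached.
    """
    def rank(pair):
        dst, src = pair
        dst_prec, dst_label = lookup(dst)
        _, src_label = lookup(src)
        return (dst_label == src_label, dst_prec)
    return max(candidates, key=rank)[0]

def castor_choice():
    """Dual-stack site reached with the ULA tunnel source: IPv4 is ranked first."""
    return preferred_destination([(SITE_V6, TUNNEL_V6), (SITE_V4, TUNNEL_V4)])

def native_choice():
    """Same site with a global IPv6 source: IPv6 is ranked first."""
    return preferred_destination([(SITE_V6, NATIVE_V6), (SITE_V4, TUNNEL_V4)])
```

With only an IPv6 destination in the candidate list there is nothing to outrank it, which matches the observation that IPv6-only sites still work over the tunnel.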


#18 Monotremata

    Advanced Member

  • Members
  • 46 posts

Posted 11 February 2018 - 03:19 AM

YAY got it working!!! Took a few steps though, one I figured out from another Castor thread in the troubleshooting section. Downloaded the portable 2.14 to give it another shot, but it appears it's not really "portable" and uses the same airvpn.xml file that 2.13 is using in ~/.airvpn. Since the disable IPv6 option is gone in 2.14, this value was left on disabled and there was no way to change it. Had to reopen 2.13, change the v6 setting from 'Disabled' to 'None' and after reopening 2.14, it finally stopped shutting down IPv6 for my adapter and let me connect. However, it was only using IPv4. Google's test site told me I could access v6 sites but I wasn't using v6. So went into the Protocols page in the prefs, unchecked Auto, and manually picked UDP Entry 3 (the one with TLS). Closed/reopened Eddie, reconnected and now I'm full IPv6. Passed ipv6-test.com with 18/20 (it didn't get the hostnames for either v4 or v6), and at all the test-ivy.x.x sites I tried I passed with 10/10. Even Google's ipv6test.google.com said I was good to go and using v6. Connection speed isn't the greatest in the Speedtest.net app, but then again, I'm on the other side of the planet from Castor so not too bad. At least it works so when the switch over happens, I'll be ready to go!



#19 Clodo

    AirVPN Team

  • Staff
  • 273 posts
  • Location: Italy

Posted 11 February 2018 - 05:23 PM

> Since the disable IPv6 option is gone in 2.14, this value was left on disabled and there was no way to change it.

Exactly. Apologies for that, a new 2.14 release that fixes this issue will be available soon.

#20 radolkin

    Newbie

  • Members
  • 8 posts

Posted 14 February 2018 - 05:25 PM

Connections to 'Castor' via UDP with IP 3 or 4 (the ones using tls-crypt) stopped working on all ports all of a sudden (checking route IPv4 results in curl timeouts). UDP with IP 1 and 2 and TCP seem to work fine for all IPs. Is this, because you guys at AirVPN are working on something specific, or is it just me? I'm using Eddie 2.14.1 on Ubuntu 16.04.
 
Edit:
Woohoo! It's working again, at least for now. Let's hope, it will stay that way. I didn't do anything on my system, mind you.
 
Edit 2:
Unfortunately, my hopes were in vain. UDP with IPs 3 and 4 stopped working for me again. Timeouts (curl 28) while checking route IPv4. No changes on my side. Yesterday it was working flawlessly.  :think:

 

Edit 3:

For the last few days UDP with <tls-crypt> has been working fine again. No timeouts, no nothing. Now if only 'Castor' would be nice and prefer IPv6 over IPv4, then all would be well. ;)


Edited by radolkin, 21 February 2018 - 09:34 PM.




