On Sat, Jun 17, 2017 at 3:41 PM, Harald Dunkel <ha...@afaics.de> wrote:
> Hi folks,
>
> AFAICS the openvpn 2.4.2 man page recommends a "multihome" feature
> for dual stack setups, but I can't make it work on OpenBSD (the
> openvpn server) in this case.
>
> The logfile on the client shows
>
> Sat Jun 17 15:13:40 2017 OpenVPN 2.4.2 x86_64-pc-linux-gnu [SSL (OpenSSL)]
> [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 17 2017
> Sat Jun 17 15:13:40 2017 library versions: OpenSSL 1.0.2l 25 May 2017, LZO
> 2.08
> Enter Private Key Password: ******
> Sat Jun 17 15:13:43 2017 WARNING: No server certificate verification method
> has been enabled. See http://openvpn.net/howto.html#mitm for more info.
> Sat Jun 17 15:13:43 2017 NOTE: the current --script-security setting may
> allow this configuration to call user-defined scripts
> Sat Jun 17 15:13:43 2017 WARNING: this configuration may cache passwords in
> memory -- use the auth-nocache option to prevent this
> Sat Jun 17 15:13:43 2017 TCP/UDP: Preserving recently used remote address:
> [AF_INET6]2001:db80:13b0:ffff::60:1195
> Sat Jun 17 15:13:43 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
> Sat Jun 17 15:13:43 2017 setsockopt(IPV6_V6ONLY=0)
> Sat Jun 17 15:13:43 2017 UDP link local (bound): [AF_INET6][undef]:1194
> Sat Jun 17 15:13:43 2017 UDP link remote:
> [AF_INET6]2001:db80:13b0:ffff::60:1195
> Sat Jun 17 15:13:44 2017 TCP/UDP: Incoming packet rejected from
> [AF_INET6]::ffff:5.145.xx.yy:1194[10], expected peer address:
> [AF_INET6]2001:db80:13b0:ffff::60:1195 (allow this incoming source
> address/port by removing --remote or adding --float)
> Sat Jun 17 15:13:44 2017 or from peer address: [AF_INET]5.145.xx.yy:1195
> Sat Jun 17 15:13:48 2017 TCP/UDP: Incoming packet rejected from
> [AF_INET6]::ffff:5.145.xx.yy:1194[10], expected peer address:
> [AF_INET6]2001:db80:13b0:ffff::60:1195 (allow this incoming source
> address/port by removing --remote or adding --float)
> Sat Jun 17 15:13:48 2017 or from peer address: [AF_INET]5.145.xx.yy:1195
> Sat Jun 17 15:13:51 2017 TCP/UDP: Incoming packet rejected from
> [AF_INET6]::ffff:5.145.xx.yy:1194[10], expected peer address:
> [AF_INET6]2001:db80:13b0:ffff::60:1195 (allow this incoming source
> address/port by removing --remote or adding --float)
> Sat Jun 17 15:13:51 2017 or from peer address: [AF_INET]5.145.xx.yy:1195
> Sat Jun 17 15:13:54 2017 TCP/UDP: Incoming packet rejected from
> [AF_INET6]::ffff:5.145.xx.yy:1194[10], expected peer address:
> [AF_INET6]2001:db80:13b0:ffff::60:1195 (allow this incoming source
> address/port by removing --remote or adding --float)
> Sat Jun 17 15:13:54 2017 or from peer address: [AF_INET]5.145.xx.yy:1195
> Sat Jun 17 15:13:56 2017 event_wait : Interrupted system call (code=4)
> Sat Jun 17 15:13:56 2017 SIGINT[hard,] received, process exiting
>
> Please note the weird IPv6 addresses "::ffff:5.145.xx.yy". 5.145.xx.yy
> is the OpenBSD server's IPv4 address, but it is not running IPv4 over
> IPv6. ????
>
> I tried the most recent openvpn in stable, of course. Every helpful
> comment is highly appreciated
> Harri

Hey Harri,

Those are IPv4-mapped IPv6 addresses (RFC 4291, https://tools.ietf.org/html/rfc4291).

Sterling
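
An added example, not part of the original thread: a small parser for the "Incoming packet rejected" lines that unwraps IPv4-mapped sources and reports which field (address family, address, port) differs from the expected peer. The sample log is constructed with documentation addresses, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in the format of the client log quoted above, with
# documentation addresses (RFC 5737, RFC 3849) in place of the redacted ones.
SAMPLE_LOG = """\
Sat Jun 17 15:13:43 2017 UDP link remote: [AF_INET6]2001:db8:13b0:ffff::60:1195
Sat Jun 17 15:13:44 2017 TCP/UDP: Incoming packet rejected from [AF_INET6]::ffff:192.0.2.10:1194[10], expected peer address: [AF_INET6]2001:db8:13b0:ffff::60:1195
Sat Jun 17 15:13:48 2017 TCP/UDP: Incoming packet rejected from [AF_INET6]2001:db8:13b0:ffff::60:1194[10], expected peer address: [AF_INET6]2001:db8:13b0:ffff::60:1195
"""

# "[AF_INET6]addr:port": the port follows the last colon of the endpoint.
ENDPOINT = r"\[AF_INET6?\]([0-9A-Fa-f:.]+):(\d+)"
REJECT_RE = re.compile(
    "Incoming packet rejected from " + ENDPOINT
    + ".*?expected peer address: " + ENDPOINT)


def normalize(text):
    """Parse an address; unwrap ::ffff:a.b.c.d to the IPv4 address it carries."""
    addr = ipaddress.ip_address(text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped, True
    return addr, False


def explain_rejections(log_text):
    """Return one finding per rejected packet, naming the fields that differ."""
    findings = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        src, mapped = normalize(m.group(1))
        exp, _ = normalize(m.group(3))
        mismatch = []
        if src.version != exp.version:
            mismatch.append("address family")
        elif src != exp:
            mismatch.append("address")
        if m.group(2) != m.group(4):
            mismatch.append("port")
        findings.append({"source": str(src), "ipv4_mapped": mapped,
                         "expected": str(exp), "mismatch": mismatch})
    return findings


if __name__ == "__main__":
    for finding in explain_rejections(SAMPLE_LOG):
        print(finding)
```

The regular expression expects each log message on a single line, so a log that has been re-wrapped by a mail client needs its lines rejoined first.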