
What happens if an IPv4 client tries to access an IPv6-only server (SOLVED)

Question:

Hey! The article says that IPv6 is a completely different protocol, and I have a question. If my recipient's email works only over IPv6 (that is, their mail server listens only on IPv6), does this mean that when I send a letter from a mail server that is connected only to IPv4, the letter simply will not reach the recipient? In other words, will I have to choose a mail service whose server works with both IPv6 and IPv4 so that my friend can read my letter?

Answer:

The situation considered here, where one server has only an IPv4 address and the other only an IPv6 address, is largely theoretical. ISPs that support IPv6 and assign IPv6 addresses to their customers assign IPv4 addresses as well (dual stack).

For example, this router is connected to an ISP that supports IPv6, so it has addresses of both types (the IPv4 one is from the private 10.0.0.0/8 range, i.e. the ISP translates IPv4 traffic with NAT, while the IPv6 one is a global address):

  • 10.241.24.29
  • 2001:fb1:fc0:135:20e8:31d0:4821:6624

My computer is connected to this router, so it also has addresses of both types:

  • 192.168.1.58
  • 2001:fb1:139:20d8:82c0:cb25:b750:24d4

Note that IPv4 and IPv6 are such separate networks that, for IPv6, the router has a separate DNS server address: 2001:fb0:100::207:49.

The same is true for hosting providers. For example, ISPs in my country do not support IPv6, but hosting providers in my country have supported IPv6 for a very long time (for example, I set up IPv6 for SuIP.biz back in 2016, and one rented VPS came with one free IPv4 address and 3 free IPv6 addresses).

You can look up websites with IPv6 support and check their DNS records: in addition to the AAAA record (the site's IPv6 address), there is also an A record (the site's IPv4 address).

So yes: if one computer (the client, or the first server) is connected only to an IPv4 network and the other (the server, or the second server) only to an IPv6 network, then there is simply no network route from the first to the second. In practice the problem does not arise, because practically all clients and servers support IPv4 and some also support IPv6, so every combination falls into one of the following cases:

  • client and server support IPv6 – IPv6 is used
  • client supports IPv6 and server does not support IPv6 – IPv4 is used
  • client does not support IPv6 and server supports IPv6 – IPv4 is used
  • client does not support IPv6 and server does not support IPv6 – IPv4 is used

However, an IPv6-enabled server can be isolated from the IPv4 network, which is described in the section “How to configure SSH to work with IPv6 only”.

In short: IPv4 and IPv6 are two different networks, even though they run on the same wires and on the same hardware.

If you are interested in the specific error: when you try to open an IPv6-only site from an IPv4-only client, you get “Network is unreachable”.

Another example of an error: if you try to run the following command from an IPv6-enabled network:

sudo nmap -6 suip.biz

then the host suip.biz will be scanned over IPv6.

If you run the same command from a network without IPv6 support, you get the error: “setup_target: failed to determine route to suip.biz (2a02:f680:1:1100::3d60)”.
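Added example, not from the original answer: a small POSIX shell script that tells you, on a Linux client, whether the “Network is unreachable” error above is to be expected. It reads the kernel's own view of IPv6: /proc/net/if_inet6 (one line per address; the scope column is 00 for global addresses, 20 for link-local fe80::, 10 for ::1) and /proc/net/ipv6_route (a usable default route is a destination of all zeros with prefix length 00 on a non-loopback device, with the UP flag set and the REJECT flag clear, which excludes the kernel's “unreachable ::/0” entry on lo). The file paths can be overridden through IF_INET6 and IPV6_ROUTE, which is how the example is tested against constructed copies of the tables; the script name ipv6-check.sh is an assumption.

```shell
#!/bin/sh
# Added example, not from the original article: does this Linux host have usable
# IPv6 egress, i.e. can it reach an IPv6-only server at all?
# Input files default to the kernel's tables; override them to test on saved copies.
set -u

IF_INET6="${IF_INET6:-/proc/net/if_inet6}"
IPV6_ROUTE="${IPV6_ROUTE:-/proc/net/ipv6_route}"

# awk helper shared by both parsers: hex string -> decimal (POSIX awk has no strtonum)
AWK_HEX2DEC='function hex2dec(h,  i, n) { n = 0; for (i = 1; i <= length(h); i++) n = n * 16 + index("0123456789abcdef", tolower(substr(h, i, 1))) - 1; return n }'

# global_ipv6_addrs <if_inet6-file>
# if_inet6 fields: address(32 hex) ifindex prefixlen(hex) scope(hex) flags ifname
# Prints "ifname addr/plen" for every global-scope (00) address.
global_ipv6_addrs() {
    [ -r "$1" ] || return 0
    awk "$AWK_HEX2DEC"'
        function fmt(a,  i, s) {   # 32 hex digits -> uncompressed colon notation
            s = ""
            for (i = 1; i <= 32; i += 4) s = s (i > 1 ? ":" : "") substr(a, i, 4)
            return s
        }
        $4 == "00" { printf "%s %s/%d\n", $6, fmt($1), hex2dec($3) }
    ' "$1"
}

# has_ipv6_default_route <ipv6_route-file>
# ipv6_route fields: dst dstlen src srclen nexthop metric refcnt use flags(hex) device
# Usable default route: dst ::/0 (all zeros, len 00), not on lo, RTF_UP (0x1) set,
# RTF_REJECT (0x200) clear. Prints the device and returns 0 if found, 1 otherwise.
has_ipv6_default_route() {
    [ -r "$1" ] || return 1
    awk "$AWK_HEX2DEC"'
        $1 == "00000000000000000000000000000000" && $2 == "00" && $10 != "lo" {
            f = hex2dec($9)
            if (f % 2 == 1 && int(f / 512) % 2 == 0) { print $10; found = 1 }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# ipv6_status: 0 = IPv6 egress present, 1 = no global address, 2 = address but no default route
ipv6_status() {
    addrs=$(global_ipv6_addrs "$IF_INET6")
    if [ -z "$addrs" ]; then
        echo "no global IPv6 address: connections to IPv6-only hosts will fail with 'Network is unreachable'"
        return 1
    fi
    if dev=$(has_ipv6_default_route "$IPV6_ROUTE"); then
        echo "IPv6 egress via $dev:"
        printf '%s\n' "$addrs"
        return 0
    fi
    echo "global IPv6 address present but no default route: IPv6-only hosts are still unreachable"
    return 2
}

case "${1:-}" in
    --check) ipv6_status ;;
esac
```

Run `sh ipv6-check.sh --check` on the client: exit status 0 means an IPv6-only server is reachable at the network layer; 1 or 2 means you will see the “Network is unreachable” error above no matter what the server does, and only the ISP or a tunnel can fix that.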

Script to connect and disconnect from OpenVPN depending on server availability

Task:

Branch subnets are connected via OpenVPN. All clients connect to the server, and routes to the Internet go through the OpenVPN server. Everything works, but there is a problem: if the OpenVPN server loses its Internet connection for some reason, all the branches also lose Internet access, because their traffic goes through the OpenVPN server rather than through their own gateway. Is there a way to write a script so that:

1. If there is no connection to the OpenVPN server, the routes are restored and work through the branch's own gateway.

2. Every 2-3 minutes the client tries to connect to the OpenVPN server.

3. When the connection is restored, the routes are set through the OpenVPN server again.

Solution:

In principle, it is quite possible to write a script in Bash (for Linux) or PowerShell (for Windows) that pings the OpenVPN server and, if the server is online, connects to it (or does nothing if the connection already exists); if the OpenVPN server is offline, it disconnects (or does nothing if there is no connection). On Linux, such a script can be run regularly with systemd timers or cron; on Windows, with the Task Scheduler.

But, IMHO, this is a fundamentally wrong approach. One should strive to ensure that the OpenVPN server is always online. After all, users connect to it because it is needed for their work, right? And if so, then when users are disconnected from OpenVPN, connections to local resources will fail.

And nevertheless, here are examples of scripts.

For Windows, the script is written in PowerShell. Create a file vpn.ps1 and copy the following into it (replace the IP address of the OpenVPN server and the path to the configuration file with yours):

# OpenVPN server IP address
$openvpnIP = '185.117.153.79'
# path to the client configuration file for this OpenVPN server
$openvpnFILE = 'C:\Users\MiAl\client1.ovpn'
$openvpnEXE = 'C:\Program Files\OpenVPN\bin\openvpn.exe'

# Requires PowerShell 7 (pwsh): -TargetName, -IPv4 and -TimeoutSeconds do not exist in Windows PowerShell 5.1
$serverUp = Test-Connection -TargetName $openvpnIP -IPv4 -Count 1 -Quiet -TimeoutSeconds 1
# running openvpn processes, if any (no error when there are none)
$openvpnProc = Get-Process -Name openvpn -ErrorAction SilentlyContinue

if ($serverUp)
{
	'OpenVPN server is up'
	if ($openvpnProc)
	{
		'OpenVPN connection is active. Nothing to do'
	}
	else
	{
		Write-Warning 'No OpenVPN connections, trying to connect...'
		# Start-Process detaches openvpn.exe so it keeps running after this script exits
		# (a background job started with "&" is terminated together with the script)
		Start-Process -FilePath $openvpnEXE -ArgumentList '--config', "`"$openvpnFILE`"" -WindowStyle Hidden
	}
}
else
{
	Write-Warning 'OpenVPN server is down'
	if ($openvpnProc)
	{
		'OpenVPN connection is active, let us kill it'
		# stop every openvpn process; the tunnel adapter goes down and traffic returns to the local gateway
		$openvpnProc | Stop-Process
	}
	else
	{
		Write-Warning 'No OpenVPN connections. Nothing to do'
	}
}

Check like this:

.\vpn.ps1

The OpenVPN server is online, so the script connects to it and does nothing on subsequent checks. Checking the client's external IP shows that Internet access really goes through OpenVPN:

When the OpenVPN server is offline, the script disconnects from it. On subsequent checks the script does nothing until the server is available again; when it is, the connection is re-established.

Use Windows Task Scheduler to run the script every 2-3 minutes. Since the script uses PowerShell 7 cmdlet parameters, start it with pwsh (and put -File last, because everything after it is passed to the script):

pwsh -WindowStyle Hidden -File "C:\full\path\to\vpn.ps1"

In the task properties, select “Run whether user is logged on or not” (otherwise a console window will pop up on every run) and “Run with highest privileges”, because openvpn.exe needs administrator rights to bring up the adapter and add routes.

Sample script for Linux: create a file vpn.sh and copy the following into it (again, replace the server IP address and the configuration path with yours):

#!/bin/bash

# OpenVPN server IP address
openvpnIP='185.117.153.79'
# path to the client configuration file for this OpenVPN server
openvpnFILE='/home/mial/bin/OpenVPNassistent-конфигурации/configs/client1.ovpn'

# PIDs of running openvpn processes (empty if none); -x matches the exact process name
isOpenVPNActive=$(pgrep -x openvpn)

# one ping, wait at most 1 second for the reply
if timeout 1 ping -c 1 "$openvpnIP" > /dev/null 2>&1; then
	echo 'OpenVPN server is up'
	if [ -z "$isOpenVPNActive" ]; then
		echo 'No OpenVPN connections, trying to connect.'
		# --daemon detaches openvpn so it survives after this script (and its cron job) exits;
		# --cd makes relative paths in the .ovpn file (ca, cert, key) resolve as when run by hand
		openvpn --daemon --cd "$(dirname "$openvpnFILE")" --config "$openvpnFILE"
	else
		echo 'OpenVPN connection is active. Nothing to do'
	fi
else
	echo 'OpenVPN server is down'
	if [ -z "$isOpenVPNActive" ]; then
		echo 'No OpenVPN connections. Nothing to do.'
	else
		echo 'OpenVPN connection is active, let us kill it.'
		# SIGTERM lets openvpn remove the routes it added, so traffic goes back through the local gateway;
		# unquoted on purpose: pgrep may return several PIDs, one per line
		kill $isOpenVPNActive
	fi
fi

Run like this:

sudo bash vpn.sh

The OpenVPN server is online, so the script connects to it and does nothing on subsequent checks. Checking the client's external IP shows that Internet access really goes through OpenVPN. When the OpenVPN server is offline, the script disconnects from it; on subsequent checks it does nothing until the server is available again, and when it is, the connection is re-established.

To run it regularly, add a cron entry (for example every 2 minutes). If you prefer a systemd timer, keep in mind that when a Type=oneshot service's command exits, systemd stops the unit and kills the processes left in its cgroup, so a backgrounded openvpn started by the script would not survive; in that case start the tunnel as its own unit instead of spawning it from the script.
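Added example, not from the original article: the same decision logic driven by systemd rather than by a backgrounded process. The tunnel is started and stopped as its own unit, openvpn-client@<name>.service (the template shipped with OpenVPN 2.4+, which reads /etc/openvpn/client/<name>.conf), so nothing forked by the check script has to outlive it, and the script also installs a service plus timer that run the check every 2 minutes. The unit name openvpn-client@client1, the script location /usr/local/sbin/vpn-check.sh and the server address are assumptions to adjust.

```shell
#!/bin/sh
# Added example, not from the original article: vpn-check.sh
# Start the OpenVPN client unit when the server is reachable, stop it when it is not,
# so that branch traffic falls back to the local gateway. Meant to run from a systemd timer.
set -u

OPENVPN_IP="${OPENVPN_IP:-185.117.153.79}"                      # OpenVPN server public IP (assumed)
VPN_UNIT="${VPN_UNIT:-openvpn-client@client1.service}"          # uses /etc/openvpn/client/client1.conf (assumed)

# decide <server_reachable:0|1> <tunnel_active:0|1>  ->  start | stop | none
decide() {
    if [ "$1" = 1 ] && [ "$2" = 0 ]; then echo start
    elif [ "$1" = 0 ] && [ "$2" = 1 ]; then echo stop
    else echo none
    fi
}

# one check: ping the server (1 s), look at the unit state, act on the decision
check_once() {
    if ping -c 1 -W 1 "$OPENVPN_IP" >/dev/null 2>&1; then reachable=1; else reachable=0; fi
    if systemctl is-active --quiet "$VPN_UNIT"; then active=1; else active=0; fi
    action=$(decide "$reachable" "$active")
    case "$action" in
        start) echo "server up, tunnel down: starting $VPN_UNIT"; systemctl start "$VPN_UNIT" ;;
        stop)  echo "server down, tunnel up: stopping $VPN_UNIT (traffic falls back to the local gateway)"
               systemctl stop "$VPN_UNIT" ;;
        none)  echo "nothing to do (reachable=$reachable active=$active)" ;;
    esac
}

# write_units <dir> <path-to-this-script>: oneshot service + timer running check_once every 2 minutes
write_units() {
    mkdir -p "$1"
    cat > "$1/vpn-check.service" <<EOF
[Unit]
Description=Start or stop the OpenVPN client depending on server reachability
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
ExecStart=/bin/sh $2 check
EOF
    cat > "$1/vpn-check.timer" <<EOF
[Unit]
Description=Run vpn-check every 2 minutes

[Timer]
OnBootSec=1min
OnUnitActiveSec=2min

[Install]
WantedBy=timers.target
EOF
}

case "${1:-}" in
    check)   check_once ;;
    install) write_units /etc/systemd/system "$(readlink -f "$0")"
             systemctl daemon-reload && systemctl enable --now vpn-check.timer ;;
esac
```

Install with `sudo sh /usr/local/sbin/vpn-check.sh install`; `systemctl list-timers vpn-check.timer` shows the next run and `journalctl -u vpn-check.service` the decisions taken. Stopping the tunnel on purpose is a fail-open choice: while the server is down, the branch's traffic leaves through its own gateway unprotected, which is exactly what the task asked for, but worth stating in the change record.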


How to manage VPN Settings in GNOME 3

A popular example of a Linux distribution using GNOME 3 is Ubuntu.

Install NetworkManager VPN plugin for OpenVPN

For the menu item shown in this manual to appear in NetworkManager, the NetworkManager VPN plugin for OpenVPN must be installed.

Some distributions install it by default. If you do not have it, run one of the following commands:

  • Installation on Debian and derivative distributions (Linux Mint, Ubuntu, Kali Linux and others):
sudo apt install network-manager-openvpn-gnome
  • Installation on Arch Linux and derivative distributions (Manjaro, BlackArch and others):
sudo pacman -S networkmanager-openvpn

For the change to take effect (so that NetworkManager starts using the installed plugin), restart the NetworkManager service:

sudo systemctl restart NetworkManager

How to add OpenVPN connection settings to GNOME 3

To add an OpenVPN connection, click on the network connection icon and expand the connections section.

Select “Wired Settings”:

You will find yourself in the system settings. On the “Network” tab you can add a new VPN connection or manage existing ones. Click the plus sign (+) to add a new one.

You can enter the data manually, or import the OpenVPN connection settings from the .ovpn file.

With manual configuration, you do not need to change anything in the “IPv4” and “IPv6” tabs. Some of the settings are on the “Identity” tab; to access the others, click the “Advanced” button:

How to connect to OpenVPN on GNOME 3

You can enable OpenVPN connection by clicking on the network connections button, then selecting the desired VPN connection.

You can also go to Network Settings and enable the selected OpenVPN connection there.

How to change OpenVPN connection settings in GNOME 3

To edit VPN connections, click on the network connections button, then expand the VPN list and select “VPN Settings”.

Select the connection you want to change and press the gear.

How to remove OpenVPN connection in GNOME 3

To remove an OpenVPN connection, go to its settings, as shown just above, and click the “Remove VPN” button.

How to manage VPN Settings in Xfce

Popular distributions with Xfce include Kali Linux and Xubuntu.

In Xfce, networks are managed in the “Network Connections” window.

Install NetworkManager VPN plugin for OpenVPN

For the menu item shown in this manual to appear in NetworkManager, the NetworkManager VPN plugin for OpenVPN must be installed.

Some distributions install it by default. If you do not have it, run one of the following commands:

  • Installation on Debian and derivative distributions (Linux Mint, Ubuntu, Kali Linux and others):
sudo apt install network-manager-openvpn-gnome
  • Installation on Arch Linux and derivative distributions (Manjaro, BlackArch and others):
sudo pacman -S networkmanager-openvpn

For the change to take effect (so that NetworkManager starts using the installed plugin), restart the NetworkManager service:

sudo systemctl restart NetworkManager

How to add OpenVPN connection settings to Xfce

There are two ways to add a new OpenVPN connection:

1) Right-click on the network connection icon and select “Edit Connections”:

In the Network Connections, click the plus sign (+).

2) Or left-click on the network connection icon and select “VPN Connections”→ “Add a VPN Connection”.

Select your preferred VPN connection type.

To import a VPN connection from a file, select “Import a saved VPN configuration”.

Click the “Create” button and specify the settings file.

With manual configuration, you do not need to change anything on the “General”, “Proxy”, “IPv4 Settings” and “IPv6 Settings” tabs. Some of the settings are on the “VPN” tab; to access the others, click the “Advanced” button.

How to connect to OpenVPN in Xfce

To connect to OpenVPN, left-click on the network connection icon and select “VPN Connections” and then select the desired connection.

If the connection is successful, a check mark will appear next to the VPN connection name.

How to change or remove OpenVPN connection settings in Xfce

To add, change or remove VPN connections, open Network Connections: right-click the network connection icon and select “Edit Connections”.

How to manage VPN Settings in Cinnamon

The Cinnamon desktop environment is primarily characteristic of Linux Mint.

Install NetworkManager VPN plugin for OpenVPN

For the menu item shown in this manual to appear in NetworkManager, the NetworkManager VPN plugin for OpenVPN must be installed.

Some distributions install it by default. If you do not have it, run one of the following commands:

  • Installation on Debian and derivative distributions (Linux Mint, Ubuntu, Kali Linux and others):
sudo apt install network-manager-openvpn-gnome
  • Installation on Arch Linux and derivative distributions (Manjaro, BlackArch and others):
sudo pacman -S networkmanager-openvpn

For the change to take effect (so that NetworkManager starts using the installed plugin), restart the NetworkManager service:

sudo systemctl restart NetworkManager

Network Connections and Network Settings in Cinnamon

When you click the network connection icon (its appearance depends on whether you use a wired or wireless connection), two options for managing networks are available:

  • Network Settings – provided by Cinnamon (therefore present only in this desktop environment)
  • Network Connections – provided by NetworkManager (therefore present in any distribution with NetworkManager)

In general, these settings allow you to do the same things: add, edit and remove network connections.

Network Settings contains a list of Wi-Fi networks available for connection, as well as lists of OpenVPN connections, proxies and wired connections. In Network Settings you can activate a particular network connection.

Network Connections does not show Wi-Fi networks available for connection, but it stores the settings of the networks to which the computer has ever connected.

Managing OpenVPN Connections in Network Settings

To remove an OpenVPN connection, select it and click the minus sign (-).

The connection is deleted without confirmation.

Click the plus sign (+) to add an OpenVPN connection.

You will be presented with 2 options:

  • OpenVPN (compatible with the OpenVPN server) – you will need to enter the settings manually and specify the certificate files
  • Import from file – import settings from an .ovpn file

With manual configuration, you do not need to change anything in the “IPv4” and “IPv6” tabs. Some of the settings are on the “Identity” tab; to access the others, click the “Advanced” button:

To edit an OpenVPN connection, select it and click the gear icon.

Some of the settings are located on the “Identity” tab.

To access other settings, click the “Advanced” button.

Managing OpenVPN Connections in Network Connections

To remove an OpenVPN connection, select it and click the minus sign (-).

Click the plus sign (+) to add an OpenVPN connection.

The drop-down list offers many options; two of them relate to OpenVPN:

  • OpenVPN – you will need to enter the settings manually and specify the certificate files
  • Import a saved VPN configuration

With manual configuration, you do not need to change anything on the “General”, “Proxy”, “IPv4 Settings” and “IPv6 Settings” tabs. Some of the settings are on the “VPN” tab; to access the others, click the “Advanced” button.

To edit an OpenVPN connection, select it and click the gear icon.

Connecting to OpenVPN server

You can add several OpenVPN connections and enable any of them as needed. You can enable them from the main NetworkManager panel by clicking the selected connection:

You can also enable VPN connections in Network Settings, to do this, select the desired VPN connection and click the switch:

Simultaneous use of multiple OpenVPNs on one server

You can run several OpenVPN server processes on the same machine at the same time; they listen on different ports and provide separate virtual private networks that do not overlap.

Running multiple instances is supported out of the box, but some additional configuration is needed.

1. OpenVPN services must use different ports

Every OpenVPN instance must use a free port. Remember that the same port number over UDP and over TCP are two different ports, so you can use the same number in two instances provided that one listens on UDP and the other on TCP.

If two OpenVPN instances use the same port, the one started first works without error, while the second fails to start with the error “TCP/UDP: Socket bind failed on local address [AF_INET][undef]:…: Address already in use (errno=98)”, for example:

2021-11-02 09:26:50 us=736094 TCP/UDP: Socket bind failed on local address [AF_INET][undef]:53: Address already in use (errno=98)
2021-11-02 09:26:50 us=736216 Exiting due to fatal error

2. Range of addresses of the virtual private network

By default, the range of IP addresses for the virtual private network is specified in the server configuration file, for example:

server 10.8.0.0 255.255.255.0

Additional instances of the OpenVPN service must use different ranges. For example, for the second service, you can specify the following range:

server 10.8.1.0 255.255.255.0

For the third instance, specify the following range, and so on:

server 10.8.2.0 255.255.255.0

3. Traffic routing for all virtual private networks

The section “Enable traffic routing on the OpenVPN server” shows how to enable NAT for VPN traffic so that clients can reach the Internet. The example in that section configures NAT only for the 10.8.0.0/24 subnet. Since the additional OpenVPN instances use other subnets (for example, 10.8.1.0/24), you must configure NAT for each of these networks as well so that their clients can reach the Internet.

An example of the original contents of the /root/bin/vpn_route.sh file:

#!/bin/sh

# name of the external interface; leave it empty and the script picks the default route's interface
#DEV='eth0'
DEV='ens3'
PRIVATE=10.8.0.0/24
 
if [ -z "$DEV" ]; then
	DEV="$(ip route | grep default | head -n 1 | awk '{print $5}')"
fi
# Enable forwarding so that packets arriving on the tunnel interface
# can be passed on to the external interface
sysctl net.ipv4.ip_forward=1
# Make sure iptables does not block the forwarded traffic:
iptables -I FORWARD -j ACCEPT
# Network Address Translation (NAT) for packets coming from the tunnel.
# With forwarding alone, packets leave with their original source address,
# in our case 10.8.0.*. Such packets are either dropped at the ISP gateway or,
# even if they reach the destination, the reply never finds its way back:
# these private addresses are not routed on the Internet.
#
# The solution is NAT of the outgoing traffic, i.e. replacing the private
# 10.8.0.* address with the public IP address of the VPN server.
# Replies then reach the VPN server, which sends them back into the tunnel.
iptables -t nat -I POSTROUTING -s $PRIVATE -o $DEV -j MASQUERADE

The /root/bin/vpn_route.sh file with NAT added for the 10.8.1.0/24 and 10.8.2.0/24 subnets. Every rule is checked with -C before it is inserted, so the script can be re-run (for example at boot) without piling up duplicate rules, and the FORWARD rules are limited to tunnel-to-Internet traffic and its replies instead of accepting all forwarding:

#!/bin/sh
 
# external interface; leave it empty and the script picks the default route's interface
DEV='ens3'
# one subnet per OpenVPN instance (the "server" line of each configuration file)
PRIVATE_NETS='10.8.0.0/24 10.8.1.0/24 10.8.2.0/24'
 
if [ -z "$DEV" ]; then
	DEV="$(ip route | grep default | head -n 1 | awk '{print $5}')"
fi

sysctl net.ipv4.ip_forward=1

# forward tunnel traffic (tun+ matches tun0, tun1, ...) to the Internet and let the replies back in
iptables -C FORWARD -i tun+ -o "$DEV" -j ACCEPT 2>/dev/null || iptables -I FORWARD -i tun+ -o "$DEV" -j ACCEPT
iptables -C FORWARD -i "$DEV" -o tun+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || iptables -I FORWARD -i "$DEV" -o tun+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# NAT each VPN subnet to the server's public address
for NET in $PRIVATE_NETS; do
	iptables -t nat -C POSTROUTING -s "$NET" -o "$DEV" -j MASQUERADE 2>/dev/null || iptables -t nat -I POSTROUTING -s "$NET" -o "$DEV" -j MASQUERADE
done

To check the NAT rules (with packet counters, so you can see which subnets are actually being translated), run:

iptables -t nat -L POSTROUTING -n -v

4. Configuring local static addresses

If you used the section “How to make static IPs for OpenVPN clients” and added entries like “ifconfig-push 10.8.0.10 255.255.255.0” to the file /etc/openvpn/ccd/client1, remember that the second and subsequent OpenVPN instances use different VPN IP ranges: either point each instance at its own client-config-dir, or use different client names for the clients of each network, so that a client is never pushed an address from another instance's range.

5. Starting and adding the second and subsequent OpenVPN services to startup

Note that with systemctl you can use a unit name like

openvpn-server@<configuration>.service

where <configuration> is the name of a configuration file in the /etc/openvpn/server/ directory, without the .conf extension.

For example, if the configuration file of the second OpenVPN instance is /etc/openvpn/server/server-tcp.conf, the command to start the service is:

sudo systemctl start openvpn-server@server-tcp.service

Checking the status of the service with the server-tcp.conf configuration file:

systemctl status openvpn-server@server-tcp.service

View OpenVPN service errors with server-tcp.conf config file:

journalctl -xeu openvpn-server@server-tcp.service

Add service to startup:

sudo systemctl enable openvpn-server@server-tcp.service


Comparison of performance (data transfer rate) of OpenVPN over UDP and TCP

The previous article showed how to use OpenVPN over TCP instead of the default UDP. It is also known that TCP is not recommended: because of the overhead of the TCP transport (acknowledgements and retransmissions, which also interact badly with the TCP connections tunnelled inside it), less of the channel is left for payload. But how exactly does switching from UDP to TCP affect the throughput of an OpenVPN connection, that is, the speed of receiving and sending data? This article answers that question.

My internet connection speed without using OpenVPN:

My internet connection speed using OpenVPN over UDP:

My internet connection speed using OpenVPN over TCP:

As you can see, the speed loss when moving from UDP to TCP is quite significant. The difference between no OpenVPN and OpenVPN over UDP is negligible: in both cases the speed is practically limited by the maximum bandwidth of my connection.


How to use OpenVPN with TCP protocol

By default OpenVPN uses UDP, and that is the officially recommended protocol. However, OpenVPN also works fine over TCP, and you can use it if needed. TCP has more overhead: part of the transmitted data carries no payload and is needed only for TCP itself, which tracks the delivery and ordering of the transmitted segments.

In my case, the need to add TCP support arose because with some ISPs OpenVPN over UDP could not connect due to an error (the error will be discussed later), while over TCP it worked fine.

To configure OpenVPN to work with TCP, you need to know the following points:

1. The protocol must be specified explicitly

In the settings of the configuration files, instead of the line

;proto tcp

use on the server the line

proto tcp-server

and on the client the line

proto tcp-client

For reference: the UDP protocol is specified the same way on both the server and the client:

proto udp

2. The TCP protocol must be specified in the configuration files of both the server and the client

Protocol settings are not pushed from the server, so they must be specified explicitly not only on the server but also in every client's configuration file.

3. Do not use the explicit-exit-notify option

In the server config file, do not use this setting (simply remove the line):

explicit-exit-notify 1

Otherwise, you will encounter the error:

Options error: --explicit-exit-notify can only be used with --proto udp

4. The port must be free

This applies equally to how OpenVPN works with UDP and TCP: the selected port must be free, otherwise you will encounter the error “TCP/UDP: Socket bind failed on local address [AF_INET][undef]:…: Address already in use (errno=98)”, for example:

2021-11-02 09:26:50 us=736094 TCP/UDP: Socket bind failed on local address [AF_INET][undef]:53: Address already in use (errno=98)
2021-11-02 09:26:50 us=736216 Exiting due to fatal error


How to change configuration files when migrating from OpenVPN 2.4.* to OpenVPN 2.5.*

As of autumn 2021, OpenVPN has been on the new major branch 2.5.* for almost a year. If you were slow to update, the new branch can now be considered time-tested. However, when upgrading from the 2.4 branch you may need to adjust your configuration files.

1. In the server and client configuration files, replace the line

cipher AES-256-CBC

with

data-ciphers AES-256-GCM:AES-128-GCM

If some clients are still on 2.4 and cannot negotiate a cipher from this list, add data-ciphers-fallback AES-256-CBC on the server so that they keep working during the transition.

2. If you are using the TCP protocol (which is not recommended), then instead of the line

;proto tcp

use the line on the server

proto tcp-server

and the line on the client

proto tcp-client

The UDP protocol is the same on the server and on the client:

proto udp

3. When configuring static IP addresses within a virtual private network, the following entry is now used:

ifconfig-push client_IP SUBNET_MASK

for example:

ifconfig-push 10.8.0.10 255.255.255.0

See the section “How to make static IPs for OpenVPN clients” for details.


How to configure Squid proxy to work with multiple users

For example, the task is to set up Squid for several users, each of whom receives as proxy settings an IP address (the same for all) and a port number (individual for each user). Users also have individual usernames and passwords. The server has several external IP addresses (IPv6 in this case), and each user must go out through their own individual address.

Let's say at the input we have 127.0.0.1:1000:test1:pass1, and at the output 2a02:f680:1:1100::3d60.

And at the input 127.0.0.1:1001:test2:pass2 and at the output 2a02:f680:1:1100::3d61.

Solution:

We start by filling in user credentials (see also “How to configure HTTP Digest Authentication in Squid”):

sudo htpasswd -c /etc/squid/passwd test1
sudo htpasswd /etc/squid/passwd test2

In the following config file, you need to:

  • replace the usernames with your own
  • set the desired ports
  • set the desired IPv6 or IPv4 addresses, both for listening and as outgoing addresses
  • duplicate the corresponding entries (port, outgoing address, acl and http_access lines) for each user

Keep in mind that Basic authentication sends the password base64-encoded, i.e. effectively in cleartext, with every request; if the proxy is reached over untrusted networks, use the Digest scheme from the section referenced above instead.

Content of my /etc/squid/squid.conf file:

# Authentication settings
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive on
auth_param basic realm Squid proxy for HackWare.ru
 
# Listening ports (one per user)
http_port 185.117.153.79:1000
http_port 185.117.153.79:1001
 
# For each port, create an acl of the localport type
acl portA localport 1000
acl portB localport 1001
 
# Link ports to outgoing IP addresses
tcp_outgoing_address 2a02:f680:1:1100::3d60 portA
tcp_outgoing_address 2a02:f680:1:1100::3d61 portB

# For each user, create an acl of the proxy_auth type
acl test1_user proxy_auth test1
acl test2_user proxy_auth test2

# Allow access only for the two user/port pairs:
# user test1 on port 1000
# user test2 on port 1001
http_access allow test1_user portA
http_access allow test2_user portB

# Deny everything else explicitly (a user on another user's port, or no credentials)
# rather than relying on Squid's implicit default
http_access deny all
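Added example, not from the original article: a shell generator for the per-user Squid stanzas, so that adding a user means adding one line to a table instead of hand-copying five directives and keeping the acl names consistent. Each line of the users file is “<username> <listen_port> <outgoing_address>”; the listening address, password-file path and realm default to the values used above and can be overridden through the LISTEN_IP, PASSWD_FILE and REALM environment variables. The generated configuration ends with an explicit http_access deny all. The file names (users, squid-users.sh) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: squid-users.sh
# Generate squid.conf stanzas (and the htpasswd commands) for N users, each with
# an individual listening port and outgoing address, from a table.
set -eu

LISTEN_IP="${LISTEN_IP:-185.117.153.79}"        # address the proxy ports listen on
PASSWD_FILE="${PASSWD_FILE:-/etc/squid/passwd}"  # basic_ncsa_auth password file
REALM="${REALM:-Squid proxy}"

# authentication settings shared by all users
squid_header() {
    cat <<EOF
# Authentication settings
auth_param basic program /usr/lib64/squid/basic_ncsa_auth $PASSWD_FILE
auth_param basic children 5
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive on
auth_param basic realm $REALM
EOF
}

# squid_user_stanza <user> <port> <outgoing-address>
# own listening port, own outgoing address, access only for that user on that port
squid_user_stanza() {
    user=$1 port=$2 out=$3
    cat <<EOF

# user $user: listen on $LISTEN_IP:$port, go out from $out
http_port $LISTEN_IP:$port
acl port_$user localport $port
acl user_$user proxy_auth $user
tcp_outgoing_address $out port_$user
http_access allow user_$user port_$user
EOF
}

# squid_config <users-file>  ->  complete configuration on stdout
squid_config() {
    squid_header
    while read -r user port out; do
        case "$user" in ''|'#'*) continue ;; esac   # skip blank and comment lines
        squid_user_stanza "$user" "$port" "$out"
    done < "$1"
    printf '\n# anything not matched above (another user'\''s port, no credentials) is denied\nhttp_access deny all\n'
}

# htpasswd_commands <users-file>  ->  commands that create the password file
htpasswd_commands() {
    first=1
    while read -r user port out; do
        case "$user" in ''|'#'*) continue ;; esac
        if [ "$first" = 1 ]; then echo "htpasswd -c $PASSWD_FILE $user"; first=0
        else echo "htpasswd $PASSWD_FILE $user"; fi
    done < "$1"
}

case "${1:-}" in
    config)   squid_config "$2" ;;
    htpasswd) htpasswd_commands "$2" ;;
esac
```

Typical use: `sh squid-users.sh htpasswd users` prints the commands to run (the first one with -c, which creates the file), `sh squid-users.sh config users > /etc/squid/squid.conf` writes the configuration, and `squid -k parse` checks it before a reload. Because the acl names are derived from the username, a mismatch between a port and its user cannot creep in while copying.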
