Re: Subject: Enabling VPN on R7000 using IPv6

elBlocco
Aspirant

Enabling VPN on R7000 using IPv6

Hello Community,

According to the FAQ, VPN should work with the R7000 with IPv6.

From https://kb.netgear.com/23794/R7000-FAQs:

"Should the VPN feature still work if I have IPv6 connection?
It should work as long as it is a static IP address. Make sure that the WAN IP is accessible from the Internet, whether it is IPv4 or IPv6."

But I'm missing any information on how to get this running.

Because of carrier NAT I do not have a public IPv4 address, only IPv6.

At the moment VPN (IPv4) with a Windows client in my LAN seems to work, but using an Android client fails. IPv6 doesn't work with either client, no matter whether in the LAN or from the Internet...

Searching for help...

Thanks in advance,

el Blocco

Model: R7000|AC1900 Smart WIFI Router
Message 1 of 6

elBlocco
Aspirant

Subject: Enabling VPN on R7000 using IPv6

Is nobody able to help me?

I have now installed my second R7000 as a second router in my LAN to get a better test suite.

- VPN service enabled with defaults (TUN: UDP, 12973, TAP: UDP, 12974)
- Downloaded the configuration files for Windows

=> Works fine with IPv4 (from my internal network to the second one)

- Tried to enable IPv6 on the second router...
- ...but which configuration should I use?
- Automatic detection leads to "Pass Through", but do I get an IPv6 address for the router in this case?
- "Auto Config" with the IP of the primary router as DNS server seems to work, at least I get an IPv6 address on WAN.
- And I am able to ping that address from my LAN (outside of my second router).
- But the VPN connection fails with
  - TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
  - TLS Error: TLS handshake failed

This is my current configuration for the Windows client (client.ovpn):

    client
    dev tap
    tun-ipv6
    proto udp6
    redirect-gateway ipv6
    dev-node NETGEAR-VPN
    remote 2a00:6020:... 12974
    ...

I'm not familiar with OpenVPN or IPv6 at the moment, but I'm willing to learn :).

So I'm looking forward to your assistance.

Best regards

Model: R7000|AC1900 Smart WIFI Router
Message 2 of 6
DarrenM
Sr. NETGEAR Moderator

Re: Subject: Enabling VPN on R7000 using IPv6

I was able to find a guide on how to set up OpenVPN; this may help you.

https://www.smallnetbuilder.com/other/security/security-howto/32542-setting-up-and-using-openvpn-on-...

DarrenM

Message 3 of 6
elBlocco
Aspirant

Re: Subject: Enabling VPN on R7000 using IPv6

Hello Darren,

thank you very much for the reply. I checked it out...

I built up a similar test environment:

- Router 1: 192.168.1.X
- Router 2: 10.0.0.X
- Client connected to router1 tries to connect to router2 by VPN.

This works pretty straightforwardly with IPv4, but my internet provider doesn't provide a public IPv4 address. So, as far as I understand, I have to use IPv6 to connect by VPN.

And this still doesn't work :(.

I was able to enable telnet by downgrading the firmware to 1.0.9.42. So I could check the configuration of the router:

- There are two OpenVPN services running:
  - /usr/local/sbin/openvpn /tmp/server_tap.conf (for Windows clients?)
  - /usr/local/sbin/openvpn /tmp/server_tun.conf (for smartphone clients?)

Here's the content of server_tap.conf:

    dh /tmp/openvpn/dh1024.pem
    ca /tmp/openvpn/ca.crt
    cert /tmp/openvpn/server.crt
    key /tmp/openvpn/server.key
    dev tap
    server-bridge
    proto udp
    port 12974
    keepalive 10 120
    verb 5
    mute 5
    log-append /tmp/openvpn_log_tap
    status /tmp/openvpn-status_tap.log
    writepid /tmp/openvpnd_tap.pid
    mtu-disc yes
    topology subnet
    script-security 2
    cipher AES-128-CBC
    auth sha1
    tls-server
    client-to-client
    duplicate-cn
    comp-lzo
    fast-io
    push "route 10.0.0.0 255.255.255.0"
    push "route-delay 5"

 

As far as I can see, at least two settings for IPv6 are missing:

    server-ipv6 2a03:4000:6:11cd:bbbb::/112
    push "route-ipv6 2000::/3 2a03:4000:6:11cd:bbbb::1 1"

I searched in this forum and found that in 2016 Netgear didn't support IPv6 at all:

https://community.netgear.com/t5/Nighthawk-WiFi-Routers/Need-help-setting-up-VPN-on-Nighthawk-R7000-...

But then I found the FAQ where IPv6 is mentioned as possible:

https://kb.netgear.com/23794/R7000-FAQs

So I had hope that this has changed in the last 3 years...

I expect I have to investigate OpenVPN configuration files in more detail, now...

Any hints or information on this topic are welcome :).

Best regards,

el Blocco

Model: R7000|AC1900 Smart WIFI Router
Message 4 of 6
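
Two separate questions are in play in the post above: whether the server can be reached over IPv6 at all (the `proto` line, plus an open port in the router's IPv6 firewall) and whether IPv6 is carried inside the tunnel (`server-ipv6`, `push "route-ipv6 ..."`). The following is an added example, not part of the original post or of NETGEAR's firmware, that audits an OpenVPN server config for both and also flags three hardening-relevant settings visible in the quoted file; the function names and finding categories are assumptions of this example.

```python
import re
import shlex

# Constructed sample: selected lines of the server_tap.conf quoted in the post.
SAMPLE_CONF = """\
dh /tmp/openvpn/dh1024.pem
dev tap
server-bridge
proto udp
port 12974
duplicate-cn
comp-lzo
push "route 10.0.0.0 255.255.255.0"
"""

def parse(conf_text):
    """Tokenise an OpenVPN config into directives, skipping '#' and ';' comments."""
    rows = []
    for line in conf_text.splitlines():
        if not line.lstrip().startswith(";"):
            tokens = shlex.split(line, comments=True)
            if tokens:
                rows.append(tokens)
    return rows

def audit(conf_text):
    """Return (category, message) findings; the categories are this example's own."""
    rows = parse(conf_text)
    opts = {r[0]: r[1:] for r in rows}
    pushed = {r[1].split()[0] for r in rows if r[0] == "push" and len(r) > 1 and r[1].split()}
    out = []
    proto = (opts.get("proto") or ["udp"])[0]  # OpenVPN defaults to udp
    if "6" not in proto:
        out.append(("transport", f"proto {proto}: no IPv6 listener requested (udp6/tcp6-server)"))
    if "server-ipv6" not in opts:
        out.append(("tunnel", "no server-ipv6: OpenVPN assigns no IPv6 addresses in the tunnel"))
    if "route-ipv6" not in pushed:
        out.append(("tunnel", "no pushed route-ipv6: clients receive no IPv6 routes"))
    bits = re.search(r"dh(\d+)", (opts.get("dh") or [""])[0])  # size guessed from file name
    if bits and int(bits.group(1)) < 2048:
        out.append(("hardening", f"{bits.group(1)}-bit Diffie-Hellman parameters"))
    for flag, why in (("comp-lzo", "compression on the VPN channel"),
                      ("duplicate-cn", "one certificate accepted from many concurrent clients")):
        if flag in opts:
            out.append(("hardening", f"{flag}: {why}"))
    return out

if __name__ == "__main__":
    for category, message in audit(SAMPLE_CONF):
        print(f"{category:9} {message}")
```

For a client that can only reach the router over IPv6, the `transport` finding is the blocking one; the `tunnel` findings only affect what traffic is carried once a connection exists.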
elBlocco
Aspirant

Re: Subject: Enabling VPN on R7000 using IPv6

Hello,

it took a while to establish a working test environment, because the Nighthawk only gets a /64 prefix when working with IPv6 as DHCP (auto detect). A Fritzbox, e.g., gets a /56 prefix, which enables me to build up subnets in an easy way. Does anybody know how to get a /56 prefix with the R7000, too?

But now it seems I have noticed the problem; it seems to me like an error in the firmware:

When enabling VPN and activating IPv6, the VPN ports are not opened, so I'm not able to connect via IPv6.

On the other hand, when I activate the remote control on the router, port 8443 (default) is opened for IPv4 and IPv6.

This works for both, IPv4 and IPv6.

Does anybody know how to open the VPN ports for IPv6, too?

Otherwise I will not be able to use VPN on my R7000 :(...

Thanks in advance and best regards,

el Blocco

Model: R7000|AC1900 Smart WIFI Router
Message 5 of 6
elBlocco
Aspirant

Re: Subject: Enabling VPN on R7000 using IPv6

Hello,

because I wasn't able to get VPN (with IPv6) running with Genie, I decided, after reading much about the alternatives, to install FreshTomato.

Now VPN is working like a charm; the only issue that still exists is that I do not get a /56 prefix, either. But I hope I can fix this, too.

Best regards,

el Blocco

Message 6 of 6