×

Introducing the Orbi 970 Series Mesh System with WiFi 7(BE) technology. For more information visit the NETGEAR Press Room.

Start a New Discussion

Start a New Discussion

Orbi WiFi 7 RBE973
Reply

Orbi50 IPv6 OpenVPN accessible?

thel1th
Aspirant
Aspirant
‎2023-02-01 05:43 AM
‎2023-02-01 05:43 AM

Orbi50 IPv6 OpenVPN accessible?

Dear community,

 

since I have a new fiber broadband access to the internet I did not try to use my OpenVPN from the Orbi anymore, because the new ISP only provides my router an IPv6 adresses with a dual stack light connection.

 

I also want to access my VPN from my mobile and therefore I need IPv4 access. Thats why I use a VPS with a socat port mapping that should map

VPS IPv4 -> Router IPv6 -> Orbi VPN

 

The VPN has tun/tap ports 12973 and 12974 on my router.

The IPv6 config page tells me I have an IPv6 address, which i try to map the IPv6 traffic to like this:

 

sudo socat -d -d UDP4-LISTEN:12973,fork, UDP6:[<IPv6 address displayed on IPv6 page>]:12973

 

I changed the smartphone configuration to point to my VPS instead of my DynDNS name from NETGEAR and the debugging mode of socat tells me that there are connections incoming which it is trying to forward:

2023/02/01 13:13:07 socat[5563] N listening on UDP AF=2 0.0.0.0:12973
2023/02/01 13:13:16 socat[5563] N accepting UDP connection from AF=2 109.43....:11335
2023/02/01 13:13:16 socat[5563] N forked off child process 5564
2023/02/01 13:13:16 socat[5563] N listening on UDP AF=2 0.0.0.0:12973
2023/02/01 13:13:16 socat[5564] N opening connection to AF=10 [2a02:02f4:...]:12973
2023/02/01 13:13:16 socat[5564] N successfully connected from local address AF=10 [2a00:6800:...]:50087

 

I also tried to use TCP instead of UDP but it does make no change.

I tried to gather information from the routers debug logs but I could no hints that there was an incoming connection. Also the VPN log does not list any connection attempts.

 

Maybe I am trying something that is impossible. I am unsure as I am not a network specialist especially IPv6 is new to me. Has anyone experience with this?

After hours of attempts I am fed up. If this won't work I will flip to host the VPN server on the VPS and connect all clients to it instead.

 

Thank you

Message 1 of 7
0 Kudos
Reply
CrimpOn
Guru Guru
Guru
‎2023-02-01 08:16 AM
‎2023-02-01 08:16 AM

Re: Orbi50 IPv6 OpenVPN accessible?

My guess regarding IPv6 access to the OpenVPN Server bundled with Netgear routers is, "no".

Found articles talking about IPv6 traffic going "through the tunnel", but this one was pretty specific:

https://4sysops.com/archives/openvpn-ipv6-minimal-configuration/ 

 

There is no user control of the OpenVPN settings that would allow the user to change any of the settings described in this article.

Message 2 of 7
Reply
thel1th
Aspirant
Aspirant
‎2023-02-02 01:30 AM
‎2023-02-02 01:30 AM

Re: Orbi50 IPv6 OpenVPN accessible?

Thank you for your feedback. I read a few articles about other OpenVPN integrations with IPv6. When I started working on this I was expecting that the configuration of the VPN may not be IPv6 compatible.

I will try if I can map/enable public ports on IPv6. If this is possible I could host a wireguard service. Otherwise I will switch to my fallback solution and use a VPS as my VPN and connect all required devices to it.

 

Message 3 of 7
0 Kudos
Reply
CrimpOn
Guru Guru
Guru
‎2023-02-02 04:27 PM
‎2023-02-02 04:27 PM

Re: Orbi50 IPv6 OpenVPN accessible?

@thel1th wrote:

since I have a new fiber broadband access to the internet I did not try to use my OpenVPN from the Orbi anymore, because the new ISP only provides my router an IPv6 adresses with a dual stack light connection.

This situation is "a new one" for me.  The way I read Dual Stack Lite, it appears that the Internet Service Provider assigns a private IP to the customer router, which is entirely unaware that anything is going on at all.

https://en.wikipedia.org/wiki/IPv6_transition_mechanism Thus it is impossible for anything on the internet to connect to the router using IPv4. (Cannot reach a private IP address across the internet.)

 

I wonder if it is worth looking at installing OpenVPN Server on a local computer (not the router).

OpenVPN seems to have a method to support IPv6 on both the host and client side: https://community.openvpn.net/openvpn/wiki/IPv6 

 

 

Message 4 of 7
0 Kudos
Reply
CrimpOn
Guru Guru
Guru
‎2023-02-07 03:18 PM
‎2023-02-07 03:18 PM

Re: Orbi50 IPv6 OpenVPN accessible?

Sorry to take so long.....  If you've already solved the problem, I'd like to know how you did it.

 

IPv6 is a "learning opportunity" for me.  From what I have picked up so far, it appears that placing the Orbi into IPv6 Passthrough mode should enable connections from the internet directly to specific devices on the LAN.  Before investing too much time in this direction*, I wonder if you could share some aspects of the goal:

  • Do the devices that you want to reach on the LAN have public IPv6 addresses?
    If they do, then my impression is that connections can be made directly to each device without involving a VPN.
  • Are the devices secure enough to tolerate exposure to the internet?  With IPv6 addresses being 8 segments of FFFF (about 3.40+38 individual possibilities), it would seem that brute force searches of IPv6 address space are unlikely.  If the open port is secured with a strong password or other type of authentication, even knowing the IPv6 address would not guarantee access.
  • While it appears my Spectrum connection supports IPv6 Passthrough, I have no experience with Dual Stack - Lite.  Does it also support direct access to Public IPv6 addresses?

* Have considered downloading OpenVPN for Windows, configuring it for IPv6, and "seeing what happens" when I connect to this version of OpenVPN rather than the neutered version on the Orbi.

Message 5 of 7
0 Kudos
Reply
thel1th
Aspirant
Aspirant
‎2023-02-08 10:52 PM
‎2023-02-08 10:52 PM

Re: Orbi50 IPv6 OpenVPN accessible?

Also sorry for my late response... I was on holiday when I worked on this and now got back to work.

I tried something like a port forwarding (which I expected not to work as it is IPv4). I have a web app on my local server. I opened the port for the application on the port mappings tab.

Also I made sure that the linux container is IPv6 compatible and it had a public IPv6 address with my IPv6 Prefix and the MAC-derived local address. I forgot the name.

 

Expecting this would not work I tried to expose it and asked a friend to access it. He did not have success.

 

Requirements

  1. The one that I gave a try to access from outside I assigned an IPv6 address and made sure it has a public IPv6 address. But it did not seem to work. I guess because of the IPv6 filtering? I was expecting the port mapping not to work because it's IPv4-based. It did not make sense to enter it, but if you are trying out things you give all you can 🙂
    I saw that Fritzboxes allow such exposure on IPv6-level. In general no device is exposed, but the ones I want to expose I would like to expose on a port-based level.
  2. I only want to expose selected devices. I still want the functionality of a router to filter traffic.
  3. A lot of Germany ISP nowadays reserve their IPv4 addresses for business customers and provide DS lite access to private customers. You pay a lot more for business contracts.
    My router/devices should be accessible using IPv6 as long as I exposed them.

 

I have a feeling that the Orbi will not be able to fulfil my wishes and I will have to switch my router. AVM is aware of the issues Germany internet users have and is working on this topic. I guess this seems to be a regional problem.

Message 6 of 7
0 Kudos
Reply
CrimpOn
Guru Guru
Guru
‎2023-02-10 04:17 PM
‎2023-02-10 04:17 PM

Re: Orbi50 IPv6 OpenVPN accessible?

I posed the question in the forum for Voxel's third party forum:

https://www.snbforums.com/threads/configure-openvpn-for-ipv6-on-voxel-orbi.83484/unread?new=1 

 

The conclusion is that there is a "good chance" that OpenVPN host will work on the RBR50.

(whether it will work on this specific implementation of IPv6 is unknown.)

 

Voxel is a software engineer (I believe in Russia - - or not) who reverse engineered the firmware for several Netgear routers: R7500, R7800, R9000, LBR20, and RBR50.  He has changed compile options, updated nearly every package to the latest versions, supports Entware, Nano editor, WireGuard, and a lot more.  There are README and Quick Start files which explain.

http://www.voxel-firmware.com/Downloads/Voxel/html/orbi.html 

 

The point is that since he unlocked everything, the user can do whatever he wants to configuration files and make them persist over reboots. Those OpenVPN config files can be edited.  iptables and ip6tables can be modified.  There are references on the OpenVPN web site for what to change to support IPv6 access.

 

Third party software is not for everyone.  I actually have a spare RBR50 that I experiment with and found that Voxel loaded up and ran fine. Many of the features are waaaay beyond me.  If you have only a single Orbi and a single ISP modem, it would be a challenge to balance a transition against family needs for internet.

 

On the topic of accessing Orbi LAN resources directly by public IPv6 address, I remain stymied. On the LAN, I can open LAN web sites, LAN FTP servers just fine.  The Orbi Debug setting allows me to ICMP (ping) LAN resources from the internet. But, when I attempt to actually access any LAN resource by IPv6, it fails.

Message 7 of 7
0 Kudos
Reply
Top Contributors
See All
Discussion stats
  • 6 replies
  • ‎2023-02-01 05:43 AM
  • 662 views
  • 1 kudo
  • 2 in conversation
Announcements

Orbi WiFi 7