
Support for IPv6 VPNs | DS-Lite | Unitymedia WAN Connection

Hey together, 

Simple question: Does the XG support VPN access via SSL or IPsec VPN over IPv6?

Background: We have several users who must use a WAN connection from Unitymedia or Vodafone (cable based) in their home office.

The issue is that these carriers use DS-Lite, which breaks the SSL VPN connection. No VPN connection is possible.

As a workaround we could use an IPv6 VPN, if that is possible with the XG. I didn't find any useful information in the documentation.

If there are any other solutions, I'm happy for any ideas. 

Regards,

Jonny



  • Thanks for your reply.
    In fact we have several users who are using DS-Lite in their home office. None of them is able to connect via SSL VPN. 
    If they switch to a hotspot from their smartphone, the SSL VPN works without any issues. So it's not a configuration issue.
    There are different routers in use, like the Fritzbox 7490 or the Vodafone Station, so I would exclude that it's router-related. Users with a Telekom DSL connection have no issues at all, stable and fast. 

    Our XG is behind an LWL gateway from Telekom. Public IP etc. 

    Are you sure that you are using DS-Lite and not perhaps Dual Stack with IPv4 and IPv6? Could you share your SSL VPN configuration with me? 

    I'm using Port 443 UDP for SSL VPN. 

  • My home connection is a DS-Lite Vodafone connection with a Vodafone station and Sophos Connect (SSLVPN) works fine for me.

    You should check with the OpenVPN Community to find some workarounds for this problem, if you have issues. 

    There are several threads in the OpenVPN and in the Unitymedia/Vodafone community. Simply look for OpenVPN, as Sophos Connect uses the OpenVPN backend. 


  •  Thanks for the info. 
    I actually don't want to ask in other forums if we use an XG and this is the Sophos Support Forum? Besides that, I already searched for this issue on many sites. But let us be honest, the Unitymedia or any other carrier forum is not that helpful. I'm looking for a technically appropriate answer from experts and not from some dudes who just click the connect button. Other XG customers like LHerzog are also looking for solutions, so I think it's the best place to ask here? At the OpenVPN forum they suggest an IPv6 VPN.

    From my description above you should have noticed that the behaviour is kinda strange, isn't it? I have two other colleagues who were not able to connect; they switched to a business contract with IPv4 at Vodafone and after that the VPN is fine. So it seems like it's related to the WAN connection itself and not to the configuration or router. 

    If your VPN is working fine, could you please share your SSL VPN configuration? I'm wondering what could be the issue. It's no help for me if you say "I'm cool with my VPN" and don't answer a single question from me. 

    Besides that, does the XG support IPv6 to avoid DS-Lite issues? 

  • Basically you need to begin the debugging with packet captures of both ends. As my connection works fine, I am still expecting some issues with those Connect boxes of the ISP, but I never could reproduce this. 

    If you do a tcpdump on the XG and dump the same connection on the endpoint, you should be able to figure out what could possibly go wrong. 

    I assume there is an issue with the general experience. See: https://www.borncity.com/blog/2020/03/27/breitband-anschluss-und-kein-vpn-im-home-office/


  • Yes, I already read this article and also the comments, but there are so many different solutions which may help. I can't do this kind of extensive troubleshooting with every one of my "cable" users. I need one simple solution for all of them. So I was thinking of an IPv6 VPN.

    As you already mentioned, these kinds of issues are nuts, because it seems like there is no single root cause. You are using the same router and carrier, also DS-Lite, and there are no issues. We are using the "same" setup, but it fails, though the configuration and client work fine with an LTE hotspot. 

    I will try to dump a connection and check it. Do you use UDP or TCP for your SSL VPN?

  • I can use basically every different kind of connection with no problem. So in the last month I tried nearly everything on the XG end, and could connect. Same for colleagues.


  • Hi,

    this setting is running for all our users. Lots of Unitymedia/Vodafone Cable Users in BW though.

    Maybe this is somehow related to the UDP 443 you have set up, but I would wonder why this should make the difference. We're using TCP 443. I wonder what LuCar Toni is using in his settings.

    My personal router is a FB 6940 Cable (non-ISP device) which is using DS-Lite, not dual stack.

    ssl_vpn_config.ovpn:

    ip-win32 dynamic
    client
    dev tun
    proto tcp
    verify-x509-name "C=DE, .......... CN=*.xxxxxxx.de"
    route remote_host 255.255.255.255 net_gateway
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    <ca>
    Bag Attributes
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    </ca>
    <cert>
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    </cert>
    <key>
    -----BEGIN RSA PRIVATE KEY-----
    -----END RSA PRIVATE KEY-----
    </key>
    auth-user-pass
    cipher AES-256-CBC
    auth SHA256
    comp-lzo no
    route-delay 4
    verb 3
    reneg-sec 0
    remote xxxxxxx.xxxxxxx.de 443
    

    I would suggest you post client and XG log of one failing connection here.

  • That's awesome! Thank you very much for sharing your config. My config is nearly the same, except UDP. 

    Do you have any speed impediments through the use of TCP instead of UDP? For example: 100k VDSL at home, is this speed also possible through the tunnel depending on your WAN connection at your company? 

    I'm afraid to use TCP because of the documentation from OpenVPN itself. They call it TCP Meltdown. But maybe the issue is that I set UDP 443, which is also used by the Google QUIC protocol. Further, there were several rumors that UDP VPN is struggling with DS-Lite. 

    I will look for a tcpdump.

    What do you use? TCP or UDP and which Port?

  • I cannot tell about the performance impact between TCP and UDP in my situation because this has simply been set up this way.

    I can tell this works very fine with web meetings and VoIP to SIP Server behind the firewall. There are no delays or quality issues due to VPN connection. And I would think that you'd usually see performance issues in audio if there were any. From my point of view this is working solid.

  • Hey together,

    After some further troubleshooting I finally found the issue. It belongs to basic network fundamentals which I didn't think about.

    Through the encapsulation from IPv4 to IPv6 the header uses more bytes (40 instead of 20), which is not expected by the SSL VPN. Packets are getting fragmented and no useful data is flowing between the XG and the client. 
    I've added the parameter "tun-mtu 1300" to the client config and the VPN is working flawlessly. You can check your actual MTU here.

    Is there any chance to set the MTU on the XG? If we want to use the Sophos Connect client, the configuration is obtained automatically and I can't change the MTU, correct?
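A local way to measure the path MTU the last post talks about and to carry the DS-Lite arithmetic through (the B4 wraps every IPv4 packet in a 40-byte IPv6 header, so a 1500-byte cable link leaves 1460 bytes). This is an added example, not a script from the thread or from Sophos; it assumes Linux iputils ping (`-M do` sets the DF bit, `-s` the payload size), and the probe is passed in by name so the search can be exercised without network access. The 100-byte headroom for outer IPv4/UDP headers plus OpenVPN framing is a conservative assumption, not a value from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: find the largest unfragmented IPv4
# packet on a path and derive an OpenVPN tun-mtu from it.
# Assumes Linux iputils ping: -M do sets DF, -s sets the ICMP payload size.

# dslite_path_mtu LINK_MTU: DS-Lite adds a 40-byte IPv6 header around each
# IPv4 packet, so that much of the link MTU is lost to the carrier tunnel.
dslite_path_mtu() {
    echo $(( $1 - 40 ))
}

# probe_ping SIZE HOST: succeed if a DF-marked ping with SIZE payload bytes is answered.
probe_ping() {
    ping -c 1 -W 2 -M do -s "$1" "$2" >/dev/null 2>&1
}

# find_max_payload PROBE HOST LO HI: binary search for the largest payload in
# [LO, HI] that PROBE accepts. PROBE is a function name, so a stand-in can
# replace ping when no network is available.
find_max_payload() {
    fmp_probe=$1 fmp_host=$2 fmp_lo=$3 fmp_hi=$4 fmp_best=0
    while [ "$fmp_lo" -le "$fmp_hi" ]; do
        fmp_mid=$(( (fmp_lo + fmp_hi) / 2 ))
        if "$fmp_probe" "$fmp_mid" "$fmp_host"; then
            fmp_best=$fmp_mid
            fmp_lo=$(( fmp_mid + 1 ))
        else
            fmp_hi=$(( fmp_mid - 1 ))
        fi
    done
    echo "$fmp_best"
}

# payload_to_mtu PAYLOAD: add the 8-byte ICMP header and the 20-byte IPv4 header.
payload_to_mtu() {
    echo $(( $1 + 28 ))
}

# tun_mtu_for PATH_MTU HEADROOM: leave HEADROOM bytes for the outer IPv4/UDP
# headers and OpenVPN framing (assumed constant, tune to your cipher/auth).
tun_mtu_for() {
    echo $(( $1 - $2 ))
}

# Usage: sh mtu-check.sh <host>   (the probe is skipped when no host is given)
if [ -n "${1:-}" ]; then
    payload=$(find_max_payload probe_ping "$1" 0 1472)
    mtu=$(payload_to_mtu "$payload")
    echo "path MTU: $mtu, suggested tun-mtu: $(tun_mtu_for "$mtu" 100)"
fi
```

Run it against the VPN gateway from a DS-Lite line and from a non-DS-Lite line; a 40-byte difference in the reported path MTU matches the encapsulation described in the post.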