Posted on: 2017-11-18
Recently we set up a new VPN at work. The old Cisco Anyconnect VPN isn't well supported anymore, has lots of weird quirks and needs some extra steps to get going on Windows 10 ... so we are transitioning over to OpenVPN.
However, if you've ever set up a VPN you'll know that no matter which subnet you pick, you'll always clash with some clients local network. So 192.168.0.x or 192.168.1.x is definitely out. Even if you get creative with things like 10.70.80.90.x - I'll guarantee, SOME network will clash with this. Of course you can just route all traffic through the VPN, but that puts extra load on the Internet connection at work and might have privacy issues. Also users won't be able to access local resources anymore - like WiFi printers, which are becoming increasingly more common in home networks.
If you get creative (like one of our other clients did) you can put your internal and VPN network in the public IP range of a some DSL provider halfway across the globe which you will never have to interface with directly. But IP blocks change ownership, business changes, and if this starts causing you trouble, good luck cleaning up THAT mess .... Renumbering all your internal networks is tedious.
Luckily, we have another option not everyone has: We have an IPv6 capable Internet connection! And we have IPv6 deployed in all our networks! :)
Our provider gives us a /48-subnet which we've sliced up into a few /64s for the (wired) internal network, WiFi, a guest network and a few others. So it was pretty straight forward to set another /64 aside for the VPN range which is guaranteed to not clash with anyone's local networks. All internal resources are IPv6 capable, as are all modern operating systems.
A few things I learned along the way:
- OpenVPN doesn't support IPv6 only VPNs yet. Our workaround is to also assign a dummy v4 network: 0.0.1.0/24
- If you have the VPN-Server (Ubuntu) separately from the Firewall (Cisco) things get a bit tricky to set up. The best way for our network was to push a static route through the VPN server into the internal network. Luckily there's radvd to push the route out to all devices automatically
After everything was set up and I was happy to get my first ping through to my PC at home. At home I don't have a v6 capable Internet connection but the OS deals with it just fine, having only a route into the subnet at work. Then I wanted to access our offices main internal webserver - aaaand, Chrome smashed a DNS error into my face :(
And with IPv6 you really need DNS. IPv4 addresses are somewhat easier to remember, but on IPv6 .. well .. The human mind just isn't designed for remembering weird hex strings.
So I tried various lookups - which all succeeded - and switched nameservers - which did nothing. It seemed like Chrome just wouldn't even try to connect. Then I put the v6 address in the address bar - after all the tinkering I now memorized our network prefix - and it loaded up right away. Also Firefox displays the page just fine when entering the DNS name. Samba has no problem connecting to our shares with the DNS name as well. What the hell is going on??
Some digging around led me to this bug report: https://bugs.chromium.org/p/chromium/issues/detail?id=530482
It seems that Chrome checks for IPv6 Internet connectivity and if it detects that it can't connect to the Internet using IPv6 it won't even try to resolve AAAA records. Apparently that makes things faster (TM). Of course connection errors display faster if you don't even try to connect. The key issue here is that Chrome uses its own weird DNS resolver instead of relying on what the operating system provides.
This has bitten me before already. Like I mentioned, I didn't have IPv6 connectivity at home - but I really wanted to try out IPv6 stuff even before we got it at work. So I got the "IPv6 Launcher (PPTP)" Tunnel from Portunity (they are an excellent ISP, by the way!). I wanted to stay connected to the Tunnel all the time but have the OS prefer IPv4 traffic and only route IPV6-only sites through the PPTP tunnel. This is easily configured in /etc/gai.conf - and all applications respect that, except Chrome!
Anyway, getting back to the issue at hand: Telling my colleagues to memorize IPv6 addresses is kind of out of the question. Also telling them, no you can't use Chrome, use Firefox, wouldn't sit well with most people because Chrome is really popular. I use it myself as well. So we need a workaround. The thread linked above also mentions how Chrome checks for IPv6 connectivity. it does it by checking if it can reach Googles public DNS (2001:4860:4860::8888 and 2001:4860:4860::8844). Hmmm... What if we just gave Chrome what it wants by adding this to the VPN config?
push "route-ipv6 2001:4860:4860::/112"
Yep, that works. I didn't notice any slowdowns in Chrome so far, and no that's not kludgy at all ....