
T-Mobile, NAT64 and OpenVPN

Team,

I decided to start my own post to try and address this issue, I'm having issues with SSL VPN, T-Mobile, and their nat64 IPv6 implementation.


I'm using a FQDN in my ovpn profile for VPN access, connecting via UDP. A few weeks ago, while still able to establish a VPN connection, I lost the ability to route traffic between my VPN network and my iOS device while on the T-Mobile network.

After a little research, I noticed that although I'm using a FQDN with a valid A record (IPv4), connecting to an OpenVPN server that in no way supports IPv6...somehow, my OpenVPN client was obtaining an IPv6 address for my IPv4 FQDN.

After more research, it turns out this is T-Mobile using nat64 to map IPv4 to IPv6 or vice versa. I am in no way an IPv6 expert, but I can only conclude that because the ovpn client thinks it's connecting to an IPv6 address, there must be a missing route somewhere.

I tried changing UDP ports, then tried cycling through TCP ports, but couldn't get ovpn to connect to my true IPv4 address. While looking at the OpenVPN Client settings, I found an option to enable "Seamless Tunnel". For whatever reason, enabling this option fixed the problem: my client stopped showing the T-Mobile nat64 IPv6 problem when connecting and instead showed my true IPv4 address.

I considered the problem fixed...until tonight, it came back!

At this point, I'm unsure as to what to do to fix the issue. I've found numerous reports of the same problem all over the web, dating back almost 2 years and the fix seems to be to either hack the T-Mobile carrier settings to force an ipv4 APN, or to use an IP address instead of a FQDN, both of which are not acceptable solutions for me.


It seems OpenVPN has implemented a new directive to solve the problem (I think):

push-remove ifconfig-ipv6
push-remove route-ipv6


Please read here for some more background on the issue:

https://support.t-mobile.com/thread/117341?start=0&tstart=0

https://www.myopenrouter.com/article/vpn-connections-not-working-t-mobile-heres-how-fix

https://forums.openvpn.net/viewtopic.php?t=21989

http://community.openvpn.net/openvpn/ticket/614


Some other help posts I've started:
https://www.reddit.com/r/tmobile/comments/5le5s7/tmobile_openvpn_connect_ipv6_nat64/
https://forums.openvpn.net/viewtopic.php?f=36&t=23109
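The symptom described in the post (an IPv6 address coming back for a hostname that only has an A record) is what a DNS64 resolver produces: it embeds the IPv4 answer inside a NAT64 prefix following RFC 6052. The script below is an added diagnostic example, not code from the thread or from OpenVPN; it takes the A and AAAA answers you got for your VPN hostname and reports which AAAA records are just the A record wrapped in a NAT64 prefix. The well-known prefix 64:ff9b::/96 is real; 2001:db8::/64 and the 203.0.113.10 answers are constructed placeholders, since the carrier's own prefix is not given in the thread.

```python
"""Detect DNS64-synthesised AAAA records (RFC 6052 address mapping)."""
from ipaddress import IPv4Address, IPv6Address, IPv6Network

# The well-known NAT64 prefix from RFC 6052. Carriers may instead use a
# network-specific prefix; EXAMPLE_NSP is a constructed placeholder.
WELL_KNOWN_PREFIX = IPv6Network("64:ff9b::/96")
EXAMPLE_NSP = IPv6Network("2001:db8::/64")  # constructed, not a real carrier prefix


def embedded_ipv4(addr, prefix_len: int) -> IPv4Address:
    """Extract the IPv4 address embedded after a prefix of prefix_len bits.

    RFC 6052 places the 32 IPv4 bits directly after the prefix but skips
    bits 64-71 (the reserved 'u' octet), so /40../64 prefixes straddle it.
    """
    raw = IPv6Address(addr).packed
    bits = []
    pos = prefix_len
    while len(bits) < 32:
        if 64 <= pos < 72:          # jump over the reserved octet
            pos = 72
            continue
        bits.append((raw[pos // 8] >> (7 - pos % 8)) & 1)
        pos += 1
    return IPv4Address(int("".join(map(str, bits)), 2))


def dns64_synthesised(a_records, aaaa_records, prefixes=(WELL_KNOWN_PREFIX,)):
    """Return [(aaaa, ipv4)] for AAAA answers that merely wrap an A answer.

    A match means the resolver synthesised the AAAA record: a client that
    prefers IPv6 will then reach the server through the carrier's NAT64
    gateway instead of directly over IPv4, which is what the post describes.
    """
    a_set = {IPv4Address(a) for a in a_records}
    found = []
    for aaaa in map(IPv6Address, aaaa_records):
        for net in prefixes:
            if aaaa in net:
                v4 = embedded_ipv4(aaaa, net.prefixlen)
                if v4 in a_set:
                    found.append((str(aaaa), str(v4)))
    return found


if __name__ == "__main__":
    # Constructed answers for a VPN hostname: one genuine A record and the
    # AAAA that DNS64 would synthesise from it under the well-known prefix.
    print(dns64_synthesised(["203.0.113.10"], ["64:ff9b::cb00:710a"]))
```

Feed it the real answers from `dig A` and `dig AAAA` run on the device's network (for example via a resolver app on the phone); an empty result means the AAAA record is genuine and the IPv6 path is not a DNS64 artefact.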



  • Kent, have you tried adding those lines to /var/chroot-openvpn/etc/openvpn/openvpn.conf?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob, I have not, but in looking through vpn logs, it looks like that option is already being pushed and it shows some message about it being deprecated and no longer needed.

  • Here is an older Reddit post with people having the same issue www.reddit.com/.../
  • Just wanted to add that my issue is resolved. I realized that I was able to access network resources using the FQDN but not via IP. Also, yesterday, I received a carrier update notification and after that, IPv4 was re-enabled in my device. I'm now able to access these resources both via IP and FQDN. I have been working with T-Mobile for weeks to get the updated carrier profile but nothing has come through and I gave up on that. This was what prompted further research and led me to find the FQDN solution, but, unexpectedly, I received the carrier update yesterday. I'm not sure if the carrier update was a coincidence or a result of my insistence and persistence with T-Mobile tech support. In any case, I wanted to thank everyone that lent their time to help me resolve this problem!