iOS users unable to use IPv6: "IPv6 routes/DNS disabled because the agent is not openconnect."
#ocserv -v
ocserv 0.12.4
Compiled with: oath, radius, PAM, PKCS#11, AnyConnect
GnuTLS version: 3.6.10
#uname -a
OpenBSD 6.6 GENERIC.MP#4 amd64
Client is iOS 13 using AnyConnect version 4.8.02046
When connecting, I'm unable to access any site over IPv6, and receive the following in the debug log:
#ocserv -f -d1
Parsing plain auth method subconfig using legacy format
note: setting 'plain' as primary authentication method
note: setting 'file' as supplemental config option
listening (TCP) on 0.0.0.0:443...
listening (TCP) on [::]:443...
listening (UDP) on 0.0.0.0:8443...
listening (UDP) on [::]:8443...
ocserv[58557]: main: initialized ocserv 0.12.4
ocserv[28243]: sec-mod: reading supplemental config from files
ocserv[28243]: sec-mod: sec-mod initialized (socket: /var/run/ocserv-socket.ddc20e3f)
error in setrlimit(4096): Invalid argument (cur: 128)
ocserv[58557]: main:10.50.3.208:53690 user disconnected (reason: unspecified, rx: 0, tx: 0)
ocserv[58557]: main:10.50.3.208:53720 user disconnected (reason: unspecified, rx: 0, tx: 0)
ocserv[28243]: sec-mod: using 'plain' authentication to authenticate user (session: GxgHLq)
ocserv[58557]: main:10.50.3.215:53426 user disconnected (reason: unspecified, rx: 0, tx: 0)
ocserv[58557]: main:10.50.3.215:53427 user disconnected (reason: unspecified, rx: 0, tx: 0)
ocserv[28243]: sec-mod: initiating session for user 'user' (session: GxgHLq)
ocserv[58557]: main[user]:10.50.3.215:53428 new user session
ocserv[58557]: main[user]:10.50.3.215:53428 user logged in
ocserv[26608]: worker[user]: 10.50.3.215 suggesting DPD of 1800 secs
ocserv[26608]: worker[user]: 10.50.3.215 configured link MTU is 1420
ocserv[26608]: worker[user]: 10.50.3.215 peer's link MTU is 1500
ocserv[26608]: worker[user]: 10.50.3.215 sending IPv4 192.168.1.177
ocserv[26608]: worker[user]: 10.50.3.215 sending IPv6 2601:282:302:1407:693a:de63:d7:4d82/128
ocserv[26608]: worker[user]: 10.50.3.215 IPv6 routes/DNS disabled because the agent is not openconnect.
ocserv[26608]: worker[user]: 10.50.3.215 adding DNS 8.8.8.8
ocserv[26608]: worker[user]: 10.50.3.215 DTLS ciphersuite: AES256-GCM-SHA384
ocserv[26608]: worker[user]: 10.50.3.215 DTLS data MTU 1354
ocserv[26608]: worker[user]: 10.50.3.215 Link MTU is 1420 bytes
ocserv[26608]: worker[user]: 10.50.3.215 setting up legacy DTLS (resumption) connection
and using the following config file:
auth = "plain[/etc/ocserv/ocpasswd]"
tcp-port = 443
udp-port = 8443
run-as-user = _ocserv
run-as-group = _ocserv
socket-file = /var/run/ocserv-socket
server-cert = /root/.acme.sh/vpn.example.com_ecc/vpn.example.com.cer
server-key = /root/.acme.sh/vpn.example.com_ecc/vpn.example.com.key
ca-cert = ../tests/certs/ca.pem
max-clients = 16
max-same-clients = 2
server-stats-reset-time = 604800
keepalive = 32400
dpd = 90
mobile-dpd = 1800
switch-to-tcp-timeout = 25
try-mtu-discovery = true
cert-user-oid = 0.9.2342.19200300.100.1.1
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 240
min-reauth-time = 300
max-ban-score = 80
ban-reset-time = 1200
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = false
default-domain = example.com
ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0
ipv6-network = 2601:XXX:302:1407::/64
ipv6-subnet-prefix = 128
dns = 8.8.8.8
ping-leases = false
mtu = 1420
route = default
explicit-ipv6
cisco-client-compat = true
dtls-legacy = true