TLS connectivity issues with DNS64-embedded IPv4 addresses
{"kernel":"4.14.123","hostname":"to","system":"ARMv7 Processor rev 1 (v7l)","model":"Turris Omnia","board_name":"armada-385-turris-omnia","release":{"distribution":"TurrisOS","version":"4.0-beta3","revision":"b826c4a","target":"mvebu/cortexa9","description":"TurrisOS 4.0-beta3 b826c4a"}}
- upstream ISP authentication PPPoE
- upstream ISP connectivity native IPv6 PD /56 range and DS-Lite for IPv4
config interface 'wan'
    option ifname 'eth2'
    option proto 'pppoe'
    option username ''
    option password ''
    option peerdns '0'
    option ipv6 'auto'
which netifd spawns into
pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc cake state UNKNOWN group default qlen 3 link/ppp promiscuity 0
ppp numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
inet xxx.46.34.249 peer xxx.46.104.107/32 scope global pppoe-wan
valid_lft forever preferred_lft forever
inet6 xxxx:4540:6b00:99::f4f/128 scope global dynamic noprefixroute
valid_lft 85470sec preferred_lft 85470sec
inet6 fe80::c424:fde8:cc83:c4bb/10 scope link
valid_lft forever preferred_lft forever
ds-wan_6_4@pppoe-wan : <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1280 qdisc noqueue state UNKNOWN group default qlen 1000
link/tunnel6 xxxx:4540:6b00:99::f4f peer xxxx:2028:ff00::1:0:3b promiscuity 0
ip6tnl ipip6 remote xxxx:2028:ff00::1:0:3b local xxxx:4540:6b00:99::f4f dev pppoe-wan hoplimit 64 encaplimit 0 tclass 0x00flowlabel 0x00000 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
inet 192.0.0.2 peer 192.0.0.1/32 brd 255.255.255.255 scope global ds-wan_6_4
valid_lft forever preferred_lft forever
inet6 fe80::2c7c:88ff:fece:6a8c/64 scope link
valid_lft forever preferred_lft forever
wget https://raw.githubusercontent.com/stangri/openwrt-repo/master/Packages.gz
on the TO constantly produces
Resolving raw.githubusercontent.com... 64:ff9b::9765:c85, 151.101.12.133
Connecting to raw.githubusercontent.com|64:ff9b::9765:c85|:443... failed: Operation timed out.
Connecting to raw.githubusercontent.com|151.101.12.133|:443... connected.
Unable to establish SSL connection.
whilst, by comparison, on a TO client
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 64:ff9b::9765:7085, 151.101.112.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|64:ff9b::9765:7085|:443... failed: Connection timed out.
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.112.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3241 (3.2K) [application/octet-stream]
It would be expected that the router would be able to establish IPv4 TLS connectivity if IPv6 fails.
Since src/gz stangri_repo https://raw.githubusercontent.com/stangri/openwrt-repo/master is a custom feed and thus part of pkgupdate, the latter keeps failing too.
Have not figured out why the IPv6 connectivity fails in the first place with that particular remote server; it does not fail consistently but intermittently.
ncat --ssl -v raw.githubusercontent.com 443
Ncat: Connection to 64:ff9b::9765:c85 failed: Operation timed out.
Ncat: Trying next address...
Ncat: SSL connection to 151.101.16.133:443. GitHub, Inc.
Ncat: SHA-1 fingerprint: CCAA 4848 6646 0E91 532C 9C7C 232A B174 4D29 9D33
gnutls-cli -V raw.githubusercontent.com
gnutls.log
openssl s_client -connect raw.githubusercontent.com:443 -status
openssl.log
Just for comparison:
wget https://repo.turris.cz/omnia/lists/base.lua
Resolving repo.turris.cz... 2001:1488:ac15:ff80::69, 217.31.192.69
Connecting to repo.turris.cz|2001:1488:ac15:ff80::69|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9237 (9.0K)
ncat --ssl -v repo.turris.cz 443
Ncat: SSL connection to 2001:1488:ac15:ff80::69:443.
Ncat: SHA-1 fingerprint: 3F1D C5A4 E7E8 B118 F929 E432 5F7A DC14 723D BC37
gnutls-cli -V repo.turris.cz
gnutls.log
openssl s_client -connect repo.turris.cz:443 -status
openssl.log
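
An added example, not part of the original report: a small Python helper that reads the wget "Resolving" lines quoted above, flags addresses inside the RFC 6052 well-known prefix 64:ff9b::/96 as DNS64-synthesised and decodes the IPv4 address embedded in them. The function names are hypothetical, and it assumes the well-known prefix only (a network-specific NAT64 prefix would not be detected).

```python
import ipaddress
import re

# RFC 6052 well-known prefix that DNS64 uses to synthesise AAAA records.
WELL_KNOWN_PREFIX = ipaddress.ip_network("64:ff9b::/96")

# Matches both wget variants quoted in the report:
#   "Resolving host... a, b" and "Resolving host (host)... a, b"
RESOLVING = re.compile(r"Resolving (\S+?)(?: \(\S+\))?\.\.\. (.+)$")


def embedded_ipv4(addr):
    """Return the IPv4 address embedded in a 64:ff9b::/96 address, else None."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6 or ip not in WELL_KNOWN_PREFIX:
        return None
    return ipaddress.IPv4Address(int(ip) & 0xFFFFFFFF)  # low 32 bits


def classify(line):
    """Return (host, [(address, kind, embedded_v4_or_None), ...]) for one line."""
    m = RESOLVING.match(line.strip())
    if m is None:
        raise ValueError("not a wget 'Resolving' line: %r" % line)
    rows = []
    for text in (a.strip() for a in m.group(2).split(",")):
        v4 = embedded_ipv4(text)
        if v4 is not None:
            kind = "dns64-synthesised"
        elif ipaddress.ip_address(text).version == 6:
            kind = "native-ipv6"
        else:
            kind = "ipv4"
        rows.append((text, kind, str(v4) if v4 is not None else None))
    return m.group(1), rows


# Sample input: the three "Resolving" lines quoted in the report.
SAMPLES = [
    "Resolving raw.githubusercontent.com... 64:ff9b::9765:c85, 151.101.12.133",
    "Resolving raw.githubusercontent.com (raw.githubusercontent.com)... "
    "64:ff9b::9765:7085, 151.101.112.133",
    "Resolving repo.turris.cz... 2001:1488:ac15:ff80::69, 217.31.192.69",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        host, rows = classify(sample)
        for addr, kind, v4 in rows:
            print(f"{host:28} {addr:26} {kind:18} {v4 or ''}")
```

For both raw.githubusercontent.com lookups the decoded address equals the A record returned next to it, so the IPv6 address is a synthesised mapping of that same IPv4 host rather than a native AAAA record; repo.turris.cz returns a native one.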