I have a VPN server handling various clients; some with ipv4 only, some with ipv4 and ipv6, and some that will be ipv6 only. Some of these clients are roaming, so ideally they should connect to ipv6 if it's available, and fall back to ipv4 if it isn't.
In my current setup, OpenVPN listens to ipv4 and ipv6:
proto udp
proto udp6
dev tun
My first question is here: while this seems to work, is it safe and correct to have both proto lines in one config file?
My clients have two remote instances in the config:
remote vpn.domain.tld port udp6
remote vpn.domain.tld port udp
My question here as well: this seems to work (it tries udp6 first and falls back to udp if that fails), but is this a good way to do it?
Well.
On the server side, specifying "proto" twice doesn't actually do anything - "proto udp6" will make it bind a dual-stack socket to handle v4+v6, overwriting the "proto udp" in the previous line.
On a 2.3 client, having two remotes, with "udp6" and "udp" is the way to go, as the old socket code cannot failover itself properly.
On a git master (2.4-to-be) or 3.0 (OpenVPN Connect) client, you can just use "udp" as it will properly call getaddrinfo() and use whatever IP protocol the server and network supports, trying one family first and falling over to the other one, using the preference the OS signals (via getaddrinfo() result ordering).
gert
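An added example (not from this thread and not OpenVPN's own code): a small lint that applies gert's two points to the configs quoted above. It assumes a simplified config grammar (no quoting), that the last "proto" line on the server is the one that takes effect, and that "remote" lines are tried in file order on a 2.3 client.

```python
# Hypothetical lint for the dual-stack pitfalls discussed in the thread.
# Assumption: last 'proto' wins; client 'remote' lines are tried in order.
from typing import Dict, List, Optional, Tuple

Directive = Tuple[str, List[str]]

# Constructed sample input, copied from the question above.
SERVER_CONF = "proto udp\nproto udp6\ndev tun\n"
CLIENT_CONF = "remote vpn.domain.tld port udp6\nremote vpn.domain.tld port udp\n"


def parse_directives(config_text: str) -> List[Directive]:
    """Split config text into (name, args) pairs; '#' and ';' start comments."""
    directives: List[Directive] = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        directives.append((parts[0], parts[1:]))
    return directives


def effective_proto(directives: List[Directive]) -> Optional[str]:
    """Only the last 'proto' line survives; earlier ones are overwritten."""
    protos = [args[0] for name, args in directives if name == "proto" and args]
    return protos[-1] if protos else None


def remote_order(directives: List[Directive]) -> List[Tuple[str, str, str]]:
    """Client 'remote' lines in try order as (host, port, proto); defaults 1194/udp."""
    order = []
    for name, args in directives:
        if name == "remote" and args:
            port = args[1] if len(args) > 1 else "1194"
            proto = args[2] if len(args) > 2 else "udp"
            order.append((args[0], port, proto))
    return order


def lint(config_text: str) -> Dict[str, object]:
    """Summarise what the config really does, flagging the duplicate-proto trap."""
    d = parse_directives(config_text)
    protos = [args[0] for name, args in d if name == "proto" and args]
    findings: List[str] = []
    if len(protos) > 1:
        findings.append(f"{len(protos)} 'proto' lines; only the last ('{protos[-1]}') takes effect")
    if effective_proto(d) == "udp6":
        findings.append("proto udp6 binds one dual-stack socket serving both v4 and v6 clients")
    fams = [p for _, _, p in remote_order(d)]
    if "udp6" in fams and "udp" in fams and fams.index("udp6") < fams.index("udp"):
        findings.append("client tries the udp6 remote first and falls back to udp")
    return {"proto": effective_proto(d), "remotes": remote_order(d), "findings": findings}
```

Running `lint(SERVER_CONF)` reports the overwritten "proto udp" and the dual-stack bind; `lint(CLIENT_CONF)` lists the udp6-then-udp try order.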