A while back I setup a IPSEC VPN into my house with an always on RaspberryPi as the server. There were several constraints that led me to that particular setup.
- I wanted automatic connections from my iPhone when not using my home WiFi.
- I wanted IPv6 tunneled through the VPN.
Unfortunately my router did not support serving a VPN with a protocol that also worked with the built-in iPhone VPN client. So the end I configured the router to forward the required IPv4 ports for VPN to the RaspberryPi.
The router already had a DDNS setup but I wanted to make things a little more organized so I setup a DNS CNAME for use when configuring the VPN. The progression when the client tries to connect is basically:
- Client looks up VPN domain name.
- The DNS resolver sees that it is a CNAME and automatically then resolves the DNS A record for it.
- Client then connects to the IP address.
- But the VPN ports for that address are forwarded to the RaspberryPi.
- So the RaspberryPi sets up the VPN and my phone is connected to my local network.
I don’t use data on the phone when away from the house very often so I don’t know when things broke. Maybe it was on the iOS 15 upgrade. Maybe it was my router firmware update. But break it did.
Poking around, I found that the issue was IPv6. Either the iPhone started to prefer IPv6 over IPv4 when connecting. Or maybe it always did but the router firmware upgrade allowed it to start publishing a AAAA (IPv6) DNS record.
So the phone was trying to connect to the VPN using IPv6 but the router doesn’t do NAT and port forwarding on IPv6 so the phone would never connect to the RaspberryPi.
I have looked into the router controls and read up on the DDNS it supports and I don’t see a way for it to only publish the IPv4 address.
The work around I used was to change the DNS CNAME record to a A (IPv4) record and assure there was no AAAA (IPv6) record. Unfortunately, that means I will need to update the A record every time my router and my ISP renegotiate the IPv4 address and it ends up changing.