Re: openvpn over ipv6 /65


On Fri, Nov 23, 2018 at 03:07:01PM +0100, tony wrote:
> Thanks for your quick response, Reco,
> On 23/11/2018 13:33, Reco wrote:
> > 	Hi.
> > 
> > On Fri, Nov 23, 2018 at 01:18:45PM +0100, tony wrote:
> >> Hi,
> >>
> >> I have a Stretch VPServer with a /64 netblock, of which only the first 2
> >> addresses are used. I've been struggling for some time to get the right
> >> stanza to split that into two /65s, using the upper half for openvpn.
> > 
> > I'd check first that some other addresses from this /64 range are routed
> > by your VPS provider.
> > 
> I'm not sure I understand what you mean. As far as I'm aware, my VPS
> provider furnishes a full native /64 netblock for my exclusive use.
> They'll provide more, at a cost, but I see no point in that.
> > 
> [snip]

Assign some other IPv6 address from your range to your VPS.
Ensure that it's reachable from the outside world.
For instance, I do not get any response from your gateway while I'm
pinging 2a03:9800:10:54::dead (which you do not have), and get a reply
from 2a03:9800:10:54::2 (which belongs to your VPS).

> > Ad-hoc configuration:
> > 
> > ### check this on your OS!
> > # ip a d igb0 2001:db8:0:123::/64
> > # ip a a igb0 2001:db8:0:123::/65
> > ###
> > ### re-assign the other aliases previously set under the /64 block
> > # ip a a igb0 2001:db8:0:123::dead/128
> > # ip a a igb0 2001:db8:0:123::ea:beef/128
> > 
> I'm not using any addresses other than the ::1 and ::2 in the /64 block,
> so presumably the last two lines are redundant.

Yes, you do not need them.

> > As for the persistent configuration, that depends on the contents of
> > /etc/network/interfaces. Can be static (it's straightforward then),
> > DHCPv6 (you won't be able to do the split) or RA (ditto).
> > 
> No, it's all static:

That simplifies things greatly.
Replace this:

iface eth0 inet6 static
           address 2a03:9800:10:54::2
           netmask 64
           gateway 2a03:9800:10:54::1

with this:

iface eth0 inet6 static
           address 2a03:9800:10:54::2
           netmask 65
           gateway 2a03:9800:10:54::1

Leave all the other entries intact.
Then invoke this as root (one-time only):

ip a d dev eth0 2a03:9800:10:54::2/64
ip a a dev eth0 2a03:9800:10:54::2/65
ip ro d default via 2a03:9800:10:54::1

> So what is igb0?

The name of the interface that's used in the OpenVPN documentation. Yours is called eth0.

> What do you mean by ad-hoc and persistent configuration?

ad-hoc means that you're using certain OS binaries (in this case - ip)
to create a network configuration that does not survive a reboot.
persistent means the opposite - you're trying to create a configuration
that should reproduce itself after a reboot (in this case - e/n/i).
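
An added example, not part of the original message: a Python check of the split discussed above, using the standard ipaddress module. It computes the two /65 halves of the /64 and reports whether the addresses already in use and the gateway stay in the lower half once the netmask becomes 65; the function name split_for_vpn and the returned keys are made up for illustration.

```python
import ipaddress


def split_for_vpn(block, in_use, gateway):
    """Split an IPv6 /64 into two /65s: the lower half stays on the
    physical interface, the upper half is reserved for the VPN."""
    net = ipaddress.IPv6Network(block)
    if net.prefixlen != 64:
        raise ValueError(f"expected a /64, got /{net.prefixlen}")
    lower, upper = net.subnets(prefixlen_diff=1)

    hosts = [ipaddress.IPv6Address(a) for a in in_use]
    outside = [str(a) for a in hosts if a not in net]
    if outside:
        raise ValueError(f"not inside {net}: {outside}")

    return {
        "lan": str(lower),
        "vpn": str(upper),
        # Addresses that would land in the VPN half and must be moved first.
        "stranded": [str(a) for a in hosts if a in upper],
        # With netmask 65 the gateway has to be in the lower half to stay on-link.
        "gateway_on_link": ipaddress.IPv6Address(gateway) in lower,
    }


if __name__ == "__main__":
    # Addresses taken from the thread: ::2 is the VPS, ::1 is the gateway.
    plan = split_for_vpn(
        "2a03:9800:10:54::/64",
        ["2a03:9800:10:54::2"],
        "2a03:9800:10:54::1",
    )
    for key, value in plan.items():
        print(f"{key}: {value}")
```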