
Fwd: openvpn over ipv6 /65




Sorry, hit the wrong button!


-------- Forwarded Message --------
Subject: Re: openvpn over ipv6 /65
Date: Mon, 26 Nov 2018 11:25:09 +0100
From: tony <lists@xxxxxxxxxxxxxx>
To: Reco <recoverym4n@xxxxxxxxxxxx>

On 23/11/2018 15:24, Reco wrote:
> 	HI.
> 
> On Fri, Nov 23, 2018 at 03:07:01PM +0100, tony wrote:
>> Thanks for your quick response, Reco,
>>
>> On 23/11/2018 13:33, Reco wrote:
>>> 	Hi.
>>>
>>> On Fri, Nov 23, 2018 at 01:18:45PM +0100, tony wrote:
>>>> Hi,
>>>>
>>>> I have a Stretch VPServer with a /64 netblock, of which only the first 2
>>>> addresses are used. I've been struggling for some time to get the right
>>>> stanza to split that into two /65s, using the upper half for openvpn.
>>>
>>> I'd check first that some other addresses from this /64 range are routed
>>> by your VPS provider.
>>>
>> I'm not sure I understand what you mean. As far as I'm aware, my VPS
>> provider furnishes a full native /64 netblock for my exclusive use.
>> They'll provide more, at a cost, but I see no point in that.
>>>
>> [snip]
> 
> Assign some other IPv6 address from your range to your VPS.
> Ensure that it's reachable from the outside world.
> For instance, I do not get any response from your gateway while I'm
> pinging 2a03:9800:10:54::dead (which you do not have), and get a reply
> from 2a03:9800:10:54::2 (which belongs to your VPS).
> 
> 
>>> Ad-hoc configuration:
>>>
>>> ### check this on your OS!
>>> # ip a d igb0 2001:db8:0:123::/64
>>> # ip a a igb0 2001:db8:0:123::/65
>>> ###
>>> ### re-assign the other aliases previously set under the /64 block
>>> # ip a a igb0 2001:db8:0:123::dead/128
>>> # ip a a igb0 2001:db8:0:123::ea:beef/128
>>>
>> I'm not using any addresses other than the ::1 and ::2 in the /64 block,
>> so presumably the last two lines are redundant.
> 
> Yes, you do not need them.
> 
> 
>>> As for the persistent configuration, that depends on the contents of
>>> /etc/network/interfaces. Can be static (it's straightforward then),
>>> DHCPv6 (you won't be able to do the split) or RA (ditto).
>>>
>> No, it's all static:
> 
> That simplifies things greatly.
> Replace this:
> 
> iface eth0 inet6 static
>            address 2a03:9800:10:54::2
>            netmask 64
>            gateway 2a03:9800:10:54::1
> 
> with this:
> 
> iface eth0 inet6 static
>            address 2a03:9800:10:54::2
>            netmask 65
>            gateway 2a03:9800:10:54::1
> 
> Leave all the other entries intact.
> Then invoke this as root (one-time only):
> 
> ip a d dev eth0 2a03:9800:10:54::2/64
> ip a a dev eth0 2a03:9800:10:54::2/65
> ip ro d default via 2a03:9800:10:54::1
> 
> 
>> So what is igb0?
> 
> A name of interface that's used in OpenVPN documentation. Yours is called eth0.
> 
> 
>> What do you mean by ad-hoc and persistent configuration?
> 
> ad-hoc means that you're using certain OS binaries (in this case - ip)
> to create a network configuration that does not survive the reboot.
> persistent means the opposite - you're trying to create a configuration
> that should reproduce itself after the reboot (in this case - e/n/i).
> 
> Reco
> 

Thanks so much, Reco. This has got me well on the way to setting up an
IPv6 VPN. It has also greatly enhanced my understanding of OpenVPN.

So, I've assigned 2a03:9800:10:54:8000::/65 to the VPN, and this appears
to work. The logs are showing the tunnel having been established.
However, I can't get any IPv6 connectivity to the internet unless I stop
OpenVPN. Have you any further suggestions as to what I might try?

Cheers, Tony
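
An added example, not part of the original thread: a pre-flight check of the /64 to /65 split discussed above, using the addresses quoted in the messages. The function name `plan_split` and the shape of its return value are assumptions made for this illustration. It confirms that the host address and the gateway stay on-link once the interface netmask is narrowed to 65, and that the subnet handed to OpenVPN lies inside the block without overlapping the on-link half.

```python
import ipaddress


def plan_split(block, gateway, host_addrs, vpn_subnet):
    """Halve an IPv6 block and sanity-check a plan to give one half to a VPN.

    Returns the on-link half, the other half, and a list of problems
    (empty when the plan is consistent).
    """
    net = ipaddress.IPv6Network(block)
    lower, upper = net.subnets(prefixlen_diff=1)      # /64 -> two /65s
    gw = ipaddress.IPv6Address(gateway)
    hosts = [ipaddress.IPv6Address(h) for h in host_addrs]
    vpn = ipaddress.IPv6Network(vpn_subnet)           # raises if host bits are set

    # The interface keeps whichever half holds its first configured address.
    onlink, other = (lower, upper) if hosts[0] in lower else (upper, lower)

    problems = []
    for h in hosts:
        if h not in onlink:
            problems.append(f"{h} is outside the on-link half {onlink}")
    # With "netmask 65" the gateway must still be inside the interface prefix,
    # otherwise the static default route has no on-link next hop.
    if gw not in onlink:
        problems.append(f"gateway {gw} is not on-link in {onlink}")
    if not vpn.subnet_of(net):
        problems.append(f"VPN subnet {vpn} is not inside {net}")
    elif vpn.overlaps(onlink):
        problems.append(f"VPN subnet {vpn} overlaps the on-link half {onlink}")

    return {"onlink": str(onlink), "other": str(other), "problems": problems}


if __name__ == "__main__":
    # Values taken from the thread: eth0 holds ::2, the gateway is ::1,
    # and the upper /65 is assigned to the VPN.
    plan = plan_split(
        "2a03:9800:10:54::/64",
        "2a03:9800:10:54::1",
        ["2a03:9800:10:54::2"],
        "2a03:9800:10:54:8000::/65",
    )
    print("on-link half :", plan["onlink"])
    print("VPN half     :", plan["other"])
    print("problems     :", plan["problems"] or "none")
```
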