Web lists-archives.com

Re: Fwd: openvpn over ipv6 /65

Hi.

It's been a long and an eventful day. But, 

On Mon, Nov 26, 2018 at 01:40:22PM +0100, tony wrote:
> >> Have you any further suggestions as to what I might try?
> > 
> > I'd like to see your IPv6 routing tables from your VPS and the OpenVPN client.
> > Two simple 'ip -6 ro l' will do.
> > And, for the sake of the completeness, the same 'ip -6 ro l' once OpenVPN is down.
> > 

That's weird:

> With the VPN up:
> On the host:
> 13:07:11 tony@tony-fr:~$ ip -6 ro l
...
> 2a03:9800:10:54::2 via fe80::a63e:51ff:fe32:f85d dev enp3s0 metric 1 pref medium

I understand why this route is here (openvpn needs it for its own
traffic), but routing public IPv6 through the link-local does not seem
right.


> 2a03:9800:10:54:8000::/65 dev tun0 proto kernel metric 256  pref medium
> 2a03:9800:10:54:8000::/65 dev tun0 metric 1024  pref medium
> 2a03:9800:10:54:8000::/65 dev tun0 metric 1029  pref medium

A simple route here would be enough. It seems that you're announcing
your /65 prefix through the openvpn, but at the same time you're
allocating IPv6 with full /65 mask to each openvpn client. That's
redundant.


> 2000::/3 dev tun0 metric 1024  pref medium
> 2000::/3 dev tun0 metric 1028  pref medium

Er, wat? Exterminate this travesty, you should never announce things
like these through openvpn even once, let alone twice. If you really
need to do things like GeoIP spoofing, you should announce an IPv6
default gateway with low metric.


> default via fe80::a63e:51ff:fe32:f85d dev enp3s0 proto static metric 100 pref medium

And add 'less than 100 metric' to the previous sentence.


> I hope that is sufficient information

More or less. Server's routing table is good, assuming that you have
net.ipv6.conf.all.forwarding set to 1 there.

Client's routing table is a mess. What you should get with openvpn
started is (order may be different):

2a03:9800:10:54::2 via fe80::a63e:51ff:fe32:f85d dev enp3s0 metric 1 pref medium
2a03:9800:10:54:8000::/65 dev tun0 proto kernel metric 256  pref medium
2a01:cb19:851f:ea00::/64 dev enp3s0 proto ra metric 100  pref medium
fe80::a63e:51ff:fe32:f85d dev enp3s0 proto static metric 100  pref medium
fe80::/64 dev tun0 proto kernel metric 256  pref medium
fe80::/64 dev enp3s0 proto kernel metric 256  pref medium
default via fe80::a63e:51ff:fe32:f85d dev enp3s0 proto static metric 100 pref medium
default via tun0 metric 99

And that means that it's time to see your openvpn's server configuration
file. Can I see one, please?

Reco
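The route-table problems Reco calls out above (the same /65 pushed three times, a 2000::/3 catch-all through the tunnel, and no VPN default route with a metric below the uplink's 100) are easy to check mechanically. The following linter is an added example, not part of the original message or of OpenVPN: it parses `ip -6 route list` output and reports those conditions. `MESSY_DUMP` is the client table as quoted in the thread (with the elided lines left out); `CLEAN_DUMP` is a constructed table following the layout Reco suggests, with the VPN default written as `default dev tun0`, the form `ip -6 route` prints for a point-to-point interface. The device name `tun0` and the severity labels are this example's own choices.

```python
"""
Lint an `ip -6 route list` dump for the client-side problems discussed in
the thread: redundant copies of the same prefix, a 2000::/3 catch-all
pushed through the tunnel, and a VPN default route whose metric is not
lower than the uplink's.  Added example, not part of the original message.
"""
import ipaddress
from collections import defaultdict

# Client routing table as quoted in the thread (the "..." lines omitted).
MESSY_DUMP = """\
2a03:9800:10:54::2 via fe80::a63e:51ff:fe32:f85d dev enp3s0 metric 1 pref medium
2a03:9800:10:54:8000::/65 dev tun0 proto kernel metric 256  pref medium
2a03:9800:10:54:8000::/65 dev tun0 metric 1024  pref medium
2a03:9800:10:54:8000::/65 dev tun0 metric 1029  pref medium
2000::/3 dev tun0 metric 1024  pref medium
2000::/3 dev tun0 metric 1028  pref medium
default via fe80::a63e:51ff:fe32:f85d dev enp3s0 proto static metric 100 pref medium
"""

# Constructed table following the layout suggested in the thread; the VPN
# default is written as `dev tun0`, as `ip -6 route` prints it for a
# point-to-point interface.
CLEAN_DUMP = """\
2a03:9800:10:54::2 via fe80::a63e:51ff:fe32:f85d dev enp3s0 metric 1 pref medium
2a03:9800:10:54:8000::/65 dev tun0 proto kernel metric 256  pref medium
2a01:cb19:851f:ea00::/64 dev enp3s0 proto ra metric 100  pref medium
fe80::a63e:51ff:fe32:f85d dev enp3s0 proto static metric 100  pref medium
fe80::/64 dev tun0 proto kernel metric 256  pref medium
fe80::/64 dev enp3s0 proto kernel metric 256  pref medium
default via fe80::a63e:51ff:fe32:f85d dev enp3s0 proto static metric 100 pref medium
default dev tun0 metric 99 pref medium
"""

# `ip route` prints attributes as keyword/value pairs after the destination.
KEYWORDS = ("via", "dev", "proto", "metric", "pref", "src", "expires")


def parse_routes(dump):
    """Turn each `ip -6 route` line into a dict of dst/via/dev/proto/metric."""
    routes = []
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        # ip omits "metric 0", so 0 is the default when the keyword is absent.
        route = {"dst": tokens[0], "via": None, "dev": None,
                 "proto": None, "metric": "0"}
        i = 1
        while i + 1 < len(tokens):
            if tokens[i] in KEYWORDS:
                route[tokens[i]] = tokens[i + 1]
                i += 2
            else:
                i += 1
        route["metric"] = int(route["metric"])
        routes.append(route)
    return routes


def lint_routes(dump, vpn_dev="tun0"):
    """Return (severity, destination, message) findings, most severe first."""
    routes = parse_routes(dump)
    findings = []

    # 1. Same prefix on the same device more than once: redundant entries.
    seen = defaultdict(list)
    for r in routes:
        seen[(r["dst"], r["dev"])].append(r["metric"])
    for (dst, dev), metrics in seen.items():
        if len(metrics) > 1:
            findings.append(("warn", dst, f"{len(metrics)} copies on {dev} "
                             f"(metrics {sorted(metrics)}); one route is enough"))

    # 2. 2000::/3 (all global unicast) pushed through the tunnel.
    catch_all = [r for r in routes if r["dst"] == "2000::/3" and r["dev"] == vpn_dev]
    if catch_all:
        findings.append(("error", "2000::/3", f"global-unicast catch-all via "
                         f"{vpn_dev}; use a default route with a lower metric instead"))

    # 3. Default-route precedence: the VPN default must beat the uplink's.
    defaults = [r for r in routes if r["dst"] == "default"]
    vpn_defaults = [r for r in defaults if r["dev"] == vpn_dev]
    other_defaults = [r for r in defaults if r["dev"] != vpn_dev]
    if catch_all and not vpn_defaults:
        findings.append(("error", "default", f"no default route via {vpn_dev}"))
    elif vpn_defaults and other_defaults:
        vpn_metric = min(r["metric"] for r in vpn_defaults)
        uplink_metric = min(r["metric"] for r in other_defaults)
        if vpn_metric >= uplink_metric:
            findings.append(("error", "default", f"{vpn_dev} default metric "
                             f"{vpn_metric} is not below uplink metric {uplink_metric}"))

    # 4. Global destination reached through a link-local next hop: expected
    #    for the host route OpenVPN adds to reach its server, so info only.
    for r in routes:
        if r["dst"] == "default" or r["via"] is None:
            continue
        dst_addr = ipaddress.ip_network(r["dst"], strict=False).network_address
        if dst_addr.is_global and ipaddress.ip_address(r["via"]).is_link_local:
            findings.append(("info", r["dst"],
                             f"global destination via link-local {r['via']} on {r['dev']}"))

    order = {"error": 0, "warn": 1, "info": 2}
    findings.sort(key=lambda f: order[f[0]])
    return findings


def count_by_severity(findings):
    """Summarise findings as {"error": n, "warn": n, "info": n}."""
    counts = {"error": 0, "warn": 0, "info": 0}
    for sev, _, _ in findings:
        counts[sev] += 1
    return counts


if __name__ == "__main__":
    for name, dump in (("quoted client table", MESSY_DUMP), ("suggested table", CLEAN_DUMP)):
        print(f"== {name}")
        for sev, dst, msg in lint_routes(dump):
            print(f"  [{sev}] {dst}: {msg}")
```

On the quoted table the linter reports two errors (the 2000::/3 catch-all and the missing VPN default), two warnings (the triplicated /65 and the duplicated 2000::/3) and one informational note about the server host route via the link-local gateway; on the suggested table only that note remains. To lint a live client, feed it `subprocess.run(["ip", "-6", "route", "list"], capture_output=True, text=True).stdout` instead of the embedded dumps.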