
Re: Fwd: openvpn over ipv6 /65

On 26/11/2018 16:55, Reco wrote:
> Hi.
> 
> It's been a long and an eventful day. But, 
> 
Sorry to ruin your day. I'm truly grateful for your help.

> On Mon, Nov 26, 2018 at 01:40:22PM +0100, tony wrote:
>>>> Have you any further suggestions as to what I might try?
>>>
>>> I'd like to see your IPv6 routing tables from your VPS and the OpenVPN client.
>>> Two simple 'ip -6 ro l' will do.
>>> And, for the sake of the completeness, the same 'ip -6 ro l' once OpenVPN is down.
>>>
> 
> That's weird:
> 
>> With the VPN up:
>> On the host:
>> 13:07:11 tony@tony-fr:~$ ip -6 ro l
> ...
>> 2a03:9800:10:54::2 via fe80::a63e:51ff:fe32:f85d dev enp3s0 metric 1 pref medium
> 
> I understand why this route is here (openvpn needs it for its own
> traffic), but routing public IPv6 through the link-local does not seem
> right.
> 
> 
>> 2a03:9800:10:54:8000::/65 dev tun0 proto kernel metric 256  pref medium
>> 2a03:9800:10:54:8000::/65 dev tun0 metric 1024  pref medium
>> 2a03:9800:10:54:8000::/65 dev tun0 metric 1029  pref medium
> 
> A simple route here would be enough. It seems that you're announcing
> your /65 prefix through the openvpn, but at the same time you're
> allocating IPv6 with full /65 mask to each openvpn client. That's
> redundant.
> 
> 
>> 2000::/3 dev tun0 metric 1024  pref medium
>> 2000::/3 dev tun0 metric 1028  pref medium
> 
> Er, wat? Exterminate this travesty, you should never announce things
> like these through openvpn even once, let alone twice. If you really
> need to do things like GeoIP spoofing, you should announce an IPv6
> default gateway with low metric.
> 
I did wonder about that. I have cobbled together stanzas from many
'tutorials' on the web. The 2000::/3 stanza came from one of those.
Someone seemed to think it was a good idea.
> 
>> default via fe80::a63e:51ff:fe32:f85d dev enp3s0 proto static metric 100
>>  pref medium
> 
> And add 'less than 100 metric' to the previous sentence.
> 
> 
>> I hope that is sufficient information
> 
> More or less. Server's routing table is good, assuming that you have
> net.ipv6.conf.all.forwarding set to 1 there.
> 
I assume that's in /etc/sysctl.conf. And no, it's commented out, so
presumably 0.

> Client's routing table is a mess. What you should get with openvpn
> started is (order may be different):
> 
> 2a03:9800:10:54::2 via fe80::a63e:51ff:fe32:f85d dev enp3s0 metric 1 pref medium
> 2a03:9800:10:54:8000::/65 dev tun0 proto kernel metric 256  pref medium
> 2a01:cb19:851f:ea00::/64 dev enp3s0 proto ra metric 100  pref medium
> fe80::a63e:51ff:fe32:f85d dev enp3s0 proto static metric 100  pref medium
> fe80::/64 dev tun0 proto kernel metric 256  pref medium
> fe80::/64 dev enp3s0 proto kernel metric 256  pref medium
> default via fe80::a63e:51ff:fe32:f85d dev enp3s0 proto static metric 100 pref medium
> default via tun0 metric 99
> 
> And that means that it's time to see your openvpn's server configuration
> file. Can I see one, please?
>


Certainly:

script-security 2
port 1194
proto udp
proto udp6
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key  # This file should be kept secret
dh /etc/openvpn/dh1024.pem

server 10.8.0.0 255.255.255.0
server-ipv6 2a03:9800:10:54:8000::/65

ifconfig-pool-persist ipp.txt
push "route-ipv6 2a03:9800:10:54:8000::/65"
push "route-ipv6 2000::/3"

push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS 208.67.222.222"

# DNS servers provided by portfast.net.
push "dhcp-option DNS 193.108.199.130"
push "dhcp-option DNS 85.158.46.77"

keepalive 10 120

comp-lzo
max-clients 10

user nobody
group nogroup

persist-key
persist-tun

status /var/log/openvpn-status.log

log		/var/log/openvpn.log

verb 4

I have cut out a load of useless commentary in that file
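The checks Reco walks through above (duplicate /65 routes over tun0, the 2000::/3 announcement, a tunnel default route that must beat the physical uplink's metric, and net.ipv6.conf.all.forwarding on the server) can be run mechanically against an 'ip -6 ro l' dump. The script below is an added example written for this thread, not code from either poster or from OpenVPN. It embeds tony's client table as the 'before' sample and Reco's expected table as the 'after' sample; the one liberty taken is writing Reco's "default via tun0 metric 99" as "default dev tun0 metric 99", which is how ip(8) actually prints an interface route. The sysctl check only reads a sysctl.conf-style text, so it reports what the file would set at boot, not the kernel's live value.

```python
"""Sanity-check an OpenVPN client's IPv6 routing table and a server sysctl.conf.

Added example for the thread above; the sample tables are taken from the
messages, the sysctl.conf snippet is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Every globally routable IPv6 prefix lives inside 2000::/3, which is why
# announcing it over the tunnel is a poor man's default route.
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")

# tony's client table with OpenVPN up (from the thread)
CLIENT_TABLE_BEFORE = """\
2a03:9800:10:54::2 via fe80::a63e:51ff:fe32:f85d dev enp3s0 metric 1 pref medium
2a03:9800:10:54:8000::/65 dev tun0 proto kernel metric 256  pref medium
2a03:9800:10:54:8000::/65 dev tun0 metric 1024  pref medium
2a03:9800:10:54:8000::/65 dev tun0 metric 1029  pref medium
2000::/3 dev tun0 metric 1024  pref medium
2000::/3 dev tun0 metric 1028  pref medium
default via fe80::a63e:51ff:fe32:f85d dev enp3s0 proto static metric 100 pref medium
"""

# Reco's expected client table (the last line rewritten as ip(8) prints it)
CLIENT_TABLE_EXPECTED = """\
2a03:9800:10:54::2 via fe80::a63e:51ff:fe32:f85d dev enp3s0 metric 1 pref medium
2a03:9800:10:54:8000::/65 dev tun0 proto kernel metric 256  pref medium
2a01:cb19:851f:ea00::/64 dev enp3s0 proto ra metric 100  pref medium
fe80::a63e:51ff:fe32:f85d dev enp3s0 proto static metric 100  pref medium
fe80::/64 dev tun0 proto kernel metric 256  pref medium
fe80::/64 dev enp3s0 proto kernel metric 256  pref medium
default via fe80::a63e:51ff:fe32:f85d dev enp3s0 proto static metric 100 pref medium
default dev tun0 metric 99
"""

# Constructed server sysctl.conf: the forwarding line is still commented out
SERVER_SYSCTL_CONF = """\
# Uncomment the next line to enable packet forwarding for IPv6
#net.ipv6.conf.all.forwarding=1
net.ipv4.ip_forward=1
"""


@dataclass
class Route:
    dst: str             # 'default' or a prefix exactly as ip(8) printed it
    via: Optional[str]   # next hop, None for a directly connected route
    dev: Optional[str]   # output interface
    metric: int          # IPv6 routes default to metric 1024 when none is shown


def parse_routes(dump: str) -> List[Route]:
    """Parse 'ip -6 ro l' output; unknown keywords (proto, pref) are skipped."""
    routes = []
    for line in dump.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst, via, dev, metric = fields[0], None, None, 1024
        for i in range(1, len(fields) - 1):
            key, val = fields[i], fields[i + 1]
            if key == "via":
                via = val
            elif key == "dev":
                dev = val
            elif key == "metric":
                metric = int(val)
        routes.append(Route(dst, via, dev, metric))
    return routes


def check_client_table(routes: List[Route], vpn_dev: str = "tun0") -> List[str]:
    """Return human-readable findings; an empty list means the table looks sane."""
    findings = []
    by_dst = {}
    for r in routes:
        if r.dev == vpn_dev and r.dst != "default":
            by_dst.setdefault(r.dst, []).append(r)
    for dst, same in by_dst.items():
        if len(same) > 1:  # the /65 pushed both as ifconfig and as a route
            metrics = sorted(r.metric for r in same)
            findings.append(f"{dst}: {len(same)} routes over {vpn_dev} "
                            f"(metrics {metrics}); one kernel route is enough")
        # host routes are printed without /128; ip_network handles that
        if GLOBAL_UNICAST.subnet_of(ipaddress.ip_network(dst, strict=False)):
            findings.append(f"{dst}: covers all global unicast space; push an "
                            f"IPv6 default route with a low metric instead")
    defaults = [r for r in routes if r.dst == "default"]
    tun_default = [r for r in defaults if r.dev == vpn_dev]
    uplink_default = [r for r in defaults if r.dev != vpn_dev]
    if not tun_default:
        findings.append(f"no IPv6 default route over {vpn_dev}; IPv6 traffic "
                        f"keeps leaving via the physical uplink")
    elif uplink_default:
        best_tun = min(r.metric for r in tun_default)
        best_uplink = min(r.metric for r in uplink_default)
        if best_tun >= best_uplink:  # lower metric wins; tunnel must be below 100
            findings.append(f"{vpn_dev} default metric {best_tun} does not beat "
                            f"uplink default metric {best_uplink}")
    return findings


def forwarding_enabled(sysctl_conf: str,
                       key: str = "net.ipv6.conf.all.forwarding") -> bool:
    """True only if an uncommented 'key = 1' line is present (last one wins)."""
    value = "0"  # kernel default when nothing sets it
    for line in sysctl_conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        k, v = (part.strip() for part in line.split("=", 1))
        if k == key:
            value = v
    return value == "1"


if __name__ == "__main__":
    for name, table in (("before", CLIENT_TABLE_BEFORE), ("expected", CLIENT_TABLE_EXPECTED)):
        print(f"--- {name}")
        for finding in check_client_table(parse_routes(table)) or ["looks sane"]:
            print(" ", finding)
    print("server forwards IPv6:", forwarding_enabled(SERVER_SYSCTL_CONF))
```

Feed it a live dump with `ip -6 ro l > table.txt` and `check_client_table(parse_routes(open("table.txt").read()))`; on tony's table it reports the three stacked /65 routes, the doubled 2000::/3, the missing tunnel default, and on Reco's expected table nothing at all.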