Re: Fwd: openvpn over ipv6 /65
- Date: Mon, 26 Nov 2018 17:53:27 +0100
- From: tony <lists@xxxxxxxxxxxxxx>
- Subject: Re: Fwd: openvpn over ipv6 /65
On 26/11/2018 16:55, Reco wrote:
> It's been a long and an eventful day. But,
Sorry to ruin your day. I'm truly grateful for your help.
> On Mon, Nov 26, 2018 at 01:40:22PM +0100, tony wrote:
>>>> Have you any further suggestions as to what I might try?
>>> I'd like to see your IPv6 routing tables from your VPS and the OpenVPN client.
>>> Two simple 'ip -6 ro l' will do.
>>> And, for the sake of the completeness, the same 'ip -6 ro l' once OpenVPN is down.
> That's weird:
>> With the VPN up:
>> On the host:
>> 13:07:11 tony@tony-fr:~$ ip -6 ro l
>> 2a03:9800:10:54::2 via fe80::a63e:51ff:fe32:f85d dev enp3s0 metric 1 pref medium
> I understand why this route is here (openvpn needs it for its own
> traffic), but routing public IPv6 through the link-local does not seem
>> 2a03:9800:10:54:8000::/65 dev tun0 proto kernel metric 256 pref medium
>> 2a03:9800:10:54:8000::/65 dev tun0 metric 1024 pref medium
>> 2a03:9800:10:54:8000::/65 dev tun0 metric 1029 pref medium
> A simple route here would be enough. It seems that you're announcing
> your /65 prefix through the openvpn, but at the same time you're
> allocating IPv6 with full /65 mask to each openvpn client. That's
>> 2000::/3 dev tun0 metric 1024 pref medium
>> 2000::/3 dev tun0 metric 1028 pref medium
> Er, wat? Exterminate this travesty, you should never announce things
> like these through openvpn even once, let alone twice. If you really
> need to do things like GeoIP spoofing, you should announce an IPv6
> default gateway with low metric.
I did wonder about that. I have cobbled together stanzas from many
'tutorials' on the web. The 2000::/3 stanza came from one of those.
Someone seemed to think it was a good idea.
>> default via fe80::a63e:51ff:fe32:f85d dev enp3s0 proto static metric 100 pref medium
> And add 'less than 100 metric' to the previous sentence.
>> I hope that is sufficient information
> More or less. Server's routing table is good, assuming that you have
> net.ipv6.conf.all.forwarding set to 1 there.
I assume that's in /etc/sysctl.conf. And no, it's commented out, so
> Client's routing table is a mess. What you should get with openvpn
> started is (order may be different):
> 2a03:9800:10:54::2 via fe80::a63e:51ff:fe32:f85d dev enp3s0 metric 1 pref medium
> 2a03:9800:10:54:8000::/65 dev tun0 proto kernel metric 256 pref medium
> 2a01:cb19:851f:ea00::/64 dev enp3s0 proto ra metric 100 pref medium
> fe80::a63e:51ff:fe32:f85d dev enp3s0 proto static metric 100 pref medium
> fe80::/64 dev tun0 proto kernel metric 256 pref medium
> fe80::/64 dev enp3s0 proto kernel metric 256 pref medium
> default via fe80::a63e:51ff:fe32:f85d dev enp3s0 proto static metric 100 pref medium
> default via tun0 metric 99
> And that means that it's time to see your openvpn's server configuration
> file. Can I see one, please?
key /etc/openvpn/server.key # This file should be kept secret
server 10.8.0.0 255.255.255.0
push "route-ipv6 2a03:9800:10:54:8000::/65"
push "route-ipv6 2000::/3"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 126.96.36.199"
# DNS servers provided by portfast.net.
push "dhcp-option DNS 188.8.131.52"
push "dhcp-option DNS 184.108.40.206"
keepalive 10 120
I have cut out a load of useless commentary in that file
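As an added example (not code from either poster), a small checker that reads the output of 'ip -6 ro l' and reports the three problems Reco points out in the client table above: the same prefix installed several times, a non-default route that covers all of global unicast (2000::/3), and no VPN default route with a metric below the physical default's. The sample table is the client output quoted in this thread, pasted in as constructed input.

```python
import ipaddress
# Constructed sample: the OpenVPN client's 'ip -6 ro l' output quoted in the thread.
CLIENT_TABLE = """\
2a03:9800:10:54::2 via fe80::a63e:51ff:fe32:f85d dev enp3s0 metric 1 pref medium
2a03:9800:10:54:8000::/65 dev tun0 proto kernel metric 256 pref medium
2a03:9800:10:54:8000::/65 dev tun0 metric 1024 pref medium
2a03:9800:10:54:8000::/65 dev tun0 metric 1029 pref medium
2000::/3 dev tun0 metric 1024 pref medium
2000::/3 dev tun0 metric 1028 pref medium
default via fe80::a63e:51ff:fe32:f85d dev enp3s0 proto static metric 100 pref medium
"""
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")  # all routable IPv6 space

def parse_routes(text):
    """Turn 'ip -6 ro l' lines into (prefix, dev, metric) tuples."""
    routes = []
    for parts in (ln.split() for ln in text.splitlines() if ln.strip()):
        dst = "::/0" if parts[0] == "default" else parts[0]
        if "/" not in dst:
            dst += "/128"            # host route printed without a mask
        dev, metric = None, 1024     # kernel's default IPv6 metric
        for i, tok in enumerate(parts):
            if tok == "dev":
                dev = parts[i + 1]
            elif tok == "metric":
                metric = int(parts[i + 1])
        routes.append((ipaddress.ip_network(dst), dev, metric))
    return routes

def audit_vpn_routes(text, vpn_dev="tun0"):
    """Return a list of findings about what the VPN pushed into the table."""
    routes = parse_routes(text)
    findings, by_key = [], {}
    for prefix, dev, metric in routes:
        by_key.setdefault((prefix, dev), []).append(metric)
    for (prefix, dev), metrics in by_key.items():
        if len(metrics) > 1:   # same prefix installed more than once
            findings.append(f"duplicate {prefix} on {dev} metrics {sorted(metrics)}")
        if dev == vpn_dev and prefix.prefixlen > 0 and GLOBAL_UNICAST.subnet_of(prefix):
            findings.append(f"{prefix} on {dev} covers all global unicast: use a default route")
    defaults = {dev: metric for prefix, dev, metric in routes if prefix.prefixlen == 0}
    vpn_metric = defaults.get(vpn_dev)
    others = [m for d, m in defaults.items() if d != vpn_dev]
    if vpn_metric is None:
        findings.append(f"no default route via {vpn_dev}")
    elif others and vpn_metric >= min(others):
        findings.append(f"default via {vpn_dev} metric {vpn_metric} loses to metric {min(others)}")
    return findings
```

Feed it `subprocess.run(["ip", "-6", "ro", "l"], capture_output=True, text=True).stdout` to check a live client.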