Re: Fwd: openvpn over ipv6 /65
On Mon, Nov 26, 2018 at 05:53:27PM +0100, tony wrote:
> >> 2000::/3 dev tun0 metric 1024 pref medium
> >> 2000::/3 dev tun0 metric 1028 pref medium
> > Er, wat? Exterminate this travesty, you should never announce things
> > like these through openvpn even once, let alone twice. If you really
> > need to do things like GeoIP spoofing, you should announce an IPv6
> > default gateway with low metric.
> I did wonder about that. I have cobbled together stanzas from many
> 'tutorials' on the web. the 2000::/3 stanza came from one of those.
> Someone seemed to think it was a good idea.
Either that someone solved their own specific task, or did not give it
much thought. A bad idea.
> >> I hope that is sufficient information
> > More or less. Server's routing table is good, assuming that you have
> > net.ipv6.conf.all.forwarding set to 1 there.
> I assume that's in /etc/sysctl.conf.
"sysctl net.ipv6.conf.all.forwarding" to check it, and yes,
/etc/sysctl.conf to implement it.
> And no, it's commented out, so presumably 0.
This ain't right. You need your openvpn server to route IPv6 from and to
you, so set it to 1.
> > Client's routing table is a mess. What you should get with openvpn
> > stared is (order may be different):
> > And that means that it's time to see your openvpn's server configuration
> > file. Can I see one, please?
So, without further ado,
> proto udp
> proto udp6
Choose one here. Either you connect to your openvpn server via IPv4, or
you do it via IPv6.
Whatever protocol you encapsulate into openvpn tunnel isn't relevant
> dev tun
L3 tunnel, eh? A good choice, if you ask me.
> push "route-ipv6 2a03:9800:10:54:8000::/65"
> push "route-ipv6 2000::/3"
> push "redirect-gateway def1 bypass-dhcp"
Remove these. Use this instead:
push "redirect-gateway def1"
push "route-ipv6 ::/0 metric 99"