Web lists-archives.com

Re: Fwd: openvpn over ipv6 /65




	Hi.

On Mon, Nov 26, 2018 at 05:53:27PM +0100, tony wrote:
> >> 2000::/3 dev tun0 metric 1024  pref medium
> >> 2000::/3 dev tun0 metric 1028  pref medium
> > 
> > Er, wat? Exterminate this travesty, you should never announce things
> > like these through openvpn even once, let alone twice. If you really
> > need to do things like GeoIP spoofing, you should announce an IPv6
> > default gateway with low metric.
> > 
> I did wonder about that. I have cobbled together stanzas from many
> 'tutorials' on the web. the 2000::/3 stanza came from one of those.
> Someone seemed to think it was a good idea.

Either that someone solved their own specific task, or did not give it
much thought. A bad idea.


> >> I hope that is sufficient information
> > 
> > More or less. Server's routing table is good, assuming that you have
> > net.ipv6.conf.all.forwarding set to 1 there.
> > 
> I assume that's in /etc/sysctl.conf.

"sysctl net.ipv6.conf.all.forwarding" to check it, and yes,
/etc/sysctl.conf to implement it.

> And no, it's commented out, so presumably 0.

This ain't right. You need your openvpn server to route IPv6 from and to
you, so set it to 1.


> > Client's routing table is a mess. What you should get with openvpn
> > stared is (order may be different):
> > 
...
> > And that means that it's time to see your openvpn's server configuration
> > file. Can I see one, please?
> 
> Certainly:

So, without further ado,

> proto udp
> proto udp6

Choose one here. Either you connect to your openvpn server via IPv4, or
you do it via IPv6.
Whatever protocol you encapsulate into openvpn tunnel isn't relevant
here.


> dev tun

L3 tunnel, eh? A good choice, if you ask me.


> push "route-ipv6 2a03:9800:10:54:8000::/65"
> push "route-ipv6 2000::/3"
> push "redirect-gateway def1 bypass-dhcp"

Remove these. Use this instead:

push "redirect-gateway def1"
push "route-ipv6 ::/0 metric 99"

Reco