
Fwd: openvpn over ipv6 /65

On 26/11/2018 18:13, Reco wrote:
> 	Hi.
> 
> On Mon, Nov 26, 2018 at 05:53:27PM +0100, tony wrote:
>>>> 2000::/3 dev tun0 metric 1024  pref medium
>>>> 2000::/3 dev tun0 metric 1028  pref medium
>>>
>>> Er, wat? Exterminate this travesty, you should never announce things
>>> like these through openvpn even once, let alone twice. If you really
>>> need to do things like GeoIP spoofing, you should announce an IPv6
>>> default gateway with low metric.
>>>
>> I did wonder about that. I have cobbled together stanzas from many
>> 'tutorials' on the web. The 2000::/3 stanza came from one of those.
>> Someone seemed to think it was a good idea.
> 
> Either that someone solved their own specific task, or did not give it
> much thought. A bad idea.
> 
It actually came from https://community.openvpn.net/openvpn/wiki/IPv6, a
site one would expect to be trustworthy. In fairness it doesn't actually
require this, but in my confusion it just slipped in. Gone now ;)
> 
>>>> I hope that is sufficient information
>>>
>>> More or less. Server's routing table is good, assuming that you have
>>> net.ipv6.conf.all.forwarding set to 1 there.
>>>
>> I assume that's in /etc/sysctl.conf.
> 
> "sysctl net.ipv6.conf.all.forwarding" to check it, and yes,
> /etc/sysctl.conf to implement it.
> 
>> And no, it's commented out, so presumably 0.
> 
> This ain't right. You need your openvpn server to route IPv6 from and to
> you, so set it to 1.
> 
> 
>>> Client's routing table is a mess. What you should get with openvpn
>>> started is (order may be different):
>>>
> ...
>>> And that means that it's time to see your openvpn's server configuration
>>> file. Can I see one, please?
>>
>> Certainly:
> 
> So, without further ado,
> 
>> proto udp
>> proto udp6
> 
> Choose one here. Either you connect to your openvpn server via IPv4, or
> you do it via IPv6.
> Whatever protocol you encapsulate into openvpn tunnel isn't relevant
> here.
> 
> 
>> dev tun
> 
> L3 tunnel, eh? A good choice, if you ask me.
> 
> 
>> push "route-ipv6 2a03:9800:10:54:8000::/65"
>> push "route-ipv6 2000::/3"
>> push "redirect-gateway def1 bypass-dhcp"
> 
> Remove these. Use this instead:
> 
> push "redirect-gateway def1"
> push "route-ipv6 ::/0 metric 99"

Well, there's an improvement: I'm now able to resolve v6 addresses with
the VPN up, presumably because IPv6 forwarding is now enabled, BUT
the remote end is still seeing the native V6 address.

I'm seeing this in my host's OVPN log:
Tue Nov 27 10:24:58 2018 us=429309 PUSH: Received control message:
'PUSH_REPLY,redirect-gateway def1,route-ipv6 ::/0 metric
99,redirect-gateway def1 bypass-dhcp,dhcp-option DNS
208.67.222.222,dhcp-option DNS 193.108.199.130,dhcp-option DNS
85.158.46.77,tun-ipv6,route 10.8.0.1,topology net30,ping 10,ping-restart
120,ifconfig-ipv6 2a03:9800:10:54:8000::1000/65
2a03:9800:10:54:8000::1,ifconfig 10.8.0.6 10.8.0.5,peer-id 2,cipher
AES-256-GCM'
Tue Nov 27 10:24:58 2018 us=429418 Options error: route-ipv6 parameter
gateway 'metric' must be a valid address
Tue Nov 27 10:24:58 2018 us=429472 Note: option tun-ipv6 is ignored
because modern operating systems do not need special IPv6 tun handling
anymore.

I'm assuming it doesn't like the ::/0 address, nor do I understand that.

Please indulge my ignorance a little longer; I feel we're getting there.

Cheers, Tony