
Re: Fwd: openvpn over ipv6 /65




On 27/11/2018 12:44, Reco wrote:
> 	Hi.
> 
> On Tue, Nov 27, 2018 at 12:26:03PM +0100, tony wrote:
>> OK, that fixed it, thanks. Almost there. I had expected the host's
>> openVPN ip (2a03:9800:10:54:8000::1000) to propagate, but I'm seeing my
>> server's address:
>>
>> tony@tony-fr:~$ dig +short any myip.opendns.com @resolver1.opendns.com
>> 2a03:9800:10:54::2
>>
>> Is that fixable?
> 
> Probably. My suspicion is that openvpn has configured NAT66 for you,
> along with the routing.
> Can I see the result of "ip6tables-save" from your openvpn server?
> 
>

OK:
root@shell:~# ip6tables-save
# Generated by ip6tables-save v1.6.0 on Tue Nov 27 11:50:18 2018
*nat
:PREROUTING ACCEPT [12346:1595144]
:INPUT ACCEPT [1726:141923]
:OUTPUT ACCEPT [743:66648]
:POSTROUTING ACCEPT [743:66648]
-A POSTROUTING -s 2a03:9800:10:54:8000::/65 -o eth0 -j SNAT --to-source 2a03:9800:10:54::2
COMMIT
# Completed on Tue Nov 27 11:50:18 2018
# Generated by ip6tables-save v1.6.0 on Tue Nov 27 11:50:18 2018
*raw
:PREROUTING ACCEPT [2472612:400710422]
:OUTPUT ACCEPT [3139829:2958344820]
COMMIT
# Completed on Tue Nov 27 11:50:18 2018
# Generated by ip6tables-save v1.6.0 on Tue Nov 27 11:50:18 2018
*mangle
:PREROUTING ACCEPT [2472612:400710422]
:INPUT ACCEPT [2456362:396255430]
:FORWARD ACCEPT [5708:3070874]
:OUTPUT ACCEPT [3139831:2958345100]
:POSTROUTING ACCEPT [3145539:2961415974]
COMMIT
# Completed on Tue Nov 27 11:50:18 2018
# Generated by ip6tables-save v1.6.0 on Tue Nov 27 11:50:18 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [165:76753]
:OUTPUT ACCEPT [3135467:2956504072]
-A INPUT -i tun+ -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4000 -j ACCEPT
-A INPUT -s 2001:8b0:ff60:6a91::/64 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 123 -j ACCEPT
-A INPUT -s ::1/128 -d ::1/128 -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "ip6tables denied: " --log-level 7
-A INPUT -j DROP
-A INPUT -p ipv6-icmp -j ACCEPT
-A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 2a03:9800:10:54::/64 -i tap0 -o eth0 -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
COMMIT
# Completed on Tue Nov 27 11:50:18 2018


If I remove the line
-A POSTROUTING -s 2a03:9800:10:54:8000::/65 -o eth0 -j SNAT --to-source 2a03:9800:10:54::2
I lose any ipv6 routing
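An added diagnostic example, not part of the thread and not anything tony or Reco posted: it parses an ip6tables-save dump (a constructed excerpt of the one quoted above), reports which nat/POSTROUTING SNAT rule covers the client's address 2a03:9800:10:54:8000::1000 (which is why myip.opendns.com returns 2a03:9800:10:54::2), and also lists filter rules that can never match because an unconditional DROP precedes them in the same chain, as the final "-p ipv6-icmp" INPUT rule in the quoted dump does. Only the Python standard library is used; negated matches ("!") are not handled.

```python
import ipaddress
import shlex

# Constructed excerpt of the ip6tables-save output quoted in the thread.
DUMP = """\
*nat
-A POSTROUTING -s 2a03:9800:10:54:8000::/65 -o eth0 -j SNAT --to-source 2a03:9800:10:54::2
COMMIT
*filter
-A INPUT -i tun+ -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "ip6tables denied: " --log-level 7
-A INPUT -j DROP
-A INPUT -p ipv6-icmp -j ACCEPT
COMMIT
"""

def parse_rules(dump):
    """Yield (table, chain, raw_line, opts) per '-A' line; opts maps each flag
    to its value, or True for a bare flag. Negations ('!') are not handled."""
    table = None
    for raw in (ln.strip() for ln in dump.splitlines()):
        if raw.startswith("*"):
            table = raw[1:]
        elif raw.startswith("-A "):
            toks, opts, i = shlex.split(raw), {}, 2
            while i < len(toks):
                has_val = i + 1 < len(toks) and not toks[i + 1].startswith("-")
                opts[toks[i]] = toks[i + 1] if has_val else True
                i += 2 if has_val else 1
            yield table, toks[1], raw, opts

def snat_for(dump, client_addr):
    """Return the --to-source that nat/POSTROUTING SNAT applies to packets from
    client_addr, or None when no SNAT rule covers that address."""
    addr = ipaddress.ip_address(client_addr)
    for table, chain, _, o in parse_rules(dump):
        if (table, chain, o.get("-j")) != ("nat", "POSTROUTING", "SNAT"):
            continue
        src = o.get("-s")  # a rule without -s matches every source address
        if src is None or addr in ipaddress.ip_network(src, strict=False):
            return o["--to-source"]
    return None

def unreachable_rules(dump):
    """Return raw lines of rules that follow an unconditional ACCEPT/DROP/REJECT
    (a rule whose only option is -j) in the same table and chain."""
    dead, shadowed = [], set()
    for table, chain, raw, o in parse_rules(dump):
        if (table, chain) in shadowed:
            dead.append(raw)
        elif set(o) == {"-j"} and o["-j"] in ("ACCEPT", "DROP", "REJECT"):
            shadowed.add((table, chain))
    return dead
```

Run snat_for(DUMP, "2a03:9800:10:54:8000::1000") against the real dump by reading ip6tables-save output into DUMP instead of the constructed excerpt.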