
Re: Fwd: openvpn over ipv6 /65
	Hi.

On Tue, Nov 27, 2018 at 01:20:25PM +0100, tony wrote:
> On 27/11/2018 12:44, Reco wrote:
> > 	Hi.
> > 
> > On Tue, Nov 27, 2018 at 12:26:03PM +0100, tony wrote:
> >> OK, that fixed it, thanks. Almost there. I had expected the host's
> >> openVPN ip (2a03:9800:10:54:8000::1000) to propagate, but I'm seeing my
> >> server's address:
> >>
> >> tony@tony-fr:~$ dig +short any myip.opendns.com @resolver1.opendns.com
> >> 2a03:9800:10:54::2
> >>
> >> Is that fixable?
> > 
> > Probably. My suspicion is that openvpn has configured NAT66 for you,
> > along with the routing.
> > Can I see the result of "ip6tables-save" from your openvpn server?
> 
> OK:
> root@shell:~# ip6tables-save
> # Generated by ip6tables-save v1.6.0 on Tue Nov 27 11:50:18 2018
> *nat
> :PREROUTING ACCEPT [12346:1595144]
> :INPUT ACCEPT [1726:141923]
> :OUTPUT ACCEPT [743:66648]
> :POSTROUTING ACCEPT [743:66648]
> -A POSTROUTING -s 2a03:9800:10:54:8000::/65 -o eth0 -j SNAT --to-source 2a03:9800:10:54::2

Yep. Good old NAT, in this case in IPv6 form. What they call NAT66.


> If I remove the line
> -A POSTROUTING -s 2a03:9800:10:54:8000::/65 -o eth0 -j SNAT --to-source 2a03:9800:10:54::2
> I lose any ipv6 routing

Strictly speaking, that's expected. The outside world does not know about
your network topology. What it does know is to send packets to
2a03:9800:10:54::1 (*not* :2) in the hope of reaching your :8000::/65.
The problem is: how can your IPv6 gateway (54::1) possibly know that
your custom subnet (:8000::/65) is reachable if you have not announced a
route?

That's something that I need to think about.

Reco
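Added example, not part of the thread: a small Python script that parses the nat table from the ip6tables-save output quoted above and reports which source address the outside world sees for a given VPN client address, which reproduces the dig result tony observed. The dump is a constructed copy of the quoted output; the VPN client address is the one from the thread.

```python
import ipaddress
import re

# Constructed copy of the ip6tables-save nat table quoted in the thread.
IP6TABLES_SAVE = """\
# Generated by ip6tables-save v1.6.0 on Tue Nov 27 11:50:18 2018
*nat
:PREROUTING ACCEPT [12346:1595144]
:INPUT ACCEPT [1726:141923]
:OUTPUT ACCEPT [743:66648]
:POSTROUTING ACCEPT [743:66648]
-A POSTROUTING -s 2a03:9800:10:54:8000::/65 -o eth0 -j SNAT --to-source 2a03:9800:10:54::2
COMMIT
"""

SNAT_RE = re.compile(r"-s (\S+) -o (\S+) -j SNAT --to-source (\S+)")


def parse_snat_rules(dump):
    """Return (source_prefix, out_iface, new_source) for each POSTROUTING SNAT rule
    in the *nat table of an ip6tables-save dump. Other tables are ignored."""
    rules, in_nat = [], False
    for line in dump.splitlines():
        if line.startswith("*"):          # table header, e.g. "*nat" or "*filter"
            in_nat = line.strip() == "*nat"
            continue
        if not in_nat or not line.startswith("-A POSTROUTING"):
            continue
        m = SNAT_RE.search(line)
        if m:
            rules.append((ipaddress.ip_network(m.group(1)),
                          m.group(2),
                          ipaddress.ip_address(m.group(3))))
    return rules


def visible_source(dump, client_addr, out_iface="eth0"):
    """Source address the outside world sees for packets from client_addr
    leaving via out_iface: the first matching SNAT target, else the address itself."""
    addr = ipaddress.ip_address(client_addr)
    for prefix, iface, new_src in parse_snat_rules(dump):
        if addr in prefix and iface == out_iface:
            return new_src
    return addr


if __name__ == "__main__":
    client = "2a03:9800:10:54:8000::1000"   # the host's openVPN address from the thread
    print(f"{client} leaves eth0 as {visible_source(IP6TABLES_SAVE, client)}")
```

Removing the SNAT rule (an empty nat table) makes the function return the client's own address, which is what the outside world would then have to route back to, hence the missing-route problem Reco points out.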