
Re: Fwd: openvpn over ipv6 /65

On 27/11/2018 13:34, Reco wrote:
> 	Hi.
> 
> On Tue, Nov 27, 2018 at 01:20:25PM +0100, tony wrote:
>> On 27/11/2018 12:44, Reco wrote:
>>> 	Hi.
>>>
>>> On Tue, Nov 27, 2018 at 12:26:03PM +0100, tony wrote:
>>>> OK, that fixed it, thanks. Almost there. I had expected the host's
>>>> openVPN ip (2a03:9800:10:54:8000::1000) to propagate, but I'm seeing my
>>>> server's address:
>>>>
>>>> tony@tony-fr:~$ dig +short any myip.opendns.com @resolver1.opendns.com
>>>> 2a03:9800:10:54::2
>>>>
>>>> Is that fixable?
>>>
>>> Probably. My suspicion is that openvpn has configured NAT66 for you,
>>> along with the routing.
>>> Can I see the result of "ip6tables-save" from your openvpn server?
>>
>> OK:
>> root@shell:~# ip6tables-save
>> # Generated by ip6tables-save v1.6.0 on Tue Nov 27 11:50:18 2018
>> *nat
>> :PREROUTING ACCEPT [12346:1595144]
>> :INPUT ACCEPT [1726:141923]
>> :OUTPUT ACCEPT [743:66648]
>> :POSTROUTING ACCEPT [743:66648]
>> -A POSTROUTING -s 2a03:9800:10:54:8000::/65 -o eth0 -j SNAT --to-source
>> 2a03:9800:10:54::2
> 
> Yep. Good old NAT, in this case in IPv6 form. What they call NAT66.
> 
> 
>> If I remove the line
>> -A POSTROUTING -s 2a03:9800:10:54:8000::/65 -o eth0 -j SNAT --to-source
>> 2a03:9800:10:54::2
>> I lose any ipv6 routing
> 
> Strictly speaking, that's expected. The outside world does not know about
> your network topology. What it does know is to send packets to
> 2a03:9800:10:54::1 (*not* :2) in the hope of reaching your :8000::/65.
> The problem is: how can your IPv6 gateway (54::1) possibly know that
> your custom subnet (:8000::/65) is reachable if you have not announced a
> route?
> 
> That's something that I need to think about.

Thanks very much for spending so much time on my problem.
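As an added example (not part of the thread), a small Python check that reads an ip6tables-save dump like the one quoted above, finds the NAT66 (SNAT) rules in the nat table and reports the address the outside world will see for a given VPN client; it reproduces why the dig query returned ::2 rather than the client's ::1000. The dump is copied from the post with the mail-wrapped rule re-joined onto one line; matching only SNAT rules written with -s, -o and -j in that order is an assumption of this example.

```python
import ipaddress
import re

# Constructed copy of the ip6tables-save output quoted in the thread,
# with the wrapped POSTROUTING rule re-joined onto a single line.
IP6TABLES_SAVE = """\
# Generated by ip6tables-save v1.6.0 on Tue Nov 27 11:50:18 2018
*nat
:PREROUTING ACCEPT [12346:1595144]
:INPUT ACCEPT [1726:141923]
:OUTPUT ACCEPT [743:66648]
:POSTROUTING ACCEPT [743:66648]
-A POSTROUTING -s 2a03:9800:10:54:8000::/65 -o eth0 -j SNAT --to-source 2a03:9800:10:54::2
"""

# Assumed rule layout: "-A POSTROUTING -s <net> [-o <dev>] -j SNAT --to-source <addr>".
SNAT_RE = re.compile(
    r"^-A POSTROUTING\s+-s\s+(?P<src>\S+)\s+(?:-o\s+(?P<dev>\S+)\s+)?"
    r"-j\s+SNAT\s+--to-source\s+(?P<to>\S+)"
)


def find_nat66_rules(dump):
    """Return (source_network, out_iface, to_source) for each SNAT rule in the *nat table."""
    rules = []
    table = None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):          # "*nat", "*filter", ... start a new table
            table = line[1:]
            continue
        if table != "nat":                # SNAT only lives in the nat table
            continue
        m = SNAT_RE.match(line)
        if m:
            rules.append((ipaddress.ip_network(m["src"], strict=False),
                          m["dev"],
                          ipaddress.ip_address(m["to"])))
    return rules


def egress_address(dump, client_addr):
    """Address the outside world sees for client_addr, or None if no NAT66 rule rewrites it."""
    addr = ipaddress.ip_address(client_addr)
    for net, _dev, to_source in find_nat66_rules(dump):
        if addr in net:                   # the client's source falls inside the SNAT'd /65
            return to_source
    return None


if __name__ == "__main__":
    print(egress_address(IP6TABLES_SAVE, "2a03:9800:10:54:8000::1000"))
```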