Re: Fwd: openvpn over ipv6 /65

On Tue, Nov 27, 2018 at 01:56:34PM +0100, tony wrote:
> >> If I remove the line
> >> -A POSTROUTING -s 2a03:9800:10:54:8000::/65 -o eth0 -j SNAT --to-source
> >> 2a03:9800:10:54::2
> >> I lose any ipv6 routing
> > 
> > Strictly speaking, that's expected. Outside world does not know about
> > your network topology. What it does know is to send packets to
> > 2a03:9800:10:54::1 (*not* :2) in hope of reaching your :8000::/65.
> > The problem is - how your IPv6 gateway (54::1) can possibly know that
> > your custom subnet (:8000::/65) is reachable if you have not announced a
> > route?
> > 
> > That's something that I need to think about.
> 
> thanks very much for spending so much time on my problem.

So, I thought about all this, and came to the following:

1) You can try announcing your own /65 route, but there's a 100% chance
that your IPv6 gateway will reject it. I'd do it too if I was your VPS
provider.

2) Currently you have two different network segments - one on eth0, and
another one on tun0 (that one).
Even if you make your openvpn encapsulate L2 traffic (don't), unless you
want to risk losing all network connectivity to your VPS by bridging
eth0 and tun0 *and* hacking openvpn scripts - I see no easy way to
bridge those two segments.

3) Likewise, you *could* put your eth0 in the promiscuous mode, and write
some set of netfilter rules to traverse the gap between eth0 and tun0,
but that's wrong on so many levels that I don't know where to begin to
describe it.

In conclusion, your current NAT66 setup is probably the best you can
achieve without a risk to your VPS or your sanity ;)

Reco
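As an added example (not code from the original mail, OpenVPN or netfilter), a small consistency check for the NAT66 layout discussed in this thread: the --to-source address must sit on the eth0 /64 so that replies reach the VPS at all, and the tun0 pool must be covered by the SNAT -s match, otherwise client packets leave un-NATed with a source the upstream cannot route back. The addresses are the ones from the thread; the tun0 pool handed to the check is an assumption.

```python
import ipaddress

# Addresses quoted in the thread (constructed layout around them, not the poster's config).
ONLINK = ipaddress.ip_network("2a03:9800:10:54::/64")          # assumption: VPS /64 on eth0
GATEWAY = ipaddress.ip_address("2a03:9800:10:54::1")           # provider gateway
SNAT_SRC = ipaddress.ip_network("2a03:9800:10:54:8000::/65")   # -s in the SNAT rule
SNAT_TO = ipaddress.ip_address("2a03:9800:10:54::2")           # --to-source in the SNAT rule


def check_nat66(onlink, gateway, snat_src, snat_to, tun_pool):
    """Return the reasons this layout would break; an empty list means it is consistent."""
    problems = []
    if gateway not in onlink:
        problems.append("gateway is not on the eth0 prefix")
    if snat_to not in onlink:
        # Upstream only knows how to reach the /64; replies to any other source are lost.
        problems.append("SNAT --to-source is not on the eth0 prefix: replies cannot reach the VPS")
    if not tun_pool.subnet_of(snat_src):
        # Packets from pool addresses outside the -s match leave with an unroutable source.
        problems.append("tun0 pool is not covered by the SNAT -s match: clients leak un-NATed")
    if gateway in tun_pool or snat_to in tun_pool:
        # The tun0 route is more specific than the /64 and would steal these addresses.
        problems.append("tun0 pool would capture the gateway or the NAT source address")
    return problems


def unnated_sources(snat_src, client_addrs):
    """Client addresses the SNAT rule would not rewrite (no return path from upstream)."""
    return [a for a in client_addrs if ipaddress.ip_address(a) not in snat_src]


if __name__ == "__main__":
    # Assumed tun0 pool: the whole upper /65, matching the SNAT rule exactly.
    pool = ipaddress.ip_network("2a03:9800:10:54:8000::/65")
    print("problems:", check_nat66(ONLINK, GATEWAY, SNAT_SRC, SNAT_TO, pool))
    # Constructed client addresses: the second one falls outside the SNAT match.
    print("leaking:", unnated_sources(SNAT_SRC, ["2a03:9800:10:54:8000::10",
                                                 "2a03:9800:10:54:4000::10"]))
```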