I've got an openvpn server which has native ipv6. It's got extra /64 and /56 ranges routed to it's primary ipv6 ip.
I've got a working openvpn ipv6 setup - with the /64 configured with server-ipv6 in my openvpn config. When clients connect, they get a single v6 address from that /64 allocated by openvpn and that all works great - the client has working ipv6.
What I want to do though is give the clients some additional /64's out of the /56, which are routed to the address assigned to the client by openvpn.
If I bring up such an address (eg: 2001:aaaa:100:100::1/64) on the openvpn server, it pings fine. If I bring up the same address on another machine with ipv6, and on the openvpn server do (where 2001:aaaa:100:100::/64 is out of the routed /56 and 2001:aaaa:bbb:1::172 is just another server with ipv6).
ip -6 route add 2001:aaaa:100:100::/64 via 2001:aaaa:bbb:1::172
...then it pings fine.
However, if I bring up the same ip on an openvpn client and add the same route on the openvpn server:
ip -6 route add 2001:aaaa:100:100::/64 via 2001:aaaa:aaa:1::1002 (where 2001:aaaa:aaa:1::1002 is at the client side of an openvpn tunnel)
...then it won't ping at all.
If I tcpdump eth0 on the openvpn server, pings are reaching the server. If I tcpdump tun0 on the openvpn server, pings are reaching there. If I tcpdump tun0 on the openvpn client - the pings are NOT reaching there.
Any ideas why they are not going over the tunnel?
I've got ipv6 forwarding enabled on the openvpn server and ip6tables is set to a default forwarding policy of accept.
The openvpn server is running Debian Jessie:
OpenVPN 2.3.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Nov 12 2015
the openvpn client is running on Arch Linux:
OpenVPN 2.3.10 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Mar 14 2016
My openvpn configs are pretty standard - and like I say, ipv6 over openvpn is working for the single address. This is the server config:
Code: Select all
tls-auth tls-auth.key 0
server 10.0.1.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway ipv6"
push "route-ipv6 2000::/3"
keepalive 10 30