[Solved] Route extra IPv6 ranges across tunnel
Posted: Sat May 07, 2016 8:35 am
Hi,
I've got an openvpn server which has native ipv6. It's got extra /64 and /56 ranges routed to its primary ipv6 ip.
I've got a working openvpn ipv6 setup - with the /64 configured with server-ipv6 in my openvpn config. When clients connect, they get a single v6 address from that /64 allocated by openvpn and that all works great - the client has working ipv6.
What I want to do though is give the clients some additional /64's out of the /56, which are routed to the address assigned to the client by openvpn.
If I bring up such an address (eg: 2001:aaaa100::1/64) on the openvpn server, it pings fine. If I bring up the same address on another machine with ipv6, and on the openvpn server do the following (where 2001:aaaa100::/64 is out of the routed /56 and 2001:aaaa:bbb:1::172 is just another server with ipv6):
ip -6 route add 2001:aaaa100::/64 via 2001:aaaa:bbb:1::172
...then it pings fine.
However, if I bring up the same ip on an openvpn client and add the same route on the openvpn server:
ip -6 route add 2001:aaaa100::/64 via 2001:aaaa:aaa:1::1002 (where 2001:aaaa:aaa:1::1002 is at the client side of an openvpn tunnel)
...then it won't ping at all.
If I tcpdump eth0 on the openvpn server, pings are reaching the server. If I tcpdump tun0 on the openvpn server, pings are reaching there. If I tcpdump tun0 on the openvpn client - the pings are NOT reaching there.
Any ideas why they are not going over the tunnel?
I've got ipv6 forwarding enabled on the openvpn server and ip6tables is set to a default forwarding policy of accept.
The openvpn server is running Debian Jessie:
OpenVPN 2.3.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Nov 12 2015
The openvpn client is running on Arch Linux:
OpenVPN 2.3.10 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Mar 14 2016
My openvpn configs are pretty standard - and like I say, ipv6 over openvpn is working for the single address. This is the server config:
port 1194
proto udp
dev tun
topology subnet
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth tls-auth.key 0
remote-cert-tls client
server 10.0.1.0 255.255.255.0
server-ipv6 2001:aaaa:aaa:1::/64
push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway ipv6"
push "route-ipv6 2000::/3"
ifconfig-pool-persist ipp.txt
keepalive 10 30
mssfix 1400
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
Thanks,
Ian
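As an added example (not from the original post or the OpenVPN project), the server-side pieces OpenVPN itself needs before a kernel route can hand a delegated /64 to one client. A kernel route via the client's tunnel address only delivers packets into tun0; in server mode OpenVPN still has to map the prefix to a client session, which is what `iroute-ipv6` in a client-config-dir file does, with `route-ipv6` in the server config replacing the manual `ip -6 route add`. The CCD_DIR path and the client CN `client1` are assumptions; the prefix is the one from the post.

```bash
#!/bin/sh
# Added example: generate the server-side config for a delegated IPv6 prefix.
# Assumed: CCD_DIR (./ccd here; on a real server usually /etc/openvpn/ccd) and
# the client common name "client1". The prefix is taken from the post.

CCD_DIR="${CCD_DIR:-./ccd}"

# Crude format check for "prefix/len": must contain a colon and a 1-3 digit length.
is_ipv6_prefix() {
    case "$1" in
        *:*/[0-9]|*:*/[0-9][0-9]|*:*/[0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# write_ccd <client-cn> <prefix>: bind the prefix to that client's session.
# OpenVPN reads ccd/<CN> on connect; iroute-ipv6 is OpenVPN's internal route,
# it does not touch the kernel routing table.
write_ccd() {
    cn="$1"; prefix="$2"
    is_ipv6_prefix "$prefix" || { echo "bad prefix: $prefix" >&2; return 1; }
    mkdir -p "$CCD_DIR" || return 1
    printf 'iroute-ipv6 %s\n' "$prefix" > "$CCD_DIR/$cn"
}

# server_lines <prefix>: print the lines for the server config. route-ipv6 adds
# the kernel route into the tun interface, so no manual "ip -6 route add" is needed.
server_lines() {
    is_ipv6_prefix "$1" || return 1
    printf 'client-config-dir %s\nroute-ipv6 %s\n' "$CCD_DIR" "$1"
}

# Usage: bind 2001:aaaa100::/64 to client1 and show the matching server lines.
write_ccd client1 2001:aaaa100::/64 && server_lines 2001:aaaa100::/64
```

The client still has to hold an address out of the prefix (or route it onward) on its own side, as in the post.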