IPv6 Masquerade & Private Network Only


Post by bnerickson » Mon Jan 04, 2021 11:06 pm

I have OpenVPN Access Server (openvpn-as-2.8.7_c7d6c210-CentOS8.x86_64) set up for IPv4 tunneling and am attempting to set up a similar configuration for IPv6. In short, I do not want to tunnel ALL IPv6 traffic through the tunnel. I only want to tunnel traffic to my private ULA subnet (fd00::/64) through the tunnel. I used this guide to help me with the initial configuration and set the following parameters in the DB on the server:

./confdba -mk "vpn.routing6.enable" -v "true"
./confdba -mk "vpn.server.routing6.private_network" -v "fd00::/64"
./confdba -mk "vpn.server.daemon.vpn_network6.0" -v "fd00:ffff:ffff:fffe:ffff:ffff:ffff::/112"
./confdba -mk "vpn.server.group_pool6" -v "fd00:0:0:2::/64"
./confdba -mk "vpn.server.nat6.masquerade" -v "true"
./confdba -mk "vpn.server.routing6.private_access" -v "nat"

I restarted the openvpn access server service on my server and see the vpn_network6 assigned to the tunnel interface. Clients are also getting the vpn_network6 assigned on their tunnel interface. However, clients are NOT receiving a route advertisement to reach fd00::/64. Am I missing something in my configuration?

Here's a quick, censored look at the interface output on the server side:

[root@xyz scripts]# ip addr sh
...
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:86:e6:3d brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.59/24 brd 192.168.0.255 scope global dynamic noprefixroute eth0
       valid_lft 1007sec preferred_lft 1007sec
    inet6 fd00::ffff:c0a8:3b/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 <public_ipv6>/64 scope global dynamic noprefixroute
       valid_lft 7091sec preferred_lft 3491sec
    inet6 fe80::20c:29ff:fe86:e63d/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
9: as0t0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 200
    link/none
    inet 192.168.2.1/25 brd 192.168.2.127 scope global as0t0
       valid_lft forever preferred_lft forever
    inet6 fd00:ffff:ffff:fffe:ffff:ffff:ffff:0/113 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::f58b:9799:c0dc:38e1/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

And here's a look at the Windows client side after connecting:

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    331 ::1/128                  On-link
 16    281 fd00:ffff:ffff:fffe::/64 On-link
 16    281 fd00:ffff:ffff:fffe:ffff:ffff:ffff:8000/113
                                    fe80::8
 16    281 fd00:ffff:ffff:fffe:ffff:ffff:ffff:8002/128
                                    On-link
 16    281 fe80::/64                On-link
 16    281 fe80::2ff:acff:fe1f:c8c6/128
                                    On-link
  1    331 ff00::/8                 On-link
 16    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
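
One way to check the symptom described in the post above, as an added example that is not part of the original post or of OpenVPN Access Server: it parses the client's IPv6 route table (the rows from the post, embedded as sample input, including the rows Windows wraps onto two lines) and lists the routes that cover a given prefix. The function names parse_routes and covering_routes are hypothetical.

```python
import ipaddress
import re

# Sample input: the "Active Routes" rows from the client output in the post.
ROUTE_PRINT = """\
If Metric Network Destination Gateway
1 331 ::1/128 On-link
16 281 fd00:ffff:ffff:fffe::/64 On-link
16 281 fd00:ffff:ffff:fffe:ffff:ffff:ffff:8000/113
fe80::8
16 281 fd00:ffff:ffff:fffe:ffff:ffff:ffff:8002/128
On-link
16 281 fe80::/64 On-link
16 281 fe80::2ff:acff:fe1f:c8c6/128
On-link
1 331 ff00::/8 On-link
16 281 ff00::/8 On-link
"""

# Interface index, metric, destination prefix, optional gateway on the same line.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+/\d+)(?:\s+(\S+))?\s*$")

def parse_routes(text):
    """Return (if_index, metric, network, gateway) tuples, rejoining rows
    whose gateway was wrapped onto the following line."""
    routes, pending = [], None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            idx, metric, dest, gw = m.groups()
            net = ipaddress.ip_network(dest, strict=False)
            if gw is None:
                pending = (int(idx), int(metric), net)  # gateway is on the next line
            else:
                routes.append((int(idx), int(metric), net, gw))
                pending = None
        elif pending and line.strip() and not line.startswith("="):
            routes.append(pending + (line.strip(),))
            pending = None
    return routes

def covering_routes(routes, target, if_index=None):
    """Routes whose prefix contains all of `target`, optionally on one interface."""
    target = ipaddress.ip_network(target)
    return [r for r in routes
            if r[2].version == target.version and target.subnet_of(r[2])
            and (if_index is None or r[0] == if_index)]

if __name__ == "__main__":
    print(covering_routes(parse_routes(ROUTE_PRINT), "fd00::/64"))
```

Run against this table, the lookup for fd00::/64 returns an empty list, while the client's own tunnel address is covered by three routes on interface 16.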
