OpenVPN IPv4 + IPv6 tunnel (not working so far...)

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
AquaL1te
OpenVpn Newbie
Posts: 13
Joined: Sun Aug 05, 2018 9:56 am

OpenVPN IPv4 + IPv6 tunnel (not working so far...)

Post by AquaL1te » Mon Aug 06, 2018 9:56 am

I'm attempting to add IPv6 addresses for my clients. From my provider I got a fixed /64 IPv6 range, I want to subnet it into a /112 range for the OpenVPN clients (I will verify with my internet provider if there are any technical limitations with this idea). The subnetting idea came from several websites, including the OpenVPN documentation regarding IPv6 (all links listed below). My IPv4 setup is working perfectly for at least a year already. So that part is fully tested and functional. For the IPv6 IP allocation I want to use CCD, just like I do with IPv4.

Some explanation about the IPs and such.
2001:aaaa:bbbb:1::/64 = Subnet of my provider.
2001:aaaa:bbbb:1:10:1:1::/112 = Subnet I want to use for my OpenVPN clients (reachable for the world).
Furthermore, I have 2 tunnel configs. One for UDP and the other for TCP which is routed via my iptable config to use port 443 and share it with Apache. The UDP tunnel is what I use to test IPv6 + IPv4. The TCP tunnel is only IPv4 at the moment.

I use OpenVPN 2.4.0-6+deb9u2 on Raspbian 9 (Stretch) which is installed on a Raspberry Pi 3B+.

My TCP (IPv4 only) server config.

Code:

local 10.1.0.1
port 1194
port-share 127.0.0.1 443
proto tcp
dev tun

ca server/example.com/pki/ca.crt
cert server/example.com/pki/issued/vpn.example.com.crt
key server/example.com/pki/private/vpn.example.com.key
dh server/example.com/dh.pem
tls-auth server/example.com/ta.key 0
crl-verify server/example.com/pki/crl.pem

server 10.1.1.0 255.255.255.0
push "route 10.1.0.0 255.255.255.0"

client-config-dir server/example.com/ccd
ccd-exclusive
topology subnet
learn-address /usr/local/sbin/learn-address.sh
script-security 2

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.1.0.1"
push "dhcp-option DOMAIN home.lan"
push "dhcp-option DOMAIN home.vpn"
keepalive 10 30

remote-cert-tls client
auth SHA256
cipher AES-128-GCM
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
tls-version-min 1.2 or-highest
comp-lzo no
push "comp-lzo no"

user openvpn
group nogroup

persist-key
persist-tun

status /var/log/openvpn-status.log
log-append  /var/log/openvpn.log
verb 3

sndbuf 0
rcvbuf 0
push "sndbuf 0"
push "rcvbuf 0"
My UDP (IPv4 + IPv6) server config. The indented stuff is added to the existing IPv4 config. The commented lines will be tested later.

Code:

local 10.1.0.1
        #local 2001:aaaa:bbbb:1:10:1:0:1
port 1194
proto udp
        #proto udp6
dev tun

ca server/example.com/pki/ca.crt
cert server/example.com/pki/issued/vpn.example.com.crt
key server/example.com/pki/private/vpn.example.com.key
dh server/example.com/dh.pem
tls-auth server/example.com/ta.key 0
crl-verify server/example.com/pki/crl.pem

server 10.1.1.0 255.255.255.0
        server-ipv6 2001:aaaa:bbbb:1:10:1:1::/112
push "route 10.1.0.0 255.255.255.0"
        push "route-ipv6 2001:aaaa:bbbb:1::/64"
        push "route-ipv6 2000::/3"

client-config-dir server/example.com/ccd
ccd-exclusive
topology subnet
learn-address /usr/local/sbin/learn-address.sh
script-security 2

push "redirect-gateway def1 bypass-dhcp"
        #push "redirect-gateway ipv6"
push "dhcp-option DNS 10.1.0.1"
push "dhcp-option DOMAIN home.lan"
push "dhcp-option DOMAIN home.vpn"
keepalive 10 30

remote-cert-tls client
auth SHA256
cipher AES-128-GCM
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
tls-version-min 1.2 or-highest
comp-lzo no
push "comp-lzo no"

user openvpn
group nogroup

persist-key
persist-tun

status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 5

sndbuf 0
rcvbuf 0
push "sndbuf 0"
push "rcvbuf 0"
My mobile phone uses this CCD config to receive a static IPv4 and IPv6 IP.

Code:

ifconfig-push 10.1.1.3 255.255.255.0
ifconfig-ipv6-push 2001:aaaa:bbbb:1:10:1:1:3/112 2001:aaaa:bbbb:1:10:1:1:1
eth0 is connected to the internet and is configured with a static IP.

Code:

source-directory /etc/network/interfaces.d

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 10.1.0.1
    netmask 255.255.255.0
    gateway 10.1.0.10
    dns-nameservers 10.1.0.1 10.1.0.10
    dns-search home.lan home.vpn

iface eth0 inet6 static
    address 2001:aaaa:bbbb:1:10:1:0:1
    netmask 64
    gateway fe80::7eff:aaaa:bbbb:cccc
    accept_ra 1
    privext 2
This is in my sysctl.conf.

Code:

#kernel.domainname = example.com
#kernel.printk = 3 4 1 3
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_syncookies=1
net.ipv4.ip_forward=1
#net.ipv6.conf.all.forwarding=1
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
#net.ipv4.conf.all.send_redirects = 0
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
#kernel.sysrq=1
#fs.protected_hardlinks=0
#fs.protected_symlinks=0
net.ipv4.tcp_rfc1337 = 1

net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.proxy_ndp=1
My phone, connected via the UDP (IPv4 + IPv6) tunnel, gets the IPv4 and IPv6 IPs, but connectivity is only possible with IPv4. I don't see any ip6tables drops or accepts for that matter (not in INPUT or FORWARD). The client and server can't ping each other, and internet via IPv6 isn't possible for the client either.

These are the blogs/manuals I consulted.
https://community.openvpn.net/openvpn/wiki/IPv6
https://blog.apnic.net/2017/06/09/using-openvpn-ipv6/
https://cuzimageek.wordpress.com/2016/0 ... -and-ipv6/
https://feeding.cloud.geek.nz/posts/ipv ... on-linode/
https://techblog.synagila.com/2016/02/2 ... over-ipv4/
https://blog.kmp.or.at/ipv6-enabled-openvpn/
https://tomsalmon.eu/2013/04/openvpn-ip ... un-device/
https://blog.angenieux.info/linux/serve ... -sans-ndp/
viewtopic.php?t=21051
https://www.bjoerns-techblog.de/2017/07 ... -und-ipv6/

My guess is that I'm missing a routing option, here is a relevant snippet of my openvpn.log.

Code:

rWRwRwRwRwRSat Aug  4 13:48:51 2018 us=319238 intrepid.home.vpn/62.251.111.222:44356 MULTI: bad source address from client [10.1.0.13], packet dropped
RwRSat Aug  4 13:48:52 2018 us=640405 intrepid.home.vpn/62.251.111.222:44356 MULTI: bad source address from client [2001:aaa:bbbb:1:10:1:1:3], packet dropped

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN IPv4 + IPv6 tunnel (not working so far...)

Post by TinCanTech » Mon Aug 06, 2018 12:01 pm

See the rest of your logfiles ..

AquaL1te
OpenVpn Newbie
Posts: 13
Joined: Sun Aug 05, 2018 9:56 am

Re: OpenVPN IPv4 + IPv6 tunnel (not working so far...)

Post by AquaL1te » Mon Aug 06, 2018 2:30 pm

TinCanTech wrote:
Mon Aug 06, 2018 12:01 pm
See the rest of your logfiles ..
A larger log file can be provided of course, if needed.
https://cloud.neobits.nl/s/sjN83GKXanborak

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN IPv4 + IPv6 tunnel (not working so far...)

Post by TinCanTech » Mon Aug 06, 2018 2:45 pm

You are not pushing an IPv6 address to the client tun:
SENT CONTROL [defiant.home.vpn]: 'PUSH_REPLY,route 10.1.0.0 255.255.255.0,route-ipv6 2001:aaaa:bbbb:1::/112,route-ipv6 2000::/3 route-ipv6 2001:aaaa:bbbb:1::/64 1,redirect-gateway def1 bypass-dhcp,redirect-gateway ipv6,dhcp-option DNS 10.1.0.1,dhcp-option DOMAIN home.lan,dhcp-option DOMAIN home.vpn,comp-lzo no,sndbuf 0,rcvbuf 0,tun-ipv6,route-gateway 10.1.1.1,topology subnet,ping 10,ping-restart 30,ifconfig 10.1.1.2 255.255.255.0,peer-id 1,cipher AES-256-GCM' (status=1)
No --ifconfig-ipv6-push ..

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN IPv4 + IPv6 tunnel (not working so far...)

Post by TinCanTech » Mon Aug 06, 2018 2:55 pm

Also, I think you need to reconsider your subnetting:
AquaL1te wrote:
Mon Aug 06, 2018 9:56 am
My TCP (IPv4 only) server config.

local 10.1.0.1
port 1194

server 10.1.1.0 255.255.255.0
push "route 10.1.0.0 255.255.255.0"
AquaL1te wrote:
Mon Aug 06, 2018 9:56 am
My UDP (IPv4 + IPv6) server config

local 10.1.0.1
#local 2001:aaaa:bbbb:1:10:1:0:1
port 1194

server 10.1.1.0 255.255.255.0
server-ipv6 2001:aaaa:bbbb:1:10:1:1::/112
push "route 10.1.0.0 255.255.255.0"
push "route-ipv6 2001:aaaa:bbbb:1::/64"
push "route-ipv6 2000::/3"

AquaL1te
OpenVpn Newbie
Posts: 13
Joined: Sun Aug 05, 2018 9:56 am

Re: OpenVPN IPv4 + IPv6 tunnel (not working so far...)

Post by AquaL1te » Mon Aug 06, 2018 3:01 pm

TinCanTech wrote:
Mon Aug 06, 2018 2:45 pm
You are not pushing an IPv6 address to the client tun:
SENT CONTROL [defiant.home.vpn]: 'PUSH_REPLY,route 10.1.0.0 255.255.255.0,route-ipv6 2001:aaaa:bbbb:1::/112,route-ipv6 2000::/3 route-ipv6 2001:aaaa:bbbb:1::/64 1,redirect-gateway def1 bypass-dhcp,redirect-gateway ipv6,dhcp-option DNS 10.1.0.1,dhcp-option DOMAIN home.lan,dhcp-option DOMAIN home.vpn,comp-lzo no,sndbuf 0,rcvbuf 0,tun-ipv6,route-gateway 10.1.1.1,topology subnet,ping 10,ping-restart 30,ifconfig 10.1.1.2 255.255.255.0,peer-id 1,cipher AES-256-GCM' (status=1)
No --ifconfig-ipv6-push ..
On my phone I do see the assigned IPv6 address in the OpenVPN app. I'll post the client logs later today. About the TCP and UDP subnetting, I use a script to support this setup. That (IPv4) works fine.

The script below is an old version, the new one checks if IPv4 is used, if so it will continue, otherwise it will exit.

Code:

#!/bin/bash
# OpenVPN --learn-address hook.
# Arguments: $1 = add|update|delete, $2 = client address, $3 = common name
# (the common name is not passed on delete, so only two arguments are required).
# $dev (tun0/tun1) and $script_type are exported by OpenVPN.

time_stamp=$(date --rfc-3339=seconds)

if [[ $# -lt 2 ]]; then
  exit 0
else
  operation=$1
  address=$2
  common_name=${3:-}
fi

case $operation in
  add|update)
    echo "$time_stamp $script_type $common_name with $address logged in to $dev" >> /var/log/openvpn-scripts.log
    # Move the /32 host route to whichever instance (tun0/tun1) the client is on now.
    sudo ip route del "$address/32" 2>/dev/null
    sudo ip route add "$address/32" dev "$dev";;
  delete)
    if [[ -n $dev ]]; then
      echo "$time_stamp $common_name $address deleted from $dev" >> /var/log/openvpn-scripts.log
      sudo ip route del "$address/32" dev "$dev"
    else
      echo "$time_stamp $common_name $address deleted" >> /var/log/openvpn-scripts.log
      sudo ip route del "$address/32"
    fi
    ;;
  *)
    ;;
esac

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN IPv4 + IPv6 tunnel (not working so far...)

Post by TinCanTech » Mon Aug 06, 2018 3:09 pm

I am not going to debug your script but your servers are using overlapping IPv4 .. This will fail.

AquaL1te
OpenVpn Newbie
Posts: 13
Joined: Sun Aug 05, 2018 9:56 am

Re: OpenVPN IPv4 + IPv6 tunnel (not working so far...)

Post by AquaL1te » Mon Aug 06, 2018 3:13 pm

TinCanTech wrote:
Mon Aug 06, 2018 3:09 pm
I am not going to debug your script but your servers are using overlapping IPv4 .. This will fail.
IPv4 really works fine, this script handles this overlap. The problem is only IPv6 at the moment ;)

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN IPv4 + IPv6 tunnel (not working so far...)

Post by TinCanTech » Mon Aug 06, 2018 3:23 pm

AquaL1te wrote:
Mon Aug 06, 2018 3:13 pm
IPv4 really works fine, this script handles this overlap
I assure you openvpn does not work fine .. even if it appears to do so.

In fact, your complete server logs at verb 4 will probably make interesting reading .....
AquaL1te wrote:
Mon Aug 06, 2018 3:13 pm
The problem is only IPv6 at the moment
Well, I showed you what is currently wrong with that.

User avatar
Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: OpenVPN IPv4 + IPv6 tunnel (not working so far...)

Post by Pippin » Mon Aug 06, 2018 5:59 pm

Can't help you with IPv6.
I would follow TinCanTech's advice.
Try to avoid the subnets in the list below on every network under your control:

;)

Code:

10.0.0
10.0.1
10.1.1
10.1.10
10.2.0
10.8.0
10.10.1
10.90.90
10.100.1
10.255.255

169.254 # APIPA #

172.16.0
172.16.16
172.16.42
172.16.68

172.19.3

172.20.10 # IPhone built-in hotspot #

192.168.0
192.168.1
192.168.2
192.168.3
192.168.4
192.168.5
192.168.6
192.168.7
192.168.8
192.168.9
192.168.10
192.168.11
192.168.13
192.168.15
192.168.16
192.168.18
192.168.20
192.168.29
192.168.30
192.168.31
192.168.33
192.168.39
192.168.40
192.168.42 # Android USB tethering #
192.168.43 # Android built-in hotspot #
192.168.50
192.168.55
192.168.61
192.168.62
192.168.65
192.168.77
192.168.80
192.168.85
192.168.88
192.168.98
192.168.99
192.168.100
192.168.101
192.168.102
192.168.111
192.168.123
192.168.126
192.168.129
192.168.137 # Windows Phone built-in hotspot #
192.168.168
192.168.178
192.168.190
192.168.199
192.168.200
192.168.220
192.168.223
192.168.229
192.168.240
192.168.245
192.168.251
192.168.252
192.168.254

200.200.200

AquaL1te
OpenVpn Newbie
Posts: 13
Joined: Sun Aug 05, 2018 9:56 am

Re: OpenVPN IPv4 + IPv6 tunnel (not working so far...)

Post by AquaL1te » Mon Aug 06, 2018 6:26 pm

TinCanTech wrote:
Mon Aug 06, 2018 2:55 pm
Also, I think you need to reconsider your subnetting:
So with reconsider you mean what Pippin says? Because that does make sense. You didn't specify any specifics, so I assumed you were talking about the double assigned subnets. I can consider Pippin's suggestion later. For now IPv6 is my goal.

You did see the CCD config right? That pushes the addresses. This is what I see on my phone: https://cloud.neobits.nl/index.php/apps ... calingup=0

Here is the log from the client.

Code:

20:21:43.288 -- ----- OpenVPN Start -----

20:21:43.289 -- EVENT: CORE_THREAD_ACTIVE

20:21:43.297 -- Frame=512/2048/512 mssfix-ctrl=1250

20:21:43.313 -- UNUSED OPTIONS
7 [resolv-retry] [infinite] 
8 [nobind] 
10 [user] [nobody] 
11 [group] [nobody] 
12 [persist-key] 
13 [persist-tun] 
15 [auth-nocache] 
20 [tls-cipher] [TLS-DHE-RSA-WITH-AES-128-GCM-SHA256] 
22 [verb] [3] 
23 [sndbuf] [0] 
24 [rcvbuf] [0] 


20:21:43.318 -- EVENT: RESOLVE

20:21:43.484 -- Contacting xxx.yyy.118.252:1194 via UDP

20:21:43.485 -- EVENT: WAIT

20:21:43.491 -- Connecting to [vpn.example.com]:1194 (xxx.yyy.118.252) via UDPv4

20:21:43.495 -- EVENT: CONNECTING

20:21:43.499 -- Tunnel Options:V4,dev-type tun,link-mtu 1522,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-GCM,auth SHA256,keysize 128,tls-auth,key-method 2,tls-client

20:21:43.500 -- Creds: UsernameEmpty/PasswordEmpty

20:21:43.500 -- Peer Info:
IV_GUI_VER=OC30Android
IV_VER=3.2
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_AUTO_SESS=1


20:21:43.602 -- VERIFY OK : depth=0
cert. version     : 3
serial number     : D0:94:CB:A9:38:BC:4D:1D:9D:6D:1D:2C:E5:7B:EA:2F
issuer name       : CN=vpn.example.com
subject name      : CN=vpn.example.com
issued  on        : 2018-06-09 05:07:19
expires on        : 2028-06-06 05:07:19
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=false
subject alt name  : vpn.example.com
key usage         : Digital Signature, Key Encipherment
ext key usage     : TLS Web Server Authentication


20:21:43.973 -- SSL Handshake: TLSv1.2/TLS-DHE-RSA-WITH-AES-128-GCM-SHA256

20:21:43.975 -- Session is ACTIVE

20:21:43.977 -- EVENT: GET_CONFIG

20:21:43.984 -- Sending PUSH_REQUEST to server...

20:21:44.165 -- OPTIONS:
0 [route] [10.1.0.0] [255.255.255.0] 
1 [route-ipv6] [2001:aaaa:bbbb:1::/64] 
2 [route-ipv6] [2001:aaaa:bbbb:1::/112] 
3 [route-ipv6] [2000::/3] 
4 [redirect-gateway] [def1] [bypass-dhcp] 
5 [redirect-gateway] [ipv6] 
6 [dhcp-option] [DNS] [10.1.0.1] 
7 [dhcp-option] [DOMAIN] [home.lan] 
8 [dhcp-option] [DOMAIN] [home.vpn] 
9 [comp-lzo] [no] 
10 [sndbuf] [0] 
11 [rcvbuf] [0] 
12 [tun-ipv6] 
13 [route-gateway] [10.1.1.1] 
14 [topology] [subnet] 
15 [ping] [10] 
16 [ping-restart] [30] 
17 [ifconfig-ipv6] [2001:aaaa:bbbb:1:10:1:1:3/112] [2001:aaaa:bbbb:1:10:1:1:1] 
18 [ifconfig] [10.1.1.3] [255.255.255.0] 
19 [peer-id] [0] 
20 [cipher] [AES-256-GCM] 


20:21:44.171 -- PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: SHA256
  compress: LZO_STUB
  peer ID: 0

20:21:44.172 -- EVENT: ASSIGN_IP

20:21:44.242 -- TunPersist: saving tun context:
Session Name: vpn.example.com
Layer: OSI_LAYER_3
Remote Address: xxx.yyy.118.252
Tunnel Addresses:
  10.1.1.3/24 -> 10.1.1.1
  2001:aaaa:bbbb:1:10:1:1:3/112 -> 2001:aaaa:bbbb:1:10:1:1:1 [IPv6]
Reroute Gateway: IPv4=1 IPv6=1 flags=[ ENABLE REROUTE_GW DEF1 BYPASS_DHCP IPv4 IPv6 ]
Block IPv6: no
Add Routes:
  10.1.0.0/24
  2001:aaaa:bbbb:1::/64 [IPv6]
  2001:aaaa:bbbb:1::/112 [IPv6]
  2000::/3 [IPv6]
Exclude Routes:
DNS Servers:
  10.1.0.1
Search Domains:
  home.lan
  home.vpn


20:21:44.246 -- Connected via tun

20:21:44.257 -- LZO-ASYM init swap=0 asym=1

20:21:44.261 -- Comp-stub init swap=0

20:21:44.262 -- EVENT: CONNECTED info='@vpn.example.com:1194 (xxx.yyy.118.252) via /UDPv4 on tun/10.1.1.3/2001:aaaa:bbbb:1:10:1:1:3 gw=[10.1.1.1/2001:aaaa:bbbb:1:10:1:1:1]' trans=TO_CONNECTED

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN IPv4 + IPv6 tunnel (not working so far...)

Post by TinCanTech » Mon Aug 06, 2018 7:07 pm

AquaL1te wrote:
Mon Aug 06, 2018 6:26 pm
So with reconsider you mean what Pippin says? Because that does make sense
Pippin's post details many commonly used subnets which you can avoid, although I used 10.8/24 for plenty of VPNs so long as they do not conflict with other subnets in your network.

My point about your IPv4 subnets is that you are using the same subnet for two openvpn instances on the same host, which does not work, even if you manage to cobble it together somehow ..

As for IPv6:
AquaL1te wrote:
Mon Aug 06, 2018 6:26 pm
20:21:44.172 -- EVENT: ASSIGN_IP
20:21:44.242 -- TunPersist: saving tun context:
Session Name: vpn.example.com
Layer: OSI_LAYER_3
Remote Address: xxx.yyy.118.252
Tunnel Addresses:
10.1.1.3/24 -> 10.1.1.1
2001:aaaa:bbbb:1:10:1:1:3/112 -> 2001:aaaa:bbbb:1:10:1:1:1 [IPv6]
Looks like this client does get an IPv4 and 6 ..
AquaL1te wrote:
Mon Aug 06, 2018 9:56 am
My phone gets the IPv4 and IPv6 IP's, but connectivity is only possible with IPv4. I don't see any ip6table drops or accepts for that matter (not in INPUT or FORWARD). The client and server can't ping each other.
I cannot say for sure but considering the mess your IPv4 is in I am not surprised this does not work.

The only advise I can offer is that you only run this one server at a time, until you clean up your IPv4.

So stop the IPV4 only server, restart the IPv6 server and see what happens ..

AquaL1te
OpenVpn Newbie
Posts: 13
Joined: Sun Aug 05, 2018 9:56 am

Re: OpenVPN IPv4 + IPv6 tunnel (not working so far...)

Post by AquaL1te » Mon Aug 06, 2018 8:46 pm

Can you please clarify "which does not work"? Because it does work just fine and it has for a year.
Some more logs can be found here: https://cloud.neobits.nl/s/sKdLa4WyXtZAn8E

I'll try some more troubleshooting later this week.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN IPv4 + IPv6 tunnel (not working so far...)

Post by TinCanTech » Mon Aug 06, 2018 9:14 pm

TinCanTech wrote:
Mon Aug 06, 2018 2:55 pm
Also, I think you need to reconsider your subnetting:
AquaL1te wrote:
Mon Aug 06, 2018 9:56 am
My TCP (IPv4 only) server config.

local 10.1.0.1
port 1194

server 10.1.1.0 255.255.255.0
push "route 10.1.0.0 255.255.255.0"
AquaL1te wrote:
Mon Aug 06, 2018 9:56 am
My UDP (IPv4 + IPv6) server config

local 10.1.0.1
#local 2001:aaaa:bbbb:1:10:1:0:1
port 1194

server 10.1.1.0 255.255.255.0
server-ipv6 2001:aaaa:bbbb:1:10:1:1::/112
push "route 10.1.0.0 255.255.255.0"
push "route-ipv6 2001:aaaa:bbbb:1::/64"
push "route-ipv6 2000::/3"
Both instances are using --server 10.1.1.0 255.255.255.0 .. even if openvpn does not complain this is an error. If you don't want to change it then expect the unexpected .. :twisted:

AquaL1te
OpenVpn Newbie
Posts: 13
Joined: Sun Aug 05, 2018 9:56 am

Re: OpenVPN IPv4 + IPv6 tunnel (not working so far...)

Post by AquaL1te » Mon Aug 06, 2018 9:59 pm

But one is TCP the other is UDP. The sockets are also assigned on different interfaces. There is no technical limitation here, unless you can be more specific? Anyway, I'll try your suggestion to limit the scope to just IPv6 for testing. But to me the problem is IPv6 routing and IPv4 and IPv6 are treated differently and shouldn't be in each other's wake. More details later!

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN IPv4 + IPv6 tunnel (not working so far...)

Post by TinCanTech » Mon Aug 06, 2018 10:10 pm

You clearly do not understand ..

google: ip conflict

AquaL1te
OpenVpn Newbie
Posts: 13
Joined: Sun Aug 05, 2018 9:56 am

Re: OpenVPN IPv4 + IPv6 tunnel (not working so far...)

Post by AquaL1te » Tue Aug 07, 2018 7:19 am

TinCanTech wrote:
Mon Aug 06, 2018 10:10 pm
You clearly do not understand ..

google: ip conflict
The dynamic routing script fixes that ;) But whatever, this is not the issue.

I was messing around with the config last night and this morning I had 1000 PSAD warnings about ip6tables FORWARD drops! So I started to do some stuff with that, test-ipv6.com says I have IPv6 connectivity now (with IPv4).

This is what is left of the IPv6 part.

Code:

server-ipv6 2001:aaaa:bbbb:1:10:1:1::/112
# One directive per push: a single push "route-ipv6 A route-ipv6 B 1" is sent to
# the client as one option string (see the PUSH_REPLY quoted above), and the
# trailing 1 would be read as a gateway argument of route-ipv6, not a metric.
push "route-ipv6 2000::/3"
push "route-ipv6 2001:aaaa:bbbb:1::/64"

Code:

-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Allow established/related sessions to be forwared" -j ACCEPT
-A FORWARD -s 2001:aaaa:bbbb:1::/64 -i tun+ -o eth0 -m conntrack --ctstate NEW -m comment --comment "Allow traffic initiated from vpn to access \\\'the world\\\'" -j ACCEPT
-A FORWARD ! -i lo -j LOG --log-prefix "IP6TABLES FORWARD " --log-tcp-options --log-ip-options
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited

:POSTROUTING ACCEPT [302:28613]
-A POSTROUTING -s 2001:aaaa:bbbb:1:10:1:1:0/112 -j SNAT --to-source 2001:aaaa:bbbb:1:10:1:0:1
I will check later this week if NATing is really needed when you use a /112 within a /64. Unless someone already sees a solution for this?
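
As an added example (not the poster's script and not taken from the thread), here is a learn-address hook that does for IPv6 what the IPv4 script posted earlier does, plus the piece that makes a /112 carved out of an on-link /64 reachable without the POSTROUTING SNAT rule above: an NDP proxy entry on the uplink for every client address. The net.ipv6.conf.all.proxy_ndp=1 sysctl from the first post only allows the kernel to answer neighbour solicitations for proxied addresses; the addresses still have to be registered with ip -6 neigh add proxy, otherwise the upstream router never learns where 2001:aaaa:bbbb:1:10:1:1:3 lives and return traffic dies on eth0. The uplink name eth0, the log path, the DRY_RUN switch and the assumption that this OpenVPN build invokes learn-address for IPv6 addresses are mine, not the poster's.

```shell
#!/bin/sh
# Added example, not the poster's script: an OpenVPN --learn-address hook that
# handles IPv4 and IPv6 clients. For an IPv6 client it installs a /128 host
# route on the tun device and an NDP proxy entry on the uplink, so the upstream
# router's neighbour solicitations for an address in the /112 (carved out of
# the on-link /64) are answered by this host and no SNAT is needed.
# Assumptions (not stated in the thread): the uplink is eth0,
# net.ipv6.conf.all.proxy_ndp=1 is set, the script runs as root, and this
# OpenVPN version invokes learn-address for IPv6 addresses as well.
# OpenVPN calls it as: learn-address <add|update|delete> <address> [common_name]
# with $dev (tun0/tun1) in the environment; common_name is absent on delete.

UPLINK="${UPLINK:-eth0}"
LOG="${LEARN_ADDRESS_LOG:-/var/log/openvpn-scripts.log}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the ip(8) commands instead of running them

# run CMD...: execute, or print in dry-run mode
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# note MSG...: append a timestamped line to the log (skipped in dry-run mode)
note() {
    if [ "$DRY_RUN" = "1" ]; then
        return 0
    fi
    printf '%s %s\n' "$(date --rfc-3339=seconds)" "$*" >> "$LOG"
}

# is_ipv6 ADDR: true when ADDR contains a colon (family check only, no validation)
is_ipv6() {
    case "$1" in
        *:*) return 0 ;;
        *)   return 1 ;;
    esac
}

# learn_address OP ADDR TUNDEV [CN]: run (or print) the commands for one event.
# Returns 2 for an unknown operation.
learn_address() {
    op="$1"; addr="$2"; tundev="$3"; cn="${4:-unknown}"
    if is_ipv6 "$addr"; then fam="-6"; plen=128; else fam="-4"; plen=32; fi
    case "$op" in
        add|update)
            note "$cn $addr learned on $tundev"
            # 'replace' is idempotent: it moves the host route if the client
            # reconnects to the other instance, no delete-then-add needed.
            run ip "$fam" route replace "$addr/$plen" dev "$tundev"
            if [ "$plen" = 128 ]; then
                run ip -6 neigh replace proxy "$addr" dev "$UPLINK"
            fi
            ;;
        delete)
            note "$addr released from $tundev"
            run ip "$fam" route del "$addr/$plen" dev "$tundev"
            if [ "$plen" = 128 ]; then
                run ip -6 neigh del proxy "$addr" dev "$UPLINK"
            fi
            ;;
        *)
            return 2
            ;;
    esac
    return 0
}

# Entry point when OpenVPN invokes the script; a no-op when sourced for testing.
if [ "$#" -ge 2 ] && [ -n "${dev:-}" ]; then
    learn_address "$1" "$2" "$dev" "${3:-}"
fi
```

Wire it in with learn-address /usr/local/sbin/learn-address.sh and script-security 2 as in the posted server config; `dev=tun0 DRY_RUN=1 ./learn-address.sh add 2001:aaaa:bbbb:1:10:1:1:3 phone` prints the two ip commands without touching the routing table. Once the proxy entries are in place the SNAT rule in POSTROUTING can go, and the FORWARD accept rule can be tightened from the whole /64 to the /112 that is actually handed out to clients.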

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN IPv4 + IPv6 tunnel (not working so far...)

Post by TinCanTech » Tue Aug 07, 2018 10:55 am

AquaL1te wrote:
Tue Aug 07, 2018 7:19 am
The dynamic routing script fixes that
I would not say fixes .. I would say .. bludgeons openvpn in to a corner.
AquaL1te wrote:
Tue Aug 07, 2018 7:19 am
But whatever, this is not the issue
Openvpn works according to the RFCs which govern how networks work and then it adds some necessary internal code to function as a point-to-multi-point router (IE. --server). Your network setup with openvpn is broken. Which means your VPN will not function as you expect ..

I have read your script and I can see what you are doing and it may even appear to work
but your openvpn networking is broken and your script is sticky tape and string at best.
AquaL1te wrote:
Tue Aug 07, 2018 7:19 am
I was messing around with the config
Indeed, I am going to bow out of this thread because I cannot support that which is clearly broken ..
but you have fun :D

Although, I am still curious to see your routing etc ..
Bring up your two server instances and post your routing table (ip r) and your interface table (ip a) ....

AquaL1te
OpenVpn Newbie
Posts: 13
Joined: Sun Aug 05, 2018 9:56 am

Re: OpenVPN IPv4 + IPv6 tunnel (not working so far...)

Post by AquaL1te » Tue Aug 07, 2018 11:15 am

I don't see how you can be so obsessed with that IPv4 setup (see it as a floating IP thingy, which has worked perfectly for over a year); it can't interfere with the IPv6 routing anyway. The IPv6 thing is the problem (which seems semi-fixed now). Does anyone else have comments on the IPv6 setup? It currently uses NATing. I would prefer having public IPv6 IPs, but maybe the subnetting demands this setup. But I'm just thinking out loud now, I will check this in more detail and check alternatives.

Code:

$ ip -6 r
2001:aaaa:bbbb:1:10:1:1:0/112 dev tun0 proto kernel metric 256  pref medium
2001:aaaa:bbbb:1::/64 dev eth0 proto kernel metric 256  pref medium
fe80::/64 dev tun1 proto kernel metric 256  pref medium
fe80::/64 dev eth0 proto kernel metric 256  pref medium
fe80::/64 dev tun0 proto kernel metric 256  pref medium
default via fe80::7eff:zzzz:xxxx:yyyy dev eth0 metric 1024  pref medium

Code:

$ ip r
default via 10.1.0.10 dev eth0 onlink 
10.1.0.0/24 dev eth0 proto kernel scope link src 10.1.0.1 
10.1.1.0/24 dev tun1 proto kernel scope link src 10.1.1.1 
10.1.1.0/24 dev tun0 proto kernel scope link src 10.1.1.1 
10.1.1.2 dev tun0 scope link 
10.1.1.3 dev tun0 scope link 

Code:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether b8:27:eb:30:6e:ad brd ff:ff:ff:ff:ff:ff
    inet 10.1.0.1/24 brd 10.1.0.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 2001:aaaa:bbbb:1:10:1:0:1/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::ba27:xxxx:yyyy:6ead/64 scope link 
       valid_lft forever preferred_lft forever
4: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none 
    inet 10.1.1.1/24 brd 10.1.1.255 scope global tun1
       valid_lft forever preferred_lft forever
    inet6 fe80::4129:xxxx:yyyy:1300/64 scope link flags 800 
       valid_lft forever preferred_lft forever
29: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none 
    inet 10.1.1.1/24 brd 10.1.1.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 2001:aaaa:bbbb:1:10:1:1:1/112 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::be20:zzzz:xxxx:yyyy/64 scope link flags 800 
       valid_lft forever preferred_lft forever

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN IPv4 + IPv6 tunnel (not working so far...)

Post by TinCanTech » Tue Aug 07, 2018 11:24 am

AquaL1te wrote:
Tue Aug 07, 2018 11:15 am
The IPv6 thing is the problem (which seems semi fixed now).
Looks like it was the firewall then ..
AquaL1te wrote:
Tue Aug 07, 2018 11:15 am
I don't see how you can be so obsessed with that IPv4 setup, it can't interfere with the IPv6 routing anyway.
You are running this under openvpn .. not just OS.

I will not go on about this except to point out:
AquaL1te wrote:
Tue Aug 07, 2018 11:15 am
$ ip r
default via 10.1.0.10 dev eth0 onlink
10.1.0.0/24 dev eth0 proto kernel scope link src 10.1.0.1
10.1.1.0/24 dev tun1 proto kernel scope link src 10.1.1.1
10.1.1.0/24 dev tun0 proto kernel scope link src 10.1.1.1
and
AquaL1te wrote:
Tue Aug 07, 2018 11:15 am
4: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.1.1.1/24 brd 10.1.1.255 scope global tun1
<..>
29: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.1.1.1/24 brd 10.1.1.255 scope global tun0
If you are comfortable with that then so be it.
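
A quick check for the condition TinCanTech is pointing at, added here as an example and not part of the thread: it reads `ip r` / `ip -6 r` output and reports every connected prefix the kernel has attached to more than one interface, which is exactly the 10.1.1.0/24 on both tun0 and tun1 above. The sample routing table embedded in it is the poster's IPv4 table copied from the post above; the function names and the fe80::/64 exclusion are mine.

```shell
#!/bin/sh
# Added example (not from the thread): flag a connected prefix that the kernel
# has on more than one interface. Pipe `ip r` or `ip -6 r` into it, or run
# check_sample, which uses the constructed table below (copied from the thread).

# duplicate_prefixes < routes
# Prints "PREFIX DEV1,DEV2[,...]" for every 'proto kernel' (connected) prefix
# that appears on more than one device. The default route and fe80::/64
# (link-local, legitimately present on every interface) are ignored.
duplicate_prefixes() {
    awk '
        $1 != "default" && $1 != "fe80::/64" && /proto kernel/ {
            dev = ""
            for (i = 1; i <= NF; i++) if ($i == "dev") dev = $(i + 1)
            if (dev == "") next
            seen[$1] = (seen[$1] == "" ? dev : (seen[$1] "," dev))
        }
        END {
            for (p in seen) if (index(seen[p], ",")) print p, seen[p]
        }
    ' | sort
}

# Constructed sample input: the poster's IPv4 routing table as shown above.
SAMPLE_ROUTES='default via 10.1.0.10 dev eth0 onlink
10.1.0.0/24 dev eth0 proto kernel scope link src 10.1.0.1
10.1.1.0/24 dev tun1 proto kernel scope link src 10.1.1.1
10.1.1.0/24 dev tun0 proto kernel scope link src 10.1.1.1
10.1.1.2 dev tun0 scope link
10.1.1.3 dev tun0 scope link'

# check_sample: run the check over the sample; expected: "10.1.1.0/24 tun1,tun0"
check_sample() {
    printf '%s\n' "$SAMPLE_ROUTES" | duplicate_prefixes
}

# check_live: run the check over this host's own IPv4 and IPv6 tables
check_live() {
    { ip -4 route 2>/dev/null; ip -6 route 2>/dev/null; } | duplicate_prefixes
}
```

Empty output from check_live means no connected prefix is shared between interfaces; any line it prints names a subnet that two OpenVPN instances (or an instance and the LAN) are both claiming, and is what to fix before looking further at tunnel routing.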
