My goal is to set up an OpenVPN server to be used as an internet gateway for all client-generated IPv4 and IPv6 traffic. The setup for the IPv4 part was no problem, but now I'm struggling with IPv6. So please try to help me out...

What is working:
- IPv4
- communication between client and server over IPv6

What is not working:
The clients can't establish internet connections over IPv6. It seems like OpenVPN lacks rules/routes to handle packets from clients. Thus, it drops packets with the IPv6 source address of the clients. This can be seen in the last line of the server log. The weird thing (at least for me) is that the source address is the IPv6 address of the client's local interface and not that of the tun device.

Server setup

IPv6 prefix
Code:
2b0c:6001:4:b0ad::/64
Code:
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 96:06:e7:e5:7c:45 brd ff:ff:ff:ff:ff:ff
inet 37.156.127.41/22 brd 37.120.191.255 scope global ens3
valid_lft forever preferred_lft forever
inet6 2b0c:6001:4:b0ad::1/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::417d:214b:f76b:ebf0/64 scope link
valid_lft forever preferred_lft forever
9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 100
link/none
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
valid_lft forever preferred_lft forever
inet6 2b0c:6001:4:b0ad:ffff::1/112 scope global
valid_lft forever preferred_lft forever
Code:
net.ipv4.ip_forward=1
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.proxy_ndp=1
Code:
port 443
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh4096.pem
server 10.8.0.0 255.255.255.0
server-ipv6 2b0c:6001:4:b0ad:ffff::/112
ifconfig-pool-persist ipp.txt
push "route-ipv6 2b0c:6001:4:b0ad:ffff::/112"
push "route-ipv6 2000::/3"
script-security 2
learn-address /etc/openvpn/scripts/ndp-proxy-setup.sh
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
tls-auth /etc/openvpn/keys/ta.key 0 # This file is secret
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
auth SHA512
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 6
Code:
#!/bin/bash
# learn-address hook: OpenVPN calls this with "add|update|delete", the
# learned address and (for add/update) the client's common name.
action="$1"
addr="$2"
pubif="ens3"

if [[ "${addr//:/}" == "$addr" ]]
then
    # not an ipv6 address
    exit
fi

logger "${action} ndp proxy ${addr} for ${pubif}"

case "$action" in
    add)
        ip -6 neigh add proxy "$addr" dev "$pubif"
        ;;
    update)
        ip -6 neigh replace proxy "$addr" dev "$pubif"
        ;;
    delete)
        ip -6 neigh del proxy "$addr" dev "$pubif"
        ;;
esac
Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-reset
-I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with icmp6-port-unreachable
-A INPUT -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp6-port-unreachable
-A TCP -p tcp -m tcp --dport 1234 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A UDP -p udp -m udp --dport 443 -j ACCEPT
-A INPUT -j REJECT
COMMIT
IPv6 prefix (dynamic allocation by provider)
Code:
2003:4c:1b2a:fa00::/56
Code:
2: enp0s25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether d0:50:99:14:8c:df brd ff:ff:ff:ff:ff:ff
inet 192.168.1.68/24 brd 192.168.1.255 scope global enp0s25
valid_lft forever preferred_lft forever
inet6 2003:4c:1b2a:fa00:ae40:6f6a:c0ea:e332/64 scope global mngtmpaddr noprefixroute dynamic
valid_lft 6732sec preferred_lft 1332sec
inet6 fe80::4ce6:a350:b067:c3b8/64 scope link
valid_lft forever preferred_lft forever
42: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 100
link/none
inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0
valid_lft forever preferred_lft forever
inet6 2b0c:6001:4:b0ad:ffff::1000/112 scope global
valid_lft forever preferred_lft forever
Code:
client
dev tun
proto udp
remote server.wtf 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert user.crt
key user.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
auth SHA512
comp-lzo
verb 6
explicit-exit-notify
Code:
... tls handshake ...
Peer Connection Initiated with [AF_INET]84.150.95.65:38372
MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=2b0c:6001:4:b0ad:ffff::1000
MULTI: Learn: 10.8.0.6 -> philip/84.150.95.65:38372
MULTI: primary virtual IP for philip/84.150.95.65:38372: 10.8.0.6
MULTI: Learn: 2b0c:6001:4:b0ad:ffff::1000 -> philip/84.150.95.65:38372
MULTI: primary virtual IPv6 for philip/84.150.95.65:38372: 2b0c:6001:4:b0ad:ffff::1000
UDPv4 READ [155] from [AF_INET]84.150.95.65:38372: P_CONTROL_V1 kid=0 pid=[ #16 ] [ ] pid=8 DATA len=69
PUSH: Received control message: 'PUSH_REQUEST'
send_push_reply(): safe_cap=940
SENT CONTROL [philip]: 'PUSH_REPLY,ifconfig-ipv6 2b0c:6001:4:b0ad:ffff::1000/112 2b0c:6001:4:b0ad:ffff::1,route-ipv6 2b0c:6001:4:b0ad:ffff::/112,route-ipv6 2000::/3,redirect-gateway def1,dhcp-option DNS 10.8.0.1,tun-ipv6,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
UDPv4 WRITE [94] to [AF_INET]84.150.95.65:38372: P_ACK_V1 kid=0 pid=[ #14 ] [ 8 ]
UDPv4 WRITE [427] to [AF_INET]84.150.95.65:38372: P_CONTROL_V1 kid=0 pid=[ #15 ] [ ] pid=9 DATA len=341
UDPv4 READ [94] from [AF_INET]84.150.95.65:38372: P_ACK_V1 kid=0 pid=[ #17 ] [ 9 ]
UDPv4 READ [161] from [AF_INET]84.150.95.65:38372: P_DATA_V1 kid=0 DATA len=160
MULTI: bad source address from client [2003:4c:1b2a:fa00:ae40:6f6a:c0ea:e332], packet dropped
...
Code:
... tls handshake ...
Peer Connection Initiated with [AF_INET]37.156.127.41:443
SENT CONTROL [0xdefaced]: 'PUSH_REQUEST' (status=1)
UDPv4 WRITE [155] to [AF_INET]37.156.127.41:443: P_CONTROL_V1 kid=0 pid=[ #16 ] [ ] pid=8 DATA len=69
UDPv4 READ [94] from [AF_INET]37.156.127.41:443: P_ACK_V1 kid=0 pid=[ #14 ] [ 8 ]
UDPv4 READ [427] from [AF_INET]37.156.127.41:443: P_CONTROL_V1 kid=0 pid=[ #15 ] [ ] pid=9 DATA len=341
PUSH: Received control message: 'PUSH_REPLY,ifconfig-ipv6 2b0c:6001:4:b0ad:ffff::1000/112 2b0c:6001:4:b0ad:ffff::1,route-ipv6 2b0c:6001:4:b0ad:ffff::/112,route-ipv6 2000::/3,redirect-gateway def1,dhcp-option DNS 10.8.0.1,tun-ipv6,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
OPTIONS IMPORT: timers and/or timeouts modified
OPTIONS IMPORT: --ifconfig/up options modified
OPTIONS IMPORT: route options modified
OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=enp0s25 HWADDR=d0:50:99:14:8c:df
ROUTE6: default_gateway=UNDEF
TUN/TAP device tun0 opened
TUN/TAP TX queue length set to 100
do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=1
/usr/bin/ip link set dev tun0 up mtu 1500
/usr/bin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
/usr/bin/ip -6 addr add 2b0c:6001:4:b0ad:ffff::1000/112 dev tun0
/usr/bin/ip route add 37.156.127.41/32 via 192.168.1.1
/usr/bin/ip route add 0.0.0.0/1 via 10.8.0.5
/usr/bin/ip route add 128.0.0.0/1 via 10.8.0.5
/usr/bin/ip route add 10.8.0.1/32 via 10.8.0.5
add_route_ipv6(2b0c:6001:4:b0ad:ffff::/112 -> 2b0c:6001:4:b0ad:ffff::1 metric -1) dev tun0
/usr/bin/ip -6 route add 2b0c:6001:4:b0ad:ffff::/112 dev tun0
add_route_ipv6(2000::/3 -> 2b0c:6001:4:b0ad:ffff::1 metric -1) dev tun0
/usr/bin/ip -6 route add 2000::/3 dev tun0
Initialization Sequence Completed
UDPv4 WRITE [94] to [AF_INET]37.156.127.41:443: P_ACK_V1 kid=0 pid=[ #17 ] [ 9 ]
TUN READ [72]
...
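Added example (not part of the post and not OpenVPN's own code): a small Python checker for the "MULTI: bad source address from client [...], packet dropped" condition seen in the server log above. OpenVPN only forwards client packets whose source address it has learned for that client, so the script reads the "MULTI: Learn:" lines to build the learned-address table, then classifies every dropped source as either learned, inside the configured pool but never learned, or outside the pool entirely (the case in the post, where the source is the client's LAN address). The pool values are taken from the server.conf above; the log lines are constructed after the ones in the post, with two extra drop lines added to exercise the other branches.

```python
"""Classify OpenVPN 'bad source address' drops against learned client addresses.

Constructed example modelled on the server log in the post; the pool
prefixes are the ones from server.conf (server / server-ipv6).
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

POOL_V4 = ipaddress.ip_network("10.8.0.0/24")                    # server 10.8.0.0 255.255.255.0
POOL_V6 = ipaddress.ip_network("2b0c:6001:4:b0ad:ffff::/112")     # server-ipv6

LEARN_RE = re.compile(r"MULTI: Learn: (\S+) -> (\S+)")
BAD_SRC_RE = re.compile(
    r"MULTI: bad source address from client \[([^\]]+)\], packet dropped"
)

# Constructed sample: the first four lines mirror the post, the last two
# drops are added to show the remaining verdicts.
SAMPLE_LOG = """\
MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=2b0c:6001:4:b0ad:ffff::1000
MULTI: Learn: 10.8.0.6 -> philip/84.150.95.65:38372
MULTI: Learn: 2b0c:6001:4:b0ad:ffff::1000 -> philip/84.150.95.65:38372
MULTI: bad source address from client [2003:4c:1b2a:fa00:ae40:6f6a:c0ea:e332], packet dropped
MULTI: bad source address from client [2b0c:6001:4:b0ad:ffff::2000], packet dropped
MULTI: bad source address from client [fe80::4ce6:a350:b067:c3b8], packet dropped
"""


@dataclass(frozen=True)
class Drop:
    address: str
    version: int
    in_pool: bool      # source lies inside the server's pool for its IP version
    link_local: bool   # fe80::/10 sources never belong on the tunnel
    learned_by: str    # client that the server learned this address for, or ""
    verdict: str       # "learned", "pool-unlearned" or "outside-pool"


def learned_addresses(log_text):
    """Map every learned address (as a string) to the client 'cn/ip:port' it was learned for."""
    learned = {}
    for line in log_text.splitlines():
        m = LEARN_RE.search(line)
        if m:
            learned[str(ipaddress.ip_address(m.group(1)))] = m.group(2)
    return learned


def classify_drops(log_text, pool_v4=POOL_V4, pool_v6=POOL_V6):
    """Return one Drop per 'bad source address' line, in log order."""
    learned = learned_addresses(log_text)
    drops = []
    for line in log_text.splitlines():
        m = BAD_SRC_RE.search(line)
        if not m:
            continue
        addr = ipaddress.ip_address(m.group(1))
        pool = pool_v6 if addr.version == 6 else pool_v4
        in_pool = addr in pool
        owner = learned.get(str(addr), "")
        if owner:
            # learned for some client, so it was sent by a different peer
            verdict = "learned"
        elif in_pool:
            # a pool address the server never handed out / learned
            verdict = "pool-unlearned"
        else:
            # the client is sourcing from a non-tunnel address (the post's case)
            verdict = "outside-pool"
        drops.append(Drop(str(addr), addr.version, in_pool, addr.is_link_local, owner, verdict))
    return drops


def summarize(drops):
    """Count drops per verdict, e.g. {'outside-pool': 2, 'pool-unlearned': 1}."""
    return dict(Counter(d.verdict for d in drops))


if __name__ == "__main__":
    for d in classify_drops(SAMPLE_LOG):
        print(f"{d.address:45} v{d.version} in_pool={d.in_pool!s:5} "
              f"link_local={d.link_local!s:5} -> {d.verdict}")
    print(summarize(classify_drops(SAMPLE_LOG)))
```

Run it against a real server log with `classify_drops(open("openvpn.log").read())`; an "outside-pool" verdict for a global address means the client's kernel chose a source address that is not its tunnel address, which points at client-side route/source selection rather than at the server's forwarding or NDP proxy rules.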