[Solved] Route extra IPv6 ranges across tunnel

Samples of working configurations.

Moderators: TinCanTech

ichilton
OpenVpn Newbie
Posts: 8
Joined: Tue Jan 11, 2011 4:33 pm

[Solved] Route extra IPv6 ranges across tunnel

Post by ichilton » Sat May 07, 2016 8:35 am

Hi,

I've got an openvpn server which has native ipv6. It's got extra /64 and /56 ranges routed to its primary ipv6 ip.

I've got a working openvpn ipv6 setup - with the /64 configured with server-ipv6 in my openvpn config. When clients connect, they get a single v6 address from that /64 allocated by openvpn and that all works great - the client has working ipv6.

What I want to do though is give the clients some additional /64's out of the /56, which are routed to the address assigned to the client by openvpn.

If I bring up such an address (e.g. 2001:aaaa:100:100::1/64) on the openvpn server, it pings fine. If I bring up the same address on another machine with ipv6, and on the openvpn server do:
ip -6 route add 2001:aaaa:100:100::/64 via 2001:aaaa:bbb:1::172
(where 2001:aaaa:100:100::/64 is out of the routed /56 and 2001:aaaa:bbb:1::172 is just another server with ipv6)
...then it pings fine.

However, if I bring up the same ip on an openvpn client and add the same route on the openvpn server:
ip -6 route add 2001:aaaa:100:100::/64 via 2001:aaaa:aaa:1::1002
(where 2001:aaaa:aaa:1::1002 is at the client side of an openvpn tunnel)
...then it won't ping at all.

If I tcpdump eth0 on the openvpn server, pings are reaching the server. If I tcpdump tun0 on the openvpn server, pings are reaching there. If I tcpdump tun0 on the openvpn client - the pings are NOT reaching there.

Any ideas why they are not going over the tunnel?

I've got ipv6 forwarding enabled on the openvpn server and ip6tables is set to a default forwarding policy of accept.

The openvpn server is running Debian Jessie:
OpenVPN 2.3.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Nov 12 2015

the openvpn client is running on Arch Linux:
OpenVPN 2.3.10 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Mar 14 2016

My openvpn configs are pretty standard - and like I say, ipv6 over openvpn is working for the single address. This is the server config:

port 1194
proto udp

dev tun
topology subnet

ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth tls-auth.key 0

remote-cert-tls client

server 10.0.1.0 255.255.255.0
server-ipv6 2001:aaaa:aaa:1::/64

push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway ipv6"

push "route-ipv6 2000::/3"
ifconfig-pool-persist ipp.txt

keepalive 10 30
mssfix 1400

comp-lzo

user nobody
group nogroup

persist-key
persist-tun

Thanks,

Ian

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Route extra IPv6 ranges across tunnel

Post by Traffic » Sat May 07, 2016 11:32 am

tl;dr .. maybe you need some of this foo:

ichilton
OpenVpn Newbie
Posts: 8
Joined: Tue Jan 11, 2011 4:33 pm

Re: Route extra IPv6 ranges across tunnel

Post by ichilton » Mon May 09, 2016 9:35 am

Thanks - I hadn't done any ccd stuff yet as I wanted to get it working with a manual route.

I'm not quite sure why routing to a tunnel endpoint is any different to routing to another host....

Ian

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Route extra IPv6 ranges across tunnel

Post by Traffic » Mon May 09, 2016 10:41 am

ichilton wrote: I wanted to get it working with a manual route
This can be done but only in point-2-point mode.

ichilton wrote: not quite sure why routing to a tunnel endpoint is any different to routing to another host
Because in --mode server the server end connects to many clients ..
OpenVPN differentiates each remote host internally and learns remote networks with --iroute

See HOWTO: Expanding the scope of the VPN to include additional machines

ichilton
OpenVpn Newbie
Posts: 8
Joined: Tue Jan 11, 2011 4:33 pm

Re: Route extra IPv6 ranges across tunnel

Post by ichilton » Mon May 09, 2016 10:45 am

Traffic wrote: OpenVPN differentiates each remote host internally and learns remote networks with --iroute
Ahhhh, I see!

So because openvpn doesn't know anything about 2001:aaaa:100:100::1, it doesn't route it over the tunnel.

I'll look into the iroute thing.

Thank you!

ichilton
OpenVpn Newbie
Posts: 8
Joined: Tue Jan 11, 2011 4:33 pm

Re: Route extra IPv6 ranges across tunnel

Post by ichilton » Mon May 09, 2016 1:00 pm

Fixed with:

/etc/openvpn/server.conf:
route-ipv6 2001:aaaa:100:100::/56

/etc/openvpn/ccd/myclient1:
iroute-ipv6 2001:aaaa:100:101::/64
iroute-ipv6 2001:aaaa:100:102::/64

/etc/openvpn/ccd/myclient2:
iroute-ipv6 2001:aaaa:100:103::/64
..etc..

Thanks for the pointer Traffic!

Ian
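Added example, not part of the thread or of OpenVPN itself: a small checker for the two routing layers that Traffic's reply and ichilton's fix above describe. Layer 1 is the kernel: `route-ipv6` (and `server-ipv6`) in server.conf make the server install a kernel route for the whole block towards the tun device. Layer 2 is OpenVPN's own client table: `iroute-ipv6` in a per-client ccd file tells the server process which connected client owns which sub-prefix. A packet reaches a client only when both layers agree, which is exactly why the manual `ip -6 route add ... via <client tun address>` in the first post was a dead end: the kernel delivered the packet to tun0, but OpenVPN had no client that owned 2001:aaaa:100:100::/64 and dropped it. The script below parses constructed copies of server.conf and the ccd files (the CNs `myclient1`, `myclient2`, `stray` and `dup`, and the addresses, are made up for this example, mirroring the thread's 2001:aaaa:: placeholders), flags iroutes that no kernel route covers and prefixes that two clients both claim, and answers "which client would OpenVPN hand this destination to?".

```python
import ipaddress
from itertools import combinations

# Constructed sample server.conf (only the lines that matter for the kernel
# layer). 2001:aaaa::/32 is a placeholder, as in the thread, not a real block.
SERVER_CONF = """\
server 10.0.1.0 255.255.255.0
server-ipv6 2001:aaaa:aaa:1::/64
push "route-ipv6 2000::/3"
route-ipv6 2001:aaaa:100:100::/56
"""

# Constructed sample ccd directory: key = client certificate CN (the file name
# OpenVPN looks up under client-config-dir), value = file body. Two entries are
# deliberately wrong so the checker has something to report.
CCD_FILES = {
    "myclient1": "iroute-ipv6 2001:aaaa:100:101::/64\niroute-ipv6 2001:aaaa:100:102::/64\n",
    "myclient2": "iroute-ipv6 2001:aaaa:100:103::/64\n",
    # Not covered by any route-ipv6: the kernel never hands these packets to tun0.
    "stray": "iroute-ipv6 2001:aaaa:200:1::/64\n",
    # Same prefix as myclient2: OpenVPN's internal table can map it to one client only.
    "dup": "iroute-ipv6 2001:aaaa:100:103::/64\n",
}


def _prefix_lines(text, keyword):
    """Return the IPv6 networks given as the first argument of `keyword` lines.
    `push "..."` lines never match: those are routes sent to clients, not
    routes the server installs in its own kernel."""
    nets = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == keyword:
            nets.append(ipaddress.IPv6Network(parts[1], strict=False))
    return nets


def kernel_prefixes(server_conf):
    """Layer 1: prefixes the server process routes into the tun device."""
    return _prefix_lines(server_conf, "server-ipv6") + _prefix_lines(server_conf, "route-ipv6")


def client_prefixes(ccd_files):
    """Layer 2: client CN -> list of iroute-ipv6 prefixes that client owns."""
    return {cn: _prefix_lines(body, "iroute-ipv6") for cn, body in ccd_files.items()}


def audit(server_conf, ccd_files):
    """Return human-readable problems; an empty list means both layers agree."""
    problems = []
    kernel = kernel_prefixes(server_conf)
    clients = client_prefixes(ccd_files)
    for cn, nets in clients.items():
        for net in nets:
            if not any(net.subnet_of(k) for k in kernel):
                problems.append(f"{cn}: {net} is not inside any server-ipv6/route-ipv6 prefix")
    for (cn_a, nets_a), (cn_b, nets_b) in combinations(clients.items(), 2):
        for a in nets_a:
            for b in nets_b:
                if a.overlaps(b):
                    problems.append(f"{cn_a} and {cn_b} both claim {a} / {b}")
    return problems


def owner_of(address, ccd_files):
    """Which client would OpenVPN's internal routing deliver `address` to?
    Longest-prefix match over the iroute-ipv6 entries. None means the server
    process drops the packet even though the kernel routed it into tun0."""
    addr = ipaddress.IPv6Address(address)
    best = None
    for cn, nets in client_prefixes(ccd_files).items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (cn, net)
    return best[0] if best else None


if __name__ == "__main__":
    for problem in audit(SERVER_CONF, CCD_FILES):
        print("PROBLEM:", problem)
    # The thread's original test address: covered by the kernel /56, owned by nobody.
    print("2001:aaaa:100:100::1 ->", owner_of("2001:aaaa:100:100::1", CCD_FILES))
    print("2001:aaaa:100:101::1 ->", owner_of("2001:aaaa:100:101::1", CCD_FILES))
```

Two practical notes on the fix as posted. The ccd files are only read when server.conf also carries `client-config-dir ccd` (the solution post lists just the `route-ipv6` line, so that directive is assumed to be present), and the file name must match the CN in the client's certificate exactly. The same iroute table is also a source-address filter: in server mode OpenVPN drops a packet arriving from a client whose source address it has not learned for that client (logged as "bad source address from client"), so giving each client its own `iroute-ipv6` entries, rather than one shared prefix, is what stops one VPN client from sourcing traffic out of another client's /64.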

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Route extra IPv6 ranges across tunnel

Post by Traffic » Mon May 09, 2016 1:10 pm

Thanks for letting us know the solution 8-)
