Dual-stack IPv6 not working
Posted: Fri Mar 24, 2017 12:08 pm
I have a dual-stack server (CentOS 7) and an IPv4-only client (Windows 10), but I want the client to have IPv6 as well.
IPv6 connectivity on server works fine.
IPv4 VPN works correctly.
IPv6 VPN does not work at all.
OpenVPN server 2.3.14-1
OpenVPN GUI client 11.4
The client gets fe80::8 as its default gateway. I cannot ping that gateway.
However, ICMP gets through the VPN and reaches a remote site, which responds, but that response never arrives at my client or even at the server.
I presume it's the same with TCP/UDP packets.
It's not a problem with the upstream gateway - I checked various IPv6 addresses from 2001:1111:2222:3333::/64 and they're routed correctly.
Server:
#ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 1.2.3.4 netmask 255.255.255.0 broadcast 1.2.3.255
inet6 fe80::250:56ff:febc:731a prefixlen 64 scopeid 0x20<link>
inet6 2001:1111:2222:3333::11 prefixlen 64 scopeid 0x0<global>
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 192.168.111.1 netmask 255.255.255.0 destination 192.168.111.1
inet6 2001:1111:2222:3333::1 prefixlen 64 scopeid 0x0<global>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
#route -6 -n
Destination Next Hop Flag Met Ref Use If
::/96 :: !n 1024 0 0 lo
0.0.0.0/96 :: !n 1024 0 0 lo
2001:1111:2222:3333::/64 :: U 256 0 0 eth0
2001:1111:2222:3333::/64 :: U 256 0 0 tun0
fe80::/64 :: U 256 1 20 eth0
::/0 fe80::1 UG 1 1 829 eth0
::/0 :: !n -1 1 946 lo
::1/128 :: Un 0 2 47 lo
2001:1111:2222:3333::/128 :: Un 0 1 0 lo
2001:1111:2222:3333::/128 :: Un 0 1 0 lo
2001:1111:2222:3333::1/128 :: Un 0 1 0 lo
2001:1111:2222:3333::11/128 :: Un 0 2 203 lo
fe80::/128 :: Un 0 1 0 lo
fe80::250:56ff:febc:731a/128 :: Un 0 2 662 lo
ff00::/8 :: U 256 1 242 eth0
ff00::/8 :: U 256 1 4 tun0
::/0 :: !n -1 1 946 lo
#cat sysctl.conf
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.autoconf = 1
net.ipv6.conf.all.accept_ra = 0
net.ipv4.ip_forward = 1
#lsmod | grep ipv6
nf_reject_ipv6 13717 1 ip6t_REJECT
nf_conntrack_ipv6 18894 6
nf_defrag_ipv6 35104 1 nf_conntrack_ipv6
nf_nat_ipv6 14131 1 ip6table_nat
nf_nat 26147 3 nf_nat_ipv4,nf_nat_ipv6,xt_nat
nf_conntrack 111302 6 nf_nat,nf_nat_ipv4,nf_nat_ipv6,xt_conntrack,nf_conntrack_ipv4,nf_conntrack_ipv6
#iptables -nvL
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4 512 all * * ::/0 ::/0 state RELATED,ESTABLISHED
603 50699 ACCEPT all tun0 * ::/0 ::/0
4 512 ACCEPT all * tun0 ::/0 ::/0
0 0 REJECT all * * ::/0 ::/0 reject-with icmp6-adm-prohibited
Chain OUTPUT (policy ACCEPT 706 packets, 53256 bytes)
pkts bytes target prot opt in out source destination
Client:
c:\ipconfig
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Windows Adapter V9
Physical Address. . . . . . . . . : 00-FF-6F-54-70-95
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:1111:2222:3333::1000(Preferred)
Link-local IPv6 Address . . . . . : fe80::91b2:541f:9a5a:6ff7%10(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.111.2(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 192.168.111.254
DHCPv6 IAID . . . . . . . . . . . : 167837551
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1E-26-CE-34-D4-C9-EF-4F-FD-5B
DNS Servers . . . . . . . . . . . : 2001:4860:4860::8888
2001:4860:4860::8844
8.8.8.8
8.8.4.4
NetBIOS over Tcpip. . . . . . . . : Enabled
c:\>route print
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
10 276 2000::/3 fe80::8
10 276 2001:1111:2222:3333::/64 On-link
10 276 2001:1111:2222:3333::/64 fe80::8
10 276 2001:1111:2222:3333::1000/128
On-link
10 276 fe80::/64 On-link
10 276 fe80::91b2:541f:9a5a:6ff7/128
On-link
1 306 ff00::/8 On-link
10 276 ff00::/8 On-link
===========================================================================
Server:
mode server
tls-server
topology subnet
port 443
proto tcp
dev tun
tun-ipv6
server-ipv6 2001:1111:2222:3333::/64
push "route-ipv6 2000::/3"
push "redirect-gateway def1"
push "dhcp-option DNS6 2001:4860:4860::8888"
push "dhcp-option DNS6 2001:4860:4860::8844"
comp-lzo
persist-key
persist-tun
Client:
client
dev tun
cipher AES-256-CBC
proto tcp
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
CLIENT c:\> ping -6 fe80::8%24
Pinging fe80::8%24 with 32 bytes of data:
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.
Ping statistics for fe80::8%24:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
SERVER $ping6 fe80::8%tun0
PING fe80::8%tun0(fe80::8%tun0) 56 data bytes
ping: sendmsg: Network is unreachable
ping: sendmsg: Network is unreachable
ping: sendmsg: Network is unreachable
CLIENT PS C:\> get-wmiobject win32_networkadapter | select-object ServiceName, MACAddress, AdapterType, Index, Name
ServiceName : tap0901
MACAddress : 00:FF:6F:54:70:95
AdapterType : Ethernet 802.3
Index : 24
Name : TAP-Windows Adapter V9
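Added example, not part of the original post: the `route -6 -n` output above lists 2001:1111:2222:3333::/64 as a connected route on both eth0 and tun0, and this Python check flags any global prefix that is on-link on more than one interface (it also catches nested prefixes, which goes beyond the identical-prefix case shown in the post). The function names and the trimmed sample table are constructed for illustration.

```python
import ipaddress

# Constructed sample: a trimmed copy of the `route -6 -n` lines from the post.
SAMPLE = """\
Destination                  Next Hop  Flag Met Ref Use If
2001:1111:2222:3333::/64     ::        U    256 0   0   eth0
2001:1111:2222:3333::/64     ::        U    256 0   0   tun0
fe80::/64                    ::        U    256 1   20  eth0
::/0                         fe80::1   UG   1   1   829 eth0
2001:1111:2222:3333::1/128   ::        Un   0   1   0   lo
ff00::/8                     ::        U    256 1   242 eth0
ff00::/8                     ::        U    256 1   4   tun0
"""


def connected_routes(text):
    """Yield (network, interface) for on-link, non-link-local unicast routes."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7 or fields[0] == "Destination":
            continue
        dest, next_hop, flags, iface = fields[0], fields[1], fields[2], fields[6]
        # On-link route: no gateway, flag exactly "U", not a local-table entry.
        if next_hop != "::" or flags != "U" or iface == "lo":
            continue
        try:
            net = ipaddress.IPv6Network(dest, strict=False)
        except ValueError:  # e.g. the "0.0.0.0/96" line route(8) prints
            continue
        if net.is_multicast or net.is_link_local:
            continue  # ff00::/8 and fe80::/64 are expected on every interface
        yield net, iface


def overlapping_prefixes(text):
    """Return (prefix_a, if_a, prefix_b, if_b) for overlaps across interfaces.

    When the same prefix is on-link on two interfaces, the kernel has two
    candidate routes for every address in it, so traffic for a VPN client's
    address is not guaranteed to be sent to the tunnel interface.
    """
    routes = list(connected_routes(text))
    hits = []
    for i, (net_a, if_a) in enumerate(routes):
        for net_b, if_b in routes[i + 1:]:
            if if_a != if_b and net_a.overlaps(net_b):
                hits.append((str(net_a), if_a, str(net_b), if_b))
    return hits
```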