Re: Fwd: openvpn over ipv6 /65
On 26/11/2018 16:55, Reco wrote:
> Hi.
>
> It's been a long and an eventful day. But,
>
Sorry to ruin your day. I'm truly grateful for your help.
> On Mon, Nov 26, 2018 at 01:40:22PM +0100, tony wrote:
>>>> Have you any further suggestions as to what I might try?
>>>
>>> I'd like to see your IPv6 routing tables from your VPS and the OpenVPN client.
>>> Two simple 'ip -6 ro l' will do.
>>> And, for the sake of the completeness, the same 'ip -6 ro l' once OpenVPN is down.
>>>
>
> That's weird:
>
>> With the VPN up:
>> On the host:
>> 13:07:11 tony@tony-fr:~$ ip -6 ro l
> ...
>> 2a03:9800:10:54::2 via fe80::a63e:51ff:fe32:f85d dev enp3s0 metric 1 pref medium
>
> I understand why this route is here (openvpn needs it for its own
> traffic), but routing public IPv6 through the link-local does not seem
> right.
>
>
>> 2a03:9800:10:54:8000::/65 dev tun0 proto kernel metric 256 pref medium
>> 2a03:9800:10:54:8000::/65 dev tun0 metric 1024 pref medium
>> 2a03:9800:10:54:8000::/65 dev tun0 metric 1029 pref medium
>
> A simple route here would be enough. It seems that you're announcing
> your /65 prefix through the openvpn, but at the same time you're
> allocating IPv6 with full /65 mask to each openvpn client. That's
> redundant.
>
>
>> 2000::/3 dev tun0 metric 1024 pref medium
>> 2000::/3 dev tun0 metric 1028 pref medium
>
> Er, wat? Exterminate this travesty, you should never announce things
> like these through openvpn even once, let alone twice. If you really
> need to do things like GeoIP spoofing, you should announce an IPv6
> default gateway with low metric.
>
I did wonder about that. I have cobbled together stanzas from many
'tutorials' on the web. The 2000::/3 stanza came from one of those.
Someone seemed to think it was a good idea.
>
>> default via fe80::a63e:51ff:fe32:f85d dev enp3s0 proto static metric 100
>> pref medium
>
> And add 'less than 100 metric' to the previous sentence.
>
>
>> I hope that is sufficient information
>
> More or less. Server's routing table is good, assuming that you have
> net.ipv6.conf.all.forwarding set to 1 there.
>
I assume that's in /etc/sysctl.conf. And no, it's commented out, so
presumably 0.
> Client's routing table is a mess. What you should get with openvpn
> started is (order may be different):
>
> 2a03:9800:10:54::2 via fe80::a63e:51ff:fe32:f85d dev enp3s0 metric 1 pref medium
> 2a03:9800:10:54:8000::/65 dev tun0 proto kernel metric 256 pref medium
> 2a01:cb19:851f:ea00::/64 dev enp3s0 proto ra metric 100 pref medium
> fe80::a63e:51ff:fe32:f85d dev enp3s0 proto static metric 100 pref medium
> fe80::/64 dev tun0 proto kernel metric 256 pref medium
> fe80::/64 dev enp3s0 proto kernel metric 256 pref medium
> default via fe80::a63e:51ff:fe32:f85d dev enp3s0 proto static metric 100 pref medium
> default via tun0 metric 99
>
> And that means that it's time to see your openvpn's server configuration
> file. Can I see one, please?
>
Certainly:
script-security 2
port 1194
proto udp
proto udp6
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key # This file should be kept secret
dh /etc/openvpn/dh1024.pem
server 10.8.0.0 255.255.255.0
server-ipv6 2a03:9800:10:54:8000::/65
ifconfig-pool-persist ipp.txt
push "route-ipv6 2a03:9800:10:54:8000::/65"
push "route-ipv6 2000::/3"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
# DNS servers provided by portfast.net.
push "dhcp-option DNS 193.108.199.130"
push "dhcp-option DNS 85.158.46.77"
keepalive 10 120
comp-lzo
max-clients 10
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 4
I have cut out a load of useless commentary in that file.
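Reco's three checks above (the redundant /65 push, the 2000::/3 push and the forwarding sysctl) as an added Python lint, not code from the thread or from OpenVPN; it works on the server.conf and sysctl.conf text as strings, with sample lines constructed from this thread, and the 'redirect-gateway ipv6' suggestion is the OpenVPN 2.4+ option, not something Reco named:

```python
import ipaddress
import re
# Constructed sample: the IPv6-relevant lines from tony's server.conf above.
SAMPLE_CONF = """\
server-ipv6 2a03:9800:10:54:8000::/65
push "route-ipv6 2a03:9800:10:54:8000::/65"
push "route-ipv6 2000::/3"
push "redirect-gateway def1 bypass-dhcp"
"""
# Constructed sample: a sysctl.conf with the IPv6 forwarding line commented out.
SAMPLE_SYSCTL = """\
#net.ipv6.conf.all.forwarding=1
net.ipv4.ip_forward = 1
"""
def parse_conf(text):
    """Return (server-ipv6 network or None, pushed route-ipv6 networks, redirect-gateway flags)."""
    server6, routes6, redirect = None, [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = re.match(r'push\s+"([^"]*)"', line)  # unwrap push "..." to the inner option
        tokens = (m.group(1) if m else line).split()
        if tokens[0] == "server-ipv6":
            server6 = ipaddress.ip_network(tokens[1], strict=False)
        elif tokens[0] == "route-ipv6":
            routes6.append(ipaddress.ip_network(tokens[1], strict=False))
        elif tokens[0] == "redirect-gateway":
            redirect = tokens[1:]
    return server6, routes6, redirect

def lint_routes(server6, routes6, redirect):
    """Flag the two pushed routes Reco objected to; returns a list of finding strings."""
    findings = []
    for net in routes6:
        if net == server6:
            findings.append(f"redundant: {net} is already the kernel route server-ipv6 installs on tun0")
        elif net.prefixlen <= 3:  # 2000::/3 is all global unicast, i.e. a default route in disguise
            hint = "" if "ipv6" in redirect else "; 'redirect-gateway ipv6' (OpenVPN 2.4+) is the supported way"
            findings.append(f"overbroad: route-ipv6 {net} steers all public IPv6 into tun0" + hint)
    return findings

def sysctl_forwarding(text, key="net.ipv6.conf.all.forwarding"):
    """Effective value of key in a sysctl.conf fragment: absent or commented out means the kernel default 0."""
    value = 0
    for line in text.splitlines():
        k, _, v = line.partition("=")
        if k.strip() == key:          # a commented-out line never matches, so the default stands
            value = int(v.strip())    # later assignments win, as sysctl applies them in order
    return value
```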