Hi. It's been a long and an eventful day. But,
On Mon, Nov 26, 2018 at 01:40:22PM +0100, tony wrote:
> >> Have you any further suggestions as to what I might try?
> >
> > I'd like to see your IPv6 routing tables from your VPS and the OpenVPN
> > client.
> > Two simple 'ip -6 ro l' will do.
> > And, for the sake of the completeness, the same 'ip -6 ro l' once OpenVPN
> > is down.
>
> That's weird:
> With the VPN up:
> On the host:
> 13:07:11 tony@tony-fr:~$ ip -6 ro l
...
> 2a03:9800:10:54::2 via fe80::a63e:51ff:fe32:f85d dev enp3s0 metric 1 pref
> medium

I understand why this route is here (openvpn needs it for its own
traffic), but routing public IPv6 through the link-local does not seem
right.

> 2a03:9800:10:54:8000::/65 dev tun0 proto kernel metric 256 pref medium
> 2a03:9800:10:54:8000::/65 dev tun0 metric 1024 pref medium
> 2a03:9800:10:54:8000::/65 dev tun0 metric 1029 pref medium

A simple route here would be enough.
It seems that you're announcing your /65 prefix through the openvpn, but
at the same time you're allocating IPv6 with full /65 mask to each
openvpn client. That's redundant.

> 2000::/3 dev tun0 metric 1024 pref medium
> 2000::/3 dev tun0 metric 1028 pref medium

Er, wat? Exterminate this travesty, you should never announce things
like these through openvpn even once, let alone twice.
If you really need to do things like GeoIP spoofing, you should announce
an IPv6 default gateway with low metric.

> default via fe80::a63e:51ff:fe32:f85d dev enp3s0 proto static metric 100
> pref medium

And add 'less than 100 metric' to the previous sentence.

> I hope that is sufficient information

More or less. Server's routing table is good, assuming that you have
net.ipv6.conf.all.forwarding set to 1 there.
Client's routing table is a mess.

What you should get with openvpn started is (order may be different):

2a03:9800:10:54::2 via fe80::a63e:51ff:fe32:f85d dev enp3s0 metric 1 pref medium
2a03:9800:10:54:8000::/65 dev tun0 proto kernel metric 256 pref medium
2a01:cb19:851f:ea00::/64 dev enp3s0 proto ra metric 100 pref medium
fe80::a63e:51ff:fe32:f85d dev enp3s0 proto static metric 100 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
fe80::/64 dev enp3s0 proto kernel metric 256 pref medium
default via fe80::a63e:51ff:fe32:f85d dev enp3s0 proto static metric 100 pref medium
default via tun0 metric 99

And that means that it's time to see your openvpn's server configuration
file. Can I see one, please?

Reco
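
Added example, not part of the message above: a small Python check that parses 'ip -6 ro l' output, lists destinations installed more than once, and shows which route carries a given address (longest prefix first, metric only as a tie-breaker). The function names, the "dev tun0" spelling of the tunnel default and the documentation address 2001:db8::1 are assumptions made for the example.

```python
import ipaddress
from collections import Counter

# Client routes quoted in the message (VPN up), re-joined onto single lines.
CLIENT_ROUTES = """\
2a03:9800:10:54::2 via fe80::a63e:51ff:fe32:f85d dev enp3s0 metric 1 pref medium
2a03:9800:10:54:8000::/65 dev tun0 proto kernel metric 256 pref medium
2a03:9800:10:54:8000::/65 dev tun0 metric 1024 pref medium
2a03:9800:10:54:8000::/65 dev tun0 metric 1029 pref medium
2000::/3 dev tun0 metric 1024 pref medium
2000::/3 dev tun0 metric 1028 pref medium
default via fe80::a63e:51ff:fe32:f85d dev enp3s0 proto static metric 100 pref medium
"""

# Constructed: the cleaned-up table suggested in the message, link-local lines
# omitted, with the tunnel default written as "dev tun0" (an assumption).
EXPECTED_ROUTES = """\
2a03:9800:10:54::2 via fe80::a63e:51ff:fe32:f85d dev enp3s0 metric 1 pref medium
2a03:9800:10:54:8000::/65 dev tun0 proto kernel metric 256 pref medium
default via fe80::a63e:51ff:fe32:f85d dev enp3s0 proto static metric 100 pref medium
default dev tun0 metric 99
"""

def parse_routes(text):
    """Turn 'ip -6 ro l' lines into dicts with net, dev and metric."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        dst = "::/0" if tok[0] == "default" else tok[0]
        fields = dict(zip(tok[1::2], tok[2::2]))  # key/value pairs after the destination
        routes.append({"net": ipaddress.ip_network(dst, strict=False),
                       "dev": fields.get("dev"),
                       "metric": int(fields.get("metric", 0))})
    return routes

def select_route(routes, addr):
    """Longest prefix wins; metric only breaks ties between equal prefixes."""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in routes if ip in r["net"]]
    return min(hits, key=lambda r: (-r["net"].prefixlen, r["metric"])) if hits else None

def duplicates(routes):
    """Destinations installed more than once on the same device."""
    seen = Counter((str(r["net"]), r["dev"]) for r in routes)
    return sorted(k for k, n in seen.items() if n > 1)
```

On the quoted table, 2001:db8::1 resolves to 2000::/3 on tun0 even though the enp3s0 default has the lower metric, because the /3 is the longer prefix; on the cleaned-up table it resolves to the metric 99 default, while the host route keeps the server address 2a03:9800:10:54::2 on enp3s0 in both cases.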