On 26/11/2018 16:55, Reco wrote:
> Hi.
>
> It's been a long and an eventful day. But,
>
Sorry to ruin your day. I'm truly grateful for your help.
> On Mon, Nov 26, 2018 at 01:40:22PM +0100, tony wrote:
>>>> Have you any further suggestions as to what I might try?
>>>
>>> I'd like to see your IPv6 routing tables from your VPS and the OpenVPN
>>> client.
>>> Two simple 'ip -6 ro l' will do.
>>> And, for the sake of the completeness, the same 'ip -6 ro l' once OpenVPN
>>> is down.
>>>
>
> That's weird:
>
>> With the VPN up:
>> On the host:
>> 13:07:11 tony@tony-fr:~$ ip -6 ro l
> ...
>> 2a03:9800:10:54::2 via fe80::a63e:51ff:fe32:f85d dev enp3s0 metric 1 pref medium
>
> I understand why this route is here (openvpn needs it for its own
> traffic), but routing public IPv6 through the link-local does not seem
> right.
>
>
>> 2a03:9800:10:54:8000::/65 dev tun0 proto kernel metric 256 pref medium
>> 2a03:9800:10:54:8000::/65 dev tun0 metric 1024 pref medium
>> 2a03:9800:10:54:8000::/65 dev tun0 metric 1029 pref medium
>
> A simple route here would be enough. It seems that you're announcing
> your /65 prefix through the openvpn, but at the same time you're
> allocating IPv6 with full /65 mask to each openvpn client. That's
> redundant.
>
>
>> 2000::/3 dev tun0 metric 1024 pref medium
>> 2000::/3 dev tun0 metric 1028 pref medium
>
> Er, wat? Exterminate this travesty, you should never announce things
> like these through openvpn even once, let alone twice. If you really
> need to do things like GeoIP spoofing, you should announce an IPv6
> default gateway with low metric.
>
I did wonder about that. I have cobbled together stanzas from many
'tutorials' on the web. The 2000::/3 stanza came from one of those.
Someone seemed to think it was a good idea.
>
>> default via fe80::a63e:51ff:fe32:f85d dev enp3s0 proto static metric 100 pref medium
>
> And add 'less than 100 metric' to the previous sentence.
>
>
>> I hope that is sufficient information
>
> More or less. Server's routing table is good, assuming that you have
> net.ipv6.conf.all.forwarding set to 1 there.
>
I assume that's in /etc/sysctl.conf.
And no, it's commented out, so presumably 0.

> Client's routing table is a mess. What you should get with openvpn
> started is (order may be different):
>
> 2a03:9800:10:54::2 via fe80::a63e:51ff:fe32:f85d dev enp3s0 metric 1 pref medium
> 2a03:9800:10:54:8000::/65 dev tun0 proto kernel metric 256 pref medium
> 2a01:cb19:851f:ea00::/64 dev enp3s0 proto ra metric 100 pref medium
> fe80::a63e:51ff:fe32:f85d dev enp3s0 proto static metric 100 pref medium
> fe80::/64 dev tun0 proto kernel metric 256 pref medium
> fe80::/64 dev enp3s0 proto kernel metric 256 pref medium
> default via fe80::a63e:51ff:fe32:f85d dev enp3s0 proto static metric 100 pref medium
> default via tun0 metric 99
>
> And that means that it's time to see your openvpn's server configuration
> file. Can I see one, please?
>
Certainly:

script-security 2
port 1194
proto udp
proto udp6
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key  # This file should be kept secret
dh /etc/openvpn/dh1024.pem
server 10.8.0.0 255.255.255.0
server-ipv6 2a03:9800:10:54:8000::/65
ifconfig-pool-persist ipp.txt
push "route-ipv6 2a03:9800:10:54:8000::/65"
push "route-ipv6 2000::/3"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
# DNS servers provided by portfast.net.
push "dhcp-option DNS 193.108.199.130"
push "dhcp-option DNS 85.158.46.77"
keepalive 10 120
comp-lzo
max-clients 10
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 4

I have cut out a load of useless commentary in that file.