On 27/11/2018 13:34, Reco wrote:
> Hi.
>
> On Tue, Nov 27, 2018 at 01:20:25PM +0100, tony wrote:
>> On 27/11/2018 12:44, Reco wrote:
>>> Hi.
>>>
>>> On Tue, Nov 27, 2018 at 12:26:03PM +0100, tony wrote:
>>>> OK, that fixed it, thanks. Almost there. I had expected the host's
>>>> openVPN ip (2a03:9800:10:54:8000::1000) to propagate, but I'm seeing my
>>>> server's address:
>>>>
>>>> tony@tony-fr:~$ dig +short any myip.opendns.com @resolver1.opendns.com
>>>> 2a03:9800:10:54::2
>>>>
>>>> Is that fixable?
>>>
>>> Probably. My suspicion is that openvpn has configured NAT66 for you,
>>> along with the routing.
>>> Can I see the result of "ip6tables-save" from your openvpn server?
>>
>> OK:
>> root@shell:~# ip6tables-save
>> # Generated by ip6tables-save v1.6.0 on Tue Nov 27 11:50:18 2018
>> *nat
>> :PREROUTING ACCEPT [12346:1595144]
>> :INPUT ACCEPT [1726:141923]
>> :OUTPUT ACCEPT [743:66648]
>> :POSTROUTING ACCEPT [743:66648]
>> -A POSTROUTING -s 2a03:9800:10:54:8000::/65 -o eth0 -j SNAT --to-source
>> 2a03:9800:10:54::2
>
> Yep. Good old NAT, in this case in IPv6 form. What they call NAT66.
>
>
>> If I remove the line
>> -A POSTROUTING -s 2a03:9800:10:54:8000::/65 -o eth0 -j SNAT --to-source
>> 2a03:9800:10:54::2
>> I lose any ipv6 routing
>
> Strictly speaking, that's expected. Outside world does not know about
> your network topology. What it does know is to send packets to
> 2a03:9800:10:54::1 (*not* :2) in hope of reaching your :8000::/65.
> The problem is - how your IPv6 gateway (54::1) can possibly know that
> your custom subnet (:8000::/65) is reachable if you have not announced a
> route?
>
> That's something that I need to think about.

Thanks very much for spending so much time on my problem.
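
Added example, not part of the original thread: a small Python check that reads the ip6tables-save output quoted above and works out which source address the outside world sees for a given client, which is why the dig lookup returned 2a03:9800:10:54::2. The function names are hypothetical, and the parser assumes plain rules (no "!" negation, no port in --to-source).

```python
import ipaddress
import shlex

# ip6tables-save output quoted in the thread; the SNAT rule, wrapped by the
# mail client, is joined back onto one line.
SAVED_RULES = """\
*nat
:PREROUTING ACCEPT [12346:1595144]
:INPUT ACCEPT [1726:141923]
:OUTPUT ACCEPT [743:66648]
:POSTROUTING ACCEPT [743:66648]
-A POSTROUTING -s 2a03:9800:10:54:8000::/65 -o eth0 -j SNAT --to-source 2a03:9800:10:54::2
"""

def parse_snat_rules(text):
    """Return (source_net, out_iface, to_source) for each POSTROUTING SNAT rule in *nat."""
    rules, table = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):          # table header such as "*nat"
            table = line[1:]
            continue
        if table != "nat" or not line.startswith("-A POSTROUTING"):
            continue
        tok = shlex.split(line)
        # Pair each option with the token that follows it (assumes no "!" negation).
        opts = {tok[i]: tok[i + 1] for i in range(len(tok) - 1) if tok[i].startswith("-")}
        if opts.get("-j") != "SNAT" or "--to-source" not in opts:
            continue
        src = ipaddress.ip_network(opts.get("-s", "::/0"), strict=False)
        rules.append((src, opts.get("-o"), ipaddress.ip_address(opts["--to-source"])))
    return rules

def visible_source(client, out_iface, rules):
    """Address the outside world sees for a packet from `client` leaving via `out_iface`."""
    addr = ipaddress.ip_address(client)
    for src, iface, to_source in rules:   # first matching rule wins, as in netfilter
        if addr in src and iface in (None, out_iface):
            return to_source
    return addr                           # no NAT rule matched: address is unchanged

if __name__ == "__main__":
    rules = parse_snat_rules(SAVED_RULES)
    for client in ("2a03:9800:10:54:8000::1000", "2a03:9800:10:54::2"):
        print(client, "->", visible_source(client, "eth0", rules))
```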