Hello everyone, I have been working on enabling IPv6 access for OpenVPN clients by encapsulating IPv6 within IPv4, allowing clients without native IPv6 to reach IPv6 content via the server’s public IPv6.
The ULA prefix: -> fdbb:e761:c9ec::/64
Example of an address a client gets assigned by the server: -> fdbb:e761:c9ec::1000
Public IPv6 of the server: -> 3f52:d112:131:0:92::1

The setup:
- Clients are assigned a ULA from fdbb:e761:c9ec::/64.
- IPv6 routes are pushed (route-ipv6 2000::/3, etc.).
- Clients can ping the server's public IPv6 as well as the ULA gateway.

The routing table for IPv6:

    Internet6:
    Destination                        Gateway                        Iface
    default                            3f52:d112:131::1               vio0
    3f52:d112:131::/64                 3f52:d112:131:0:92::1          vio0
    3f52:d112:131::1                   00:00:5e:00:01:83              vio0
    3f52:d112:131::2                   fe:e1:ba:d0:d7:e4              vio0
    3f52:d112:131:0:26::1              aa:00:00:10:03:1a              vio0
    3f52:d112:131:0:32::1              link#1                         vio0
    3f52:d112:131:0:92::1              a:00:00:10:03:6b               vio0
    fe80::%vio0/64                     fe80::a800:ff:fe10:36b%vio0    vio0
    fe80::a800:ff:fe10:31a%vio0        aa:00:00:10:03:1a              vio0
    fe80::a800:ff:fe10:36b%vio0        aa:00:00:10:03:6b              vio0
    fe80::fce1:baff:fed0:d7e4%vio0     fe:e1:ba:d0:d7:e4              vio0
    ff01::%vio0/32                     fe80::a800:ff:fe10:36b%vio0    vio0
    ff02::%vio0/32                     fe80::a800:ff:fe10:36b%vio0    vio0

The issue:
- Clients cannot reach public IPv6 addresses.
- The server receives the request on tun0 but doesn't forward it to its main interface (vio0).

What I've tried:
- Enabled IPv6 forwarding (net.inet6.ip6.forwarding=1).
- Various /etc/pf.conf rules for NAT66, such as:

    # openvpn IPv6
    pass quick on tun0 inet6
    pass quick on egress inet6
    match out on egress inet6 from (tun0:network) to any nat-to (egress:0)
    match out on tun0 inet6 from fdbb:e761:c9ec::/64 to any nat-to (vio0)
    match out on egress inet6 from (tun0:network) to any nat-to 3f52:d112:131:0:92::1

    # ping
    pass in inet proto icmp all icmp-type echoreq
    pass in inet6 proto icmp6 all
    pass in on egress inet6 proto icmp6 all icmp6-type echoreq

However, somehow the packets are still not properly forwarded, and therefore clients do not get any replies to their IPv6 requests.
See this example when tcpdumping the tunnel interface for ICMP6:

    16:49 fdbb:e761:c9ec::1000 > googleipv6_add: icmp6: echo request
    16:49 fdbb:e761:c9ec::1000 > googleipv6_add: icmp6: echo request
    16:49 fdbb:e761:c9ec::1000 > googleipv6_add: icmp6: echo request

Am I missing something particular in my pf.conf? Or does the issue come from something else, more related to my ULA address and its /64 prefix being used?

I'd appreciate any guidance/correction on configuring NAT66 to allow clients to appear as the server's public IPv6.

Thanks in advance for the very much appreciated help!

Kind regards,
Michael
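For reference, the following is an added pf.conf fragment for OpenBSD NAT66, not part of the original post and not the poster's configuration. It reuses the addresses given above (tun0 carrying fdbb:e761:c9ec::/64, the public address 3f52:d112:131:0:92::1 on vio0) and assumes vio0 is the egress interface. The point it illustrates is rule ordering: pf stops evaluating rules for a packet as soon as a rule with `quick` matches, so a `match ... nat-to` rule listed after a `pass quick` that covers the same traffic is never reached and no translation happens. The translation rule therefore goes before any pass rule, the pass rules do not use `quick`, and the NAT address is written out explicitly rather than resolved from an interface expression. It also passes the ICMPv6 types that IPv6 needs for neighbor discovery and path MTU discovery instead of only echo requests.

```pf
# Added example (not from the original post). Assumptions: vio0 is egress,
# OpenVPN listens on tun0, clients use fdbb:e761:c9ec::/64, and
# 3f52:d112:131:0:92::1 is the server's global address on vio0.
ext_if   = "vio0"
vpn_if   = "tun0"
vpn_net6 = "fdbb:e761:c9ec::/64"
ext_addr6 = "3f52:d112:131:0:92::1"

# Translation first. A "quick" rule ends evaluation for the packet, so
# this match rule must be reached before any pass quick that covers
# outbound IPv6 on the egress interface.
match out on $ext_if inet6 from $vpn_net6 to any nat-to $ext_addr6

# Client traffic from the tunnel, and the translated traffic leaving on
# egress. No "quick", so later rules (e.g. logging) are still evaluated.
pass in  on $vpn_if inet6 from $vpn_net6 to any
pass out on $ext_if inet6 from $ext_addr6 to any

# ICMPv6 is not optional in IPv6: neighbor discovery, router
# advertisements and packet-too-big (PMTU) must reach the host or
# forwarding looks "broken" in ways unrelated to NAT.
pass inet6 proto icmp6 all icmp6-type { neighbrsol, neighbradv, routeradv, toobig, echoreq, echorep }
```

To check the loaded ruleset without applying it, `pfctl -nf /etc/pf.conf` parses the file, and `pfctl -sr` shows the effective rule order; a translation that never appears in `pfctl -ss` state output for a client's connection is the symptom of a match rule that is not being reached. The forwarding sysctl from the post is still required; pf does not forward packets by itself.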