On 30.10.18 at 11:22, Arne Schwabe wrote:
> On 30.10.18 at 11:07, Thomas Schäfer wrote:
>> On 29.10.18 at 23:09, Gert Doering wrote:
>>> Hi,
>>>
>>> On Mon, Oct 29, 2018 at 09:06:13PM +0000, Kristian McColm wrote:
>>>> Will this feature break VPNs that use NAT64 to connect to IPv4-only
>>>> OpenVPN servers?
>>>
>>> No.
>>>
>>> This is an opt-in feature which you can enable by pushing "block-ipv6"
>>> from the server to the client, to avoid IPv6 traffic (to, say, youtube)
>>> bypassing your IPv4-only VPN.
>>>
>>> If your VPN is dual-stacked *inside* the tunnel, you wouldn't enable
>>> this. If your VPN is IPv4-only, but the client has external IPv6
>>> connectivity, you might consider enabling this.
>>>
>>> gert
>>
>>
>> Sure?
>>
>> NAT64 means the client has (only) IPv6 connectivity. I am not sure
>> whether OpenVPN connections survive from an IPv6-only/NAT64 endpoint
>> to an IPv4-only server (the transport protocol changes during the
>> transport from 6 to 4 and vice versa). Maybe they do it via NAT64 or
>> via 464xlat. But if you block IPv6 ("external") at the client, you will
>> also lose your connectivity (except with 464xlat, which generates a v4 socket).
>>
>> I cannot test it at the moment. I have two IPv6-only configured ovpn
>> servers and two NAT64 ISPs (tm and lrz) but no time to build an
>> IPv4-only OpenVPN server.
>
> This patch only adds code to reject IPv6 packets that are *already* in
> the tunnel. It still depends on having redirect-gateway ipv6 or a
> default route to your tun device to actually do anything. If your
> packets to the VPN server ended up inside the tunnel, something else is
> wrong already. I can add a followup patch to clarify this.
>
Actually the man page already in the patch has a section about this:

.\"*********************************************************
.TP
.B \-\-block\-ipv6
On the client, instead of sending IPv6 packets over the VPN tunnel, all
IPv6 packets are answered with an ICMPv6 no route to host message. On the
server, all IPv6 packets from clients are answered with an ICMPv6 no route
to host message. This option is intended for cases when IPv6 should be
blocked and other options are not available.
\.B \-\-block\-ipv6
will use the remote IPv6 as source address of the ICMPv6 packets if set,
otherwise will use fe80::7 as source address.

For this option to make sense you actually have to route traffic to the
tun interface. The following example config block would send all IPv6
traffic to OpenVPN and answer all requests with no route to host,
effectively blocking IPv6.

# client config
.br
.B \-\-ifconfig-ipv6 fd15:53b6:dead::2/64 fd15:53b6:dead::1
.br
.B \-\-redirect\-gateway ipv6
.br
.B \-\-block\-ipv6

# Server config, push a "valid" ipv6 config to the client and block
# on the server
.br
.B \-\-push "ifconfig-ipv6 fd15:53b6:dead::2/64 fd15:53b6:dead::1"
.br
.B \-\-push "redirect\-gateway ipv6"
.br
.B \-\-block\-ipv6
.\"*********************************************************

That should answer your questions, shouldn't it?

Arne

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
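The man page text quoted above describes the mechanism in one sentence: an IPv6 packet that reaches the tun interface is not forwarded but answered with an ICMPv6 "no route to host", sourced from the remote IPv6 address if one is configured and from fe80::7 otherwise. The block below is an added illustration of that exchange and is not OpenVPN's code nor code posted by anyone in this thread. It models the reply in Python with an offending packet constructed inline. Assumptions it makes beyond the man page: "no route to host" is taken to be RFC 4443 Destination Unreachable, type 1 code 0; the quoted original packet is truncated so the reply fits the 1280-byte minimum IPv6 MTU, as RFC 4443 requires; and, per RFC 4443 section 2.4, no error is generated for a packet that is itself an ICMPv6 error or that is addressed to a multicast group. The sample addresses use the fd15:53b6:dead::/64 prefix from the man page example and the 2001:db8::/32 documentation prefix.

```python
import ipaddress
import struct

IPV6_MIN_MTU = 1280            # RFC 8200: every IPv6 link must carry 1280-byte packets
IPV6_HEADER_LEN = 40
ICMPV6 = 58                    # IPv6 next-header value for ICMPv6
ICMPV6_DEST_UNREACH = 1        # RFC 4443 type 1, Destination Unreachable
ICMPV6_NO_ROUTE = 0            # RFC 4443 code 0, "no route to destination" (assumed mapping of "no route to host")
DEFAULT_ICMP_SRC = ipaddress.IPv6Address("fe80::7")   # fallback source named in the man page


def icmpv6_checksum(src, dst, icmp_message):
    """Ones-complement checksum over the IPv6 pseudo-header plus the ICMPv6 message (RFC 4443 section 2.3).
    Pass the message with its checksum field zeroed to compute; pass a finished message to verify (result 0)."""
    pseudo_header = (src.packed + dst.packed
                     + struct.pack("!I", len(icmp_message))
                     + b"\x00\x00\x00" + bytes([ICMPV6]))
    data = pseudo_header + icmp_message
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv6(src, dst, next_header, payload, hop_limit=64):
    """Fixed 40-byte IPv6 header (version 6, zero traffic class and flow label) followed by the payload."""
    header = (struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit)
              + src.packed + dst.packed)
    return header + payload


def build_icmpv6(src, dst, message):
    """Fill in the ICMPv6 checksum (bytes 2-3 of the message, which must be zero on entry) and wrap it in IPv6."""
    checksum = icmpv6_checksum(src, dst, message)
    message = message[:2] + struct.pack("!H", checksum) + message[4:]
    return build_ipv6(src, dst, ICMPV6, message)


def parse_ipv6(packet):
    """Return (src, dst, next_header, payload); raise ValueError for anything that is not a plain IPv6 packet."""
    if len(packet) < IPV6_HEADER_LEN or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, next_header, _hop_limit = struct.unpack("!HBB", packet[4:8])
    if len(packet) < IPV6_HEADER_LEN + payload_len:
        raise ValueError("truncated IPv6 packet")
    src = ipaddress.IPv6Address(packet[8:24])
    dst = ipaddress.IPv6Address(packet[24:40])
    return src, dst, next_header, packet[IPV6_HEADER_LEN:IPV6_HEADER_LEN + payload_len]


def block_ipv6_reply(packet, remote_ipv6=None):
    """Model of what a block-ipv6 endpoint sends back for an IPv6 packet that arrived on the tun device.
    Returns the ICMPv6 error as raw bytes, or None when no error must be generated."""
    try:
        src, dst, next_header, payload = parse_ipv6(packet)
    except ValueError:
        return None                       # not IPv6 (e.g. IPv4 inside the tunnel): untouched
    # RFC 4443 section 2.4 (e): never answer an ICMPv6 error (types 0-127) with another error,
    # and never answer a packet addressed to a multicast group.
    if next_header == ICMPV6 and payload and payload[0] < 128:
        return None
    if dst.is_multicast:
        return None
    icmp_src = ipaddress.IPv6Address(remote_ipv6) if remote_ipv6 is not None else DEFAULT_ICMP_SRC
    # Quote as much of the offending packet as fits in a minimum-MTU reply: 1280 - 40 (IPv6) - 8 (ICMPv6 header).
    room = IPV6_MIN_MTU - IPV6_HEADER_LEN - 8
    message = struct.pack("!BBHI", ICMPV6_DEST_UNREACH, ICMPV6_NO_ROUTE, 0, 0) + packet[:room]
    return build_icmpv6(icmp_src, src, message)


def describe_reply(reply):
    """Decode a reply from block_ipv6_reply so a reader or a test can inspect it."""
    src, dst, _next_header, icmp = parse_ipv6(reply)
    return {
        "src": str(src),
        "dst": str(dst),
        "type": icmp[0],
        "code": icmp[1],
        "checksum_ok": icmpv6_checksum(src, dst, icmp) == 0,
        "quoted": icmp[8:],               # the original packet as carried in the error
    }


# Constructed sample: an ICMPv6 echo request the client would have sent to a public IPv6 host
# (identifier 0x1234, sequence 1, payload "ping"); checksum field is zero on entry to build_icmpv6.
SAMPLE_ECHO_REQUEST = build_icmpv6(
    ipaddress.IPv6Address("fd15:53b6:dead::2"),
    ipaddress.IPv6Address("2001:db8::1"),
    bytes([128, 0, 0, 0]) + struct.pack("!HH", 0x1234, 1) + b"ping",
)

if __name__ == "__main__":
    print(describe_reply(block_ipv6_reply(SAMPLE_ECHO_REQUEST)))
```

The model makes the operational consequence of the man page explicit: the error is addressed to the original source and sourced from fe80::7 (or the configured remote address), so a capture on the tun device of a correctly configured client shows IPv6 going out and only Destination Unreachable coming back. It also makes Arne's point from the reply above visible: the function only ever sees a packet once routing has put it on the tun device, so without redirect-gateway ipv6 or an equivalent route it never runs.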