Hi John,

> and a route on the server to the 4d09::/64 through the tunnel. Please
> show us the routes on the server too.
>
>
>         ip -6 route
>                 2600:####:####:4d00::/64 dev eth0  proto kernel  metric 256  pref medium
>                 2600:####:####:4dff::/64 dev tun1  proto kernel  metric 256  pref medium
>                 fe80::/64 dev eth0  proto kernel  metric 256  pref medium
>                 default via fe80::1 dev eth0  metric 1024  pref medium
>
>         ip -4 route
>                 default via X.X.X.1 dev eth0
>                 10.0.0.0/24 dev tun1  proto kernel  scope link  src 10.0.0.1
>                 X.X.X.0/24 dev eth0  proto kernel  scope link  src X.X.X.X
>                 10.128.128.0/24 via 10.0.0.2 dev tun1



> I don't see anything that's just for the 4d09::/64.  So something like
> that's missing?  Do I do that in the OpenVpn config?
>

I was only testing, so manually added the route -- in your case that would
be

ip -6 route add  2600:x:x:4d09::/64 via 2600:x:x:4dff::y

where y  is the v6 IP of the VPN client (the LAN router in your case) -- y
= 2 in your case?

To state the obvious, also make sure the traffic to this prefix is not
firewalled.

I don't know the best practice for handling routes to delegated prefixes; I
guess it depends on whether the delegation is handled by some service
running on the server or not. If the delegation is managed manually, the
route could be set up in a client-connect script or be permanently added?


> I'm kind of confused why the ping6 without the "-I <address>" works but not
> without it. :-/


Ping from the router would work as long as the source address is 4dff::2
and not 4d09::1. As you wrote before

> From shell on the LOCAL-ROUTER, this works
>         ping6 -v -c 1 2600:####:####:4dff::1
>
> But this doesn't.
>         ping6 -v -c 1 -I 2600:####:####:4d09::1 2600:####:####:4dff::1


The first one uses 4dff::2 as the source and there is a route to it on the
server, the second one uses 4d09::1 as the source address but the server
doesn't know how to route back to it.

Selva

P.S. This may not be a problem in your case, but I had to set accept_ra = 2
on the Linode as otherwise ipv6_forward=1 disables "Accept Router
Advertisements".
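
The return-path reasoning in the message above, as an added example that is not part of the original e-mail: a longest-prefix match over a constructed copy of the server's `ip -6 route` output shows which interface a reply to each ping source would leave through. The masked `2600:####:####` part is replaced by the documentation prefix `2001:db8:0`, the client address `::2` is taken from the "y = 2" guess in the message, and the function names are hypothetical.

```python
import ipaddress

# Constructed routing table modelled on the server's `ip -6 route` output above;
# the masked 2600:####:#### part is replaced by the documentation prefix 2001:db8:0.
SERVER_ROUTES = """\
2001:db8:0:4d00::/64 dev eth0  proto kernel  metric 256  pref medium
2001:db8:0:4dff::/64 dev tun1  proto kernel  metric 256  pref medium
fe80::/64 dev eth0  proto kernel  metric 256  pref medium
default via fe80::1 dev eth0  metric 1024  pref medium
"""

def parse_routes(text):
    """Return a list of (network, device) tuples from `ip -6 route` output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        prefix = "::/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(prefix), dev))
    return routes

def return_route(routes, source):
    """Longest-prefix match: the route a reply to `source` would take."""
    addr = ipaddress.ip_address(source)
    matches = [(net, dev) for net, dev in routes if addr in net]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)

def reply_device(route_text, source):
    """Name of the interface the server would send a reply to `source` on."""
    route = return_route(parse_routes(route_text), source)
    return route[1] if route else None

if __name__ == "__main__":
    # Tunnel address as source: matched by the 4dff::/64 route on tun1.
    # LAN address as source: only the default route matches, so the reply leaves on eth0.
    for src in ("2001:db8:0:4dff::2", "2001:db8:0:4d09::1"):
        print(src, "-> reply leaves via", reply_device(SERVER_ROUTES, src))
    # Table as it would look with the manually added route for the delegated prefix.
    fixed = SERVER_ROUTES + "2001:db8:0:4d09::/64 via 2001:db8:0:4dff::2 dev tun1\n"
    print("after adding the route:", reply_device(fixed, "2001:db8:0:4d09::1"))
```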