Re: [Openvpn-users] Moving all IPv6 traffic from client though server over vpn, can't ping from client lan?

Fri, 21 Aug 2015 09:25:12 -0700 

Hi Selva

            ip -6 route
                    2600:x:x:4d00::/64 dev eth0  proto kernel  metric 256  pref 
medium
                    2600:x:x:4dff::/64 dev tun1  proto kernel  metric 256  pref 
medium
                    fe80::/64 dev eth0  proto kernel  metric 256  pref medium
                    default via fe80::1 dev eth0  metric 1024  pref medium

            ip -4 route
                    default via X.X.X.1 dev eth0
                    10.0.0.0/24 dev tun1  proto kernel  scope link  src 10.0.0.1
                    X.X.X.0/24 dev eth0  proto kernel  scope link  src X.X.X.X
                    10.128.128.0/24 via 10.0.0.2 dev tun1 

 

> I was only testing, so manually added the route -- in your case that would be
> ip -6 route add  2600:x:x:4d09::/64 via 2600:x:x:4dff::y
> where y  is the v6 IP of the VPN client (the LAN router in your case) -- y = 
> 2 in your case?


Ok I added on the REMOTE-SERVER

        ip -6 route add 2600:x:x:4d09::/64 via 2600:x:x:4dff::2

So now I have

        ip -6 route
                2600:x:x:4d00::/64 dev eth0  proto kernel  metric 256  pref 
medium
                2600:x:x:4d09::/64 via 2600:x:x:4dff::2 dev tun1  metric 1024  
pref medium
                2600:x:x:4dff::/64 dev tun1  proto kernel  metric 256  pref 
medium
                fe80::/64 dev eth0  proto kernel  metric 256  pref medium
                default via fe80::1 dev eth0  metric 1024  pref medium

But it doesn't make any difference.  Still can't get out from the client side 
LAN.

> To state the obvious, also make sure the traffic to this prefix is not 
> firewalled.

Sure that's one of the FIRST things I was fumbling around with.  While testing 
I turned on verbose logging in the firewalls on both ends and don't see 
anything being DROPd or REJECTd.

I don't really know if this is only a firewall or routing problem or both :-(

> I don't know the best practice for handling routes to delegated prefixes; I 
> guess it depends on whether the delegation is handled by some service running 
> on the server or not. If the delegation is managed manually, the route could 
> be setup by in a client-connect script or be permanently added?
 
Once I can get it working I guess there's a bunch of places to do it.  Since 
its OpenVpn related probably in OpenVpn configuration.

> P.S. This may not be a problem in your case, but I had to set accept_ra = 2 
> on the Linode as otherwise ipv6_forward=1 disables "Accept Router 
> Advertisements".

I checked on the REMOTE-SERVER.  Right now it's

        cat /proc/sys/net/ipv6/conf/{all,tun1,eth0}/accept_ra
                1
                1
                1

So I did

        echo 2 > /proc/sys/net/ipv6/conf/all/accept_ra
        echo 2 > /proc/sys/net/ipv6/conf/tun1/accept_ra
        echo 2 > /proc/sys/net/ipv6/conf/eth0/accept_ra
        cat /proc/sys/net/ipv6/conf/{all,tun1,eth0}/accept_ra
                2
                2
                2

But it's still the same.   No ping.

- John

------------------------------------------------------------------------------
_______________________________________________
Openvpn-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Reply via email to