Forwarding ipv6 over openvpn?

Hi.


Please explain how to get forwarding working for IPv6.


There is a server running OpenVPN that hands out IPv6 addresses to clients on the internal network.
server-ipv6 2001:1af8:4101:4::/64.


There is an external interface eth0 with an external ipv6 address.
eth0 Link encap:Ethernet HWaddr 06:d9:70:00:11:10
 inet addr:82.XXX.YYY.211 Bcast:82.XXX.YYY.255 Mask:255.255.255.128
 inet6 addr: fe80::4d9:70ff:fe00:1110/64 Scope:Link
 inet6 addr: 2001:1af8:4101:XXXX:4::1100/64 Scope:Global
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
 RX packets:96539 errors:0 dropped:0 overruns:0 frame:0
 TX packets:22744 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000
 RX bytes:63114723 (63.1 MB) TX bytes:6530149 (6.5 MB)



Internal interface:
tap0 Link encap:Ethernet HWaddr c6:00:92:85:6f:cc
 inet addr:10.8.0.1 Bcast:10.8.0.255 Mask:255.255.255.0
 inet6 addr: fe80::c400:92ff:fe85:6fcc/64 Scope:Link
 inet6 addr: 2001:1af8:4101:4::1/64 Scope:Global
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
 RX packets:11593 errors:0 dropped:0 overruns:0 frame:0
 TX packets:8301 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:100
 RX bytes:1660846 (1.6 MB) TX bytes:3887267 (3.8 MB)



Configured rules in ip6tables:
# ip6tables -L FORWARD
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all anywhere anywhere



Clients use 2001:1af8:4101:4::1 (the server's address in the internal network) as their IPv6 gateway.


With this setup:

1) ping6 2001:1af8:4101:4::1 works on the client.

2) ping6 ipv6.google.com works on the server.

3) ping6 ipv6.google.com does NOT work on the client.


Goal: make the OpenVPN clients reach the outside Internet through the server's IPv6 address, i.e. make ping6 ipv6.google.com work on the clients.


Do I understand correctly that all packets arriving on the server's internal interface need to go to the outside, and the responses need to be wrapped back to the inside? How do I do that?

Or do some routes need tweaking on the clients?
October 3rd 19 at 02:20
1 answer
October 3rd 19 at 02:22
on the client you need a route -6 route add default via

or, in openvpn config: push "route ::/0", something like that.

To check, run ip route get on the client; the answer should show your OpenVPN server as the next hop.

Yeah, it's done. In the end, traceroute6 looks like this:
$ traceroute6 ipv6.google.com
traceroute6 to ipv6.l.google.com (2a00:1450:4001:c02::69) from 2001:1af8:4101:4::1:2, 64 hops max, 12 byte packets
 1 2001:1af8:4101:4::1 79.862 ms 40.280 ms 38.412 ms
 2 * * *
 3 * * *


I.e. the request is not leaving the server.
tcpdump on the server looks like this:

# tcpdump -i tap0 -v ip6
tcpdump: listening on tap0, link-type EN10MB (Ethernet), capture size 65535 bytes
20:23:19.184731 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::c400:92ff:fe85:6fcc > fe80::f41c:aff:fe9d:5d42: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::f41c:aff:fe9d:5d42
 source link-address option (1), length 8 (1): c6:00:92:85:6f:cc
20:23:19.220675 IP6 (flowlabel 0x3d002, hlim 6, next-header UDP (17) payload length: 20) 2001:1af8:4101:4::1:2.58909 > fa-in-x69.1e100.net.33452: [udp sum ok] UDP, length 12
20:23:19.227052 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::f41c:aff:fe9d:5d42 > fe80::c400:92ff:fe85:6fcc: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is fe80::f41c:aff:fe9d:5d42, Flags [solicited]
- Ariel.Wol commented on October 3rd 19 at 02:25
sysctl -a | grep forward

ip6tables only allows forwarding, but does not enable it. - fidel10 commented on October 3rd 19 at 02:28
on the server: sysctl net.ipv6.conf.default.forwarding=1 - chaz commented on October 3rd 19 at 02:31
forwarding is enabled
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.lo.forwarding = 1
net.ipv6.conf.eth0.forwarding = 1
net.ipv6.conf.ip6tnl0.forwarding = 1
net.ipv6.conf.tap0.forwarding = 1
- Ariel.Wol commented on October 3rd 19 at 02:34
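
The checks suggested in the answer and comments (client default route, forwarding sysctl, FORWARD chain), as an added example that is not part of the original thread: a POSIX shell script that runs them over saved command output. The function names and the ROUTES sample are assumptions made for this example; the sysctl and ip6tables text is the output posted above.

```shell
#!/bin/sh
# Added example, not from the thread; function names are hypothetical.

# Interfaces whose IPv6 forwarding is not 1. stdin: `sysctl -a | grep forward`
fwd_off_ifaces() {
    awk -F'[ =]+' '$1 ~ /^net\.ipv6\.conf\..+\.forwarding$/ && $2 != 1 {
        n = $1; sub(/^net\.ipv6\.conf\./, "", n); sub(/\.forwarding$/, "", n)
        print n }'
}

# Policy of the FORWARD chain. stdin: `ip6tables -L FORWARD`
forward_policy() {
    sed -n 's/^Chain FORWARD (policy \([A-Z]*\).*/\1/p'
}

# Succeeds if the IPv6 default route goes via gateway $1.
# stdin: `ip -6 route show` taken on the client
default_via() {
    awk -v gw="$1" '$1 == "default" && $2 == "via" && $3 == gw { ok = 1 }
        END { exit !ok }'
}

# First failing check, or OK. Args: gateway, client routes, server sysctl
# output, server ip6tables listing.
vpn6_verdict() {
    printf '%s\n' "$2" | default_via "$1" ||
        { echo "client: no default route via $1"; return 0; }
    off=$(printf '%s\n' "$3" | fwd_off_ifaces)
    [ -z "$off" ] || { echo "server: forwarding off on:" $off; return 0; }
    pol=$(printf '%s\n' "$4" | forward_policy)
    [ "$pol" = ACCEPT ] ||
        { echo "server: FORWARD policy is ${pol:-unknown}, check for an ACCEPT rule"; return 0; }
    echo "route, sysctl and FORWARD policy OK"
}

# SYSCTL and FWD are the outputs posted in the thread (abridged);
# ROUTES is constructed for this example.
GW=2001:1af8:4101:4::1
ROUTES='2001:1af8:4101:4::/64 dev tap0 proto kernel metric 256
default via 2001:1af8:4101:4::1 dev tap0 metric 1024'
SYSCTL='net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.eth0.forwarding = 1
net.ipv6.conf.tap0.forwarding = 1'
FWD='Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all anywhere anywhere'

vpn6_verdict "$GW" "$ROUTES" "$SYSCTL" "$FWD"
```

If all three checks pass and traffic still stops at hop 1, as in the traceroute above, the next capture to take is tcpdump on eth0 rather than tap0, to see whether the packet leaves and whether a reply comes back. Once routing works, the ACCEPT-all FORWARD rule shown in the question also forwards unsolicited inbound traffic to the clients' global addresses.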
