Answer the question
In order to leave comments, you need to log in
A
A
alexeimoisseev2013-11-11 21:54:05
alexeimoisseev, 2013-11-11 21:54:05
Forwarding ipv6 via openvpn?
Hello.
Can you please explain how forwarding for ipv6 should work?
There is a server with a raised openvpn, which distributes ipv6 addresses to clients on the internal network.
server-ipv6 2001:1af8:4101:4::/64.
There is an external interface eth0 with an external ipv6 address.
<br>
eth0 Link encap:Ethernet HWaddr 06:d9:70:00:11:10<br>
inet addr:82.XXX.YYY.211 Bcast:82.XXX.YYY.255 Mask:255.255.255.128<br>
inet6 addr: fe80::4d9:70ff:fe00:1110/64 Scope:Link<br>
inet6 addr: 2001:1af8:4101:XXXX:4::1100/64 Scope:Global<br>
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
RX packets:96539 errors:0 dropped:0 overruns:0 frame:0<br>
TX packets:22744 errors:0 dropped:0 overruns:0 carrier:0<br>
collisions:0 txqueuelen:1000<br>
RX bytes:63114723 (63.1 MB) TX bytes:6530149 (6.5 MB)<br>Internal interface:
<br>
tap0 Link encap:Ethernet HWaddr c6:00:92:85:6f:cc<br>
inet addr:10.8.0.1 Bcast:10.8.0.255 Mask:255.255.255.0<br>
inet6 addr: fe80::c400:92ff:fe85:6fcc/64 Scope:Link<br>
inet6 addr: 2001:1af8:4101:4::1/64 Scope:Global<br>
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
RX packets:11593 errors:0 dropped:0 overruns:0 frame:0<br>
TX packets:8301 errors:0 dropped:0 overruns:0 carrier:0<br>
collisions:0 txqueuelen:100<br>
RX bytes:1660846 (1.6 MB) TX bytes:3887267 (3.8 MB)<br>Rules configured in ip6tables:
<br>
# ip6tables -L FORWARD<br>
Chain FORWARD (policy ACCEPT)<br>
target prot opt source destination<br>
ACCEPT all anywhere anywhere<br>On clients, the gateway for ipv6 is specified - 2001:1af8:4101:4::1 (server address on the internal network).
In this scheme:
1) ping6 2001:1af8:4101:4::1 works on the client.
2) ping6 ipv6.google.com works on the server
3) ping6 ipv6.google.com does NOT work on the client
Purpose: to make openvpn clients go to the external Internet through the server's ipv6 address. That is, make ping6 ipv6.google.com work.
Do I understand correctly that you need to make sure that all packets coming to the server's internal interface are sent to the server, and the responses are wrapped back to the internal one? How to do it?
Or it is necessary to configure some routes on clients?
2 answer(s)
@merlin-vrn
@anton_slim
M
merlin-vrn, 2013-11-11 @merlin-vrn
on the client, you need the route route -6 add default via <server>
or in the openvpn config: push "route ::/0", something like this.
Check - on the client ip route get <ipv6-address>, the response should be next-hop - your openvpn server
A
Anton Robul, 2018-10-01 @anton_slim
I figured out what the problem is, I had a situation similar to yours.
The /48 network issued by the provider to my server was assigned to an interface on the provider's router, that is, I could not distribute ip addresses further than my server.
It was correct to make a point-to-point network for the junction, for example /64 , through which to route /48 to the ipv6 address of my server.
That is, the provider gave me ipv6 2A00:1C48:x:xxx::5 /64 , GW 2A00:1C48:x:xxx::1
and routed the subnet 2A00:1C48:zzz:: /48 to my ip 2A00:1C48:x :xxx::5
Now I can cut the network 2A00:1C48:zzz:: /48 into any pieces and route it where necessary.
All ips see each other (including for openvpn), thanks to net.ipv6.conf.all.forwarding=1
If your ISP cannot do this for you, then you will have to do nat masquerading (that's how it worked for me).
ip6tables -t nat -A POSTROUTING -s "${SUBNET_PREFIX}/${TARGET_CIDR}" -o $INTERFACE -j MASQUERADE
where $SUBNET_PREFIX/$TARGET_CIDR = your ipv6 network,
$INTERFACE = eth0 (for example)
in this case everything ipv6 clients will be replaced by ipv6 servers, that is, all internal ipv6 will be masked.
Similar questions
W
A
J
R
M
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question