Forwarding ipv6 via openvpn?
Hello.
Can you please explain how forwarding for ipv6 should work?
There is a server running OpenVPN, which distributes IPv6 addresses to clients on the internal network:
server-ipv6 2001:1af8:4101:4::/64
There is an external interface eth0 with an external ipv6 address.

eth0 Link encap:Ethernet HWaddr 06:d9:70:00:11:10
     inet addr:82.XXX.YYY.211 Bcast:82.XXX.YYY.255 Mask:255.255.255.128
     inet6 addr: fe80::4d9:70ff:fe00:1110/64 Scope:Link
     inet6 addr: 2001:1af8:4101:XXXX:4::1100/64 Scope:Global
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
     RX packets:96539 errors:0 dropped:0 overruns:0 frame:0
     TX packets:22744 errors:0 dropped:0 overruns:0 carrier:0
     collisions:0 txqueuelen:1000
     RX bytes:63114723 (63.1 MB) TX bytes:6530149 (6.5 MB)

tap0 Link encap:Ethernet HWaddr c6:00:92:85:6f:cc
     inet addr:10.8.0.1 Bcast:10.8.0.255 Mask:255.255.255.0
     inet6 addr: fe80::c400:92ff:fe85:6fcc/64 Scope:Link
     inet6 addr: 2001:1af8:4101:4::1/64 Scope:Global
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
     RX packets:11593 errors:0 dropped:0 overruns:0 frame:0
     TX packets:8301 errors:0 dropped:0 overruns:0 carrier:0
     collisions:0 txqueuelen:100
     RX bytes:1660846 (1.6 MB) TX bytes:3887267 (3.8 MB)

# ip6tables -L FORWARD
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all anywhere anywhere

On the client, you need the route: route -6 add default via <server>
or, in the OpenVPN config: push "route ::/0", something like this.
To check, run ip route get <ipv6-address> on the client; the response should show your OpenVPN server as the next hop.

I figured out what the problem is, I had a situation similar to yours.
The /48 network issued by the provider to my server was assigned to an interface on the provider's router, that is, I could not distribute ip addresses further than my server.
It was correct to make a point-to-point network for the junction, for example a /64, through which to route the /48 to the ipv6 address of my server.
That is, the provider gave me ipv6 2A00:1C48:x:xxx::5/64, GW 2A00:1C48:x:xxx::1
and routed the subnet 2A00:1C48:zzz::/48 to my ip 2A00:1C48:x:xxx::5
Now I can cut the network 2A00:1C48:zzz::/48 into any pieces and route it where necessary.
All ips see each other (including for openvpn), thanks to net.ipv6.conf.all.forwarding=1
If your ISP cannot do this for you, then you will have to do nat masquerading (that's how it worked for me).
ip6tables -t nat -A POSTROUTING -s "${SUBNET_PREFIX}/${TARGET_CIDR}" -o $INTERFACE -j MASQUERADE
where $SUBNET_PREFIX/$TARGET_CIDR = your ipv6 network,
$INTERFACE = eth0 (for example).
In this case the IPv6 addresses of all clients will be replaced by the server's IPv6 address, that is, all internal IPv6 addresses will be masked.
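
The routed-versus-masqueraded decision described in the answer above, as an added example that is not part of the original thread. The function names carve and plan are hypothetical, and the addresses are constructed from the 2001:db8::/32 documentation range and a ULA prefix.

```python
import ipaddress
from itertools import islice

# Constructed sample values (documentation prefixes, not from the thread).
UPLINK = "2001:db8:0:1::5/64"   # server address on the transit /64 to the provider
ROUTED = "2001:db8:100::/48"    # prefix the provider routes to that address


def carve(routed_prefix, count, new_prefix=64):
    """Cut the first `count` subnets out of a prefix routed to the server."""
    net = ipaddress.ip_network(routed_prefix)
    return list(islice(net.subnets(new_prefix=new_prefix), count))


def plan(uplink_addr, vpn_subnet, routed_prefix=None, uplink_if="eth0"):
    """Classify a VPN subnet and return (mode, config lines and commands)."""
    onlink = ipaddress.ip_interface(uplink_addr).network
    vpn = ipaddress.ip_network(vpn_subnet)
    lines = [f"server-ipv6 {vpn}",
             "sysctl -w net.ipv6.conf.all.forwarding=1"]
    if vpn.overlaps(onlink):
        # The provider's router treats these addresses as on-link: it does
        # neighbour discovery for them on the uplink instead of routing
        # them to the server, so VPN clients never see return traffic.
        return "conflict", []
    if routed_prefix and vpn.subnet_of(ipaddress.ip_network(routed_prefix)):
        # Prefix is routed to the server: plain forwarding is enough.
        return "routed", lines
    # Not routed to the server: hide clients behind the server's address.
    lines.append(f"ip6tables -t nat -A POSTROUTING -s {vpn} "
                 f"-o {uplink_if} -j MASQUERADE")
    return "masquerade", lines


if __name__ == "__main__":
    tunnels = carve(ROUTED, 2)
    for subnet in (str(tunnels[1]), "2001:db8:0:1::/64", "fd00:8::/64"):
        mode, lines = plan(UPLINK, subnet, ROUTED)
        print(f"{subnet}: {mode}")
        for line in lines:
            print("   ", line)
```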