openvpn
Ahmed C, 2020-04-23 22:34:58

OpenVPN routing with tap and IPv6: how do I fix it?

OS: Arch Linux. Networking is brought up by systemd-networkd, and the br0 bridge faces the Internet. The hoster issued the standard allocation: one IPv4 address and an IPv6 subnet, call it 1234:5678:9999:aaaa::/64. The hoster has an IPv6 router that sends RAs and serves addresses from 1234:5678:999::/48.
I set up an OpenVPN server with a tap0 interface.

Server config

port 65398
proto udp
dev tap0
server-bridge 192.168.15.1 255.255.255.0 192.168.15.200 192.168.15.254
ifconfig-ipv6 1234:5678:9999:aaaa:1::1 1234:5678:9999:aaaa:1::2
ifconfig-ipv6-pool 1234:5678:9999:aaaa:1::3/80
tls-version-min 1.2
ecdh-curve secp521r1
ca ca.crt
cert openvpn-server.crt
key openvpn-server.key
dh none
tls-auth ta.key 0
tls-cipher TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
cipher AES-256-GCM
crl-verify crl.pem
compress lz4-v2
keepalive 10 120
user openvpn
group openvpn
persist-key
persist-tun
log server6.log
verb 4

Added to systemd unit for openvpn:
[Service]
ExecStartPost = /usr/bin/ip link set tap0 up promisc on
ExecStartPost = /usr/bin/ip link set dev tap0 master br0

Forwarding is enabled in sysctl.conf:
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1

With this configuration the VPN works over IPv6: the client connects, receives its IPv6 address from the pool (it can, if it wants, pick which one; at least a dozen are available), and after a minute or two it picks up the RA from the hoster's router and is online. No problems there. The problems are with IPv4. Here is how the network looks on the client:
~> ip a

1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eno1: mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 80:e8:2c:b6:f5:88 brd ff:ff:ff:ff:ff:ff
3: wlp3s0: mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:e0:4c:81:92:02 brd ff:ff:ff:ff:ff:ff
inet 192.168.43.166/24 brd 192.168.43.255 scope global dynamic wlp3s0
valid_lft 2732sec preferred_lft 2732sec
inet6 fe80::2e0:4cff:fe81:9202/64 scope link
valid_lft forever preferred_lft forever
11: tap0: mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/ether 1a:90:f9:d1:50:d9 brd ff:ff:ff:ff:ff:ff
inet 192.168.15.200/24 brd 192.168.15.255 scope global tap0
valid_lft forever preferred_lft forever
inet6 1234:5678:9999:aaaa:1::3/80 scope global
valid_lft forever preferred_lft forever
inet6 fe80::c8ef:c1ff:fed2:a667/64 scope link
valid_lft forever preferred_lft forever

The client does not receive any routes from the server, so IPv4 traffic goes out through the provider.
I tried push "redirect-gateway def1 bypass-dhcp" in the server config;
the client then receives the route, but IPv4 on the machine drops out completely and only IPv6 remains. In that state ping does not get through from the server to the client or the other way round.
Experiments with iptables POSTROUTING gave no result. So far the VPN works only halfway, so to speak: IPv4 traffic goes through the provider, IPv6 through the hoster's RA router.
How do I force IPv4 traffic through the VPN? I understand it would be easier with tun, but the public IPv6 address is exactly what matters to me, so that the client is exposed directly on the Internet :). The IPv6 side is resolved, but now it is completely unclear what to do with IPv4. Somewhere I am making a mistake at a fundamental level. Please, if anyone knows, tell me.
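An added server-side preflight check for a server-bridge deployment like the one above (example code, not from the original post or from OpenVPN itself). It encodes two facts about this mode: OpenVPN only pushes the gateway given to server-bridge to clients as route-gateway and does not configure that address on any interface, so the bridge must own 192.168.15.1 itself or a client that receives redirect-gateway def1 sends all of its IPv4 toward an address nobody answers; and a private pool behind a single public IPv4 needs source NAT to leave the host. Interface names and the 192.168.15.x addresses are taken from the question; the public address 203.0.113.10, the sample ip and sysctl output, and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post: server-side preflight for an
# OpenVPN "server-bridge" setup.  Values below are taken from the question;
# PUBLIC_V4 is a documentation-range placeholder (assumption).
BRIDGE=br0
VPN_GW=192.168.15.1
VPN_NET=192.168.15.0/24
PUBLIC_V4=203.0.113.10

# Constructed sample of `ip -o -4 addr show` output: first without the VPN
# gateway on the bridge (the failure mode), then with it present.
SAMPLE_ADDR_MISSING='2: br0    inet 203.0.113.10/24 brd 203.0.113.255 scope global br0\       valid_lft forever preferred_lft forever'
SAMPLE_ADDR_OK="$SAMPLE_ADDR_MISSING
2: br0    inet 192.168.15.1/24 brd 192.168.15.255 scope global secondary br0\       valid_lft forever preferred_lft forever"

# Constructed sample of `sysctl net.ipv4.ip_forward net.ipv6.conf.all.forwarding`.
SAMPLE_SYSCTL_OK='net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1'

# bridge_has_gateway GW IFACE ADDR_TEXT
# Succeeds if IFACE carries GW in the given `ip -o -4 addr show` text.
# server-bridge only pushes GW to clients as route-gateway; the admin must
# put it on the bridge, OpenVPN will not.
bridge_has_gateway() {
  printf '%s\n' "$3" | awk -v ifc="$2" -v gw="$1" '
    $2 == ifc && $3 == "inet" { split($4, a, "/"); if (a[1] == gw) found = 1 }
    END { exit (found ? 0 : 1) }'
}

# forwarding_enabled SYSCTL_TEXT
# Succeeds only if both IPv4 and IPv6 forwarding read as 1.
forwarding_enabled() {
  v4=$(printf '%s\n' "$1" | awk -F' = ' '$1 == "net.ipv4.ip_forward" { print $2 }')
  v6=$(printf '%s\n' "$1" | awk -F' = ' '$1 == "net.ipv6.conf.all.forwarding" { print $2 }')
  [ "$v4" = 1 ] && [ "$v6" = 1 ]
}

# nat_rule VPN_NET PUBLIC_V4 EGRESS_IFACE
# Prints the one POSTROUTING rule the private pool needs to leave through the
# single public IPv4.  Fixed SNAT rather than MASQUERADE, so the translation
# does not change if the bridge briefly loses its address.
nat_rule() {
  printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' "$1" "$3" "$2"
}

# def1_routes GW
# Prints the two /1 routes a client installs for "redirect-gateway def1"; they
# beat the provider's default route without deleting it, which is why GW must
# be reachable or all client IPv4 is blackholed.
def1_routes() {
  printf '0.0.0.0/1 via %s\n128.0.0.0/1 via %s\n' "$1" "$1"
}

# preflight ADDR_TEXT SYSCTL_TEXT
# Runs both checks, reports, and returns 0 only if the bridge can actually
# serve as the IPv4 gateway the clients are told about.
preflight() {
  ok=0
  if bridge_has_gateway "$VPN_GW" "$BRIDGE" "$1"; then
    echo "ok:   $BRIDGE owns $VPN_GW"
  else
    echo "FAIL: $VPN_GW is not on $BRIDGE; redirect-gateway def1 will blackhole client IPv4"
    echo "      fix: ip addr add $VPN_GW/24 dev $BRIDGE"
    ok=1
  fi
  if forwarding_enabled "$2"; then
    echo "ok:   forwarding enabled for IPv4 and IPv6"
  else
    echo "FAIL: forwarding not enabled for both families"
    ok=1
  fi
  echo "NAT rule for the pool:"
  echo "      $(nat_rule "$VPN_NET" "$PUBLIC_V4" "$BRIDGE")"
  return $ok
}

# Stand-alone run against the constructed samples.  On the real server use:
#   preflight "$(ip -o -4 addr show)" "$(sysctl net.ipv4.ip_forward net.ipv6.conf.all.forwarding)"
preflight "$SAMPLE_ADDR_MISSING" "$SAMPLE_SYSCTL_OK" || true
preflight "$SAMPLE_ADDR_OK" "$SAMPLE_SYSCTL_OK"
```

Two caveats worth keeping in mind with this topology. First, `ip link set dev tap0 master br0` on an Internet-facing bridge puts every VPN client on the same Layer 2 segment as the hoster's uplink, which is what gives them a public IPv6 address but also means anything on that segment can reach the client's MAC directly, so the client needs its own ip6tables policy. Second, the SNAT rule above only translates IPv4; the IPv6 pool is routed natively and must not be NATed.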
