OpenVPN Split tunnelling **screenshots**
-
@johnpoz said in OpenVPN Split tunnelling **screenshots**:
For IPv6 vpn to work on pfsense, you would have to NAT to it... The vpn connection is not going to route your local IPv6 space..
If you're referring to a link-local address, of course not. You're saying it won't route a SLAAC IPv6 that is globally routable?
-
@lifespeed said in OpenVPN Split tunnelling **screenshots**:
You're saying it won't route a SLAAC IPv6 that is globally routable?
NO it won't - why would you think that would work?? VPN services work by handing you an IP they route, and then natting it to some public IP... You can not just use as source IP space they don't route.. Now if they would hand you clients IPv6 space they are routing, then you could do it.
Kind of how HE IPv6 works, it's a tunnel - it's just not encrypted, it's just a GRE tunnel... If you find a VPN service that does that, then sure you could do it.
-
@johnpoz said in OpenVPN Split tunnelling **screenshots**:
Kind of how HE IPv6 works, it's a tunnel - it's just not encrypted, it's just a GRE tunnel... If you find a VPN service that does that, then sure you could do it.
Thanks again for the description, I'll look into what is actually offered by these IPv6 VPN services. As you mention, a key question is do they hand you a single /128 address or a /64 or /60? For IPv6, a single /128 is not normal nor really in keeping with the whole point of IPv6.
You're also making me wonder if HE tunnel could be a replacement for some aspects of a VPN - the anonymizing aspect, not encryption obviously.
-
The prefix they hand the VPN client doesn't matter... and /128 is perfectly valid for a point-to-point connection like a VPN client to the VPN server... Works just fine when you run the VPN on the client.
When you're doing it on the edge router, you have a problem for the other clients - you have to NAT it to the IP given to the actual VPN client.. They are not routing a /64 prefix for you to use on all your clients - so if you want to use it you would have to NAT to the IP they give the VPN client... Like what happens with IPv4.
Natting to IPv6 does work btw... if you're interested in actually doing this.. But to be honest it's just easier to spend your time/effort and money on just a box somewhere.. It's a much better solution across the board.
-
@johnpoz
Hi John, I have a 1gbe up/down fibre up and down and it's the only source of "information" to the house and my rental tenants (eg: home phone, internet, even stream the local radio).
The said "linux ISO's" are my main entertainment thru a said "P-server"... which is hosted on the NAS and serves about 25 accounts of "families and friends".
Luckily, most of my p2p'ing is from a private tracker site. It's the odd occasional public site I download.
I'm in Canada, where P2P is decently friendly, depends on the tracker.
ExpressVPN's pricing isn't bad at all, considering I need something reliable to climb the GFW whenever I travel to China. I was hoping in some way I could narrow down just Transmission thru VPN and not the said "P-server" on the same NAS.
From your explanation, it sounds like it can only be done with IP.
-
@ekoo I am doing what you're asking in your OP. But my setup is different. I have multiple NICs in my server and I can bind P2P to use one of those NICs. My router is pfSense with 8 ports to do whatever I want with.
So I set up pfSense to use Opt3 (port 3) to route all traffic through ExpressVPN, then on my server, I bind my P2P client to use NIC3 only.
I then set each NIC's index priority so that traffic is routed through NIC1 first and so on. Only my P2P is traveling through VPN.