IPv6 over p2p OpenVPN, IPv6 won't get back



  • I have a VPS with a /64 allocation,

    2001:XXXX:XXXX:XXXX::/64. I'll call it "prefix_64" from here on. It is not link-local!

    On VPS, eth0:

    inet6 addr: [prefix_64:1::1/64] Scope:Global

    As far as the VPS itself is concerned, IPv6 goes in and out fine.

    Now I decided to provision IPv6 onward to an external pfSense box:

    [VPS] <= p2p OpenVPN => pfSense_OVPN_Gateway_V6 => LAN (DHCPv6)
    

    So, on VPS, VPN tunnel (tun mode) is

    VPS end: prefix_64:8000::1/64 
    pfSense end: prefix_64:8000::2/64
    
    LAN: prefix_64:8000::1001/116
    DHCPv6, Router Advertisements - Managed
    

    So far, so good: everything is pingable within the VPS <=> pfSense world. I can ping all the way to eth0 on the VPS from any machine on the LAN.

    And I can ping any machine on the LAN from the VPS, including from the VPS's eth0 address: "ping -I eth0 ip_on_pfsense_net"

    However, I cannot reach anything outside from the pfSense LAN. Pings reach eth0 on the VPS but never come back:

    On_pfSense_Lan:
    ping6 ipv6.google.com just hangs.

    If I tcpdump on the VPS's eth0 (sudo tcpdump -i eth0 -vv ip6):

    
    21:43:57.638044 IP6 (hlim 62, next-header ICMPv6 (58) payload length: 64) prefix_64:8000::11f9 > lga25s41-in-x0e.1e100.net: [icmp6 sum ok] ICMP6, echo request, seq 85
    21:43:58.646021 IP6 (hlim 62, next-header ICMPv6 (58) payload length: 64) prefix_64:8000::11f9 > lga25s41-in-x0e.1e100.net: [icmp6 sum ok] ICMP6, echo request, seq 86
    21:43:59.654171 IP6 (hlim 62, next-header ICMPv6 (58) payload length: 64) prefix_64:8000::11f9 > lga25s41-in-x0e.1e100.net: [icmp6 sum ok] ICMP6, echo request, seq 87
    
    

    where prefix_64:8000::11f9 is the machine on the pfSense LAN I ping from.

    The same happens if I ping directly from the pfSense box.

    I've tried pinging another, unrelated VPS on which I ran tcpdump. On that remote, unrelated, IPv6-enabled machine I see the ping received and replied to. So it looks like the ping reaches the remote destination and gets all the way back to the VPS, but the echo reply is unable to enter the VPS.

    On the VPS I have ufw with IPv6 support on. I tried disabling ufw temporarily, with no success.

    In sysctl.conf, IPv6 routing is on.

    VPS:

    
    ip -6 route list
    prefix_64::/64 dev eth0  proto kernel  metric 256
    prefix_64::/64 dev tun6  proto kernel  metric 256
    fe80::/64 dev eth0  proto kernel  metric 256
    default via fe80::xxxx:xxxx:xxxx:xxxx dev eth0  proto ra  metric 1024  expires 1720sec
    
    

    pfSense IPv6 routes, relating to the tunnel:

    
    Destination          Gateway                           Flags  Use    Mtu    Netif
    default              prefix_64:8000::2                 UGS    1396   1500   ovpnc5
    ::1                  link#4                            UH     101    16384  lo0
    prefix_64::/64       link#10                           U      66     1500   ovpnc5
    prefix_64:1::1       prefix_64:8000::2                 UGHS   11425  1500   ovpnc5
    fe80::%ovpnc5/64     link#10                           U      0      1500   ovpnc5
    ff01::%ovpnc5/32     fe80::xxxx:xxxx:xxx:xxxx%ovpnc5   U      0      1500   ovpnc5
    ff02::%ovpnc5/32     fe80::xxxx:xxxx:xxxx:xxxx%ovpnc5  U                    ovpnc5
    
    


  • I believe it is related to neighbor discovery. At least, I see some messages on eth0 on the VPS like "neighbor solicitation, length 32, who has 2001…".

    Why won't IPv6 just push all requests further into the VPN net?

    Oh yes, it's the same subnet, with unknown tenants sitting beyond the VPN tunnel whose whereabouts are not known. It is tun, so no ARP... sorry, no ND.

    Lots of stuff to read. Or maybe split the /64 range, so that what's beyond the VPN goes into a different subnet.

    Just some ideas from an IPv6 dummy's mind.



  • Based on
    http://unix.stackexchange.com/questions/136211/routing-public-ipv6-traffic-through-openvpn-tunnel
    http://www.ipsidixit.net/2010/03/24/239/

    The following script on the VPS did work:

    # the kernel only answers solicitations for proxied addresses when proxy_ndp is on
    sysctl -w net.ipv6.conf.eth0.proxy_ndp=1
    ip -6 route add prefix_64:8000::1000/120 dev tun6

    # proxy every address of the /120 (::1000 .. ::10ff) on eth0; %02x keeps two hex
    # digits, a bare %x would produce ::100 instead of ::1000 for i=0
    for i in $(seq 0 255) ; do
      ip -6 neigh add proxy prefix_64:8000::10$(printf %02x $i) dev eth0
    done
    
    

    Where tun6 is my p2p OVPN tunnel. In the loop, eth0 is what worked, contrary to the first link.
    I allocated prefix_64:8000::1000:8000::1080/121 in my DHCPv6 (128 IPs).

    prefix_64 is my 2001… address allocated by the VPS provider
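Below is an added example in the spirit of the script above; it is editor-supplied code, not the poster's, and it assumes the documentation prefix 2001:db8:0:1 in place of prefix_64, eth0 as the provider-facing interface, tun6 as the tunnel and 2001:db8:0:1:8000::1000/120 as the block handed to pfSense (all overridable through environment variables). It spells out the two things the bare loop relies on: net.ipv6.conf.eth0.proxy_ndp must be 1 for the kernel to answer neighbor solicitations for proxied entries, and the low byte must be printed with %02x so that ::1000 does not become ::100. The provider's router treats the whole /64 as on-link on eth0, so it solicits each address behind the tunnel individually; proxy ND makes the VPS answer for them and the /120 route then forwards the packet into the tunnel.

```shell
#!/bin/sh
# Added example (not the original poster's script). Assumed values, override via env:
#   PREFIX=2001:db8:0:1  WAN_IF=eth0  TUN_IF=tun6  SUBNET=$PREFIX:8000::1000/120
# DRY_RUN=1 prints the commands instead of running them; RUN_SETUP=1 applies them.

PREFIX="${PREFIX:-2001:db8:0:1}"
WAN_IF="${WAN_IF:-eth0}"
TUN_IF="${TUN_IF:-tun6}"
SUBNET="${SUBNET:-$PREFIX:8000::1000/120}"

# Strip the prefix length and the last two hex digits of a /120 written with its
# low byte spelled out (…::1000), giving the text every host address starts with.
addr_base() {
    a="${1%/*}"
    printf '%s\n' "${a%??}"
}

# Print all 256 host addresses of the /120. %02x is essential: with a plain %x
# the first sixteen addresses lose a digit (::100 instead of ::1000).
gen_proxy_addrs() {
    base="$1"
    i=0
    while [ "$i" -le 255 ]; do
        printf '%s%02x\n' "$base" "$i"
        i=$((i + 1))
    done
}

# Run a command, or just echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Enable forwarding and proxy ND on the WAN side, route the /120 into the tunnel,
# and install one proxy entry per address so the VPS answers the upstream
# router's neighbor solicitations for hosts that live behind pfSense.
setup_proxy_ndp() {
    run sysctl -w net.ipv6.conf.all.forwarding=1
    run sysctl -w "net.ipv6.conf.$WAN_IF.proxy_ndp=1"
    run ip -6 route replace "$SUBNET" dev "$TUN_IF"
    for addr in $(gen_proxy_addrs "$(addr_base "$SUBNET")"); do
        run ip -6 neigh replace proxy "$addr" dev "$WAN_IF"
    done
}

# Number of proxy entries currently installed on the WAN interface (expect 256).
count_proxy_entries() {
    ip -6 neigh show proxy dev "$WAN_IF" | grep -c proxy
}

if [ "${RUN_SETUP:-0}" = 1 ]; then
    setup_proxy_ndp
fi
```

Preview with `RUN_SETUP=1 DRY_RUN=1 sh proxy-ndp.sh`, apply as root with `RUN_SETUP=1 sh proxy-ndp.sh`, then confirm with `ip -6 neigh show proxy dev eth0` and by watching `tcpdump -i eth0 icmp6` for neighbor advertisements leaving the VPS when a LAN host pings out. `replace` instead of `add` makes the script safe to re-run after a reboot or a tunnel restart.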



  • @Vetal:

    So, on VPS, VPN tunnel (tun mode) is

    VPS end: prefix_64:8000::1/64 
    pfSense end: prefix_64:8000::2/64
    
    LAN: prefix_64:8000::1001/116
    DHCPv6, Router Advertisements - Managed
    

    So far, so good, everything is pingable within VPS <=> pfSense world. …
    ...

    I am testing a similar setup, trying to follow https://community.openvpn.net/openvpn/wiki/IPv6, the only sample I found so far.
    The gateway is getting IPv6; I can ping the VPS's eth0 but not outside.

    From prefix_64:8000::1 icmp_seq=1 Destination unreachable: Administratively prohibited.

    net.ipv6.conf.all.forwarding is enabled.

    Would you mind sharing your openvpn config files?