IPv6 over p2p OpenVPN, IPv6 won't get back
-
I have a VPS with a /64 allocation,
2001:XXXX:XXXX:XXXX/64. I'll call it "prefix_64" from here on. It is not link-local!
On VPS, eth0:
inet6 addr: [prefix_64:1::1/64] Scope:Global
As far as the VPS itself is concerned, IPv6 goes in and out fine.
Now I decided to provision IPv6 out to an external pfSense:
[VPS] <= p2p OpenVPN => pfSense_OVPN_Gateway_V6 => LAN (DHCPv6)
So, on VPS, VPN tunnel (tun mode) is
VPS end: prefix_64:8000::1/64
pfSense end: prefix_64:8000::2/64
LAN: prefix_64:8000::1001/116, DHCPv6, Router Advertisements - Managed
So far, so good, everything is pingable within the VPS <=> pfSense world. I can ping up to eth0 on the VPS from any machine on the LAN,
and I can ping any machine on the LAN from the VPS, including a ping from the VPS LAN side, "ping -I eth0 ip_on_pfsense_net".
However, I cannot reach anything outside from the pfSense LAN. Pings reach eth0 of the VPS but never come back:
On_pfSense_Lan:
ping6 ipv6.google.com is stuck. If I tcpdump on the VPS eth0, sudo tcpdump -i eth0 -vv ip6:
21:43:57.638044 IP6 (hlim 62, next-header ICMPv6 (58) payload length: 64) prefix_64:8000::11f9 > lga25s41-in-x0e.1e100.net: [icmp6 sum ok] ICMP6, echo request, seq 85
21:43:58.646021 IP6 (hlim 62, next-header ICMPv6 (58) payload length: 64) prefix_64:8000::11f9 > lga25s41-in-x0e.1e100.net: [icmp6 sum ok] ICMP6, echo request, seq 86
21:43:59.654171 IP6 (hlim 62, next-header ICMPv6 (58) payload length: 64) prefix_64:8000::11f9 > lga25s41-in-x0e.1e100.net: [icmp6 sum ok] ICMP6, echo request, seq 87
where prefix_64:8000::11f9 is the machine on the pfSense LAN I ping from.
The same happens if I ping directly from the pfSense box.
I've tried to ping another, unrelated VPS, where I ran tcpdump. On this remote, unrelated IPv6-enabled machine, I see the ping received and replied to. So it looks like the ping reaches the remote destination and gets all the way back to the VPS, but the echo reply is unable to enter the VPS.
On the VPS I have ufw with IPv6 support ON. I tried to disable it (UFW) temporarily - no success.
In sysctl.conf, IPv6 routing is on.
VPS:
ip -6 route list
prefix_64::/64 dev eth0 proto kernel metric 256
prefix_64::/64 dev tun6 proto kernel metric 256
fe80::/64 dev eth0 proto kernel metric 256
default via fe80::xxxx:xxxx:xxxx:xxxx dev eth0 proto ra metric 1024 expires 1720sec
pfSense IPv6 routes, relating to the tunnel:
default prefix_64:8000::2 UGS 1396 1500 ovpnc5
::1 link#4 UH 101 16384 lo0
prefix_64::/64 link#10 U 66 1500 ovpnc5
prefix_64:1::1 prefix_64:8000::2 UGHS 11425 1500 ovpnc5
fe80::%ovpnc5/64 link#10 U 0 1500 ovpnc5
ff01::%ovpnc5/32 fe80::xxxx:xxxx:xxx:xxxx%ovpnc5 U 0 1500 ovpnc5
ff02::%ovpnc5/32 fe80::xxxx:xxxx:xxxx:xxxx%ovpnc5 U ovpnc5
-
I believe it is related to neighbor discovery. At least, I see some messages on eth0 on the VPS, like "neighbor solicitation, length 32, who has 2001 …."
Why won't IPv6 just push all requests on to the VPN net?
Oh, yes, it's the same subnet, with unknown tenants sitting beyond the VPN tunnel whose whereabouts are not known. It is tun, no ARP... sorry, no ND.
Lots of stuff to read. Or, maybe, split the /64 range, so what's beyond the VPN goes to a different subnet.
Just some ideas on IPv6 from an IPv6 dummy's mind.
-
Based on
http://unix.stackexchange.com/questions/136211/routing-public-ipv6-traffic-through-openvpn-tunnel
http://www.ipsidixit.net/2010/03/24/239/
the following script on the VPS did work:
# send the /120 handed to the far side of the tunnel into tun6 instead of eth0
ip -6 route add prefix_64:8000::1000/120 dev tun6
# answer neighbor solicitations on eth0 for every address in that /120
# (%02x keeps ::1000..::100f zero-padded; plain %x would produce ::100..::10f)
for i in $(seq 0 255); do
    ip -6 neigh add proxy prefix_64:8000::10$(printf %02x $i) dev eth0
done
Where tun6 is my p2p OVPN tunnel. In the loop, eth0 is what worked, contrary to the first link.
I allocated prefix_64:8000::1000:8000::1080/121 on my DHCPv6 (128 IPs). prefix_64 is my 2001… address allocated by the VPS provider.
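The same route-plus-proxy-ND approach as in the answer above, written as an added example (not the poster's script): it takes the provider's on-link /64 and the sub-range given to the tunnel in CIDR form, refuses a sub-range that is not inside the /64 or that is too large to proxy address by address, and generates the route, the proxy_ndp sysctl that Linux needs before it answers for proxied neighbors, and one proxy entry per address by iterating the network rather than hand-formatting hex. The 2001:db8 prefix, eth0/tun6 names and the MAX_PROXY_ENTRIES limit are placeholders I chose.

```python
import ipaddress
import subprocess

MAX_PROXY_ENTRIES = 4096  # one neighbor-proxy entry per address; keep it bounded (my choice)


def tunnel_subrange_commands(allocation, subrange, wan="eth0", tun="tun6"):
    """Return the commands (argv lists) that route `subrange` into `tun` and
    make the VPS answer Neighbor Solicitations for it on `wan`.

    `allocation` is the provider's on-link block (the /64 on eth0) and
    `subrange` the part of it handed to the far end of the tunnel."""
    alloc = ipaddress.IPv6Network(allocation, strict=True)
    sub = ipaddress.IPv6Network(subrange, strict=True)
    if not sub.subnet_of(alloc):
        raise ValueError(f"{sub} is not inside the on-link block {alloc}")
    if sub.num_addresses > MAX_PROXY_ENTRIES:
        raise ValueError(f"{sub} has {sub.num_addresses} addresses, too many proxy entries")
    cmds = [
        # Linux only answers for proxied neighbors once proxy_ndp is on for the interface.
        ["sysctl", "-w", f"net.ipv6.conf.{wan}.proxy_ndp=1"],
        # Steer the sub-range into the tunnel; 'replace' makes re-runs idempotent.
        ["ip", "-6", "route", "replace", str(sub), "dev", tun],
    ]
    for addr in sub:  # iterating the network avoids hand-rolled hex padding mistakes
        cmds.append(["ip", "-6", "neigh", "replace", "proxy", str(addr), "dev", wan])
    return cmds


def apply_commands(cmds, dry_run=True):
    """Print the commands, or run them (as root) when dry_run is False."""
    for argv in cmds:
        if dry_run:
            print(" ".join(argv))
        else:
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    # Constructed example using the documentation prefix 2001:db8::/32 in place
    # of the poster's real allocation; prints the commands without running them.
    apply_commands(tunnel_subrange_commands("2001:db8:1:2::/64",
                                            "2001:db8:1:2:8000::1000/120"))
```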
-
So, on VPS, VPN tunnel (tun mode) is
VPS end: prefix_64:8000::1/64
pfSense end: prefix_64:8000::2/64
LAN: prefix_64:8000::1001/116, DHCPv6, Router Advertisements - Managed
So far, so good, everything is pingable within VPS <=> pfSense world. …
...I am testing a similar setup, trying to follow https://community.openvpn.net/openvpn/wiki/IPv6 - the only sample I found so far.
The gateway is getting IPv6; I can ping the VPS eth0 but not outside:
From prefix_64:8000::1 icmp_seq=1 Destination unreachable: Administratively prohibited.
net.ipv6.conf.all.forwarding is enabled.
Would you mind sharing your openvpn config files?