Hi,
I have two routed subnets, standard /64 + /48. Generally it works, except routing between OpenVPN clients and /64 hosts. So the configuration looks like:
Server IPv6 Address: 2001:470:xx:12e::1/64
Client IPv6 Address: 2001:470:xx:12e::2/64
Routed /64: 2001:470:yy:12e::/64
Routed /48: 2001:470:aaaa::/48
eno1: 1.2.3.4/24
he-ipv6: 2001:470:yy:12e::2/64
tun0: 10.2.0.1/24 + 2001:470:aaaa:1::1/64
vmbr0: 192.168.101.1/24 + 2001:470:yy:12e::1
In the local network (192.168.101.0/24) I have some VMs and bare metal boxes running on a dual IPv6+IPv4 stack. That works fine. On the VPN I have added IPv6 support to get it on my home laptop/desktop/rpi running behind an IPv4-only network:
cd /etc/openvpn
local 1.2.3.4
proto udp
#proto udp6
port 11095
verb 3
log-append /var/log/openvpn.log
status /var/log/openvpn-status.log
daemon
dev tun0
tun-mtu 1500
persist-tun
persist-key
server 10.2.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ips.txt
push "dhcp-option DOMAIN domain.net"
push "dhcp-option DNS 8.8.8.8"
push "sndbuf 0"
push "rcvbuf 0"
push block-outside-dns
push "route 0.0.0.0 0.0.0.0 vpn_gateway"
push "route-ipv6 2001:470:yy:12e::/64"
push "route-ipv6 2001:470:xx:12e::/64"
cipher AES-256-CBC
auth-nocache
keepalive 10 120
user nobody
group nogroup
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh4096.pem
client-to-client
duplicate-cn
sndbuf 0
rcvbuf 0
fast-io
mssfix 1360
#server-ipv6 2001:470:xx:12e:8000::/65
server-ipv6 2001:470:aaaa:1::/64
push "route-ipv6 ::/0"
push "route-metric 2000"
Then I routed two IPv6 networks:
ip route add 2001:470:aaaa::/64 via 2001:470:xx:12e::1
ip route add 2001:470:aaaa:1::/64 via 2001:470:xx:12e::1
The problem is that I can't access anything in the local network (over IPv6) using the 2001:470:yy:12e::x network, and vice versa.
Routing from the OpenVPN-connected client to the internet (google):
1.|-- 2001:470:aaaa:1::1 0.0% 10 46.1 45.2 43.9 46.9 0.7
2.|-- 2001:470:xx:12e::1 0.0% 10 53.3 53.3 51.8 54.2 0.5
3.|-- 2001:470:0:222::1 0.0% 10 71.6 57.0 50.5 73.5 8.9
4.|-- 2001:7f8:60::1:5169:1 0.0% 10 51.0 51.7 50.0 52.9 0.9
5.|-- 2001:4860:0:1184::8 0.0% 10 51.8 53.2 50.6 68.6 5.4
6.|-- 2001:4860::c:4000:f873 0.0% 10 70.0 71.2 68.7 74.7 1.6
7.|-- 2001:4860::c:4000:d9aa 0.0% 10 74.8 73.2 72.0 74.8 0.7
8.|-- 2607:f8b0:e000:8000::3 0.0% 10 73.9 73.9 72.0 79.3 1.9
9.|-- 2001:4860:0:1::219f 0.0% 10 72.7 72.9 70.8 74.6 1.0
10.|-- 2a00:1450:400e:80b::200e 0.0% 10 72.0 74.4 71.9 86.4 4.2
Routing from the same OpenVPN-connected client to a host in the server's local network (2001:470:yy:12e::3):
1.|-- 2001:470:aaaa:1::1 0.0% 10 45.2 45.1 44.4 46.0 0.0
2.|-- ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
Routing from 2001:470:yy:12e::3 to the OpenVPN client:
1.|-- 2001:470:yy:12e::1 0.0% 10 0.3 0.3 0.3 0.3 0.0
2.|-- ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
But any IPv6-enabled host on the internet, like my other server outside the network, can access the IPv6 OpenVPN client without any problems. So I am assuming that the problem is with the routing.
Any idea, what I have missed?
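As an added example (not from the poster or from OpenVPN), a small Python check that reads the server config and a captured `ip -6 route` table and reports what has to line up for client-to-LAN IPv6 forwarding on a setup like the one above: the LAN /64 is pushed to clients, both /64s are connected routes on the right interfaces (a VPN prefix that is instead routed via the tunnel provider's endpoint gets flagged), and forwarding is enabled on the interfaces involved. The config excerpt, route table and sysctl snapshot are constructed, with 1111 and 2222 standing in for the post's xx and yy.

```python
import ipaddress
import re
# Constructed sample modelled on the post; "xx" -> 1111 and "yy" -> 2222 are placeholders.
SERVER_CONF = """
push "route-ipv6 2001:470:2222:12e::/64"
push "route-ipv6 2001:470:1111:12e::/64"
server-ipv6 2001:470:aaaa:1::/64
"""
IP6_ROUTE = """
2001:470:1111:12e::/64 dev he-ipv6 proto kernel metric 256
2001:470:2222:12e::/64 dev vmbr0 proto kernel metric 256
2001:470:aaaa:1::/64 dev tun0 proto kernel metric 256
default via 2001:470:1111:12e::1 dev he-ipv6 metric 1024
"""
FORWARDING = {"all": 1, "vmbr0": 1, "tun0": 0}  # constructed sysctl snapshot

def pushed_ipv6_routes(conf):
    """Prefixes handed to clients with push "route-ipv6 ..."."""
    return [ipaddress.ip_network(m, strict=False)
            for m in re.findall(r'^\s*push\s+"route-ipv6\s+(\S+)"', conf, re.M)]

def parse_ip6_route(output):
    """Turn `ip -6 route` lines (connected or via routes) into (prefix, via, dev)."""
    routes = []
    for p in (l.split() for l in output.splitlines() if l.strip()):
        net = ipaddress.ip_network("::/0" if p[0] == "default" else p[0], strict=False)
        via = p[p.index("via") + 1] if "via" in p else None
        routes.append((net, via, p[p.index("dev") + 1]))
    return routes

def best_route(routes, addr):
    """Longest-prefix match, as the kernel FIB picks it (metrics ignored here)."""
    hits = [r for r in routes if ipaddress.ip_address(addr) in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)

def audit(conf, route_output, forwarding, lan, vpn, lan_dev="vmbr0", vpn_dev="tun0"):
    """Problems that would break client<->LAN forwarding; an empty list means none found."""
    lan, vpn = ipaddress.ip_network(lan), ipaddress.ip_network(vpn)
    problems = []
    if not any(lan.subnet_of(p) for p in pushed_ipv6_routes(conf)):
        problems.append(f"clients are not pushed a route to {lan}")
    routes = parse_ip6_route(route_output)
    for name, net, dev in (("LAN", lan, lan_dev), ("VPN", vpn, vpn_dev)):
        r = best_route(routes, net[3])  # any host inside the prefix
        if r is None or r[1] is not None or r[2] != dev:
            problems.append(f"{name} {net} is not a connected route on {dev}: {r}")
    for ifc in ("all", lan_dev, vpn_dev):
        if not forwarding.get(ifc):
            problems.append(f"net.ipv6.conf.{ifc}.forwarding is 0")
    return problems
```

On a real server, feed `audit()` the output of `ip -6 route` and the values of `net.ipv6.conf.<if>.forwarding` from `sysctl` instead of the constructed samples.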
Why use the /64 if you have 64k worth of /64 in a /48?