
ipv6 routing question

Started by guylhem, July 05, 2011, 12:06:23 PM


guylhem

Hello

I use tb_userspace to tunnelbroker on a  OpenVZ VPS to get ipv6 connectivity for my machines connected to this VPS by openvpn.
My VPS also supports native ipv6, but just gives a handful of ipv6 addresses (not even a /64!) - better than nothing. So this native ipv6 address is used to make the website hosted on the VPS accessible by ipv6.

But I also need ipv6 for my openvpn clients. I run openvpn 2.2 + Gert Doring's IPv6 patch. This requires subnets; I'm trying to set up ipv6 routing to support both tunnelbroker (for openvpn) and a default route to the native ipv6 (for the website on the VPS).

Of course, if I use tb0 as the default route, it works, but then I don't use native ipv6 for the VPS itself, resulting in a waste of bandwidth for he.net (I don't want to do that - they provide a great service)
And if I use venet0 as the default route, it works too, but then I don't get any tunnelbroker connectivity for the clients.


So at the moment I use:

# Route to tunnel
ip -6 route add 2001:470::/32 dev tb0
# Default route
ip -6 route add ::/0 dev venet0

Yet I'm not sure about the 2001:470::/32 - what is the proper prefix I should use to route my tunnelbroker allocations back to tb_userspace?

I just need to use tunnelbroker for "openvpntcp0" and "openvpnudp0" interfaces, which could use the /64 and /48 I was allocated. Hopefully the VPS will provide ipv6 subnets in the future, but at the moment this is the only solution I see.

Thanks in advance for any help with this basic routing question,
Guylhem

jrocha

What you are currently doing, which is actually not such a bad idea, is sending everything destined for HE address space (2001:470::/32) through tunnelbroker, and everything else out default through native.

The problem is that you are routing EVERYTHING destined for HE space through tunnelbroker. You probably want to put a static route for your allocations before the less specific /32 route. I'm not familiar with how OpenVPN is handling IPv6, but if you are assigning a /64 to the vpn tunnel, you would want to ensure that the /64 is routed down the vpn interface instead of out the tunnelbroker interface.

juhoostman

If your native IPv6 connection is source address filtered, you need to choose the default route based on the source address in addition to the destination, that is, traffic whose source address belongs to the HE space needs to be routed to the Internet through the tunnel broker. You can do this by setting up multiple routing tables and routing rules (using ip rule). If you have further problems, you should post your OpenVPN configuration and IPv6 routing tables and rules.

guylhem

Hello

Thanks for your help!

The allocation I have from tunnelbroker is 2001:470:8:dac::/64 and 2001:470:e414::/48, and I'm using tb0 interface.

According to the 1st reply, I should only route this to the tunneled connection to tb0 - basically doing 2 route add instead of the current /32 one. I can see that.

But I believe the native ipv6 connection is indeed address filtered because unless I do the /32 route, I can't ping ipv6 hosts to/from the tunnel.

According to the 2nd reply, I should do something a little more complicated which I don't fully understand but seems better - ie sending back to the tb0 only packets coming from the tunnel hosts.

I'm using 2001:470:e414:1000::/64 on openvpntcp0 and 2001:470:e414:2000::/64 on openvpnudp0

Could you please give me an example of the ip rules I should use?


juhoostman

Let's suppose that DEV is the native IPv6 interface, GW is the native gateway, ADDR is your native address and SUBNET is its network prefix, and we use the main table for the tunnelbroker. You configure the tunnelbroker as your default route normally. The scripts would probably add routes to the main table by default. In order to route your native traffic through the native interface you add a routing rule as follows:

ip -6 rule add from ADDR table 1
ip -6 route add SUBNET table 1 dev DEV
ip -6 route add default table 1 via GW

You should test this and see whether it works. If your VPS has an IPv6 address in the tunnelbroker subnet, you should also check which source address is chosen by default if you initiate a connection from the VPS. If a tunnelbroker address is chosen instead of your native address you can force your native address to be used by deprecating the tunnelbroker address (or deleting it if you don't need it). Address ADDR of device DEV is deprecated like this:
ip -6 addr change ADDR dev DEV preferred_lft 0
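To see how the two pieces of advice above fit together (jrocha's point that the VPN /64s need more-specific routes than the tunnel default, and the source-based rule for the native address), here is a small model of the kernel's policy-routing decision. This is an added example, not code from the thread or from Hurricane Electric; the 2001:470:... prefixes are the allocations quoted by the poster, while ADDR, SUBNET, GW and DEV are stand-ins built from the 2001:db8:: documentation range. `lookup` walks the rules in priority order, and within the selected table picks the longest matching prefix, falling through to the next rule when a table has no route for the destination; `render` emits the corresponding `ip -6` commands.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv6Net = ipaddress.IPv6Network

# Constructed stand-ins for the placeholders in the thread (ADDR, SUBNET, GW, DEV).
NATIVE_ADDR = ipaddress.IPv6Address("2001:db8:1::10")   # ADDR (constructed)
NATIVE_SUBNET = IPv6Net("2001:db8:1::/64")              # SUBNET (constructed)
NATIVE_GW = "2001:db8:1::1"                             # GW (constructed)
NATIVE_DEV = "venet0"                                   # DEV
# Allocations and VPN subnets as posted in the thread.
TB_ROUTED_64 = IPv6Net("2001:470:8:dac::/64")
TB_ROUTED_48 = IPv6Net("2001:470:e414::/48")
VPN_SUBNETS = {IPv6Net("2001:470:e414:1000::/64"): "openvpntcp0",
               IPv6Net("2001:470:e414:2000::/64"): "openvpnudp0"}


@dataclass(frozen=True)
class Route:
    prefix: IPv6Net
    dev: Optional[str] = None
    via: Optional[str] = None
    unreachable: bool = False

    def command(self, table: str) -> str:
        """Render this route as the `ip -6 route add` line that would install it."""
        dst = "default" if self.prefix.prefixlen == 0 else str(self.prefix)
        tbl = "" if table == "main" else f" table {table}"
        if self.unreachable:
            return f"ip -6 route add unreachable {dst}{tbl}"
        via = f" via {self.via}" if self.via else ""
        return f"ip -6 route add {dst}{tbl}{via} dev {self.dev}"


# A rule is (source prefix, or None for "any source", table name); list order = priority.
Rule = Tuple[Optional[IPv6Net], str]


def build_config() -> Tuple[List[Rule], Dict[str, List[Route]]]:
    vpn_routes = [Route(p, dev=d) for p, d in VPN_SUBNETS.items()]
    tables = {
        # main table: tunnelbroker is the default, VPN /64s are more specific than it.
        "main": vpn_routes + [
            Route(TB_ROUTED_64, dev="tb0"),
            # Catch-all for parts of the /48 not handed to a VPN client, so they are not
            # bounced back out of the tunnel (common practice, not from the thread).
            Route(TB_ROUTED_48, unreachable=True),
            Route(IPv6Net("::/0"), dev="tb0"),
        ],
        # table 1: native traffic. The VPN /64s are repeated here so that packets sourced
        # from the native address can still reach VPN clients instead of leaving via GW.
        "1": vpn_routes + [
            Route(NATIVE_SUBNET, dev=NATIVE_DEV),
            Route(IPv6Net("::/0"), dev=NATIVE_DEV, via=NATIVE_GW),
        ],
    }
    rules: List[Rule] = [(IPv6Net(f"{NATIVE_ADDR}/128"), "1"), (None, "main")]
    return rules, tables


def lookup(rules: List[Rule], tables: Dict[str, List[Route]],
           src: str, dst: str) -> Optional[Tuple[str, Route]]:
    """Policy-routing decision: first matching rule whose table has a route for dst."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for src_pfx, table in rules:
        if src_pfx is not None and s not in src_pfx:
            continue
        candidates = [r for r in tables[table] if d in r.prefix]
        if candidates:  # longest-prefix match inside the selected table
            return table, max(candidates, key=lambda r: r.prefix.prefixlen)
        # empty table lookup: the kernel continues with the next rule
    return None


def render(rules: List[Rule], tables: Dict[str, List[Route]]) -> List[str]:
    """Commands in a safe order: populate the tables first, then add the rules."""
    cmds = [r.command(table) for table, routes in tables.items() for r in routes]
    cmds += [f"ip -6 rule add from {pfx} table {table}" for pfx, table in rules if pfx]
    return cmds


if __name__ == "__main__":
    rules, tables = build_config()
    print("\n".join(render(rules, tables)))
    for src, dst in [(str(NATIVE_ADDR), "2001:4860:4860::8888"),
                     ("2001:470:e414:1000::5", "2001:4860:4860::8888"),
                     ("2001:470:e414:1000::5", "2001:470:e414:2000::7")]:
        print(src, "->", dst, ":", lookup(rules, tables, src, dst))
```

Running it shows the intended split: a packet from the native address to the outside world leaves via venet0 and GW, a packet from a VPN client to the same destination goes out tb0, and traffic between the two VPN /64s stays on the openvpn interfaces regardless of which table is consulted.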

juhoostman

If your kernel has IPv6 subtrees support or you can build your own kernel, this becomes a lot simpler. Then you can add source address masks to regular routes and the hassle with multiple tables is avoided. In this case it suffices to write:

ip -6 route add default from ADDR/128 via GW

The problem with multiple tables is that it is difficult to reconcile that with several programs automatically updating their routes. Most programs don't seem to have an option to use an alternative table, so routes have to be set up manually or some custom scripts need to be hooked.

guylhem

Thanks for the information.

Unfortunately the "native ipv6" allocation is not a subnet but a list of IPs, from :10 to :29, which doesn't even look like a proper ipv4-style /28 classless networking :-( And no, I can't deploy my own kernel.

I did some tests however and using the native ipv6 gives a much better latency than tunnelbroker for outgoing comms. So my current approach is to give to each openvpn client a /64 from the tb /48, along with a single ipv6 from the native allocation: openvpn clients should talk to each other with their /64 from tunnelbroker, but they should use the single native ipv6 for outgoing communications to, say, ipv6.google.com - at least that's the plan.

Yet when I write my routes, route complains that the gateway for the ipv6 is unreachable. An OpenVPN client with a native ipv6 can ping the openvpn server, and vice versa. If I write something like route -6 add nativeipv6gw -host openvpnserveripv6, I can also ping6 the native gateway for ipv6. But when I try to set it up as the default route, it fails as unreachable.

I can post the precise command if you want.

juhoostman

Post the commands, then, along with ip -6 addr, ip -6 route, and if you have changed it, ip -6 rule. You should have OpenVPN running and maybe some client connected.

I don't think it matters that your assigned addresses don't cover a complete subnet. You just use the longest prefix that includes all your addresses.
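The "longest prefix that includes all your addresses" is easy to compute, and it is also worth knowing how many foreign addresses that prefix drags in. The following is an added example (not from the thread); the base prefix 2001:db8:1:: is a constructed stand-in for the poster's native prefix, while the :10 to :29 range is the one he described. `covering_prefix` returns the single smallest prefix containing every address, which is what you would use as SUBNET in the on-link route; `exact_blocks` shows why the range is not one clean block.

```python
import ipaddress
from typing import Iterable, List

# Constructed: the poster's native addresses run from :10 to :29 inclusive.
NATIVE_BASE = "2001:db8:1::"                              # stand-in prefix (constructed)
NATIVE_ADDRS = [f"{NATIVE_BASE}{i:x}" for i in range(0x10, 0x29 + 1)]


def covering_prefix(addrs: Iterable[str]) -> ipaddress.IPv6Network:
    """Smallest single prefix that contains every address in the list.

    The prefix length is the number of leading bits shared by the lowest and
    highest address; everything in between shares them too.
    """
    ints = [int(ipaddress.IPv6Address(a)) for a in addrs]
    if not ints:
        raise ValueError("need at least one address")
    lo, hi = min(ints), max(ints)
    plen = 128 - (lo ^ hi).bit_length()   # bits above the first differing bit
    return ipaddress.IPv6Network((lo, plen), strict=False)  # strict=False masks host bits


def exact_blocks(first: str, last: str) -> List[ipaddress.IPv6Network]:
    """CIDR blocks that cover first..last exactly and nothing else."""
    return list(ipaddress.summarize_address_range(ipaddress.IPv6Address(first),
                                                  ipaddress.IPv6Address(last)))


def extra_addresses(addrs: Iterable[str], net: ipaddress.IPv6Network) -> int:
    """How many addresses inside `net` are not in the assigned list."""
    owned = {ipaddress.IPv6Address(a) for a in addrs}
    return sum(1 for a in net if a not in owned)


if __name__ == "__main__":
    net = covering_prefix(NATIVE_ADDRS)
    print("covering prefix:", net)                       # 2001:db8:1::/122
    print("exact blocks:", [str(b) for b in exact_blocks(NATIVE_ADDRS[0], NATIVE_ADDRS[-1])])
    print("addresses in prefix not assigned to us:", extra_addresses(NATIVE_ADDRS, net))
```

For the :10 to :29 range the covering prefix is a /122 (64 addresses, 38 of them not yours), and the exact cover needs three blocks (/124, /125, /127). As the reply above says, the over-wide prefix is harmless for the on-link route in your own table, since it only decides which interface this host uses to reach those neighbours.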

guylhem

The full config, along with some details, has been sent to you by email, since it's a bit long.

I'll post a summary here of the relevant parts and any fixes they might need.

guylhem

It works now, and I'm preparing a detailed explanation, but I'm just missing something to deprecate the address on other OSes besides Linux. Will post an update soon.