Hurricane Electric's IPv6 Tunnel Broker Forums

IPv6 routing between subnets and OpenVPN

Started by lannetplv6, September 28, 2019, 12:10:57 PM


lannetplv6

Hi,
I have two routed subnets, standard /64 + /48. Generally it works, except routing between OpenVPN clients and /64 hosts. So the configuration looks like:
Server IPv6 Address: 2001:470:xx:12e::1/64
Client IPv6 Address: 2001:470:xx:12e::2/64
Routed /64: 2001:470:yy:12e::/64
Routed /48: 2001:470:aaaa::/48

eno1: 1.2.3.4/24
he-ipv6: 2001:470:yy:12e::2/64
tun0: 10.2.0.1/24 + 2001:470:aaaa:1::1/64
vmbr0: 192.168.101.1/24 + 2001:470:yy:12e::1

In the local network (192.168.101.0/24) I have some VMs and bare metal boxes running on a dual IPv6+IPv4 stack. That works fine. On the VPN I have added IPv6 support to get it on my home laptop/desktop/rpi running behind an IPv4-only network:


cd /etc/openvpn
local 1.2.3.4
proto udp
#proto udp6
port 11095
verb 3
log-append /var/log/openvpn.log
status /var/log/openvpn-status.log
daemon
dev tun0
tun-mtu 1500
persist-tun
persist-key
server 10.2.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ips.txt
push "dhcp-option DOMAIN domain.net"
push "dhcp-option DNS 8.8.8.8"
push "sndbuf 0"
push "rcvbuf 0"
push block-outside-dns
push "route 0.0.0.0 0.0.0.0 vpn_gateway"
push "route-ipv6 2001:470:yy:12e::/64"
push "route-ipv6 2001:470:xx:12e::/64"
cipher AES-256-CBC
auth-nocache
keepalive 10 120
user nobody
group nogroup
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh4096.pem
client-to-client
duplicate-cn
sndbuf 0
rcvbuf 0
fast-io
mssfix 1360
#server-ipv6 2001:470:xx:12e:8000::/65
server-ipv6 2001:470:aaaa:1::/64
push "route-ipv6 ::/0"
push "route-metric 2000"


Then routed two IPv6 networks:
ip route add 2001:470:aaaa::/64 via 2001:470:xx:12e::1
ip route add 2001:470:aaaa:1::/64 via 2001:470:xx:12e::1

The problem is that I can't access anything in the local network (on IPv6) on the 2001:470:yy:12e::x network, and vice versa.

Routing from the OpenVPN-connected client to the internet (Google):

  1.|-- 2001:470:aaaa:1::1         0.0%    10   46.1  45.2  43.9  46.9   0.7
  2.|-- 2001:470:xx:12e::1         0.0%    10   53.3  53.3  51.8  54.2   0.5
  3.|-- 2001:470:0:222::1          0.0%    10   71.6  57.0  50.5  73.5   8.9
  4.|-- 2001:7f8:60::1:5169:1      0.0%    10   51.0  51.7  50.0  52.9   0.9
  5.|-- 2001:4860:0:1184::8        0.0%    10   51.8  53.2  50.6  68.6   5.4
  6.|-- 2001:4860::c:4000:f873     0.0%    10   70.0  71.2  68.7  74.7   1.6
  7.|-- 2001:4860::c:4000:d9aa     0.0%    10   74.8  73.2  72.0  74.8   0.7
  8.|-- 2607:f8b0:e000:8000::3     0.0%    10   73.9  73.9  72.0  79.3   1.9
  9.|-- 2001:4860:0:1::219f        0.0%    10   72.7  72.9  70.8  74.6   1.0
10.|-- 2a00:1450:400e:80b::200e   0.0%    10   72.0  74.4  71.9  86.4   4.2


Routing from the same OpenVPN-connected client to the host in the server's local network (2001:470:yy:12e::3):

  1.|-- 2001:470:aaaa:1::1         0.0%    10   45.2  45.1  44.4  46.0   0.0
  2.|-- ???                       100.0    10    0.0   0.0   0.0   0.0   0.0


Routing from the 2001:470:yy:12e::3 to the OpenVPN client:

  1.|-- 2001:470:yy:12e::1         0.0%    10    0.3   0.3   0.3   0.3   0.0
  2.|-- ???                       100.0    10    0.0   0.0   0.0   0.0   0.0


But any IPv6-enabled host on the internet, like my other server outside the network, can reach the IPv6 OpenVPN client without any problems. So I am assuming that the problem is with the routing.
Any idea, what I have missed?
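Added example, not code from the thread: a longest-prefix-match model of the server's IPv6 routing table built from the interface addresses listed above, with the redacted hextets xx and yy replaced by the constructed values 1a and 1b. It assumes that vmbr0's address, given without a prefix length, is a /128 (the `ip -6 addr add` default) and that the default route leaves via he-ipv6, as the traceroute to Google shows; the second table, with the tunnel /64 on he-ipv6 and an explicit /64 on vmbr0, is an assumed layout included only for comparison.

```python
import ipaddress

# Constructed stand-ins for the redacted hextets in the post: xx -> 1a, yy -> 1b.
# vmbr0 has no prefix length in the post, which `ip -6 addr add` treats as /128.

def build_table(interfaces, static_routes):
    """Build [(network, iface, metric)]; addresses shorter than /128 add on-link routes (metric 256)."""
    table = []
    for iface, addrs in interfaces.items():
        for cidr in addrs:
            net = ipaddress.IPv6Interface(cidr).network
            if net.prefixlen < 128:
                table.append((net, iface, 256))
    for cidr, iface, metric in static_routes:
        table.append((ipaddress.IPv6Network(cidr), iface, metric))
    return table

def lookup(table, dst):
    """Longest prefix wins, then lowest metric, then first added; returns (prefix, iface) or None."""
    dst = ipaddress.IPv6Address(dst)
    hits = [r for r in table if dst in r[0]]
    if not hits:
        return None
    net, iface, _ = max(hits, key=lambda r: (r[0].prefixlen, -r[2]))
    return str(net), iface

DEFAULT = [("::/0", "he-ipv6", 1024)]  # assumed from the traceroute to Google

# Interfaces as the post lists them (vmbr0 without a prefix length -> /128).
AS_POSTED = build_table({"he-ipv6": ["2001:470:1b:12e::2/64"],
                         "tun0": ["2001:470:aaaa:1::1/64"],
                         "vmbr0": ["2001:470:1b:12e::1/128"]}, DEFAULT)

# Assumed layout for comparison: tunnel /64 on he-ipv6, routed /64 on vmbr0.
SEPARATED = build_table({"he-ipv6": ["2001:470:1a:12e::2/64"],
                         "tun0": ["2001:470:aaaa:1::1/64"],
                         "vmbr0": ["2001:470:1b:12e::1/64"]}, DEFAULT)

def egress(table):
    """Egress chosen for a LAN host, a VPN client and the Google address from the traceroute."""
    targets = {"lan host": "2001:470:1b:12e::3",
               "vpn client": "2001:470:aaaa:1::2",
               "internet": "2a00:1450:400e:80b::200e"}
    return {name: lookup(table, addr) for name, addr in targets.items()}

if __name__ == "__main__":
    for label, table in (("as posted", AS_POSTED), ("separated", SEPARATED)):
        print(label, egress(table))
```

With the addresses as posted, the only on-link route for 2001:470:1b:12e::/64 is the one he-ipv6 creates, so the LAN host resolves to the tunnel interface rather than vmbr0; the separated table sends it to vmbr0.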

cholzhauer

Why use the /64 if you have 64k worth of /64s in a /48?