LinuxQuestions.org
Old 03-31-2015, 06:30 PM   #1
gnirtS
LQ Newbie
 
Registered: Jan 2005
Distribution: Debian (usually testing)
Posts: 26

Rep: Reputation: 15
OpenVPN and IPv6 Routing issue


I've got a working IPv4 OpenVPN setup on my VPS allowing devices to connect and route all internet traffic through, so that part is fine.
I'm trying to use it to natively route IPv6 for clients as well and have problems I suspect are route related.

The VPS itself has a /64 address block allocated to it (eth0 is using 2001:42d8:1:5886::f9/64). This part works, as I can ping6 and my www/email and so on listen on the IPv6 and respond, so that's fine.

In the OpenVPN client side (Windows and Android) I've added tun-ipv6.
In the OpenVPN server side I've added the following:-

tun-ipv6
server-ipv6 2001:42d8:1:5886:123::f9/64
push "route-ipv6 2001:42d8:1:5886::f9"
push "route-ipv6 2000::/3"

On restarting I can successfully connect to the VPN and from the client side I can ping6 both the tunnel server IPv6 and the eth0 address.
However, I cannot ping6 the client address from the server. The packet is just dropped.
The main problem is from the client: although I can access the tunnel and eth0 IPv6, I cannot access any sites outside that network, so no internet routing at all.
I'm assuming I've messed up somewhere in my server or pushes and have a routing issue somewhere, but I'm completely unable to find it.

Can anyone suggest where I'm going wrong here?

(Yes, I've randomised some of the IP addresses here so they're not my real ones posted.)
 
Old 04-02-2015, 02:46 AM   #2
dijetlo
Senior Member
 
Registered: Jan 2009
Location: RHELtopia....
Distribution: Solaris 11.2/Slackware/RHEL/
Posts: 1,491
Blog Entries: 2

Rep: Reputation: Disabled
Quote:
The packet is just dropped...i cannot access any sites outside that network so no internet routing at all
Did you check ip6tables (your ip6 firewall) for whatever is functioning as your internet switch? Generally, the default setting is outbound allow / inbound drop, which is what it sounds like you're describing here.
 
Old 04-02-2015, 06:00 AM   #3
gnirtS
I've changed that now to try to use the /80 as a server but the issues remain (and in fact are worse now - I can't ping the eth0 VPS IPv6 address).

Server config is now:-

Code:
server-ipv6 2001:42d8:1:5886:123::/80
push "route-ipv6 2001:42d8:1:5886::/64"
push "route-ipv6 2000::/3"


Now I can ping the tunnel endpoint on the VPS from the client but can't ping the eth0 public address. I still can't ping the client from the VPS either.

Just for testing I've tried to open up everything in ip6tables:-

Code:
ip6tables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all anywhere anywhere
ACCEPT all anywhere anywhere state NEW
ACCEPT all anywhere anywhere state RELATED,ESTABLISHED


net.ipv6.conf.all.forwarding=1 is set

Code:
ip -6 route show
2001:42d8:1:5886:123::/80 dev tun0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
2001:42d8:1:5886::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev tun0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
default via fe80::1 dev eth0 metric 1024 mtu 1500 advmss 1440 hoplimit 0


On a tcpdump for IPv6 I can see the client packets going outbound from the tunnel interface but nothing comes back in.
On the eth0 interface I can see my client packets going outbound to try to connect to ipv6.google.com but again nothing seems to come back in to it.
 
Old 04-02-2015, 08:02 AM   #4
dijetlo
Quote:
I've changed that now to try to use the /80 as a server but the issues remain (and in fact are worse now - i cant ping the eth0 VPS ipv6 address).
I wouldn't change a thing in the configuration files until we've determined whether this is a configuration issue, a routing issue or a firewall issue.
On that note:
All your forwarded ip6 hop limits are set to 0

Quote:
Time To Live (TTL)/Hop Limit (8 bits) The 8-bit Hop Limit field is decremented by one, by each node (typically a router) that forwards a packet. If the Hop Limit field is decremented to zero, the packet is discarded.
Why don't we set the ipv6 tables to ALLOW/ALLOW/ALLOW, change your configuration back to what it was before and reset your hop limits to a sane value and see if that was the problem all along.
 
Old 04-02-2015, 08:06 AM   #5
dijetlo
Sorry for the confusion, in the prior post I should have said, the ipv6 firewall rules should be initially set to ACCEPT/ACCEPT/ACCEPT (not ALLOW).
 
Old 04-02-2015, 09:45 AM   #6
gnirtS
I've restored the config and set ip6tables to a blanket accept now but identical problems as above - I can ping the tunnel end point and eth0 IPv6 from the client but nothing back to it and no inbound internet packets.

As for the hop limit, proc/sys/net/ipv6/conf/default is showing a default setting of 64 and I haven't changed it anywhere so I've got no idea how to actually reset it (or how it got non zero in the first place).

Code:
sysctl -A |grep -i hop_limit
net.ipv6.conf.all.hop_limit = 64
net.ipv6.conf.default.hop_limit = 64
net.ipv6.conf.lo.hop_limit = 64
net.ipv6.conf.dummy0.hop_limit = 64
net.ipv6.conf.eth0.hop_limit = 64
net.ipv6.conf.teql0.hop_limit = 64
net.ipv6.conf.tunl0.hop_limit = 64
net.ipv6.conf.gre0.hop_limit = 64
net.ipv6.conf.sit0.hop_limit = 64
net.ipv6.conf.ip6tnl0.hop_limit = 64
net.ipv6.conf.tun0.hop_limit = 64

Last edited by gnirtS; 04-02-2015 at 10:15 AM.
 
Old 04-02-2015, 06:28 PM   #7
dijetlo
try

Quote:
ping -c 3 -t 64 linuxquestions.org
from the VPS. If you get data back, it's the hop count. Different options for setting it are available via google, post back if you have any questions.
 
Old 04-03-2015, 04:31 AM   #8
gnirtS
Quote:
Originally Posted by dijetlo View Post
try



from the VPS. If you get data back, it's the hop count. Different options for setting it are available via google, post back if you have any questions.
That's the IPv4 command? In which case, yes that works.

Doing the IPv6 ping to google reveals the same:-

Code:
PING google.com(lhr08s07-in-x0e.1e100.net) 56 data bytes
64 bytes from lhr08s07-in-x0e.1e100.net: icmp_seq=1 ttl=57 time=6.15 ms
64 bytes from lhr08s07-in-x0e.1e100.net: icmp_seq=2 ttl=57 time=5.85 ms

Both inbound and outbound IPv6 works on the VPS itself, the issue I've got is the tunneling and VPN end.

On the client end I'm pinging IPv6 sites using TTL=64 and it's still just not responding (no TTL error etc).

Last edited by gnirtS; 04-03-2015 at 04:34 AM.
 
Old 04-03-2015, 06:34 AM   #9
dijetlo
If your vpn wasn't supporting ip6 in the tunnel, you wouldn't be able to ping the VPS over it using ipv6. If you can, it's probably not your VPN.
If the hop count is 0, you won't get a response, first router to touch it kills it.
Try pinging the client from the VPS over ip6 while running a tcpdump on the client. That way we'll see what's in the packet header.
 
Old 04-03-2015, 06:38 AM   #10
dijetlo
Also, you might want to check your ip6tables -t nat to make sure forwarding the packets through the chains in that table isn't what's resetting the value to 0 (if it's that, when you ping6 back to the client, you'll see a sane hop count but when your VPS forwards them to the outbound internet adapter over ip6tables nat, their hop counts are getting zeroed out.)
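
An added example, not part of any post in the thread: a Python sketch that parses the `ip -6 route show` output from post #3, lists the hoplimit attribute of each route, and flags any global prefix on one interface that is nested inside a prefix on another interface. With the thread's data it reports the tun0 /80 sitting inside the eth0 /64. It assumes the flat keyword/value layout seen in that output; the function names are made up for the example.

```python
import ipaddress

# Route table copied from the `ip -6 route show` output in post #3.
ROUTES = """\
2001:42d8:1:5886:123::/80 dev tun0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
2001:42d8:1:5886::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev tun0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
default via fe80::1 dev eth0 metric 1024 mtu 1500 advmss 1440 hoplimit 0
"""

def parse_routes(text):
    """Parse `ip -6 route show` lines into dicts (prefix, dev, hoplimit)."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        prefix = "::/0" if tok[0] == "default" else tok[0]
        # Assumption: the rest is flat "keyword value" pairs, as in the post.
        attrs = dict(zip(tok[1::2], tok[2::2]))
        routes.append({"prefix": ipaddress.IPv6Network(prefix, strict=False),
                       "dev": attrs.get("dev"),
                       "hoplimit": attrs.get("hoplimit")})
    return routes

def nested_prefixes(routes):
    """Return (inner, outer) pairs: a prefix on one device inside another's."""
    hits = []
    for inner in routes:
        for outer in routes:
            a, b = inner["prefix"], outer["prefix"]
            if (inner["dev"] != outer["dev"]
                    and b.prefixlen > 0          # skip the default route
                    and not a.is_link_local      # fe80::/64 exists per device
                    and a.prefixlen > b.prefixlen
                    and a.subnet_of(b)):
                hits.append((inner, outer))
    return hits

if __name__ == "__main__":
    table = parse_routes(ROUTES)
    for r in table:
        print(f'{r["prefix"]} dev {r["dev"]} hoplimit {r["hoplimit"]}')
    for inner, outer in nested_prefixes(table):
        print(f'{inner["prefix"]} ({inner["dev"]}) is inside '
              f'{outer["prefix"]} ({outer["dev"]})')
```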
 
  



Tags
ipv6, openvpn, routing

