LinuxQuestions.org forum: Linux - Networking
#1 | 03-31-2015, 06:30 PM | gnirtS (LQ Newbie; Registered: Jan 2005; Distribution: Debian (usually testing); Posts: 26)
OpenVPN and IPv6 Routing issue
I've got a working IPv4 OpenVPN setup on my VPS allowing devices to connect and route all internet traffic through it, so that part is fine.
I'm trying to use it to natively route IPv6 for clients as well and have problems I suspect are route related.
The VPS itself has a /64 address block allocated to it (eth0 is using 2001:42d8:1:5886::f9/64). This part works, as I can ping6 it and my www/email and so on listen on the IPv6 address and respond, so that's fine.
On the OpenVPN client side (Windows and Android) I've added tun-ipv6.
On the OpenVPN server side I've added the following:
Code:
tun-ipv6
server-ipv6 2001:42d8:1:5886:123::f9/64
push "route-ipv6 2001:42d8:1:5886::f9"
push "route-ipv6 2000::/3"
On restarting I can successfully connect to the VPN, and from the client side I can ping6 both the tunnel server IPv6 address and the eth0 address.
However, I cannot ping6 the client address from the server. The packet is just dropped.
The main problem is that from the client, although I can access the tunnel and eth0 IPv6 addresses, I cannot access any sites outside that network, so no internet routing at all.
I'm assuming I've messed up somewhere in my server config or pushes and have a routing issue somewhere, but I'm completely unable to find it.
Can anyone suggest where I'm going wrong here?
(Yes, I've randomised some of the IP addresses here so they're not my real ones posted.)
#2 | 04-02-2015, 02:46 AM | dijetlo (Senior Member; Registered: Jan 2009; Location: RHELtopia....; Distribution: Solaris 11.2/Slackware/RHEL/; Posts: 1,491)
Quote:
The packet is just dropped... I cannot access any sites outside that network so no internet routing at all
Did you check ip6tables (your IPv6 firewall) for whatever is functioning as your internet switch? Generally, the default setting is outbound allow / inbound drop, which is what it sounds like you're describing here.
#3 | 04-02-2015, 06:00 AM | gnirtS (Original Poster)
I've changed that now to try to use the /80 as a server, but the issues remain (and in fact are worse now: I can't ping the eth0 VPS IPv6 address).
Server config is now:
Code:
server-ipv6 2001:42d8:1:5886:123::/80
push "route-ipv6 2001:42d8:1:5886::/64"
push "route-ipv6 2000::/3"
Now I can ping the tunnel endpoint on the VPS from the client but can't ping the eth0 public address. I still can't ping the client from the VPS either.
Just for testing I've tried to open up everything in ip6tables:
Code:
ip6tables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all anywhere anywhere
ACCEPT all anywhere anywhere state NEW
ACCEPT all anywhere anywhere state RELATED,ESTABLISHED
net.ipv6.conf.all.forwarding=1 is set.
Code:
ip -6 route show
2001:42d8:1:5886:123::/80 dev tun0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
2001:42d8:1:5886::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev tun0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
default via fe80::1 dev eth0 metric 1024 mtu 1500 advmss 1440 hoplimit 0
On a tcpdump for IPv6 I can see the client packets going outbound from the tunnel interface, but nothing comes back in.
On the eth0 interface I can see my client packets going outbound to try to connect to ipv6.google.com, but again nothing seems to come back in to it.
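An added example (editor's code, not from the thread or from OpenVPN): it takes the eth0 address, the server-ipv6 prefix, the `ip -6 route show` lines and the sysctl values exactly as posted above and checks the three things a practitioner would check before changing the config again. First, whether forwarding, the default route and the tunnel route are in place. Second, what Hop Limit the kernel will actually use per route: iproute2 prints `hoplimit 0` when no per-route override is set, and the kernel then uses net.ipv6.conf.<dev>.hop_limit, which is 64 everywhere here. Third, how the tunnel prefix relates to the prefix that is on-link on eth0. That last check matters because a /80 carved out of eth0's /64 is, from the provider's gateway (fe80::1) point of view, still on the eth0 link: the gateway resolves return traffic for tunnel clients with Neighbor Solicitations on that link, and nothing answers them while those addresses live behind tun0. The `ndp_proxy_commands` helper emits the sysctl and iproute2 commands that make the VPS answer for such addresses; that this is the needed fix is an assumption that the provider treats the /64 as on-link rather than routing it to the VPS, and the client address 2001:42d8:1:5886:123::1000 is a hypothetical one, not from the thread.

```python
"""Offline sanity check of the IPv6 routing posted in this thread (added example)."""
import ipaddress

# Constructed from post #1 and post #3; addresses are the OP's randomised ones.
ETH0_ADDR = "2001:42d8:1:5886::f9/64"
SERVER_IPV6_FIRST = "2001:42d8:1:5886:123::f9/64"   # post #1 config
SERVER_IPV6 = "2001:42d8:1:5886:123::/80"           # post #3 config
ROUTES = """\
2001:42d8:1:5886:123::/80 dev tun0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
2001:42d8:1:5886::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev tun0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
default via fe80::1 dev eth0 metric 1024 mtu 1500 advmss 1440 hoplimit 0
"""
SYSCTL = """\
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.hop_limit = 64
net.ipv6.conf.default.hop_limit = 64
net.ipv6.conf.eth0.hop_limit = 64
net.ipv6.conf.tun0.hop_limit = 64
"""
HYPOTHETICAL_CLIENT = "2001:42d8:1:5886:123::1000"  # assumed, not from the thread


def parse_sysctl(text):
    """'key = value' lines -> {key: int(value)}."""
    out = {}
    for line in text.splitlines():
        if "=" in line:
            key, val = (part.strip() for part in line.split("=", 1))
            out[key] = int(val)
    return out


def parse_routes(text):
    """`ip -6 route show` lines -> [{dst, dev, hoplimit}]."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        hop = int(f[f.index("hoplimit") + 1]) if "hoplimit" in f else 0
        routes.append({"dst": f[0], "dev": f[f.index("dev") + 1], "hoplimit": hop})
    return routes


def effective_hop_limit(route, sysctl):
    """'hoplimit 0' in iproute2 output means no per-route override; the kernel
    then uses net.ipv6.conf.<dev>.hop_limit, so packets do not leave with 0."""
    if route["hoplimit"] > 0:
        return route["hoplimit"]
    return sysctl.get("net.ipv6.conf.%s.hop_limit" % route["dev"],
                      sysctl.get("net.ipv6.conf.default.hop_limit", 64))


def classify_prefix(eth0_addr, server_ipv6):
    """How the tunnel prefix relates to the prefix that is on-link on eth0."""
    onlink = ipaddress.ip_interface(eth0_addr).network
    tun = ipaddress.ip_interface(server_ipv6).network   # tolerates host bits
    if tun == onlink:
        return "same-prefix"   # tun0 and eth0 both claim the whole /64
    if tun.subnet_of(onlink):
        return "sub-prefix"    # carved from the on-link /64: gateway sends NS on eth0
    return "separate"          # separately routed prefix: forwarding alone suffices


def analyse(eth0_addr, server_ipv6, routes_text, sysctl_text):
    sysctl = parse_sysctl(sysctl_text)
    routes = parse_routes(routes_text)
    tun = ipaddress.ip_interface(server_ipv6).network
    return {
        "forwarding": sysctl.get("net.ipv6.conf.all.forwarding") == 1,
        "default_route": any(r["dst"] == "default" for r in routes),
        "tun_route": any(r["dst"] == str(tun) for r in routes),
        "hop_limits": {"%s dev %s" % (r["dst"], r["dev"]): effective_hop_limit(r, sysctl)
                       for r in routes},
        "prefix": classify_prefix(eth0_addr, server_ipv6),
    }


def ndp_proxy_commands(server_ipv6, client_addrs, dev="eth0"):
    """Commands that make the VPS answer Neighbor Solicitations on `dev` for
    tunnel-side addresses. Assumption: the provider treats the whole /64 as
    on-link instead of routing it to the VPS."""
    net = ipaddress.ip_interface(server_ipv6).network
    cmds = ["sysctl -w net.ipv6.conf.%s.proxy_ndp=1" % dev]
    for a in client_addrs:
        addr = ipaddress.ip_address(a)
        if addr not in net:
            raise ValueError("%s is not inside %s" % (a, net))
        cmds.append("ip -6 neigh add proxy %s dev %s" % (addr, dev))
    return cmds


if __name__ == "__main__":
    report = analyse(ETH0_ADDR, SERVER_IPV6, ROUTES, SYSCTL)
    for key, value in report.items():
        print("%-14s %s" % (key, value))
    if report["prefix"] == "sub-prefix":
        print("\n".join(ndp_proxy_commands(SERVER_IPV6, [HYPOTHETICAL_CLIENT])))
```

Run against the posted data, `classify_prefix` reports "same-prefix" for the post #1 config (tun0 and eth0 claiming the identical /64) and "sub-prefix" for the post #3 config; the ip6tables policy and the hop limits come out clean. Per-address proxy entries are the minimal form of the fix; a daemon such as ndppd can answer for the whole tunnel prefix instead, and if the provider routes a separate prefix to the VPS ("separate"), no NDP proxying is needed at all.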
#4 | 04-02-2015, 08:02 AM | dijetlo
Quote:
I've changed that now to try to use the /80 as a server but the issues remain (and in fact are worse now - I can't ping the eth0 VPS IPv6 address).
I wouldn't change a thing in the configuration files until we've determined whether this is a configuration issue, a routing issue or a firewall issue.
On that note:
All your forwarded ip6 hop limits are set to 0
Quote:
Time To Live (TTL)/Hop Limit (8 bits): The 8-bit Hop Limit field is decremented by one by each node (typically a router) that forwards a packet. If the Hop Limit field is decremented to zero, the packet is discarded.
Why don't we set the IPv6 tables to ALLOW/ALLOW/ALLOW, change your configuration back to what it was before, reset your hop limits to a sane value and see if that was the problem all along.
#5 | 04-02-2015, 08:06 AM | dijetlo
Sorry for the confusion, in the prior post I should have said, the ipv6 firewall rules should be initially set to ACCEPT/ACCEPT/ACCEPT (not ALLOW).
#6 | 04-02-2015, 09:45 AM | gnirtS (Original Poster)
I've restored the config and set ip6tables to a blanket accept now, but identical problems as above: I can ping the tunnel endpoint and the eth0 IPv6 address from the client, but nothing back to it and no inbound internet packets.
As for the hop limit, /proc/sys/net/ipv6/conf/default is showing a default setting of 64 and I haven't changed it anywhere, so I've got no idea how to actually reset it (or how it got non-zero in the first place).
Code:
sysctl -A |grep -i hop_limit
net.ipv6.conf.all.hop_limit = 64
net.ipv6.conf.default.hop_limit = 64
net.ipv6.conf.lo.hop_limit = 64
net.ipv6.conf.dummy0.hop_limit = 64
net.ipv6.conf.eth0.hop_limit = 64
net.ipv6.conf.teql0.hop_limit = 64
net.ipv6.conf.tunl0.hop_limit = 64
net.ipv6.conf.gre0.hop_limit = 64
net.ipv6.conf.sit0.hop_limit = 64
net.ipv6.conf.ip6tnl0.hop_limit = 64
net.ipv6.conf.tun0.hop_limit = 64
Last edited by gnirtS; 04-02-2015 at 10:15 AM.
#7 | 04-02-2015, 06:28 PM | dijetlo
Try
Quote:
ping -c 3 -t 64 linuxquestions.org
from the VPS. If you get data back, it's the hop count. Different options for setting it are available via Google; post back if you have any questions.
#8 | 04-03-2015, 04:31 AM | gnirtS (Original Poster)
Quote:
Originally Posted by dijetlo
try
from the VPS. If you get data back, it's the hop count. Different options for setting it are available via google, post back if you have any questions.
That's the IPv4 command? In which case, yes, that works.
Doing the IPv6 ping to Google reveals the same:
Code:
PING google.com(lhr08s07-in-x0e.1e100.net) 56 data bytes
64 bytes from lhr08s07-in-x0e.1e100.net: icmp_seq=1 ttl=57 time=6.15 ms
64 bytes from lhr08s07-in-x0e.1e100.net: icmp_seq=2 ttl=57 time=5.85 ms
Both inbound and outbound IPv6 work on the VPS itself; the issue I've got is the tunnelling and VPN end.
On the client end I'm pinging IPv6 sites using TTL=64 and it's still just not responding (no TTL error etc.).
Last edited by gnirtS; 04-03-2015 at 04:34 AM.
#9 | 04-03-2015, 06:34 AM | dijetlo
If your VPN wasn't supporting IPv6 in the tunnel, you wouldn't be able to ping the VPS over it using IPv6. If you can, it's probably not your VPN.
If the hop count is 0, you won't get a response; the first router to touch it kills it.
Try pinging the client from the VPS over ip6 while running a tcpdump on the client. That way we'll see what's in the packet header.
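Pinging with a capture running is the right instinct; the capture point that settles the question for the symptom in post #3 (client packets leave eth0, nothing comes back) is the VPS's eth0 while the client pings an outside host, because that is where the provider's gateway has to resolve the client's tunnel address before it can hand return traffic over. The added example below (editor's code, not from the thread) parses such a capture and reports Neighbor Solicitations for addresses inside the tunnel prefix that never receive a Neighbor Advertisement, and counts echo requests against replies. The capture text is constructed, not the OP's: it is what `tcpdump -ni eth0 icmp6` on the VPS would show if the gateway (fe80::1) asks for a tunnel client address and nobody answers, while the VPS's own eth0 address is answered normally. 2001:db8::1 stands in for the remote host, and 2001:42d8:1:5886:123::1000 is a hypothetical client address.

```python
"""Correlate NS/NA pairs and echo traffic in a tcpdump of eth0 (added example)."""
import ipaddress
import re
from collections import Counter

# Constructed capture, in `tcpdump -ni eth0 icmp6` line format; not from the thread.
CAPTURE = """\
10:15:01.000001 IP6 2001:42d8:1:5886:123::1000 > 2001:db8::1: ICMP6, echo request, seq 1, length 64
10:15:01.000500 IP6 fe80::1 > ff02::1:ff00:1000: ICMP6, neighbor solicitation, who has 2001:42d8:1:5886:123::1000, length 32
10:15:02.000001 IP6 2001:42d8:1:5886:123::1000 > 2001:db8::1: ICMP6, echo request, seq 2, length 64
10:15:02.000500 IP6 fe80::1 > ff02::1:ff00:1000: ICMP6, neighbor solicitation, who has 2001:42d8:1:5886:123::1000, length 32
10:15:03.000000 IP6 fe80::1 > ff02::1:ff00:f9: ICMP6, neighbor solicitation, who has 2001:42d8:1:5886::f9, length 32
10:15:03.000100 IP6 2001:42d8:1:5886::f9 > fe80::1: ICMP6, neighbor advertisement, tgt is 2001:42d8:1:5886::f9, length 32
"""

NS_RE = re.compile(r"neighbor solicitation, who has (\S+),")
NA_RE = re.compile(r"neighbor advertisement, tgt is (\S+),")
ECHO_RE = re.compile(r"IP6 (\S+) > (\S+): ICMP6, echo (request|reply)")


def solicited_node(addr):
    """Solicited-node multicast group (ff02::1:ffXX:XXXX) for addr: the
    destination on which Neighbor Solicitations for it arrive."""
    low24 = int(ipaddress.ip_address(addr)) & 0xFFFFFF
    base = int(ipaddress.ip_address("ff02::1:ff00:0"))
    return str(ipaddress.ip_address(base | low24))


def unanswered_solicitations(capture, tun_prefix):
    """{target: NS count} for targets inside tun_prefix that never appear
    as the target of a Neighbor Advertisement in the capture."""
    net = ipaddress.ip_network(tun_prefix)
    asked, answered = Counter(), set()
    for line in capture.splitlines():
        m = NS_RE.search(line)
        if m:
            asked[m.group(1)] += 1
        m = NA_RE.search(line)
        if m:
            answered.add(m.group(1))
    return {t: n for t, n in asked.items()
            if t not in answered and ipaddress.ip_address(t) in net}


def echo_balance(capture):
    """(echo requests, echo replies) seen on the interface; requests with no
    replies is the 'nothing comes back in' symptom from the thread."""
    kinds = Counter(m.group(3) for m in map(ECHO_RE.search, capture.splitlines()) if m)
    return kinds["request"], kinds["reply"]


if __name__ == "__main__":
    print("echo request/reply:", echo_balance(CAPTURE))
    for target, n in unanswered_solicitations(CAPTURE, "2001:42d8:1:5886:123::/80").items():
        print("%d unanswered NS for %s (group %s)" % (n, target, solicited_node(target)))
```

On a live box, replace CAPTURE with the output of that tcpdump while the client pings an outside host. If the tunnel addresses show up only as unanswered solicitations while 2001:42d8:1:5886::f9 is answered, the return path is failing at neighbour discovery on eth0, not at ip6tables and not at the hop limit, and the capture point dijetlo suggests (the client side) will only ever show the outbound half.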
#10 | 04-03-2015, 06:38 AM | dijetlo
Also, you might want to check your ip6tables -t nat to make sure forwarding the packets through the chains in that table isn't what's resetting the value to 0 (if it's that, when you ping6 back to the client you'll see a sane hop count, but when your VPS forwards them to the outbound internet adapter over ip6tables nat, their hop counts are getting zeroed out).
All times are GMT -5.