
I have been trying to get IPv6 working on my tap OpenVPN network. The server already has IPv6, however it only has a /64 and the biggest range available is a /116 (which breaks autoconf). I am getting a 6-in-4 /48 from he.net to provide addresses to my VPN.

IPv6 Tunnel Endpoints

Server IPv6 Address:2001:470:xxxx:xxxx::1/64
Client IPv6 Address:2001:470:xxxx:xxxx::2/64

Routed IPv6 Prefixes

Routed 2001:470:yyyy::/48:

My network structure (internet => server => client) is:

Internet
 ||
OpenVPN server
eth0 (Native ipv6): 2600:3c01::xxxx:xxxx:xxxx:xxxx/64
he-ipv6 (6-in-4): 2001:470:xxxx:xxxx::2/64
tap0 (VPN): 2001:470:yyyy:zzzz::1/64
 ||
OpenVPN client
wlan0 (ipv4)
tap0 (VPN - autoconf): 2001:470:yyyy:zzzz:wwww:wwww:wwww:wwww/64

Config of server:

server # ip -6 route
2001:470:xxxx:xxxx::/64 via :: dev he-ipv6  proto kernel  metric 256 
2001:470:yyyy:zzzz::/64 dev tap0  proto kernel  metric 256 
2600:3c01::xxxx:xxxx:xxxx:xxxx dev eth0  proto kernel  metric 256 
fe80::/64 dev eth0  proto kernel  metric 256 
fe80::/64 dev tap0  proto kernel  metric 256 
fe80::/64 via :: dev he-ipv6  proto kernel  metric 256 
default dev he-ipv6  metric 1024 
default via fe80::xxxx:xxxx:xxxx:xxxx dev tap0  proto kernel  metric 1024  expires 4748sec

Config of client:

client # ip -6 route                                           
2001:470:xxxx:xxxx::/64 via 2001:470:yyyy:zzzz::1 dev tap0  metric 1 
2001:470:yyyy:zzzz::/64 dev tap0  proto kernel  metric 256  expires 86388sec
fe80::/64 dev wlan0  proto kernel  metric 256 
fe80::/64 dev tap0  proto kernel  metric 256 
default via fe80::xxxx:xxxx:xxxx:xxxx dev tap0  proto kernel  metric 1024  expires 5383sec hoplimit 64

Ping results

Internet => 2600:3c01::xxxx:xxxx:xxxx:xxxx           Works
Internet => 2001:470:yyyy:zzzz::1                    Works
Internet => 2001:470:yyyy:zzzz:wwww:wwww:wwww:wwww   Timed Out

Server => 2600:3c01::xxxx:xxxx:xxxx:xxxx             Works
Server => 2001:470:yyyy:zzzz::1                      Works
Server => 2001:470:yyyy:zzzz:wwww:wwww:wwww:wwww     Works
Server => 2404:6800:4006:802::1011 (ipv6.google.com) Works

Client => 2600:3c01::xxxx:xxxx:xxxx:xxxx             Works
Client => 2001:470:yyyy:zzzz::1                      Works
Client => 2001:470:yyyy:zzzz:wwww:wwww:wwww:wwww     Works
Client => 2404:6800:4006:802::1011 (ipv6.google.com) Destination unreachable: Address unreachable

What should the routes be so that the client can be properly online with ipv6?

I know there should be a default route on the client for dev tap0, however no gateway I have tried has worked. I have been trying to work this out (through both research and experimentation) however I have not found a solution that works (though this seems to come close).

Portablejim

2 Answers


Are you sure the problem is on the client and not the server? The client routes look fine. Does a traceroute to ipv6.google.com reach 2001:470:yyyy:zzzz::1? If it does, then IPv6 traffic is using the VPN as its default gateway and your client routes are all set.

I think the problem may be forwarding packets between tap0 and he-ipv6 on the server. I'm not very familiar with OpenVPN, but normally that kind of thing is controlled by policies in addition to the routing table.

I think OpenVPN uses iptables, and so allowing forwarding in both directions between the two ipv6 interfaces would require something like this.

# iptables only manages the IPv4 tables; IPv6 forwarding is filtered by ip6tables
ip6tables -I FORWARD -i tap0 -o he-ipv6 -j ACCEPT
ip6tables -I FORWARD -i he-ipv6 -o tap0 -j ACCEPT
Mike Haboustak

I ended up changing the setup and so the question does not apply any more.

However, I was thinking that you need to make sure that the kernel has been set up to forward IPv6 packets for all devices.

Portablejim
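As an added example that is not part of either answer (and not OpenVPN's own tooling), the following POSIX shell script performs the two server-side checks the two answers point at: whether net.ipv6.conf.all.forwarding is on, and whether the kernel is still installing an RA-learned default route on the VPN interface. With the default accept_ra=1, Linux ignores Router Advertisements once forwarding is enabled, so the kernel-installed "expires" default on the server's tap0 in the question is consistent with forwarding still being off (unless accept_ra=2 was set there). The script then prints the sysctl and ip6tables commands that turn the server into a router. The interface names tap0 and he-ipv6 come from the question; SYSCTL_ROOT, RUN_LIVE, the function names and the stateful return-path rule are my own assumptions, chosen so the checks can be exercised against a mock sysctl tree and captured route text rather than only on a live box.

```shell
#!/bin/sh
# Added example: diagnose and fix IPv6 forwarding on a Linux OpenVPN server
# whose clients sit on a tap interface and whose uplink is a 6in4 tunnel.
# Assumptions: Linux, iproute2, sysctl, ip6tables. Interface names default to
# the ones in the question; override with VPN_IF / UPLINK_IF.

VPN_IF="${VPN_IF:-tap0}"          # interface the OpenVPN clients are on
UPLINK_IF="${UPLINK_IF:-he-ipv6}" # 6in4 tunnel carrying the routed /48

# Print an IPv6 per-interface sysctl value read under a given root
# ("/proc/sys" on a live system, a mock directory in tests). Missing -> 0.
ipv6_conf() {  # usage: ipv6_conf <root> <iface|all> <knob>
    cat "$1/net/ipv6/conf/$2/$3" 2>/dev/null || echo 0
}

# True when the 'ip -6 route' text on stdin has a kernel-installed, RA-learned
# default route on the given interface. A router should not have one: with
# accept_ra=1 the kernel only honours RAs while forwarding is off, so this is
# the tell-tale that the box is still acting as a host.
has_ra_default() {  # usage: has_ra_default <iface> < route_text
    grep -q "^default via fe80:[^ ]* dev $1 .*expires"
}

# True when the 'ip -6 route' text on stdin has any default route via $1.
has_default_via() {  # usage: has_default_via <iface> < route_text
    grep -q "^default .*dev $1"
}

# "router" if the kernel forwards IPv6 on all interfaces, otherwise "host".
server_role() {  # usage: server_role <sysctl_root>
    if [ "$(ipv6_conf "$1" all forwarding)" = 1 ]; then
        echo router
    else
        echo host
    fi
}

# One-line summary of the three things to look at on the server.
diagnose_server() {  # usage: diagnose_server <sysctl_root> <route_file>
    fwd=$(ipv6_conf "$1" all forwarding)
    if has_ra_default "$VPN_IF" < "$2"; then ra=yes; else ra=no; fi
    if has_default_via "$UPLINK_IF" < "$2"; then up=yes; else up=no; fi
    echo "forwarding=$fwd ra_default_on_$VPN_IF=$ra default_via_$UPLINK_IF=$up"
}

# Print (rather than run) the commands that make the server route between the
# VPN and the tunnel. Rules are inserted at the top of FORWARD so a DROP policy
# cannot swallow VPN traffic. The return path only admits ICMPv6 and replies to
# connections the clients opened; drop that restriction if clients must be
# reachable from the Internet. Caveat: forwarding=1 makes every interface stop
# accepting RAs unless its accept_ra is 2, so set that first where RAs matter.
forwarding_commands() {
    cat <<EOF
sysctl -w net.ipv6.conf.all.forwarding=1
ip6tables -I FORWARD -i $VPN_IF -o $UPLINK_IF -j ACCEPT
ip6tables -I FORWARD -i $UPLINK_IF -o $VPN_IF -p icmpv6 -j ACCEPT
ip6tables -I FORWARD -i $UPLINK_IF -o $VPN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Live usage on the server (as root): RUN_LIVE=1 sh check-ipv6-forwarding.sh
if [ "${RUN_LIVE:-0}" = 1 ]; then
    ip -6 route > "/tmp/ip6routes.$$"
    diagnose_server /proc/sys "/tmp/ip6routes.$$"
    rm -f "/tmp/ip6routes.$$"
    forwarding_commands
fi
```

Review the printed commands before piping them to sh. Once forwarding is on, a traceroute from the client to ipv6.google.com should show 2001:470:yyyy:zzzz::1 as the first hop and then continue out through the tunnel, which is the check the first answer asks for.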