0

I am using OpenVPN (built from tarball) and have a /112 subnet. My server is configured to use tun. IPv4 is working correctly, but IPv6 has some problems:

  • ping6 ipv6.google.com gives no reply.
  • When I add the IPv6 address advertised by OpenVPN and then remove it again, it works.

My idea is: the ICMP is leaving the server, but isn't coming back, because the address assigned to the VPN client isn't added to any interface - the server is ignoring the incoming packet.

How can I change this behaviour? tcpdump shows the outgoing packet. I can ping the OpenVPN server from the client.

wb7

1 Answer

0

The proper configuration is to have one link prefix assigned to the physical network interface on the VPN server and have a different prefix routed to the server from which you allocate a link prefix for the virtual network interface used by the VPN software. Unless you have specific reasons to do otherwise, you should make each of the link prefixes a /64. The routed prefix could be a /64 or shorter.

Of those three prefixes involved you only mention that one is a /112 without mentioning which one of them it is. This makes me think you might be trying to use one single /112 for different purposes without even realizing what each of those different purposes is.

There are hacks one can use to turn part of a link prefix into a routed prefix. Those hacks do, however, waste capacity on the router and require a better understanding of the protocols you are dealing with, so my recommendation is to use a real routed prefix.

If it is completely impossible for you to get a routed prefix either from your current provider or by switching to another provider, you can proxy neighbor discovery between the physical and virtual interfaces. ndppd promises to be able to do that. I haven't tested that particular tool, but I know from previous experiments that it is possible to do it.

kasperd
  • My provider only assigns me a /112. – wb7 Apr 07 '14 at 14:22
  • You should ask your provider for a routed /60. If your provider won't give you that, you should consider moving to a more serious provider. You could use a hack to turn one /113 out of that /112 into a routed prefix, but it's not going to be pretty. – kasperd Apr 07 '14 at 14:36
  • I already asked my provider - he wouldn't. It's a VPN in another country, and more or less the cheapest provider. – wb7 Apr 07 '14 at 14:39
  • Is it your own VPN server, or are you only running the client yourself? – kasperd Apr 07 '14 at 14:44
  • It's a KVM container. – wb7 Apr 07 '14 at 14:51
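
Added example (not part of the original answer, and not OpenVPN or ndppd code): a short Python check of the address plan the answer describes. It reports whether the prefix handed out on the tun interface is covered by a separate routed prefix or sits inside the link prefix of the physical interface, in which case neighbor discovery has to be proxied. The function names and the 2001:db8:: sample prefixes are assumptions made for illustration.

```python
import ipaddress


def classify_vpn_prefix(onlink, vpn, routed=None):
    """Say how return traffic for the tun prefix can reach the VPN server.

    onlink: link prefix on the server's physical interface
    vpn:    link prefix handed out on the tun interface
    routed: prefix the provider routes to the server, or None
    """
    onlink = ipaddress.ip_network(onlink)
    vpn = ipaddress.ip_network(vpn)
    if routed is not None:
        routed = ipaddress.ip_network(routed)
        # A routed prefix must be distinct from the physical link prefix.
        if vpn.subnet_of(routed) and not routed.overlaps(onlink):
            return "routed"
    if vpn.subnet_of(onlink):
        # Upstream treats these addresses as on-link neighbours, so
        # neighbor discovery has to be proxied onto the physical interface.
        return "needs-nd-proxy"
    return "unreachable"


def carve_vpn_half(onlink):
    """Split the on-link prefix in two halves (the /112 -> /113 case)."""
    lower, upper = ipaddress.ip_network(onlink).subnets(prefixlen_diff=1)
    return lower, upper


if __name__ == "__main__":
    # Constructed sample values from the 2001:db8::/32 documentation range.
    # Recommended layout: /64 on the NIC, tun /64 taken from a routed /60.
    print(classify_vpn_prefix("2001:db8:0:1::/64",
                              "2001:db8:0:100::/64",
                              routed="2001:db8:0:100::/60"))
    # The asker's situation: a single /112 and no routed prefix.
    physical_half, tun_half = carve_vpn_half("2001:db8::1:0/112")
    print(physical_half, tun_half,
          classify_vpn_prefix("2001:db8::1:0/112", tun_half))
```
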