I have a tunnel set up between my laptop and server, using OpenVPN 2.3.10 on the client and 2.3.13 on the server. It was originally set up for IPv4 to masquerade my IP address to be my server IP address and to hide where I am connecting to from my local ISP. Then I added IPv6 so it is now dual-stack. I used masquerading with IPv6 to keep things as simple as I believed they could be.

My laptop setup and info:

```
lt1/pdh /home/pdh 1> cat /etc/issue.net
Ubuntu 16.04.1 LTS
lt1/pdh /home/pdh 2> uname -r
4.4.0-57-generic
lt1/pdh /home/pdh 3> ifconfig tun2kepler
tun2kepler Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.0.2.2  P-t-P:192.0.2.1  Mask:255.255.255.255
          inet6 addr: fdff::2/64 Scope:Global
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1280  Metric:1
          RX packets:425555 errors:0 dropped:0 overruns:0 frame:0
          TX packets:386998 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:296698202 (296.6 MB)  TX bytes:56672484 (56.6 MB)
```

My server setup and info:

```
kepler/phil /home/phil 1> cat /etc/issue.net
Ubuntu 14.04.5 LTS
kepler/phil /home/phil 2> uname -r
3.13.0-101-generic
kepler/phil /home/phil 3> ifconfig tun2home
tun2home  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.0.2.1  P-t-P:192.0.2.2  Mask:255.255.255.255
          inet6 addr: fdff::1/64 Scope:Global
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1280  Metric:1
          RX packets:6730209 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7546625 errors:0 dropped:3158 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:835431595 (835.4 MB)  TX bytes:5118239922 (5.1 GB)
```

Everything works including IPv6. The problem that I am having is that my browser and other clients are using IPv4. I want them to use IPv6 in cases where IPv6 can be used (DNS has an AAAA record and/or /etc/hosts has an IPv6 address). If there is only an IPv6 address then it works as long as that address is reachable and valid. But if there is an IPv4 address, then it gets used. I want it to prefer IPv6. So I googled for this and found suggestions to modify the /etc/gai.conf file to change the precedence so IPv4 is lower. Here is that file:

```
#               #               #
precedence      ::1/128         50
precedence      ::/0            40
precedence      2002::/16       30
precedence      ::/96           20
precedence      ::ffff:0:0/96   12
precedence      fec0::/10       10
precedence      fc00::/7        19
precedence      2001:0::/32     18
#               #               #
label           ::1/128         0
label           ::/0            1
label           2002::/16       2
label           ::/96           3
label           ::ffff:0:0/96   4
label           fec0::/10       4
label           fc00::/7        4
label           2001:0::/32     4
#               #               #
```

So the precedence of IPv4 is 12 and most of IPv6 is higher? Is this a correct setting? What do I need to change to make my laptop prefer IPv6 when it can? I realize there may be cases where I should prefer IPv4 instead of IPv6, but I can't even get that problem. I would like to have other IPv6-enabled clients prefer IPv6 host-wide, as well, if possible.

Skaperen
  • Clients prefer IPv6 by default. Things like Happy Eyeballs can make them switch to IPv4 though if IPv6 is much slower than IPv4. Using Wireshark might show you what exactly is happening. – Sander Steffann Jan 07 '17 at 12:06
  • Don't masquerade IPv6 if you can avoid it (and you can almost always avoid it). That's just going to _cause_ a variety of problems, potentially including this. – Michael Hampton Jan 07 '17 at 17:23
  • How does masquerading IPv6 cause this? All that is different is the source address. The client operates with fdff::2 instead of the server address. And how can I avoid it? The server has *one* IPv6 address. I actually did try configuring my laptop to operate with the laptop tunnel interface IPv6 being the same as the server but that did not work at all ... How would it know which packets go to the server and which go to the tunnel? The server has a website that needs to be reached via IPv6. – Skaperen Jan 08 '17 at 01:53
  • I don't care if IPv6 is slower. But actually it is faster (I am guessing because the providers involved planned on IPv6 being more busy than it actually is). Either way, I want to use it as much as I can. By "faster" I mean total traffic, not DNS turnaround. It appears that A record answers are arriving before AAAA record answers. Not all DNS servers will answer an ANY query. Maybe they need a single A/AAAA record query that answers only and both A and AAAA records so that bad timings in these answers have no meaning. I do have reasonably recent software (Ubuntu 16.04.1, etc). – Skaperen Jan 08 '17 at 04:30
  • Can those who vote this question down please say where this question should be posted? – Skaperen Jan 08 '17 at 04:33
  • @Skaperen I don't know if masquerading itself can cause your problem. But using RFC 4193 addresses can. And too much exposure to IPv4 can cause administrators to think using RFC 4193 addresses together with masquerading is a sensible way to deploy IPv6 (hint: it is not). I guess that's the reason for Michael suspecting masquerading as a potential root cause. I do notice however that your `gai.conf` file has suspicious-looking labels. That's enough different potential sources of problems that I am not even going to make a guess as to which one of them is the root cause. – kasperd Jan 08 '17 at 15:26

0 Answers
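
The policy-table lookup behind the comments on `gai.conf` labels and RFC 4193 addresses, as an added example that is not part of the original question or comments. It loads the table posted in the question and orders candidate destinations by RFC 3484/6724 rule 5 (matching label) and rule 6 (higher precedence) only, assuming the earlier rules tie. The destination addresses and the global source `2001:db8:1::2` are constructed documentation addresses; the tunnel sources `fdff::2` and `192.0.2.2` are from the question.

```python
import ipaddress

# Policy table copied from the gai.conf posted in the question.
GAI_CONF = """
precedence ::1/128       50
precedence ::/0          40
precedence 2002::/16     30
precedence ::/96         20
precedence ::ffff:0:0/96 12
precedence fec0::/10     10
precedence fc00::/7      19
precedence 2001:0::/32   18
label ::1/128       0
label ::/0          1
label 2002::/16     2
label ::/96         3
label ::ffff:0:0/96 4
label fec0::/10     4
label fc00::/7      4
label 2001:0::/32   4
"""

def parse(conf):
    table = {"label": [], "precedence": []}
    for line in conf.splitlines():
        fields = line.split("#")[0].split()
        if len(fields) == 3 and fields[0] in table:
            net = ipaddress.ip_network(fields[1])
            table[fields[0]].append((net, int(fields[2])))
    return table

def lookup(entries, addr):
    """Longest-prefix match; IPv4 is looked up as ::ffff:a.b.c.d."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        ip = ipaddress.IPv6Address("::ffff:" + str(ip))
    return max((net.prefixlen, val) for net, val in entries if ip in net)[1]

def order(table, candidates):
    """Sort (destination, chosen source) pairs by rule 5, then rule 6."""
    def key(pair):
        dst, src = pair
        labels_match = lookup(table["label"], dst) == lookup(table["label"], src)
        return (not labels_match, -lookup(table["precedence"], dst))
    return [dst for dst, _ in sorted(candidates, key=key)]

TABLE = parse(GAI_CONF)
V4 = ("198.51.100.10", "192.0.2.2")   # constructed destination, tunnel IPv4 source
# Constructed AAAA destination reached from the tunnel's fdff::2 source:
ULA_SRC = order(TABLE, [("2001:db8::10", "fdff::2"), V4])
# Same destination with a constructed global source (no ULA, no masquerade):
GLOBAL_SRC = order(TABLE, [("2001:db8::10", "2001:db8:1::2"), V4])
print(ULA_SRC, GLOBAL_SRC)
```

With the `fdff::2` source the IPv6 destination's label (1) differs from its source's label (4), so rule 5 puts the IPv4 pair first before precedence is ever compared; with a global source the labels match and precedence 40 beats 12.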