Need help on IPv6 configuration to get global connectivity
Hi,
I have an IPv6 setup as below:
netassist
|
|-------------------------------------------------------
sit0 - 2a01:d0:xxxx:yyyy::2/64
|
----------- VPS (Ubuntu)
|
tun0 - 2a01:d0:xxxx:yyyy:8000::1/65 (OpenVPN server)
|-------------------------------------------------------
|
|
tun0 - 2a01:d0:xxxx:yyyy:8000::1000/65 (OpenVPN client)
|
------------ Linux VM 1 (Alpine Linux)
|
eth1 - 2a01:d0:xxxx:yyyy:c000::1/66
|-------------------------------------------------------
|
|-------------------------------------------------------
eth0 - 2a01:d0:xxxx:yyyy:c000::2/66
|
------------ Linux VM 2 (Ubuntu)
|-------------------------------------------------------
I can access IPv6 services from Linux VM 1 without any issue, but I cannot access the IPv6 internet from Linux VM 2. All services are accessible between Linux VM 1 and Linux VM 2 (SSH and HTTP).
I am not sure what went wrong. Could you please give me some advice on my setup?
Thanks!
Comments
It's hard to read these on mobile.
Are both clients using the VPN?
Try traceroute from both VMs, for example to www.kame.net or Google.
Only VM 1 is connected to OpenVPN; VM2 is connected to VM1 via an internal network. I just want VM1 to act as a router and connect a few VMs to it, basically adding a VM without using OpenVPN.
traceroute from VM2
ip -6 route show
Is there any firewalling on VM1?
What are you trying to achieve with these stupid /65 and /66s? You don't get SLAAC with them anyway, so could just as well use simpler and clean /80, /96 and /112 segments.
I did not intentionally select the /65 and /66s; I'll try with /112 as you suggested.
I am not sure... I am using a newly installed Alpine Linux.
I would double check and make sure Alpine isn't firewalling by default, I haven't used it myself so I'm not sure what the defaults are. I would also confirm that you have IPv6 forwarding enabled, as it's often not enabled by default. In Debian/Ubuntu you would do this to enable forwarding: sysctl -w net.ipv6.conf.all.forwarding=1
Note I'm not saying /112 will auto fix it, but it will be much easier to clearly see which network segment is where, and that segments really do not overlap. And to check that you have proper routes everywhere.
I've analyzed the interfaces using tcpdump and found out that tun0 of the VPS does not respond to requests originating from VM2.
It seems VM1 correctly forwards them to the VPS; maybe my OpenVPN configuration is not set up to do so.
Is it possibly an issue with missing iroutes? I recall a few years ago when I was experimenting with routing subnets with OpenVPN I needed to create an iroute for each routed subnet. https://community.openvpn.net/openvpn/wiki/RoutedLans
I think so, Thanks for the link
Still not working, even with iroute.
Just did a quick search and looks like that 'bad source address' error is indeed related to missing iroutes: https://openvpn.net/index.php/open-source/faq/79-client/317-qmulti-bad-source-address-from-client--packet-droppedq-or-qget-inst-by-virt-failedq.html
Looks like when routing IPv6, you need to use the iroute-ipv6 parameter: https://unix.stackexchange.com/questions/305809/how-to-asign-full-ipv6-subnet-to-openvpn-client#305989
Hopefully that helps
Thanks for the links. I was trying a similar configuration, but "route-ipv6 $PREFIX in server.conf" was missing from my configuration.
All the configuration looks good now; the log file says 'internal route 2001:d0:xxxx:yyyy:c000::/66', but I am still getting the same error when I ping.
log
When I ping, I get this in openvpn.log:
client1/zzzz.231.122.182:10538 MULTI: bad source address from client [2a01:d0:xxxx:yyyy:c000::2], packet dropped
Finally got it working using an OpenVPN tap interface. Thanks all for the support, especially @freerangecloud (got the idea about point to point from your link: https://unix.stackexchange.com/questions/305809/how-to-asign-full-ipv6-subnet-to-openvpn-client#305989)
Cheers! Good to hear you got it figured out.
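The source-address check behind the 'bad source address' log line, together with the iroute-ipv6 / route-ipv6 pairing and the advice to confirm that segments do not overlap, as an added example that is not part of the original thread or of OpenVPN's own code. It is a simplified Python model; the 2001:db8 addresses, the sample file contents and the function names are constructed assumptions, while the directive names are OpenVPN's.

```python
import ipaddress

# Constructed sample input. 2001:db8::/32 (documentation range) stands in for
# the thread's masked prefix; the /65 and /66 lengths mirror the thread's layout.
SERVER_CONF = """\
server-ipv6 2001:db8:0:1:8000::/65
route-ipv6 2001:db8:0:1:c000::/66   # kernel route for the LAN behind client1
client-config-dir ccd
"""
CCD_CLIENT1 = "iroute-ipv6 2001:db8:0:1:c000::/66\n"
CLIENT1_TUN = "2001:db8:0:1:8000::1000"   # client's own tunnel address
VM2 = "2001:db8:0:1:c000::2"              # host on the LAN behind client1


def prefixes(text, directive):
    """Return the IPv6 networks given as first argument of `directive`."""
    nets = []
    for line in text.splitlines():
        parts = line.split("#")[0].split()
        if len(parts) >= 2 and parts[0] == directive:
            nets.append(ipaddress.IPv6Network(parts[1], strict=False))
    return nets


def check_source(src, server_conf, ccd_conf, client_tun):
    """Simplified model of the server's per-client source check in tun mode.

    Returns (accepted, findings). A source is accepted only if it is the
    client's tunnel address or lies inside one of that client's iroute-ipv6
    prefixes; anything else is what the server logs as 'bad source address'.
    """
    src = ipaddress.IPv6Address(src)
    iroutes = prefixes(ccd_conf, "iroute-ipv6")
    pools = prefixes(server_conf, "server-ipv6")
    accepted = (src == ipaddress.IPv6Address(client_tun)
                or any(src in net for net in iroutes))
    findings = []
    if not accepted:
        findings.append("no iroute-ipv6 covers source")
    routed = prefixes(server_conf, "route-ipv6") + pools
    if not any(src in net for net in routed):
        findings.append("server has no route for source")
    findings += [f"{net} overlaps tunnel pool {pool}"
                 for pool in pools for net in iroutes if pool.overlaps(net)]
    return accepted, findings


if __name__ == "__main__":
    for ccd in ("", CCD_CLIENT1):
        print(check_source(VM2, SERVER_CONF, ccd, CLIENT1_TUN))
```

With the thread's prefix lengths the routed /66 sits inside the /65 tunnel pool, so the second call reports an overlap even though the source is accepted.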