Need help on IPv6 configuration to get global connectivity

melan Member
edited February 2018 in Help

Hi,

I have an IPv6 setup as below:

netassist
|
|-------------------------------------------------------
sit0  - 2a01:d0:xxxx:yyyy::2/64
|
----------- VPS (Ubuntu)
|
tun0 - 2a01:d0:xxxx:yyyy:8000::1/65 (OpenVPN server)
|-------------------------------------------------------
|
|
tun0 - 2a01:d0:xxxx:yyyy:8000::1000/65 (OpenVPN client)
|
------------ Linux VM 1 (Alpine Linux)
|
eth1 - 2a01:d0:xxxx:yyyy:c000::1/66
|-------------------------------------------------------
|
|-------------------------------------------------------
eth0 - 2a01:d0:xxxx:yyyy:c000::2/66
|
------------ Linux VM 2 (Ubuntu)
|-------------------------------------------------------

I can access IPv6 services from Linux VM 1 without any issue, but I cannot access the IPv6 internet from Linux VM 2. All services are accessible between Linux VM 1 and Linux VM 2 (SSH and HTTP).

I am not sure what went wrong. Could you please give some advice on my setup?

Thanks!

Comments

  • It's hard to read these on mobile.

    Are both clients using the VPN?

    Try a traceroute from both VMs, for example to www.kame.net or Google.

    Thanked by 1melan
  • melan Member
    edited February 2018

    @sibaper said:
    It's hard to read these on mobile.

    Are both clients using the VPN?

    Try a traceroute from both VMs, for example to www.kame.net or Google.

    Only VM 1 is connected to OpenVPN; VM2 is connected to VM1 via an internal network. I just want VM1 to act as a router and connect a few VMs to it, basically adding a VM without using OpenVPN.

    traceroute from VM2

    traceroute6 2404:6800:4008:c07::66
    traceroute to 2404:6800:4008:c07::66 (2404:6800:4008:c07::66) from 2a01:d0:xxxx:yyyy:c000::2, 30 hops max, 24 byte packets
     1  2a01:d0:xxxx:yyyy:c000::2 (2a01:d0:xxxx:yyyy:c000::2)  2998.56 ms !H  2997.87 ms !H  3000.06 ms !H   
    

    ip -6 route show

    2a01:d0:xxxx:yyyy:c000::/66 dev enp0s3  proto kernel  metric 256  pref medium
    2000::/3 dev enp0s3  metric 1024  pref medium
    fe80::/64 dev enp0s3  proto kernel  metric 256  pref medium
    default via 2a01:d0:xxxx:yyyy:c000::1 dev enp0s3  proto static  metric 100  pref medium
    
  • freerangecloud Member, Patron Provider

    Is there any firewalling on VM1 ?

    Thanked by 1melan
  • rm_ IPv6 Advocate, Veteran
    edited February 2018

    What are you trying to achieve with these stupid /65 and /66s? You don't get SLAAC with them anyway, so could just as well use simpler and clean /80, /96 and /112 segments.

    Thanked by 1melan
  • melan Member
    edited February 2018

    @rm_ said:
    What are you trying to achieve with these stupid /65 and /66s? You don't get SLAAC with them anyway, so could just as well use simpler and clean /80, /96 and /112 segments.

    I did not intentionally select /65 and /66s, I'll try with /112 as you suggested

  • @freerangecloud said:
    Is there any firewalling on VM1 ?

    I am not sure. I am using a newly installed Alpine Linux.

  • freerangecloud Member, Patron Provider

    @melan said:

    @freerangecloud said:
    Is there any firewalling on VM1 ?

    I am not sure. I am using a newly installed Alpine Linux.

    I would double check and make sure Alpine isn't firewalling by default, I haven't used it myself so I'm not sure what the defaults are. I would also confirm that you have IPv6 forwarding enabled, as it's often not enabled by default. In Debian/Ubuntu you would do this to enable forwarding: sysctl -w net.ipv6.conf.all.forwarding=1

    Thanked by 1melan
  • rm_ IPv6 Advocate, Veteran
    edited February 2018

    melan said: I did not intentionally select /65 and /66s, I'll try with /112 as you suggested

    Note I'm not saying /112 will auto fix it, but it will be much easier to clearly see which network segment is where, and that segments really do not overlap. And to check that you have proper routes everywhere.

    Thanked by 1melan
  • I've analyzed the interface using tcpdump and found that tun0 on the VPS does not respond to requests originating from VM2.

    It seems VM1 correctly forwards them to the VPS; maybe my OpenVPN configuration is not set up to do so..

  • freerangecloud Member, Patron Provider

    Is it possibly an issue with missing iroutes? I recall a few years ago when I was experimenting with routing subnets with OpenVPN I needed to create an iroute for each routed subnet. https://community.openvpn.net/openvpn/wiki/RoutedLans

    Thanked by 1melan
  • @freerangecloud said:
    Is it possibly an issue with missing iroutes? I recall a few years ago when I was experimenting with routing subnets with OpenVPN I needed to create an iroute for each routed subnet. https://community.openvpn.net/openvpn/wiki/RoutedLans

    I think so, Thanks for the link

  • melan Member
    edited February 2018

    still not working even with iroute..

    Mon Feb  5 12:03:59 2018 us=684178 client1/aaa.bbb.ccc.ddd:10518 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/client1
    Mon Feb  5 12:03:59 2018 us=684299 client1/aaa.bbb.ccc.ddd:10518 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=2a01:d0:xxxx:yyyy:8000::1000
    Mon Feb  5 12:03:59 2018 us=684414 client1/aaa.bbb.ccc.ddd:10518 MULTI: Learn: 10.8.0.6 -> client1/aaa.bbb.ccc.ddd:10518
    Mon Feb  5 12:03:59 2018 us=684471 client1/aaa.bbb.ccc.ddd:10518 MULTI: primary virtual IP for client1/aaa.bbb.ccc.ddd:10518: 10.8.0.6
    Mon Feb  5 12:03:59 2018 us=684528 client1/aaa.bbb.ccc.ddd:10518 MULTI: Learn: 2a01:d0:xxxx:yyyy:8000::1000 -> client1/aaa.bbb.ccc.ddd:10518
    Mon Feb  5 12:03:59 2018 us=684583 client1/aaa.bbb.ccc.ddd:10518 MULTI: primary virtual IPv6 for client1/aaa.bbb.ccc.ddd:10518: 2a01:d0:xxxx:yyyy:8000::1000
    Mon Feb  5 12:03:59 2018 us=684638 client1/aaa.bbb.ccc.ddd:10518 MULTI: internal route 2001:d0:xxxx:yyyy:8000::/65 -> client1/aaa.bbb.ccc.ddd:10518
    Mon Feb  5 12:03:59 2018 us=684696 client1/aaa.bbb.ccc.ddd:10518 MULTI: Learn: 2001:d0:xxxx:yyyy:8000::/65 -> client1/aaa.bbb.ccc.ddd:10518
    Mon Feb  5 12:04:00 2018 us=866800 client1/aaa.bbb.ccc.ddd:10518 PUSH: Received control message: 'PUSH_REQUEST'
    Mon Feb  5 12:04:00 2018 us=867079 client1/aaa.bbb.ccc.ddd:10518 send_push_reply(): safe_cap=940
    Mon Feb  5 12:04:00 2018 us=867174 client1/aaa.bbb.ccc.ddd:10518 SENT CONTROL [client1]: 'PUSH_REPLY,ifconfig-ipv6 2a01:d0:xxxx:yyyy:8000::1000/65 2a01:d0:xxxx:yyyy:8000::1,tun-ipv6,redirect-gateway-ipv6 def1 bypass-dhcp-ipv6,route-ipv6 2a01:d0:xxxx:yyyy:8000::1/65,route-ipv6 2000::/3,tun-ipv6,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
    
    Mon Feb  5 12:04:23 2018 us=716476 client1/aaa.bbb.ccc.ddd:10518 MULTI: bad source address from client [2a01:d0:xxxx:yyyy:c000::2], packet dropped
    Mon Feb  5 12:04:24 2018 us=726739 client1/aaa.bbb.ccc.ddd:10518 MULTI: bad source address from client [2a01:d0:xxxx:yyyy:c000::2], packet dropped
    Mon Feb  5 12:04:25 2018 us=726702 client1/aaa.bbb.ccc.ddd:10518 MULTI: bad source address from client [2a01:d0:xxxx:yyyy:c000::2], packet dropped
    Mon Feb  5 12:04:26 2018 us=726720 client1/aaa.bbb.ccc.ddd:10518 MULTI: bad source address from client [2a01:d0:xxxx:yyyy:c000::2], packet dropped
    
  • freerangecloud Member, Patron Provider
    edited February 2018

    Just did a quick search and looks like that 'bad source address' error is indeed related to missing iroutes: https://openvpn.net/index.php/open-source/faq/79-client/317-qmulti-bad-source-address-from-client--packet-droppedq-or-qget-inst-by-virt-failedq.html

    Looks like when routing IPv6, you need to use the iroute-ipv6 parameter: https://unix.stackexchange.com/questions/305809/how-to-asign-full-ipv6-subnet-to-openvpn-client#305989

    Hopefully that helps

    Thanked by 1melan
  • melan Member
    edited February 2018

    @freerangecloud said:
    Just did a quick search and looks like that 'bad source address' error is indeed related to missing iroutes: https://openvpn.net/index.php/open-source/faq/79-client/317-qmulti-bad-source-address-from-client--packet-droppedq-or-qget-inst-by-virt-failedq.html

    Looks like when routing IPv6, you need to use the iroute-ipv6 parameter: https://unix.stackexchange.com/questions/305809/how-to-asign-full-ipv6-subnet-to-openvpn-client#305989

    Hopefully that helps

    Thanks for the links. I was trying a similar configuration, but "route-ipv6 $PREFIX in server.conf" was missing from my configuration.

    All the configuration looks good now; the log file says 'internal route 2001:d0:xxxx:yyyy:c000::/66', but I still get the same error when I ping.

    log

    MULTI: Learn: 2a01:d0:xxxx:yyyy:8000::1000 -> client1/zzz.231.122.182:10538
    MULTI: primary virtual IPv6 for client1/zzz.231.122.182:10538: 2a01:d0:xxxx:yyyy:8000::1000
    MULTI: internal route 2001:d0:xxxx:yyyy:c000::/66 -> client1/zzz.231.122.182:10538
    MULTI: Learn: 2001:d0:xxxx:yyyy:c000::/66 -> client1/zzz.231.122.182:10538
    

    When I ping, I get this in openvpn.log:
    client1/zzzz.231.122.182:10538 MULTI: bad source address from client [2a01:d0:xxxx:yyyy:c000::2], packet dropped
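
Added example (not part of any post in this thread, and not OpenVPN code): a Python check that collects the "internal route" entries OpenVPN learned per client from openvpn.log text and tests each "bad source address" against them, reporting the closest learned route and how many leading bits match. The sample log is constructed with documentation addresses and the function names are this example's own; in the excerpts quoted above, the learned routes are printed with a 2001:d0 prefix while the dropped source starts with 2a01:d0, which is the kind of difference this comparison surfaces.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the format of the openvpn.log excerpts above (documentation
# addresses only). client1's iroute is typed with :3: where its LAN uses :2:.
SAMPLE_LOG = """\
Mon Feb  5 12:03:59 2018 us=684638 client1/192.0.2.10:10518 MULTI: internal route 2001:db8:1:3:c000::/66 -> client1/192.0.2.10:10518
Mon Feb  5 12:04:23 2018 us=716476 client1/192.0.2.10:10518 MULTI: bad source address from client [2001:db8:1:2:c000::2], packet dropped
Mon Feb  5 12:04:24 2018 us=726739 client1/192.0.2.10:10518 MULTI: bad source address from client [2001:db8:1:2:c000::2], packet dropped
Mon Feb  5 12:05:01 2018 us=100200 client2/192.0.2.20:40112 MULTI: bad source address from client [2001:db8:1:2:4000::9], packet dropped
"""

ROUTE_RE = re.compile(r"MULTI: internal route (\S+) -> ([^/\s]+)/")
DROP_RE = re.compile(r"([^/\s]+)/\S+ MULTI: bad source address from client \[([^\]]+)\]")


def shared_bits(addr, net):
    """Leading bits that addr has in common with net's network address."""
    if addr.version != net.version:
        return 0
    diff = int(addr) ^ int(net.network_address)
    return addr.max_prefixlen - diff.bit_length()


def audit(log_text):
    """Return one finding per distinct (client, dropped source address)."""
    routes = defaultdict(list)  # client common name -> learned internal routes
    for prefix, client in ROUTE_RE.findall(log_text):
        routes[client].append(ipaddress.ip_network(prefix, strict=False))
    findings = {}
    for client, src_text in DROP_RE.findall(log_text):
        src = ipaddress.ip_address(src_text)
        nets = routes.get(client, [])
        nearest = max(nets, key=lambda n: shared_bits(src, n), default=None)
        findings[(client, str(src))] = {
            "covered": any(src in n for n in nets),
            "nearest_route": str(nearest) if nearest is not None else None,
            "matching_bits": shared_bits(src, nearest) if nearest is not None else 0,
        }
    return findings


if __name__ == "__main__":
    for (client, src), finding in audit(SAMPLE_LOG).items():
        print(client, src, finding)
```

A finding whose matching_bits is close to, but below, the nearest route's prefix length points at a mistyped prefix in the client's ccd file; a finding with no nearest route means no internal route was learned for that client at all.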

  • Finally got it working using the OpenVPN tap interface. Thanks all for the support, especially @freerangecloud (got the idea about point-to-point from your link: https://unix.stackexchange.com/questions/305809/how-to-asign-full-ipv6-subnet-to-openvpn-client#305989)

  • freerangecloud Member, Patron Provider

    Cheers! Good to hear you got it figured out.
