Sorry, hit the wrong button!
-------- Forwarded Message --------
Subject: Re: openvpn over ipv6 /65
Date: Mon, 26 Nov 2018 11:25:09 +0100
From: tony <li...@vanderhoff.org>
To: Reco <recovery...@enotuniq.net>

On 23/11/2018 15:24, Reco wrote:
> Hi.
>
> On Fri, Nov 23, 2018 at 03:07:01PM +0100, tony wrote:
>> Thanks for your quick response, Reco,
>>
>> On 23/11/2018 13:33, Reco wrote:
>>> Hi.
>>>
>>> On Fri, Nov 23, 2018 at 01:18:45PM +0100, tony wrote:
>>>> Hi,
>>>>
>>>> I have a Stretch VPServer with a /64 netblock, of which only the first 2
>>>> addresses are used. I've been struggling for some time to get the right
>>>> stanza to split that into two /65s, using the upper half for openvpn.
>>>
>>> I'd check first that some other addresses from this /64 range are routed
>>> by your VPS provider.
>>>
>> I'm not sure I understand what you mean. As far as I'm aware, my VPS
>> provider furnishes a full native /64 netblock for my exclusive use.
>> They'll provide more, at a cost, but I see no point in that.
>>>
>> [snip]
>
> Assign some other IPv6 address from your range to your VPS.
> Ensure that it's reachable from the outside world.
> For instance, I do not get any response from your gateway while I'm
> pinging 2a03:9800:10:54::dead (which you do not have), and get a reply
> from 2a03:9800:10:54::2 (which belongs to your VPS).
>
>
>>> Ad-hoc configuration:
>>>
>>> ### check this on your OS!
>>> # ip a d igb0 2001:db8:0:123::/64
>>> # ip a a igb0 2001:db8:0:123::/65
>>> ###
>>> ### re-assign the other aliases previously set under the /64 block
>>> # ip a a igb0 2001:db8:0:123::dead/128
>>> # ip a a igb0 2001:db8:0:123::ea:beef/128
>>>
>> I'm not using any addresses other than the ::1 and ::2 in the /64 block,
>> so presumably the last two lines are redundant.
>
> Yes, you do not need them.
>
>
>>> As for the persistent configuration, that depends on the contents of
>>> /etc/network/interfaces. Can be static (it's straightforward then),
>>> DHCPv6 (you won't be able to do the split) or RA (ditto).
>>>
>> No, it's all static:
>
> That simplifies things greatly.
> Replace this:
>
> iface eth0 inet6 static
>     address 2a03:9800:10:54::2
>     netmask 64
>     gateway 2a03:9800:10:54::1
>
> with this:
>
> iface eth0 inet6 static
>     address 2a03:9800:10:54::2
>     netmask 65
>     gateway 2a03:9800:10:54::1
>
> Leave all the other entries intact.
> Then invoke this as root (one-time only):
>
> ip a d dev eth0 2a03:9800:10:54::2/64
> ip a a dev eth0 2a03:9800:10:54::2/65
> ip ro d default via 2a03:9800:10:54::1
>
>
>> So what is igb0?
>
> The name of the interface that's used in the OpenVPN documentation. Yours is
> called eth0.
>
>
>> What do you mean by ad-hoc and persistent configuration?
>
> ad-hoc means that you're using certain OS binaries (in this case - ip)
> to create a network configuration that does not survive a reboot.
> persistent means the opposite - you're trying to create a configuration
> that should reproduce itself after a reboot (in this case - e/n/i).
>
> Reco
>

Thanks so much, Reco. This has got me well on the way to setting up an
IPv6 VPN. It has also greatly enhanced my understanding of OpenVPN.

So, I've assigned 2a03:9800:10:54:8000::/65 to the VPN, and this appears
to work. The logs are showing the tunnel having been established.
However, I can't get any IPv6 connectivity to the internet unless I stop
OpenVPN.

Have you any further suggestions as to what I might try?

Cheers, Tony
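
The address plan discussed in this thread, checked with Python's `ipaddress` module. This is an added example, not part of the original messages; the function name `check_split` and the keys of the returned dictionary are assumptions made for illustration, while the addresses are the ones quoted above.

```python
import ipaddress


def check_split(parent, host_if, gateway, vpn_pool):
    """Check an uplink/VPN split of a single routed IPv6 block.

    parent   -- the block the provider routes (the /64 in the thread)
    host_if  -- address/prefixlen configured on the uplink (eth0)
    gateway  -- the provider's gateway address
    vpn_pool -- the prefix handed to OpenVPN
    """
    parent = ipaddress.ip_network(parent)
    iface = ipaddress.ip_interface(host_if)
    gateway = ipaddress.ip_address(gateway)
    vpn = ipaddress.ip_network(vpn_pool)

    # Splitting a /64 once yields its two /65 halves.
    lower, upper = parent.subnets(prefixlen_diff=1)

    return {
        "halves": (str(lower), str(upper)),
        # The VPN pool must come out of the block the provider routes.
        "vpn_inside_parent": vpn.subnet_of(parent),
        # True means the uplink's on-link prefix still covers the VPN pool.
        "vpn_overlaps_on_link": vpn.overlaps(iface.network),
        # The gateway must stay inside the uplink's on-link prefix.
        "gateway_on_link": gateway in iface.network,
    }


if __name__ == "__main__":
    plan = ("2a03:9800:10:54::/64", "2a03:9800:10:54::1",
            "2a03:9800:10:54:8000::/65")
    for host_if in ("2a03:9800:10:54::2/64", "2a03:9800:10:54::2/65"):
        print(host_if, check_split(plan[0], host_if, plan[1], plan[2]))
```

With `netmask 64` on eth0 the on-link prefix overlaps the VPN pool; with `netmask 65` the two are disjoint and the gateway `::1` is still on-link in the lower half.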