Hi.

On Mon, Nov 26, 2018 at 05:53:27PM +0100, tony wrote:
> >> 2000::/3 dev tun0 metric 1024 pref medium
> >> 2000::/3 dev tun0 metric 1028 pref medium
> >
> > Er, wat? Exterminate this travesty, you should never announce things
> > like these through openvpn even once, let alone twice. If you really
> > need to do things like GeoIP spoofing, you should announce an IPv6
> > default gateway with low metric.
> >
> I did wonder about that. I have cobbled together stanzas from many
> 'tutorials' on the web. The 2000::/3 stanza came from one of those.
> Someone seemed to think it was a good idea.

Either that someone solved their own specific task, or did not give it
much thought. A bad idea.

> >> I hope that is sufficient information
> >
> > More or less. Server's routing table is good, assuming that you have
> > net.ipv6.conf.all.forwarding set to 1 there.
> >
> I assume that's in /etc/sysctl.conf.

"sysctl net.ipv6.conf.all.forwarding" to check it, and yes,
/etc/sysctl.conf to implement it.

> And no, it's commented out, so presumably 0.

This ain't right. You need your openvpn server to route IPv6 from and to
you, so set it to 1.

> > Client's routing table is a mess. What you should get with openvpn
> > started is (order may be different):
> > ...
> > And that means that it's time to see your openvpn's server configuration
> > file. Can I see one, please?
>
> Certainly:

So, without further ado,

> proto udp
> proto udp6

Choose one here. Either you connect to your openvpn server via IPv4, or
you do it via IPv6. Whatever protocol you encapsulate into openvpn
tunnel isn't relevant here.

> dev tun

L3 tunnel, eh? A good choice, if you ask me.

> push "route-ipv6 2a03:9800:10:54:8000::/65"
> push "route-ipv6 2000::/3"
> push "redirect-gateway def1 bypass-dhcp"

Remove these. Use this instead:

push "redirect-gateway def1"
push "route-ipv6 ::/0 metric 99"

Reco
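
Added example, not part of the original message: a Python check for the server-side points raised in the reply above (more than one proto line, the pushed 2000::/3 route, no pushed IPv6 default route) and for the commented-out forwarding line in sysctl.conf. The function names and the sample input are constructed for illustration, and the sysctl check reads only the file text, not the running kernel value.

```python
import ipaddress
import shlex

# Constructed sample: the server directives quoted in the message above.
SAMPLE_CONF = """\
proto udp
proto udp6
dev tun
push "route-ipv6 2a03:9800:10:54:8000::/65"
push "route-ipv6 2000::/3"
push "redirect-gateway def1 bypass-dhcp"
"""

def lint_server_conf(text):
    """Return sorted (line_no, finding) pairs; line_no 0 is a file-level finding."""
    findings, proto_lines, v6_default = [], [], False
    for no, raw in enumerate(text.splitlines(), 1):
        if raw.lstrip().startswith(";"):          # OpenVPN also accepts ';' comments
            continue
        tokens = shlex.split(raw, comments=True)  # drops '#' comments, keeps quoted args
        if not tokens:
            continue
        if tokens[0] == "proto":
            proto_lines.append(no)
        elif tokens[0] == "push" and len(tokens) > 1:
            pushed = tokens[1].split()
            if len(pushed) >= 2 and pushed[0] == "route-ipv6":
                net = ipaddress.ip_network(pushed[1], strict=False)
                if net == ipaddress.ip_network("2000::/3"):
                    findings.append((no, "pushes 2000::/3 instead of an IPv6 default route"))
                elif net.prefixlen == 0:
                    v6_default = True
    for no in proto_lines[1:]:
        findings.append((no, "more than one proto directive; choose one"))
    if not v6_default:
        findings.append((0, 'no push "route-ipv6 ::/0 metric N" found'))
    return sorted(findings)

def ipv6_forwarding_set(sysctl_conf_text):
    """True only if the last uncommented setting of the key in the text is 1."""
    enabled = False
    for raw in sysctl_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith(";") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "net.ipv6.conf.all.forwarding":
            enabled = value == "1"
    return enabled
```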