I'm having an IPv6 problem that's plagued me for some time (IPv6 routing over VPN). The goal is to use a HurricaneElectric v6 tunnel to get v6 on my laptop, no matter where I am, by using my VPN.
I'm going to be overly-detailed here, so settle in.
Network layout:
svr1 --- vpn --- laptop
svr1 is a Linux OpenVPN client with a static v4 and HE's ipv6 tunnel.
vpn is a Linux OpenVPN server (amongst other things). It has a dynamic v4 address and as such, can't be used with HurricaneElectric's tunnel.
laptop is an OSX laptop and OpenVPN client.
Interfaces:
HE gateway: 2001:470:a:ed::1
svr1 v6: 2001:470:a:ed::2
srv1-tap: 2001:470:a:ed::20
laptop-tap: 2001:470:a:ed::99
What I'd like:
HE --- svr1 --- (vpn) --- laptop
The problem hinges on the fact that I can make this setup work, but only under certain conditions.
For example, I connect up everything, ping6 2001:470:a:ed::2 (and beyond) is ICMP unreachable. as soon as I ping6 2001:470:a:ed::20 (the next hop). This kind of problem existed when I first set up the tunnel on srv1, but appears to have gone away with the addition of 'metric 1' to the interface declaration. I have however replicated this on vpn, although I haven't yet tested the 'metric 1' component. I have been unable to find the 'metric' command on OSX, but I have found a number of people having issues with ipv6 on OSX.
I'm looking for some sort of solution. I'd prefer static routes, no extra prefixes, but at this point, I'm willing to try anything. I've tried radvd, ipv6 on vpn, prefix (albeit probably incorrectly). I have almost no ipv6 experience, so assume I know nothing.
All your routing tables (ip -6 ro) and more precise description of what (pings) work and what don't would quite help to understand what's going on, but I can guess you either have problems with ipv6 forwarding setup on the srv1 (sysctl's net.ipv6.conf.all.forwarding) or with ip6tables (there might be a default DROP policy).
The solution wound up being the difference between the tunnel broker tunnel and the routed /64 they provide. This addressing scheme is correct.
Interfaces:
HE gateway: 2001:470:a:ed::1
svr1 v6: 2001:470:a:ed::2
srv1-tap: 2001:470:b:ed::1
laptop-tap: 2001:470:b:ed::2
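The checks discussed in this thread, as an added example that is not part of any post: it flags tap addresses numbered from the tunnel prefix instead of the routed one, and tests the two suspects named in the answer (the forwarding sysctl and a default DROP policy). It assumes both HE prefixes are /64s, with 2001:470:a:ed::/64 as the tunnel link and 2001:470:b:ed::/64 as the routed prefix; the ip6tables text is constructed sample input.

```python
import ipaddress

# Assumptions, not stated outright on the page: both HE prefixes are /64s,
# 2001:470:a:ed::/64 is the tunnel link and 2001:470:b:ed::/64 the routed one.
TUNNEL_NET = ipaddress.ip_network("2001:470:a:ed::/64")
ROUTED_NET = ipaddress.ip_network("2001:470:b:ed::/64")
TUNNEL_ENDS = ("HE gateway", "svr1 v6")  # interfaces on the tunnel itself

def misplaced_addresses(addrs):
    """Return {interface: reason} for every address in the wrong prefix."""
    problems = {}
    for name, text in addrs.items():
        ip = ipaddress.ip_address(text)
        if name in TUNNEL_ENDS:
            if ip not in TUNNEL_NET:
                problems[name] = "tunnel endpoint outside the tunnel /64"
        elif ip in TUNNEL_NET:
            problems[name] = "numbered from the tunnel /64, not the routed /64"
        elif ip not in ROUTED_NET:
            problems[name] = "outside the routed /64"
    return problems

def forwarding_findings(sysctl_value, ip6tables_rules):
    """Check the answer's two suspects: the forwarding sysctl and the
    ip6tables FORWARD policy (text in `ip6tables -S` format)."""
    findings = []
    if sysctl_value.strip() != "1":
        findings.append("net.ipv6.conf.all.forwarding is not 1")
    rules = [line.strip() for line in ip6tables_rules.splitlines()]
    accepts = [r for r in rules
               if r.startswith("-A FORWARD") and r.endswith("-j ACCEPT")]
    if "-P FORWARD DROP" in rules and not accepts:
        findings.append("FORWARD policy is DROP and no rule accepts traffic")
    return findings

# The two addressing schemes from the page.
ORIGINAL = {"HE gateway": "2001:470:a:ed::1", "svr1 v6": "2001:470:a:ed::2",
            "srv1-tap": "2001:470:a:ed::20", "laptop-tap": "2001:470:a:ed::99"}
CORRECTED = {"HE gateway": "2001:470:a:ed::1", "svr1 v6": "2001:470:a:ed::2",
             "srv1-tap": "2001:470:b:ed::1", "laptop-tap": "2001:470:b:ed::2"}
# Constructed sample of `ip6tables -S` output, not taken from the page.
SAMPLE_RULES = "-P INPUT ACCEPT\n-P FORWARD DROP\n-P OUTPUT ACCEPT\n"

if __name__ == "__main__":
    print("original :", misplaced_addresses(ORIGINAL))
    print("corrected:", misplaced_addresses(CORRECTED))
    print("svr1     :", forwarding_findings("0\n", SAMPLE_RULES))
```

On a real router the inputs would come from `sysctl -n net.ipv6.conf.all.forwarding` and `ip6tables -S`.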