Ipv6 Tunnelbroker with openvpn not forwarding ip

pagan · July 8, 2023, 7:52am

Hi Everybody.
As guessed I am new to openWrt.

I wanted to use a system which is lightweight, fast and simple.
Now I am struggling with the basics.
After a few hours of forum and internet research and a few dozens of attempts I am coming to seek for help in the forum.
I started once again with more or less virgin system.
Things done:
-Installed system with openvpn.
-set up openvpn which running

Goals to achieve:
-Getting br-lan ready to distribute ipv6 addresses to the clients to go through the openvpn tunnel.
-Do not provide ipv4 addresses to the br-lan for the client

Here are my configuration so far. No changes to route so far.

root@OpenWrt:~# ifconfig -a
br-lan    Link encap:Ethernet  HWaddr B2:3D:8A:1D:F9:FF  
          inet addr:10.20.0.50  Bcast:10.20.255.255  Mask:255.255.0.0
          inet6 addr: fde7:ac8a:9390::1/60 Scope:Global
          inet6 addr: fe80::b03d:8aff:fe1d:f9ff/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7361 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4989 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:643714 (628.6 KiB)  TX bytes:22458045 (21.4 MiB)

eth0      Link encap:Ethernet  HWaddr B2:3D:8A:1D:F9:FF  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7407 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4997 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:758356 (740.5 KiB)  TX bytes:22460647 (21.4 MiB)

eth1      Link encap:Ethernet  HWaddr 12:53:93:B5:56:B0  
          inet addr:192.168.2.47  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::1053:93ff:feb5:56b0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2728 errors:0 dropped:0 overruns:0 frame:0
          TX packets:798 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3199192 (3.0 MiB)  TX bytes:72783 (71.0 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:313 errors:0 dropped:0 overruns:0 frame:0
          TX packets:313 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:33043 (32.2 KiB)  TX bytes:33043 (32.2 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.9  P-t-P:10.8.0.9  Mask:255.255.255.0
          inet6 addr: AAAA:BBBB:CCCC:babb::EEEE:::2/80 Scope:Global
          inet6 addr: fe80::f4b:355f:4dc3:35e3/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:0 (0.0 B)  TX bytes:304 (304.0 B)

ping6 openwrt.org
PING openwrt.org (2a03:b0c0:3:d0::1af1:1): 56 data bytes
64 bytes from 2a03:b0c0:3:d0::1af1:1: seq=0 ttl=57 time=21.432 ms

uci show openvpn
openvpn.6project_bridge=openvpn
openvpn.6project_bridge.dh='dh1024.pem'
openvpn.6project_bridge.float='1'
openvpn.6project_bridge.client='1'
openvpn.6project_bridge.reneg_sec='0'
openvpn.6project_bridge.verb='3'
openvpn.6project_bridge.persist_key='1'
openvpn.6project_bridge.nobind='1'
openvpn.6project_bridge.remote_cert_tls='server'
openvpn.6project_bridge.remote='tb.6project.org'
openvpn.6project_bridge.ca='/etc/openvpn/eothain-ca.crt'
openvpn.6project_bridge.cert='/etc/openvpn/eothain-cert.crt'
openvpn.6project_bridge.key='/etc/openvpn/eothain-key.key'
openvpn.6project_bridge.cipher='AES-256-CBC'
openvpn.6project_bridge.ns_cert_type='server'
openvpn.6project_bridge.dev='tun'
openvpn.6project_bridge.persist_tun='1'
openvpn.6project_bridge.port='19000'
openvpn.6project_bridge.proto='udp'
openvpn.6project_bridge.enabled='1'
openvpn.6project_bridge.comp_lzo='adaptive'


cat firewall 
config defaults
	option syn_flood	1
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT

Every help is appreciated

And I have only this /80 address block.

Thank you in advance

NPeca75 · July 8, 2023, 8:35am

Hi

so you have no other choice, you need to masqerade ipv6 traffic from your LAN to OVPN

something like

config zone
        option name 'ovpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'ovpn'
        option masq6 '1'

it must be entered from ssh, because option masq6 '1' does not exist in LuCI
inet6 addr: fde7:ac8a:9390::1/60 Scope:Global
and this need to be /64

... and you need to install

opkg update
opkg install kmod-nf-nat6

suppose you are running OWRT with nftables

hope this will help you

mk24 · July 8, 2023, 2:48pm

Yes a /80 is not standard. The minimum size of a routable block is supposed to be /64. SLAAC requires the prefix be /64. I don't think that the DHCP server supports issuing IPs from a block smaller than /64 (and even if it did, clients like Android that don't support DHCPv6 will not use it).

Also (as standards suggest) clients do not consider a ULA to be IP6 connectivity to the Internet. You will need to own a separate GUA /64 or make up a phony one to issue to clients, then NAT6 them into the VPN.

pagan · July 12, 2023, 7:08pm

Hi there.

Thank you very much. As it seems, IPv6 is a quite messed up protocol.

I was able to achieve my goal with route46.org. There I got a /64 and a /56 address range. With wireguard it was possible to advertise IPs to the clients.
Since I have only *nix systems in my vlan, other systems are not of interest (for the moment at least).

Thanks to the community.

system · July 22, 2023, 7:08pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.