OpenVPN IPv6 over IPv4 tunnel
- by user66779
Today I installed OpenVPN 2.3rc2 on both my windows 7 client machine and centos 6 server. This new version of OpenVPN provides full compatibility for IPv6.
The Problem: I am currently able to connect to the server (through the IPv4 tunnel) and ping the IPv6 address which is assigned to my client and I can also ping the tun0 interface on the server. However, I cannot browse to any IPv6 websites.
My vps provider has given me this:
2607:f840:0044:0022:0000:0000:0000:0000/64 is routed to this server (2607:f840:0:3f:0:0:0:eda).
This is ifconfig after setup with OpenVPN running:
eth0 Link encap:Ethernet HWaddr 00:16:3E:12:77:54
inet addr:208.111.39.160 Bcast:208.111.39.255 Mask:255.255.255.0
inet6 addr: 2607:f740:0:3f::eda/64 Scope:Global
inet6 addr: fe80::216:3eff:fe12:7754/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2317253 errors:0 dropped:7263 overruns:0 frame:0
TX packets:1977414 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1696120096 (1.5 GiB) TX bytes:1735352992 (1.6 GiB)
Interrupt:29
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
inet6 addr: 2607:f740:44:22::1/64 Scope:Global
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:739567 errors:0 dropped:0 overruns:0 frame:0
TX packets:1218240 errors:0 dropped:1542 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:46512557 (44.3 MiB) TX bytes:1559930874 (1.4 GiB)
So OpenVPN is sucessfully creating a tun0 interface and assigning clients IPv6 addresses using 2607:f840:44:22::/64. The first client to connect is getting 2607:f840:44:22::1000 and the second 2607:f840:44:22::1001, and so on... plus 1 each time.
After connecting as the first client, I can ping from my windows client machine 2607:f740:44:22::1 and 2607:f740:44:22::1000. However, I have no access to IPv6 websites. I believe the problem is that the tun0 IPv6 addressees are not being forwarded to the eth0 interface.
This is the firewall running on the server:
#!/bin/sh
#
# iptables configuration script
#
# Flush all current rules from iptables
#
iptables -F
iptables -t nat -F
#
# Allow SSH connections on tcp port 22
#
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -j ACCEPT
#
# Set access for localhost
#
iptables -A INPUT -i lo -j ACCEPT
#
# Accept connections on 1195 for vpn access from client
#
iptables -A INPUT -i eth0 -p udp --dport 1195 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --sport 1195 -m state --state ESTABLISHED -j ACCEPT
#
# Apply forwarding for OpenVPN Tunneling
#
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 209.111.39.160
iptables -A FORWARD -j REJECT
#
# Enable forwarding
#
echo 1 > /proc/sys/net/ipv4/ip_forward
#
# Set default policies for INPUT, FORWARD and OUTPUT chains
#
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
#
# IPv6
#
IP6TABLES=/sbin/ip6tables
$IP6TABLES -F INPUT
$IP6TABLES -F FORWARD
$IP6TABLES -F OUTPUT
echo -n "1" >/proc/sys/net/ipv6/conf/all/forwarding
echo -n "1" >/proc/sys/net/ipv6/conf/all/proxy_ndp
echo -n "0" >/proc/sys/net/ipv6/conf/all/autoconf
echo -n "0" >/proc/sys/net/ipv6/conf/all/accept_ra
$IP6TABLES -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IP6TABLES -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
$IP6TABLES -A INPUT -i eth0 -p icmpv6 -j ACCEPT
$IP6TABLES -P INPUT ACCEPT
$IP6TABLES -P FORWARD ACCEPT
$IP6TABLES -P OUTPUT ACCEPT
Server.conf:
server-ipv6 2607:f840:44:22::/64
server 10.8.0.0 255.255.255.0
port 1195
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 60
tls-auth ta.key 0
cipher AES-256-CBC
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 5
Client.conf:
client
dev tun
nobind
keepalive 10 60
hand-window 15
remote 209.111.39.160 1195 udp
persist-key
persist-tun
ca ca.crt
key client1.key
cert client1.crt
remote-cert-tls server
tls-auth ta.key 1
comp-lzo
verb 3
cipher AES-256-CBC
I'm not sure where I am going wrong, it could be the firewall, or something missing from server or client.conf. This version of OpenVPN was only released yesterday, and there's little info on the internet about how to setup an IPv6 over IPv4 vpn tunnel. I've read the manual for this new version of OpenVPN (parts pertaining to IPv6) and it provides very little info too.
Thanks for any help.