[eduVPN-deploy] NDP problems using public IPv6

Pascal Panneels pascal.panneels at belnet.be
Mon Sep 12 10:52:50 CEST 2022


Hi François, all,

I'm facing a problem in my setup at the IPv6 level on one of our customer's
eduVPN servers:

My setup uses a Debian 11 server (using the latest eduVPN 3.0.5-1) with a
public IPv6 address and no NAT.
On my server, the following settings are activated in the kernel:

net.ipv4.ip_forward = 1
net.ipv4.conf.all.proxy_arp = 1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.proxy_ndp = 1

The problem is that the VPN connections that receive a public IPv6
address don't receive the Neighbor Solicitations (and are thus unable
to answer with a Neighbor Advertisement).

I was able to manually "solve" the problem by proxying the address in
the kernel using :

ip -6 neigh add proxy <the IPv6 address of the VPN's client> dev eth1

Of course, the problem is that you cannot prefill the kernel table with
all the IPv6 addresses (it takes time and resources and is completely
inefficient) - remember that you cannot use a prefix/length syntax in
the "neigh add proxy" command, only a single IPv6 address at a time.

I've tried to replace kernel proxying with the ndppd daemon, but while the
daemon can see the requests, it cannot answer them; apparently, it
uses relatively old and unmaintained code and doesn't work properly
anymore.

The thing I finally tried to use is the trick you set up for
Frank a couple of weeks ago, using the 'connectScriptPath' =>
'/usr/local/bin/addproxy.sh'.

The script (attached) is called correctly, but apparently the "ip -6 neigh
..." command always returns an exit code of 2 (= problem reported by the
kernel).

Any idea what could cause the problem?

Or maybe you have a better idea on how to solve this IPv6 problem?

Wkr,

Pascal

PS: the script follows (our antivirus is blocking mails with attached
scripts)

# ! / b i n / b a s h     <== to fool the antivirus ==>
# script launched by hook to proxy the VPN IPv6 address to dev eth1 to
# permit the ICMPv6 neighbour solicitation and answers to pass
# by Pascal Panneels 20220911
#
# need to be configured in /etc/vpn-user-portal/config.php as 
# 'connectScriptPath' => '/usr/local/bin/addproxy.sh',
echo "script called" > /tmp/script.txt
echo ${VPN_EVENT} >> /tmp/script.txt
echo "[${VPN_IP_SIX}]" >> /tmp/script.txt

case "${VPN_EVENT}" in
"C")
r=`ip -6 neigh add proxy "${VPN_IP_SIX}" dev eth1`
echo "C case called ($?)" >> /tmp/script.txt
;;
"D")
r=`ip -6 neigh del proxy "${VPN_IP_SIX}" dev eth1`
echo "D case called ($?)" >> /tmp/script.txt
;;
esac

exit 0


-- 
Pascal Panneels
System Architect
Belnet - Services
WTC III
Simon Bolivarlaan 30 Boulevard Simon Bolivar
Brussel 1000 Bruxelles
België - Belgique
T: +32 2 790 33 33
https://www.belnet.be
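
An added example, not part of the original message and not eduVPN's own code: a variant of the hook script above that validates VPN_IP_SIX and records the text that `ip` prints on failure, together with its exit status and the uid the hook runs as. The names IFACE and IP_BIN and the syslog tag addproxy are assumptions of this example; VPN_EVENT, VPN_IP_SIX and eth1 are taken from the message.

```sh
#!/bin/sh
# Added example, not eduVPN code. Assumed names: IFACE, IP_BIN, syslog tag.
IFACE="${IFACE:-eth1}"   # interface used in the post
IP_BIN="${IP_BIN:-ip}"   # overridable so the logic can be exercised without root

# Character-level check: hex digits and colons only, at least two colons.
# Rejects empty values, prefix/length forms and shell metacharacters.
is_ipv6_literal() {
    case "$1" in
        ''|*[!0-9A-Fa-f:]*) return 1 ;;
        *:*:*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 = VPN_EVENT (C or D), $2 = VPN_IP_SIX. Prints one log line and returns
# the exit status of ip, so the error text is kept next to the exit code.
proxy_ndp() {
    case "$1" in
        C) action=add ;;
        D) action=del ;;
        *) echo "ignored event '$1'"; return 0 ;;
    esac
    if ! is_ipv6_literal "$2"; then
        echo "rejected address '$2'"
        return 64
    fi
    rc=0
    out=$("$IP_BIN" -6 neigh "$action" proxy "$2" dev "$IFACE" 2>&1) || rc=$?
    echo "uid=$(id -u) neigh $action proxy $2 dev $IFACE rc=$rc $out"
    return "$rc"
}

# Runs only when called as the hook (VPN_EVENT set). Logs to syslog rather
# than a fixed file in /tmp and, like the original, always ends with status 0.
if [ -n "${VPN_EVENT:-}" ]; then
    msg=$(proxy_ndp "$VPN_EVENT" "${VPN_IP_SIX:-}") || true
    logger -t addproxy -- "$msg" || true
fi
```

The resulting syslog line shows the uid the hook ran as and the message behind exit code 2, neither of which the original script writes to its log file.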
