[eduVPN-deploy] NDP problems using public IPv6

Pascal Panneels pascal.panneels at belnet.be
Mon Sep 12 13:49:43 CEST 2022


Hi François,

> > net.ipv4.ip_forward = 1
> > net.ipv4.conf.all.proxy_arp = 1
> > net.ipv6.conf.all.forwarding = 1
> > net.ipv6.conf.all.proxy_ndp = 1
> 
> All that should be needed is the sysctl options that are already set
> in 
> /etc/sysctl.d/70-vpn.conf (by default).

Yes, that's the content of the file (btw, I've added
net.ipv6.conf.all.proxy_ndp = 1 as it is not defined there as standard,
if I remember correctly).

> Do you have a "non-standard" IPv6 deployment on that site?
> 
> The configuration assumes that (just like it would be with IPv4) the 
> IPv6 prefix that is to be assigned to the VPN clients is routed to
> the 
> public IPv6 address of the VPN server by the first router in the path
> (and allow egress from this prefix as well arriving from the VPN 
> server's public IPv6 address).

As you may remember, we are hosting (and managing) VM servers for our
customers; the servers are in our premises and the link with the
customer's networks is (currently) done via a dedicated VLAN that
travels from the customer's router through the BB and terminates on the
eduVPN server. IPv4 and IPv6 addresses are assigned to each end of the
VLAN, one being on the eduVPN server.
The customer gave us a public IPv6 subrange (a /64) from his assigned
range.
I've split his range into several /111s, each assigned to a couple of
VPN profiles.


> Of course, this all assumes that you use a *static* IPv6 address on
> the 
> VPN server and have the routing properly configured in your router.

Static IPv6 addresses are used.
The /64 is routed by the server into the dedicated Ethernet interface
where the VLAN ends (eth1 in the attached file).

> Make sure you update the VPN server firewall to allow the forwarding
> to/from the correct IP ranges and disable NAT there. Even without
> *any* firewall rules on the VPN server it should work, so you can
> temporarily disable the entire firewall to see if that helps

NAT is indeed disabled (no nat table rules are defined).

I've also tested by setting ACCEPT as default policy and ip6tables
flushed (no rule) without any success so far.

The only way I've found to make it work is to issue following command
(for example):

ip -6 neigh add proxy 2001:6a8:2100:136::2:3 dev eth1

After that, 2001:6a8:2100:136::2:3 (= an IPv6 address assigned to a VPN client)
can use the IPv6 network and ping or use any allowed traffic to internal
servers... but I cannot use the new script feature to apply it to
connections being set up. (back to the purpose of my initial mail :-) )

> Can you provide the output of `ip6tables -S` and `ip6tables -S -t
> nat` 
> and `ip -6 addr show`

see attached.

-- 
Pascal Panneels
System Architect
Belnet - Services
WTC III
Simon Bolivarlaan 30 Boulevard Simon Bolivar
Brussel 1000 Bruxelles
België - Belgique
T: +32 2 790 33 33
https://www.belnet.be

root@eduvpn-uhasselt:~# ip6tables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 51820 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 1194:1200 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1194:1200 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o tun+ -j ACCEPT
-A FORWARD -i tun+ -o tun+ -j ACCEPT
-A FORWARD -i wg0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o wg0 -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited

root@eduvpn-uhasselt:~# ip6tables -S -t nat
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT

root@eduvpn-uhasselt:~# ip -6 addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:6a8:a40::107/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::549a:d4ff:feb5:f710/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:6a8:2100:136::2/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::fc87:6aff:feb5:d959/64 scope link 
       valid_lft forever preferred_lft forever
12: tun4: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 500
    inet6 2001:6a8:2100:136::6:1/112 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::1361:9e04:c332:16bf/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever
13: tun5: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 500
    inet6 2001:6a8:2100:136::7:1/112 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::97ef:1827:9c19:fafc/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever
14: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 500
    inet6 2001:6a8:2100:136::2:1/112 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::5965:cfe4:6b5c:3142/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever
15: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 500
    inet6 2001:6a8:2100:136::3:1/112 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::36bf:2f5a:626d:2df2/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever
16: tun2: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 500
    inet6 2001:6a8:2100:136::4:1/112 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::fc1e:75a9:8b5e:3c43/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever
17: tun3: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 500
    inet6 2001:6a8:2100:136::5:1/112 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::47c:df3:71d2:ee0c/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever
18: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 state UNKNOWN qlen 1000
    inet6 fcaf:811b:3b5b:e9c5::1/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fcaf:811b:3b5b:e9c4::1/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fcaf:811b:3b5b:e9c3::1/64 scope global 
       valid_lft forever preferred_lft forever
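The per-connection proxy-NDP bookkeeping described in the message above (one `ip -6 neigh add proxy` per client address when a client connects, and the matching `del` when it disconnects), written out as an added example. This is not code from the thread and not eduVPN's own script feature; it is a stand-alone POSIX shell hook that assumes the on-link interface is eth1 and the customer prefix is 2001:6a8:2100:136::/64, as in the attached `ip -6 addr show` output. The `add|del <address> <dev> <prefix/64>` calling convention and the `IP_CMD` override (useful for dry runs) are this example's own choices. Unlike proxy_arp, proxy_ndp only answers Neighbor Solicitations for addresses listed explicitly, so the entry has to be per address; the script refuses addresses that are not inside the on-link /64, which is why it would reject the ULA addresses on wg0 (fcaf:...), those need NAT or a routed prefix instead.

```shell
#!/bin/sh
# ndp-proxy-hook.sh: add or remove a per-client proxy-NDP entry (added example,
# not eduVPN's own connect/disconnect script).
#
# Usage: ndp-proxy-hook.sh add|del <client-ipv6> <on-link-dev> <on-link-prefix/64>
# e.g.   ndp-proxy-hook.sh add 2001:6a8:2100:136::2:3 eth1 2001:6a8:2100:136::/64
#
# IP_CMD may be overridden with a wrapper (logging, dry run); defaults to ip(8).
IP_CMD="${IP_CMD:-ip}"

# Number of colon-separated groups in a (possibly empty) partial address.
count_groups() {
    [ -n "$1" ] || { echo 0; return; }
    printf '%s\n' "$1" | tr ':' '\n' | wc -l | tr -d ' '
}

# Print the 8 hextets of an IPv6 address, zero-padded, space-separated.
# Handles "::" compression; returns 1 on a malformed address.
expand_ipv6() {
    ea=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$ea" in
        *::*) el="${ea%%::*}"; er="${ea#*::}" ;;
        *)    el="$ea"; er="" ;;
    esac
    enl=$(count_groups "$el")
    enr=$(count_groups "$er")
    emiss=$((8 - enl - enr))
    [ "$emiss" -ge 0 ] || return 1
    case "$ea" in *::*) ;; *) [ "$enl" -eq 8 ] || return 1 ;; esac
    eout=""
    for eg in $(printf '%s' "$el" | tr ':' ' '); do
        while [ ${#eg} -lt 4 ]; do eg="0$eg"; done
        eout="$eout $eg"
    done
    ei=0
    while [ "$ei" -lt "$emiss" ]; do eout="$eout 0000"; ei=$((ei + 1)); done
    for eg in $(printf '%s' "$er" | tr ':' ' '); do
        while [ ${#eg} -lt 4 ]; do eg="0$eg"; done
        eout="$eout $eg"
    done
    printf '%s\n' "${eout# }"
}

# True if ADDR ($1) is inside PREFIX ($2); only /64 prefixes are accepted.
in_prefix64() {
    pp="${2%/64}"
    [ "$pp" != "$2" ] || return 1
    pa=$(expand_ipv6 "$1") || return 1
    pb=$(expand_ipv6 "$pp") || return 1
    [ "$(printf '%s' "$pa" | cut -d' ' -f1-4)" = "$(printf '%s' "$pb" | cut -d' ' -f1-4)" ]
}

# True if ADDR ($1) already has a proxy-NDP entry on DEV ($2).
# Compares expanded forms, since ip(8) prints addresses compressed.
proxy_present() {
    want=$(expand_ipv6 "$1") || return 1
    for have in $("$IP_CMD" -6 neigh show proxy dev "$2" | awk '{ print $1 }'); do
        [ "$(expand_ipv6 "$have")" = "$want" ] && return 0
    done
    return 1
}

# Install the entry for ADDR on DEV, refusing anything outside PREFIX.
# Idempotent: returns 0 if the entry was added or was already there.
add_proxy() {
    addr="$1"; dev="$2"; prefix="$3"
    if ! in_prefix64 "$addr" "$prefix"; then
        echo "refusing to proxy $addr: not inside on-link prefix $prefix" >&2
        return 1
    fi
    proxy_present "$addr" "$dev" && return 0
    "$IP_CMD" -6 neigh add proxy "$addr" dev "$dev"
}

# Remove the entry for ADDR on DEV; a no-op if it is not present.
del_proxy() {
    addr="$1"; dev="$2"
    proxy_present "$addr" "$dev" || return 0
    "$IP_CMD" -6 neigh del proxy "$addr" dev "$dev"
}

main() {
    case "$1" in
        add) add_proxy "$2" "$3" "$4" ;;
        del) del_proxy "$2" "$3" ;;
        *)   echo "usage: $0 add|del <client-ipv6> <dev> <prefix/64>" >&2; return 2 ;;
    esac
}

# Dispatch only when invoked with arguments, so the file can also be sourced.
[ "$#" -eq 0 ] || main "$@"
```

Verify the result with `ip -6 neigh show proxy dev eth1`, which lists every address the server will answer for. Note that the whole mechanism is a workaround for the customer router treating the /64 as on-link: if that router instead routed the /64 (or each /112) to 2001:6a8:2100:136::2, the forwarding rules already in the attached `ip6tables -S` output would suffice and no proxy entries would be needed.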
