[eduVPN-deploy] NDP problems using public IPv6

Pascal Panneels pascal.panneels at belnet.be
Thu Sep 15 13:37:28 CEST 2022


[mail sent once more, attached scripts were blocked by the antivirus]

Hi François,

Well, I've once again passed a few hours scratching my head on it, and
definitively, it cannot work as is even using source routing.

My situation as compared to the one described in your document is a bit
different: there is no NAT implied anymore in the setup.
I've suppressed NAT because our customer had a lot of problems getting
VoIP working (it is a well-known fact that VoIP doesn't work well behind
NAT, and a workaround such as STUN was not possible for him).   I was
using NAT before and it worked perfectly well indeed till the VoIP
problems popped up.

It is impossible in my setup that the VPN clients will be able to
answer any IPv6 solicitation coming from the customer networks,
without NDP proxy on the server itself.

But I've finally found a solution using a couple of bash scripts:

- one launched by the hook "connectScriptPath" that will pass the IPv6
address to next one;
- one launched as a daemon with root privileges to be able to add/del
IPv6 address as neigh proxy for the eth1 connection.
I'm using a netcat 'service' to glue both.

It works now perfectly well.

I've attached both scripts to the mail for people that could be
interested in reusing them.

With kind regards,

Pascal

PS: scripts not attached (filtered out by the antivirus on the
mailserver)


pep at laptop-pep:~/Documents/eduvpn/uhasselt/dedicated-ipv6-scripts$ more addproxy.sh
#!/bin/bash
# script launched by hook to proxy the VPN IPv6 address to dev eth1 to
# permit the ICMPv6 neighbour solicitation and answers to pass
# by Pascal Panneels 20220911
#
# need to be configured in /etc/vpn-user-portal/config.php as
# 'connectScriptPath' => '/usr/local/bin/addproxy.sh',
#
# VPN_EVENT is "C" (connect) or "D" (disconnect); VPN_IP_SIX is the
# client's IPv6 address. Both are set by vpn-user-portal for the hook.
case "${VPN_EVENT}" in
"C")
# following doesn't work as the script is launched by user www-data
# that has not privileges enough
#r=`ip -6 neigh add proxy "${VPN_IP_SIX}" dev eth1`
# hand the request to checkproxy.sh, which listens as root on localhost
echo C "${VPN_IP_SIX}" | nc 127.0.0.1 7373
;;
"D")
# following doesn't work as the script is launched by user www-data
# that has not privileges enough
#r=`ip -6 neigh del proxy "${VPN_IP_SIX}" dev eth1`
echo D "${VPN_IP_SIX}" | nc 127.0.0.1 7373
;;
esac

exit 0



pep at laptop-pep:~/Documents/eduvpn/uhasselt/dedicated-ipv6-scripts$ more checkproxy.sh
#!/bin/bash
#
# Setup the IPv6 NDP proxy addresses
# This is the only way to be able to answer to ICMPv6 Neighbour
# Solicitation requests coming from customer networks
#
# Description:
# The application is launched as root (it is important because the "ip"
# command needs root access to modify the routing tables, otherwise it
# gets an error from the kernel).
# It listens using netcat on localhost, tcp port 7373 to get either a
# Connect for an IP6 or a Disconnect.
# [C]onnect will add the given IP6 to the proxy neighbour table:
# [D]isconnect will remove it.
#
# by Pascal Panneels, Belnet, 20220914
#
# v0.1 : initial version (20220915)
#

# Outer loop restarts the listener should ncat ever exit.
while true; do
    # Each line is "<C|D> <IPv6 address>", as sent by addproxy.sh.
    while IFS= read -r line; do
        cmd="${line:0:1}"
        address="${line:2}"

        # Only accept a bare IPv6 address (hex digits and colons): anything
        # else is dropped before it reaches the root-privileged "ip" command.
        case "$address" in
            ""|*[!0-9A-Fa-f:]*) continue ;;
        esac

        case "$cmd" in
            "C")
                ip -6 neigh add proxy "$address" dev eth1
                ;;
            "D")
                ip -6 neigh del proxy "$address" dev eth1
                ;;
        esac
    done < <( ncat -l 127.0.0.1 7373 --keep-open )
done



root at eduvpn:/etc/systemd/system# more checkproxy.service
[Unit]
Description=Check for eduVPN IPv6 addresses to be set/unset as neigh proxy
After=network.target

[Install]
WantedBy=multi-user.target
WantedBy=network-online.target

[Service]
# systemd option values are case-sensitive: "Simple" and "Always" are
# ignored with a warning, so Restart= would never take effect.
# RemainAfterExit is not needed: the script loops forever and
# Restart=always covers a crash.
Type=simple
ExecStart=/usr/local/bin/checkproxy.sh
TimeoutStartSec=1min
Restart=always




On Tuesday 13 September 2022 at 12:34 +0000, François Kooman wrote:
> On 13.09.22 12:23, Pascal Panneels wrote:
> > Hi François,
> 
> Hi Pascal,
> 
> > hmm, I'm still not convinced how it could help me.
> 
> Where does the VPN client traffic come from and go to? I assume all
> through eth1.
> 
> So you need two default gateways, one for eth0 (the VPN server
> itself) 
> and one for eth1 for all VPN client traffic. This is only possible if
> you use source/policy routing.
> 
> See the SOURCE_ROUTING.md file for how to do this manually to try it
> out 
> and see if that works.
> 
> I think ARP/NDP proxy should not be used at all, seems very much 
> unnecessary as this is a quite simple scenario, solvable with just
> routing.
> 
> Regards,
> François


-- 
Pascal Panneels
System Architect
Belnet - Services
WTC III
Simon Bolivarlaan 30 Boulevard Simon Bolivar
Brussel 1000 Bruxelles
België - Belgique
T: +32 2 790 33 33
https://www.belnet.be
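The design above runs an unauthenticated listener as root and passes whatever arrives on port 7373 straight into the "ip" command. The following bash script is an added example, not one of Pascal's scripts or part of eduVPN, showing the same "C <addr>" / "D <addr>" protocol with the parsing and validation split out into pure functions so they can be checked without root. It keeps the interface and port of the original (eth1, 7373) as assumptions, overridable through the IFACE and PORT environment variables, and it also enables the proxy_ndp sysctl on the interface, which the kernel requires before it will answer Neighbour Solicitations for entries added with "ip -6 neigh add proxy".

```bash
#!/bin/bash
# Added example (not Pascal's script): validating front end for the
# root-privileged "C <addr>" / "D <addr>" requests sent by the connect hook.
# Interface and port are assumptions carried over from the original setup.
IFACE="${IFACE:-eth1}"
PORT="${PORT:-7373}"

# is_ipv6 ADDR: succeed only for a plain IPv6 address (hex digits and
# colons, at most 39 characters, at least two colons). Deliberately strict:
# no zone ids, no prefix lengths, no embedded dotted-quad IPv4.
is_ipv6() {
    local addr="$1"
    [ -n "$addr" ] && [ "${#addr}" -le 39 ] || return 1
    case "$addr" in
        *:*:*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$addr" | grep -Eq '^[0-9A-Fa-f:]+$'
}

# parse_request LINE: print "<add|del> <address>" for a well-formed request,
# print nothing and fail otherwise. Pure function, no privileges needed.
parse_request() {
    local line="$1" cmd addr op
    cmd="${line%% *}"          # text before the first space
    addr="${line#* }"          # text after the first space
    [ "$cmd" != "$line" ] || return 1   # no space at all: malformed
    case "$cmd" in
        C) op=add ;;
        D) op=del ;;
        *) return 1 ;;
    esac
    is_ipv6 "$addr" || return 1
    printf '%s %s\n' "$op" "$addr"
}

# apply_request LINE: run a validated request against the neighbour proxy
# table. Requires root. Rejected lines are logged to syslog, never executed.
apply_request() {
    local req
    req=$(parse_request "$1") || { logger -t ndpproxy "rejected: $1"; return 1; }
    set -- $req                # two validated tokens: operation, address
    ip -6 neigh "$1" proxy "$2" dev "$IFACE"
}

# serve: the listener loop. Without proxy_ndp=1 the kernel stores proxy
# entries but does not answer Neighbour Solicitations for them.
serve() {
    sysctl -q -w "net.ipv6.conf.${IFACE}.proxy_ndp=1"
    while true; do
        while IFS= read -r line; do
            apply_request "$line" || true
        done < <(ncat -l 127.0.0.1 "$PORT" --keep-open)
    done
}

if [ "${1:-}" = "serve" ]; then
    serve
fi
```

Run it as root with the argument "serve" (e.g. from the systemd unit above). The validation limits what a caller can do to adding or removing well-formed addresses; it does not authenticate the caller, so any local process that can reach the loopback port can still manipulate the proxy table. Where that matters, a sudoers rule allowing www-data to run only "ip -6 neigh add proxy" and "ip -6 neigh del proxy" directly from the hook removes the listener altogether.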
