<html><head></head><body><div>Hi François,</div><div><br></div><div>hmm, I'm still not convinced how it could help me.</div><div><br></div><div>The eduvpn server has indeed several network interfaces :</div><div>- eth0 : the default public interface (public IP in v4 and v6) routed to the Internet;</div><div>- eth1 : the VLAN interface connected to customer's router through our backbone;</div><div>- eth2: a management interface (not in use for the moment );</div><div>- tunX: the various logical tun devices for the VPN.</div><div><br></div><div>And the routing <span style="font-size: 14.660252px;">accross all the interfaces </span>on the server looks correct to me, and works, IPv6 aside.</div><div><br></div><div>In IPv4, it works fine since proxy_arp is enabled; thus, finding the Ethernet address of the VPN clients is properly done via the proxy_arp module.</div><div><br></div><div>In IPv6, as ARP concept doesn't exist as is, it relies on ICMPv6 discovery packets to find the local link addresses, and that doesn't work as the neighbor solicitation packets never reach the VPN clients. (thus traffic coming from IPv6 local link addresses ~ fe80::/10 ==> ff02:: to discover the locla link address)</div><div><br></div><div>Here is a tcpdump extract (on the client vpn host (= IPv6 2001:6a8:2100:136::2:a) I'm pinging in v6 2001:6a8:2100:500::3 which is a host in the customer network not publicly available) :</div><div><br></div><div><a href="mailto:root@eduvpn-uhasselt">root@eduvpn-uhasselt</a>:~# tcpdump -i eth1 -n</div><div>tcpdump: verbose output suppressed, use -v[v]... for full protocol decode</div><div>listening on eth1, link-type EN10MB (Ethernet), snapshot length 262144 bytes</div><div>13:31:09.520902 IP6 2001:6a8:2100:136::2:a > 2001:6a8:2100:500::3: ICMP6, echo request, id 14, seq 1, length 64</div><div>13:31:09.523940 IP6 fe80::20d:b4ff:fe0a:8700 > ff02::1:ff02:a: ICMP6, neighbor solicitation, who has 2001:6a8:2100:136::2:a, length 32</div><div>13:31:10.524342 IP6 fe80::20d:b4ff:fe0a:8700 > ff02::1:ff02:a: ICMP6, neighbor solicitation, who has 2001:6a8:2100:136::2:a, length 32</div><div>13:31:10.527612 IP6 2001:6a8:2100:136::2:a > 2001:6a8:2100:500::3: ICMP6, echo request, id 14, seq 2, length 64</div><div>13:31:11.525085 IP6 fe80::20d:b4ff:fe0a:8700 > ff02::1:ff02:a: ICMP6, neighbor solicitation, who has 2001:6a8:2100:136::2:a, length 32</div><div>...</div><div><br></div><div>Thus, I see well the ICMPv6 echo packets coming and sent via the VLAN link to customer's network.</div><div>Right after, I see a packet from the host I'm trying to ping6 sending an ICMPv6 <span style="font-size: 14.660252px;">neighbor solicitation to find the link of the vpn client </span><span style="font-size: 14.660252px;">2001:6a8:2100:136::2:a. </span></div><div>But this packet will never reach the vpn client, and it will thus never get a neigbor advertisement in return.</div><div><br></div><div>But if I use the proxy ndp module and setup it to proxy the address of the vpn host on the eduvpn server, it works :</div><div><br></div><div><a href="mailto:root@eduvpn-uhasselt">root@eduvpn-uhasselt</a>:~# ip -6 neigh add proxy 2001:6a8:2100:136::2:a dev eth1</div><div><br></div><div><a href="mailto:root@eduvpn-uhasselt">root@eduvpn-uhasselt</a>:~# tcpdump -i eth1 -n</div><div>tcpdump: verbose output suppressed, use -v[v]... for full protocol decode</div><div>listening on eth1, link-type EN10MB (Ethernet), snapshot length 262144 bytes</div><div>14:15:39.939854 IP6 2001:6a8:2100:136::2:a > 2001:6a8:2100:500::3: ICMP6, echo request, id 15, seq 1, length 64</div><div>14:15:39.943774 IP6 fe80::20d:b4ff:fe0a:8700 > ff02::1:ff02:a: ICMP6, neighbor solicitation, who has 2001:6a8:2100:136::2:a, length 32</div><div>14:15:40.246520 IP6 fe80::fc87:6aff:feb5:d959 > fe80::20d:b4ff:fe0a:8700: ICMP6, neighbor advertisement, tgt is 2001:6a8:2100:136::2:a, length 32</div><div>14:15:40.249188 IP6 2001:6a8:2100:500::3 > 2001:6a8:2100:136::2:a: ICMP6, echo reply, id 15, seq 1, length 64</div><div>14:15:40.765755 ARP, Reply 10.231.0.1 is-at 00:0d:b4:0a:87:00, length 42</div><div>14:15:40.940029 IP6 2001:6a8:2100:136::2:a > 2001:6a8:2100:500::3: ICMP6, echo request, id 15, seq 2, length 64</div><div>14:15:40.942673 IP6 2001:6a8:2100:500::3 > 2001:6a8:2100:136::2:a: ICMP6, echo reply, id 15, seq 2, length 64</div><div><br></div><div>...and then we are back to my initial question, how to dynamically setup ndp proxy for IPv6 vpn clients addresses ?</div><div><br></div><div>If you say that I could use source routing' stuff to make it work, I'm probably too dumb to see how to set it up. <img src="cid:6feecafaf11716f09257c7ffef9091c71fc37e2f.camel@belnet.be-0" alt=";-)" width="16px" height="16px"></div><div> </div><div>Pascal</div><div><br></div><div>Le Monday 12 September 2022 à 23:52 +0200, François Kooman a écrit :</div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><div>Hi Pascal,<br></div><div><br></div><div>Ah! You have two interfaces with public addresses. You probably have to <br></div><div>do "source routing":<br></div><div><br></div><div><a href="https://github.com/eduvpn/documentation/blob/v3/SOURCE_ROUTING.md">https://github.com/eduvpn/documentation/blob/v3/SOURCE_ROUTING.md</a><br></div><div><br></div><div>The "Making it permanent" still needs to be updated for Debian, didn't <br></div><div>get around to that yet. If you find out how to do that, please me me know :)<br></div><div><br></div><div>Regards,<br></div><div>François<br></div><div><br></div><div><br></div><div>On 12.09.22 13:49, Pascal Panneels wrote:<br></div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><div>Hi François,<br></div><div><br></div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><div>net.ipv4.ip_forward = 1<br></div><div>net.ipv4.conf.all.proxy_arp = 1<br></div><div>net.ipv6.conf.all.forwarding = 1<br></div><div>net.ipv6.conf.all.proxy_ndp = 1<br></div></blockquote><div><br></div><div>All that should be needed is the sysctl options that are already set in<br></div><div>/etc/sysctl.d/70-vpn.conf (by default).<br></div></blockquote><div><br></div><div>Yes that 's the content of the file (btw, I've added <br></div><div>net.ipv6.conf.all.proxy_ndp = 1 as it is not defined there as standard <br></div><div>if I remember well)<br></div><div><br></div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><div>Do you have a "non-standard" IPv6 deployment on that site?<br></div><div><br></div><div>The configuration assumes that (just like it would be with IPv4) the<br></div><div>IPv6 prefix that is to be assigned to the VPN clients is routed to the<br></div><div>public IPv6 address of the VPN server by the first router in the path<br></div><div>(and allow egress from this prefix as well arriving from the VPN<br></div><div>server's public IPv6 address).<br></div></blockquote><div><br></div><div>As you may remember, we are hosting (and managing) VM servers for our <br></div><div>customers; the servers are in our premises and the link with the <br></div><div>customer's networks is (currently) done via a dedicated VLAN that <br></div><div>travels from cusrtomer's router through the BB and terminates on the <br></div><div>eduvpn server. IPv4 and Ipv6 addresses are assigned to each end of the <br></div><div>VLAN, one being on the eduvpn server.<br></div><div>Customer gave us a public IPv6 subrange (a /64) from his assigned range.<br></div><div>I've splitted his range into several /111, each assigned to a couple of <br></div><div>vpn profiles.<br></div><div><br></div><div><br></div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><div>Of course, this all assumes that you use a *static* IPv6 address on the<br></div><div>VPN server and have the routing properly configured in your router.<br></div></blockquote><div><br></div><div>Static IPv6 addresses are used.<br></div><div>the /64 is routed by the server into the dedicated ethernet interface <br></div><div>where the VLAN ends (eth1 in the attached file).<br></div><div><br></div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><div>Make sure you update the VPN server firewall to allow the forwarding<br></div><div>to/from the correct IP ranges and disable NAT there. Even without *any*<br></div><div>firewall rules on the VPN server it should work, so you can temporary<br></div><div>disable the entire firewall to see if that helps<br></div></blockquote><div><br></div><div>NAT is well disabled (not nat table rules defined)<br></div><div><br></div><div>I've also tested by setting ACCEPT as default policy and ip6tables <br></div><div>flushed (no rule) without any success so far.<br></div><div><br></div><div>The only way I've found to make it work is to issue following command <br></div><div>(for example):<br></div><div><br></div><div>ip -6 neigh add proxy 2001:6a8:2100:136::2:3 dev eth1<br></div><div><br></div><div>After that, 2001:6a8:2100:136::2:3 (=an ipv6 assigned to a VPN client) <br></div><div>can use the IPv6 network and ping or use any allowed trafic to internal <br></div><div>servers... but I cannot use the new script feature to apply it to <br></div><div>connections being setup. (back to the purpose of my initial mail :-) )<br></div><div><br></div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><div>Can you provide the output of `ip6tables -S` and `ip6tables -S -t nat`<br></div><div>and `ip -6 addr show`<br></div></blockquote><div><br></div><div>see attached.<br></div><div><br></div><div>-- <br></div><div><br></div><div>*Pascal Panneels*<br></div><div>*System Architect*<br></div><div>*Belnet - Services*<br></div><div>WTC III<br></div><div>Simon Bolivarlaan 30 Boulevard Simon Bolivar<br></div><div>Brussel 1000 Bruxelles<br></div><div>België - Belgique<br></div><div>T: +32 2 790 33 33<br></div><div>*<a href="https://www.belnet.be*">https://www.belnet.be*</a> <<a href="http://www.belnet.be">http://www.belnet.be</a>><br></div><div><br></div></blockquote></blockquote><div><br></div><div><span><pre>-- <br></pre><div><b><font face="Arial, Helvetica, sans-serif" size="4" color="#0092d2">Pascal Panneels</font></b></div><div><font face="Arial, Helvetica, sans-serif" size="4"><b>System Architect</b></font></div><div><font face="Arial, Helvetica, sans-serif" size="4"><b>Belnet - Services</b></font></div><div><font color="#8b8e8d" face="Arial, Helvetica, sans-serif">WTC III</font></div><div><font color="#8b8e8d" face="Arial, Helvetica, sans-serif">Simon Bolivarlaan 30 Boulevard Simon Bolivar</font></div><div><font color="#8b8e8d" face="Arial, Helvetica, sans-serif">Brussel 1000 Bruxelles</font></div><div><font color="#8b8e8d" face="Arial, Helvetica, sans-serif">België - Belgique</font></div><div><font color="#8b8e8d" face="Arial, Helvetica, sans-serif">T: +32 2 790 33 33</font></div><div><a href="http://www.belnet.be"><b><font color="#0092d2" face="Arial, Helvetica, sans-serif">https://www.belnet.be</font></b></a></div><div><br></div></span></div></body></html>