<html><head></head><body><div>[mail sent once more, attached scripts were blocked by the antivirus]</div><div><br></div><div>Hi François,</div><div><br></div><div>Well, I've once again passed a few hours scratching my head on it, and defitively, it cannot work as is even using source routing.</div><div><br></div><div>My situation as compared to the one described in your document is a bit different : there is no NAT implied anymore in the setup. </div><div>I've suppressed NAT because our customer had a lot of problem to have VoIP working (it is a well known fact that VoIP doesn't work well on NAT, and a workaround such as STUN was not possible for him). I was using NAT before and it worked perfectly well indeed till the VoIP problems pop up.</div><div><br></div><div>It is impossible in my setup that the VPN clients will be able to answer any IPv6 sollicitation coming from the customer networks, without ndp proxy on the server itself. </div><div><br></div><div>But I've finally found a solution using a couple of bash scripts :</div><div><br></div><div>- one launched by the hook "connectScriptPath" that will pass the IPv6 address to next one;</div><div>- one launched as a daemon with root privileges to be able to add/del IPv6 address as neigh proxy for the eth1 connection.</div><div>I'm using a netcat 'service' to glue both.</div><div><br></div><div>It works now perfectly well.</div><div><br></div><div>I've attached both scripts to the mail for people that could be interested reusing it.</div><div><br></div><div>With kind regards,</div><div><br></div><div>Pascal</div><div><br></div><div>PS: scripts not attached (filtered out by the antivirus on the mailserver)</div><div><br></div><div><br></div><div><a href="mailto:pep@laptop-pep">pep@laptop-pep</a>:~/Documents/eduvpn/uhasselt/dedicated-ipv6-scripts$ more addproxy.sh </div><div>#!/bin/bash</div><div># script launched by hook to proxy the VPN IPv6 address to dev eth1 to permit the ICMPv6 neighbour solicitation and answers to pass</div><div># by Pascal Panneels 20220911</div><div>#</div><div># need to be configured in /etc/vpn-user-portal/config.php as 'connectScriptPath' => '/usr/local/bin/addproxy.sh',</div><div>#</div><div>case "${VPN_EVENT}" in</div><div> "C")</div><div> # following doesn't work as the script is launched by user www-data that has not privileges enough</div><div> #r=`ip -6 neigh add proxy "${VPN_IP_SIX}" dev eth1`</div><div> echo C "${VPN_IP_SIX}"|nc 127.0.0.1 7373 </div><div> ;;</div><div> "D")</div><div> # following doesn't work as the script is launched by user www-data that has not privileges enough</div><div> #r=`ip -6 neigh del proxy "${VPN_IP_SIX}" dev eth1`</div><div> echo D "${VPN_IP_SIX}"|nc 127.0.0.1 7373 </div><div> ;;</div><div>esac</div><div><br></div><div>exit 0</div><div><br></div><div><br></div><div><br></div><div><a href="mailto:pep@laptop-pep">pep@laptop-pep</a>:~/Documents/eduvpn/uhasselt/dedicated-ipv6-scripts$ more checkproxy.sh </div><div>#!/bin/bash</div><div>#</div><div># Setup the IPv6 NDP proxy addresses</div><div># This is the only way to be able to answer to ICMPv6 Neighbour Sollicitation requests coming from customer networks</div><div>#</div><div># Description:</div><div># The application is launched as root (it is important because "ip" command needs root access to modify the routing tables, otherwise it gets error from the kernel).</div><div># It listen using netcat on localhost, tcp port 7373 to get either a Connect for an IP6 or a Disconnect.</div><div># [C]onnect will add the given IP6 to the proxy neighbour table: [D]isconnect will remove it.</div><div>#</div><div># by Pascal Pannnels, Belnet, 20220914</div><div>#</div><div># v0.1 : initial version (20220915)</div><div>#</div><div><br></div><div>while ( true ); do</div><div>while read line; do</div><div> cmd="${line:0:1}"</div><div> address="${line:2}"</div><div><br></div><div> case $cmd in</div><div> "C")</div><div> ip -6 neigh add proxy $address dev eth1</div><div> ;;</div><div> "D")</div><div> ip -6 neigh del proxy $address dev eth1</div><div> ;;</div><div> esac</div><div>done < <( ncat -l 127.0.0.1 7373 --keep-open )</div><div>done</div><div><br></div><div><br></div><div><br></div><div><a href="mailto:root@eduvpn-uhasselt">root@eduvpn</a>:/etc/systemd/system# more checkproxy.service </div><div>[Unit]</div><div>Description=Check for eduVPN IPv6 addresses to be set/unset as neigh proxy</div><div>After=network.target </div><div><br></div><div>[Install]</div><div>WantedBy=multi-user.target</div><div>WantedBy=network-online.target</div><div><br></div><div>[Service]</div><div>Type=Simple</div><div>ExecStart=/usr/local/bin/checkproxy.sh</div><div>RemainAfterExit=true</div><div>TimeoutStartSec=1min</div><div>Restart=Always</div><div><br></div><div><br></div><div><br></div><div><br></div><div>Le Tuesday 13 September 2022 à 12:34 +0000, François Kooman a écrit :</div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><div>On 13.09.22 12:23, Pascal Panneels wrote:<br></div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><div>Hi François,<br></div></blockquote><div><br></div><div>Hi Pascal,<br></div><div><br></div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><div>hmm, I'm still not convinced how it could help me.<br></div></blockquote><div><br></div><div>Where do the VPN client traffic come from go to? I assume all through eth1.<br></div><div><br></div><div>So you need two default gateways, one for eth0 (the VPN server itself) <br></div><div>and one for eth1 for all VPN client traffic. This is only possible if <br></div><div>you use source/policy routing.<br></div><div><br></div><div>See the SOURCE_ROUTING.md file for how to do this manually to try it out <br></div><div>and see if that works.<br></div><div><br></div><div>I think ARP/NDP proxy should not be used at all, seems very much <br></div><div>unnecessary as this is a quite simple scenario, solvable with just routing.<br></div><div><br></div><div>Regards,<br></div><div>François<br></div></blockquote><div><br></div><div><span><pre></pre></span></div><div><br></div><div><span><pre>-- <br></pre><div><b><font face="Arial, Helvetica, sans-serif" size="4" color="#0092d2">Pascal Panneels</font></b></div><div><font face="Arial, Helvetica, sans-serif" size="4"><b>System Architect</b></font></div><div><font face="Arial, Helvetica, sans-serif" size="4"><b>Belnet - Services</b></font></div><div><font color="#8b8e8d" face="Arial, Helvetica, sans-serif">WTC III</font></div><div><font color="#8b8e8d" face="Arial, Helvetica, sans-serif">Simon Bolivarlaan 30 Boulevard Simon Bolivar</font></div><div><font color="#8b8e8d" face="Arial, Helvetica, sans-serif">Brussel 1000 Bruxelles</font></div><div><font color="#8b8e8d" face="Arial, Helvetica, sans-serif">België - Belgique</font></div><div><font color="#8b8e8d" face="Arial, Helvetica, sans-serif">T: +32 2 790 33 33</font></div><div><a href="http://www.belnet.be"><b><font color="#0092d2" face="Arial, Helvetica, sans-serif">https://www.belnet.be</font></b></a></div><div><br></div></span></div></body></html>