RRAS SSTP VPN IPv6 traffic is not able to be routed through server

Question

I have a Windows Server 2012 R2 Essentials box which is configured with the basic RRAS VPN functionality, it isn't configured as a router, this functionality is not enabled and my R2 Essentials box doesn't have the DHCP role installed (I have a gateway router to handle DHCP), it is however a DNS server as its configured as an Active Directory server.

I've noticed that when using the VPN through SSTP and other protocols, the IPv6 connectivity is broken. Clients get an IPv6 address as per the assigned prefix, but after the first hop from a tracert, it is unroutable and cannot get to the outside, so my server is not handling the IPv6 traffic properly.

My IPv6 connectivity is provided by Hurricane Electric (tunnel), this is configured at the router level with the /64 provided and dynamically pushed to clients on the LAN via radvd. On the box itself, I have disabled auto-configuration and setup IPv6 manually. IPv6 connectivity of the box itself is working fine.

When configuring IPv6 in RRAS the following are all enabled:

IPv6 Remote Access Server [checked]
Enable IPv6 Forwarding [checked]
Enable Default Route Advertisement [checked]

The IPv6 prefix assigned is the /64 provided by Hurricane Electric, I am unsure if this is correct or not, seems its already configured at router level.

I do have a /48 which is not currently used and may be suitable here.

IPv4 traffic is forwarded no problem and a tracert shows the traffic can pass through, this VPN issues are limited to IPv6.

It doesn't appear to be a firewall issue as I've tested with it disabled.

I can post any route/IP information required to help solve the issue. I would appreciate any pointers/additional help on solving this IPv6 connectivity issue with my RRAS VPN.

The /64 is just one subnet, so it's unlikely you will be able to use this for your VPN. Have HE route you a /48 over the tunnel. — Michael Hampton, Aug 12 '15 at 20:42
Yes. I do have a /48 also. It is not configured anywhere currently — James White, Aug 12 '15 at 20:43

score 1 · Accepted Answer · edited Apr 13 '17 at 12:14

I managed to resolve this. It turns out someone else had a similar question:

IPv6 with IPv4 over RRAS SSTP VPN from Client that only has IPv4 access

Turns out its because the client doesn't have a properly configured route back to the VPN with IPv6, so the traffic has no where to go. I needed to add a static route at the router level. I changed my RRAS prefix to another /64 different from the LAN (I carved one out of my /48 instead).

I then added a static route on my DD-WRT router and placed this in the rc_startup:

ip -6 route add [RRAS IPv6 Prefix]::/64 via [RRAS LAN Server IPv6 Address] dev br0

I didn't enable any routing on RRAS, only forwarding and IPv6 Remote Access. I checked all the boxes on the IPv6 tab.

The traffic can then pass through the RRAS server and through my router which is the gateway.

RRAS SSTP VPN IPv6 traffic is not able to be routed through server

1 Answers1