I have a Fedora server running OpenVPN. The VPN in tun mode is reachable via IPv4 and IPv6 and successfully routes all IPv4 traffic through the OpenVPN server. But routing IPv6 traffic is not working. Any advice? Here is my setup:
IPv6 addresses of server interfaces:
ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet6 MYPREFIX::/65 scope global
       valid_lft forever preferred_lft forever
tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    inet6 MYPREFIX:8000::1/65 scope global
       valid_lft forever preferred_lft forever
The part of the server config I consider relevant:
port 1194 # actually, I use another port
proto udp6
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
server-ipv6 MYPREFIX:8000::/65
push "redirect-gateway def1 bypass-dhcp"
push "route-ipv6 2000::/3"
push "dhcp-option DNS 8.8.8.8"
persist-key
persist-tun
It seems some proper routes arrive at the client:
$ ip -6 r
CLIENT_ISP_NET::/64 dev wlp3s0 proto ra metric 600 pref medium
CLIENT_ISP_NET::/56 via fe80::HOME_AP dev wlp3s0 proto ra metric 600 pref medium
MYPREFIX:: via fe80::HOME_AP dev wlp3s0 proto static metric 600 pref medium
MYPREFIX:8000::1 dev tun0 proto kernel metric 256 pref medium
MYPREFIX:8000::/65 dev tun0 proto kernel metric 256 pref medium
2000::/3 via MYPREFIX:8000::1 dev tun0 proto static metric 50 pref medium
fe80::HOME_AP dev wlp3s0 proto static metric 600 pref medium
fe80::/64 dev wlp3s0 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
default dev tun0 proto static metric 50 pref medium
default via fe80::HOME_AP dev wlp3s0 proto static metric 600 pref medium
But ping -6 google.de or curl -L6 google.de blocks and nothing happens.
After I did sysctl -w net.ipv6.conf.all.forwarding=1 on the server, ping behavior remained the same while curl gives curl: (7) Failed to connect to google.de port 80: Permission denied.
My current bet is that something is wrong with the firewall setup, but I don't know. The firewall in use is firewalld (default on Fedora). For IPv4 I enabled masquerading, so firewalld configured all the forwarding automatically. For IPv6 it is different since there is no masquerading going on. Certain direct iptables rules from several blog posts did not help so far. Don't know where the problem is.
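
The addressing plan shown in the post can be checked offline. The following is an added example, not code from the original post: it uses 2001:db8:1:2:: as a constructed stand-in for MYPREFIX and assumes the provider's router treats the whole /64 as on-link on ens3, in which case return traffic for VPN clients needs proxy NDP or a routed prefix independently of any firewall rule. The function names and finding labels are hypothetical.

```python
import ipaddress

# Constructed sample: 2001:db8:1:2:: stands in for MYPREFIX (documentation prefix).
SERVER_CONF = '''\
server 10.8.0.0 255.255.255.0
server-ipv6 2001:db8:1:2:8000::/65
push "redirect-gateway def1 bypass-dhcp"
push "route-ipv6 2000::/3"
'''
UPLINK = "2001:db8:1:2::/65"   # ens3 address/prefix, mirroring the post
ONLINK_LEN = 64                # assumption: provider router treats the /64 as on-link

def parse_conf(text):
    """Return (server-ipv6 network, list of pushed route-ipv6 networks)."""
    vpn_net, routes = None, []
    for line in text.splitlines():
        words = line.split("#", 1)[0].replace('"', " ").split()
        if words[:1] == ["server-ipv6"] and len(words) > 1:
            vpn_net = ipaddress.IPv6Network(words[1])
        elif words[:2] == ["push", "route-ipv6"] and len(words) > 2:
            routes.append(ipaddress.IPv6Network(words[2]))
    return vpn_net, routes

def audit(conf_text, uplink_addr, onlink_len):
    """Return hypothetical finding labels for the IPv6 address plan."""
    vpn_net, routes = parse_conf(conf_text)
    if vpn_net is None:
        return ["no-server-ipv6"]
    uplink = ipaddress.IPv6Interface(uplink_addr)
    onlink = ipaddress.IPv6Network(f"{uplink.ip}/{onlink_len}", strict=False)
    findings = []
    if vpn_net.overlaps(uplink.network):
        # The same addresses are claimed on ens3 and tun0: routing is ambiguous.
        findings.append("vpn-overlaps-uplink")
    elif vpn_net.subnet_of(onlink):
        # Upstream router sends neighbor solicitations for client addresses on
        # ens3; the server must answer them (proxy NDP) or get the prefix routed.
        findings.append("needs-ndp-proxy-or-routed-prefix")
    if not routes:
        findings.append("no-ipv6-route-pushed")
    elif any(uplink.ip in r for r in routes):
        # The client needs a host route to the server that stays outside the tunnel.
        findings.append("endpoint-inside-pushed-route")
    return findings

if __name__ == "__main__":
    print(audit(SERVER_CONF, UPLINK, ONLINK_LEN))
```

With the values mirrored from the post, the second finding corresponds to the host route for MYPREFIX:: via the home gateway that already appears in the client's routing table.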