I have the following setup:
- remote server that has a static IPv6 /64
- local (for now) IPv4 only home network with a server
- IPv4 OpenVPN connection that tunnels the upper half of IPv6 /64 as /65 between the two servers
Thanks to the tunnel my server can now connect successfully to the internet via IPv6 but I cannot get dnsmasq to provide my other devices with IPv6.
Here is the relevant part of my /etc/dnsmasq.conf:
except-interface=tun0
# pick up prefix from tun0
dhcp-range=::2,::500,constructor:tun0,slaac, 12h
enable-ra
# try to force advertisement on br0
ra-param=br0,30
When starting dnsmasq I get the following output (I translated it to English and left out parts that are not about IPv6/router advertisement):
Compile options: IPv6 GNU-getopt DBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify dumpfile
DHCP, IP-range 192.168.0.2 -- 192.168.0.100, Lease time 12h
DHCPv6, IP-range ::2 -- ::500, Lease Time 12h, template for tun0
Router-Advertisment on tun0
IPv6-Router-Advertisement enabled
By default the br0 interface only has a link-local address and none from the range used by dnsmasq. However, even after giving it an address from this range, the advertisement is still only reported for tun0.
How do I get dnsmasq to do advertisement via br0?
The redacted IP addresses are
remote Server:
eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
inet xx.xx.xx.xx brd xx.xx.xx.xx scope global eth0
valid_lft forever preferred_lft forever
inet6 2a01:xxxx:xxxx:xxxx::1/64 scope global deprecated
valid_lft forever preferred_lft 0sec
inet6 fe80::xxxx:xx:xxxx:xxxx/64 scope link
valid_lft forever preferred_lft forever
tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
valid_lft forever preferred_lft forever
inet6 2a01:xxxx:xxxx:xxxx:8000::1/65 scope global
valid_lft forever preferred_lft forever
inet6 fe80::xxxx:xx:xxxx:xxxx/64 scope link stable-privacy
valid_lft forever preferred_lft forever
On my local server
br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
inet 192.168.0.1/24 brd 192.168.0.255 scope global br0
valid_lft forever preferred_lft forever
inet6 2a01:xxxx:xxxx:xxxx:8000::500/65 scope global
valid_lft forever preferred_lft forever
inet6 fe80::xx:xxxx:xxxx:xxxx/64 scope link
valid_lft forever preferred_lft forever
tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0
valid_lft forever preferred_lft forever
inet6 2a01:xxxx:xxxx:xxxx:8000::1000/65 scope global
valid_lft forever preferred_lft forever
inet6 fe80::xxxx:xxxx:xxxx/64 scope link stable-privacy
valid_lft forever preferred_lft forever
The 64-bit prefix is the same for all 2a01 addresses.
EDIT
I tried the following settings from grawity's answer:
On the remote server: /etc/openvpn/server.conf
server-ipv6 fc00::/96
# use low metric to override existing route
route-ipv6 2a01:xxx:xxxx:xxxx::/64 ::1 1
# enable routing to remote on local server
push "route-ipv6 2a01:xxxx:xxxx:xxxx::1/128 ::1 1"
$ ip addr
eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 96:00:00:27:b7:14 brd ff:ff:ff:ff:ff:ff
inet xx.xx.xx.xx brd 116.202.98.219 scope global eth0
valid_lft forever preferred_lft forever
inet6 2a01:xxxx:xxxx:xxxx::1/64 scope global deprecated
valid_lft forever preferred_lft 0sec
inet6 fe80::xxxx:xxxx:xxxx:xxxx/64 scope link
valid_lft forever preferred_lft forever
tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
valid_lft forever preferred_lft forever
inet6 fc00::1/96 scope global
valid_lft forever preferred_lft forever
inet6 fe80::xxxx:xxxx:xxxx:xxxx/64 scope link stable-privacy
valid_lft forever preferred_lft forever
$ ip -6 route
2a01:xxxx:xxxx:xxxx::/64 dev tun0 metric 1 pref medium
2a01:xxxx:xxxx:xxxx::/64 dev eth0 proto kernel metric 256 pref medium
fc00::/96 dev tun0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 metric 1024 pref medium
On my local server: /etc/dnsmasq.conf
# start with 3 to avoid assigning the remote eth0 and local br0 addresses
dhcp-range=::3,constructor:br0,slaac, 12h
enable-ra
$ ip addr
br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 0c:c4:7a:02:09:cc brd ff:ff:ff:ff:ff:ff
inet 192.168.0.1/24 brd 192.168.0.255 scope global br0
valid_lft forever preferred_lft forever
inet6 2a01:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:9cc/64 scope global dynamic mngtmpaddr noprefixroute
valid_lft 6930sec preferred_lft 6930sec
inet6 2a01:xxxx:xxxx:xxxx::2/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::xxxx:xxxx:xxxx:xxxx/64 scope link
valid_lft forever preferred_lft forever
tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0
valid_lft forever preferred_lft forever
inet6 fc00::1000/96 scope global
valid_lft forever preferred_lft forever
inet6 fe80::xxxx:xxxx:xxxx:xxxx/64 scope link stable-privacy
valid_lft forever preferred_lft forever
$ ip -6 route
::1 dev lo proto kernel metric 256 pref medium
2a01:xxxx:xxxx:xxxx::1 dev tun0 metric 1024 pref medium
2a01:xxxx:xxxx:xxxx::/64 dev br0 proto kernel metric 256 pref medium
2a01:xxxx:xxxx:xxxx::/64 dev br0 proto ra metric 1024 expires 6243sec pref medium
fc00::/96 dev tun0 proto kernel metric 256 pref medium
fe80::/64 dev br0 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
default dev tun0 metric 1024 pref medium
Using this config my LAN devices get an IPv6 address from 2a01:xxxx:xxxx:xxxx/64. I can successfully ping these addresses within my LAN but the crossing of the tunnel seems to be broken:
Having the following IPs:
- Remote Server eth0 2a01:xxxx:xxxx:xxxx::1
- Remote Server tun0 fc00::1
- Local Server br0 2a01:xxxx:xxxx:xxxx::2
- Local Server tun0 fc00::1000
From remote server I can ping all but the 3rd (local server br0). From local server I can ping all. From my LAN I can ping all local but no remote.
So half of it seems to work. Additionally, I could verify that all traffic for 2a01:xxx:xxxx:xxxx/64 is routed to eth0 on remote via tcpdump on remote and ping from another IPv6 host.
Exactly what addresses (or rather, what prefixes and prefix lengths) are you assigning to br0 and tun0? That part seems a bit suspicious. (Would be great if you provided the actual ip -6 addr output.) – user1686 – 2019-06-06T04:38:18.273
Additionally: Does the server have a /64 routed to it, or does it have a /64 available on-link? (If it's on-link, are you already using something like proxy_ndp on the server?) – user1686 – 2019-06-06T04:49:51.837
@grawity I am not sure what you mean. I posted the ip addr output above and have the /64 on eth0. I am not aware of proxy_ndp so I assume I don't use it. – Nobody – 2019-06-06T07:18:22.603
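An added example, not part of the original question or comments: a Python check over `ip -o -6 addr` output that reports two properties of an address layout, a LAN prefix that is not a /64 (SLAAC clients ignore it) and one prefix being on-link on more than one interface. The sample lines are constructed from the two layouts in the question, with the documentation prefix 2001:db8:0:1::/64 standing in for the redacted /64; `parse` and `audit` are hypothetical names.

```python
import ipaddress
from collections import defaultdict

# Constructed `ip -o -6 addr` output for the local server. The redacted
# 2a01:... /64 is replaced by the documentation prefix 2001:db8:0:1::/64.
FIRST_LAYOUT = """\
3: br0    inet6 2001:db8:0:1:8000::500/65 scope global
3: br0    inet6 fe80::1/64 scope link
5: tun0    inet6 2001:db8:0:1:8000::1000/65 scope global
5: tun0    inet6 fe80::2/64 scope link stable-privacy
"""
EDITED_LAYOUT = """\
3: br0    inet6 2001:db8:0:1::2/64 scope global
5: tun0    inet6 fc00::1000/96 scope global
"""

def parse(text):
    """Yield (ifname, IPv6Interface) for every non-link-local address."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "inet6":
            continue
        addr = ipaddress.IPv6Interface(fields[3])
        if not addr.ip.is_link_local:
            yield fields[1], addr

def audit(text, lan_if="br0"):
    """Return findings that stop SLAAC on lan_if or make routing ambiguous."""
    findings = []
    by_prefix = defaultdict(set)
    for ifname, addr in parse(text):
        by_prefix[addr.network].add(ifname)
        # RFC 4862: hosts ignore a prefix unless prefix length plus the 64-bit
        # interface identifier adds up to 128, i.e. the prefix must be a /64.
        if ifname == lan_if and addr.network.prefixlen != 64:
            findings.append(f"{ifname}: {addr.network} is not a /64, SLAAC clients will ignore it")
    for net, ifs in by_prefix.items():
        if len(ifs) > 1:
            findings.append(f"{net} is on-link on {', '.join(sorted(ifs))}: connected routes overlap")
    return findings

if __name__ == "__main__":
    for name, layout in (("first", FIRST_LAYOUT), ("edited", EDITED_LAYOUT)):
        print(name, audit(layout) or "no findings")
```

On a live host the same function can be fed the real output of `ip -o -6 addr`; it only inspects addressing and says nothing about forwarding or neighbour discovery on the remote side.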