
   ballen: anyone setup openvpn to tunnel ipv6 before?
   ***: ballen has quit IRC (Read error: 104 (Connection reset by peer))
   <br> ballen has joined #arpnetworks
   up_the_irons: <u>ballen</u>: I haven't done openvpn w/ ipv6 tunnel, but if you get it working, let me know how you did it; i've been interested in doing the same thing on my laptop
   ballen: yea
   <br> so there appears to be two ways
   <br> one routed + tunnled
   up_the_irons: i c
   ballen: second bridged, setting up like your laptop is on the same net, run router advertiser, etc
   <br> and if you want ipv4 on the same vpn you'd need to run dhcp as well
   <br> openvpn supports ipv6 nativly in option 2
   <br> natively*
   <br> as the vpn is running at layer 2 instead of 3
   <br> not sure which way I'll go with
   <br> I can't get my vps to route my /64 subnet off the box, doing option 1
   up_the_irons: i'd probably go with routed, if i had the choice
   ballen: yea
   <br> you just have to use connection/disconnection scripts
   up_the_irons: i c
   ballen: to setup the tunnel
   <br> routes, etc
   <br> kinda annoying
   up_the_irons: yeah
   ballen: basing my work so far on: http://www.zagbot.com/openvpn_ipv6_tunnel.html
   up_the_irons: but if you think about it, that's how you connect to the regular internet too, with scripts that set up your IPs and routes and such.  It is just so transparent / automatic these days
   ballen: yea its just less elegant when deploying clients
   up_the_irons: oh i think i get that guy is saying..
   <br> i never did the tunnel mode b/c I generally never have a static IP on my laptop
   <br> but with OpenVPN, you get a static
   <br> and then can tunnel *over that*
   ballen: ## Server ##
   <br> ifconfig gif0 create
   <br> ifconfig gif0 tunnel 10.8.0.1 10.8.0.6
   <br> ifconfig gif0 inet6 2607:f2f8:1100:6::1/64
   <br> route add -inet6 2607:f2f8:1100:6::/64 2607:f2f8:1100:6::2
   <br> ## Client ##
   <br> ifconfig gif0 create
   <br> ifconfig gif0 tunnel 10.8.0.6 10.8.0.1
   <br> ifconfig gif0 inet6 2607:f2f8:1100:6::2/64
   <br> thats basically what I have so far
   up_the_irons: yeah, and gif0 is OpenVPN independent, but I assume 10.8.0.x is either end of your OpenVPN tunnel
   ballen: right
   <br> .6 is the client
   <br> .1 the server
   obsidieth: i would be real interested to see this work
   ballen: with that setup, I can ping 2607:f2f8:1100::2, but not 2607:f2f8:1100::1
   <br> from my laptop
   up_the_irons: <u>ballen</u>: your server needs a route back to your client
   <br> although i think you have that covered above with 'route add ...'
   ballen: 2607:f2f8:1100:6::/64             2607:f2f8:1100:6::2           UGS        gif0
   up_the_irons: <u>ballen</u>: can you ping 2607:f2f8:1100::2 from your server?
   ballen: yea thats my local address
   up_the_irons: <u>ballen</u>: and your server is 2607:f2f8:1100::1.  So you can ping your client from the server, but not the other way around?
   ballen: 2607:f2f8:1100::1 is your router (ARP Network)
   <br> 2607:f2f8:1100:6::1 is my server's address on the tunnel
   <br> 2607:f2f8:1100:6::2 is my laptop's address on the tunnel
   up_the_irons: <u>ballen</u>: sorry, i meant to put the ':6::' in there
   ballen: heh k
   <br> so I can ping from my laptop to :6::1
   <br> ::2
   <br> but not ::1
   <br> so I can't get out to ARP
   <br> current routes:
   <br> 2607:f2f8:1100::/48               link#1                        UC          em0
   <br> 2607:f2f8:1100::1                 52:54:00:27:90:07             UHLW        em0
   <br> 2607:f2f8:1100::2                 52:54:00:27:21:15             UHL         lo0
   <br> 2607:f2f8:1100:6::/64             2607:f2f8:1100:6::2           UGS        gif0
   <br> 2607:f2f8:1100:6::1               link#4                        UHL         lo0
   obsidieth: so em0
   ballen: em0 is public interface
   bigs: lol
   -: bigs smacks obsidieth
   ballen: let me connect back to the vpn, brb
   ***: ballen_ has joined #arpnetworks
   <br> ballen has quit IRC (Nick collision from services.)
   <br> ballen_ is now known as ballen
   ballen: k back
   up_the_irons: <u>ballen</u>: so you can ping :6::2 from the server and :6::1 from the client, yes?
   ***: up_the_irons changes topic to: On tonight's show, we bring you IPv6 tunnels over OpenVPN
   ballen: one sec
   <br> k
   <br> <u>up_the_irons</u>: yes both those work
   up_the_irons: <u>ballen</u>: what's the output of:
   <br> sysctl net.inet6.ip6.forwarding
   ballen: 1
   up_the_irons: if it's "0", that's the problem
   <br> OK
   <br> cool
   ballen: :-) yea already checked that one
   up_the_irons: :)
   ballen: also on the laptop: default                                 2607:f2f8:1100:6::1             UGSc       gif0
   up_the_irons: <u>ballen</u>: run this on your server:
   <br> sudo tcpdump -ni em0 ip6
   <br> <u>ballen</u>: then ping from client to server, see where it is going
   ballen: one sec change default route
   <br> changing
   <br> http://pastie.org/592053
   <br> thats a ping to the server's gateway
   <br> that fails
   -: up_the_irons ponders
   ballen: net.inet6.ip6.fw.enable: 1 ?
   <br> nvm
   up_the_irons: this is what I see on my router: http://pastie.org/private/3eg31jycv4ch9ct39unheq
   ballen: [root@arp /etc/rc.d]# ndp -a
   <br> Neighbor                             Linklayer Address  Netif Expire    S Flags
   <br> 2607:f2f8:1100::1                    52:54:0:27:90:7      em0 expired   R R
   <br> 2607:f2f8:1100::2                    52:54:0:27:21:15     em0 permanent R
   <br> 2607:f2f8:1100:6::1                  (incomplete)        gif0 permanent R
   <br> 2607:f2f8:1100:6::2                  (incomplete)        gif0 expired   D
   up_the_irons: <u>ballen</u>: that's from your server?
   ballen: yea
   <br> ndp -a
   obsidieth: radvd
   ballen: rtadvd?
   up_the_irons: on my router I have:
   <br> ndp -a | grep 2607:f2f8:1100
   <br> 2607:f2f8:1100::1                    52:54:0:27:90:7   vlan115 permanent R
   <br> 2607:f2f8:1100::2                    52:54:0:27:21:15  vlan115 23h59m11s S R
   <br> 2607:f2f8:1100:6::2                  (incomplete)      vlan115 1s        I  1
   ballen: wonder what will happen if I make a proxy ndp entry
   <br> so in ipv4 basically the arp router would have to know about my new subnet
   <br> but I assume in ipv6 there's an automagically way of doing this?
   up_the_irons: <u>ballen</u>: in IPv4, ARP's router wouldn't need to know about any smaller subnets, it just sees the aggregate
   ballen: ah right, I was thinking if I made up a new subnet
   up_the_irons: <u>ballen</u>: if you made a completely new subnet (say you had a subnet from another provider), then yes, I'd have to put in a static route to you (simplest case), or we run some routing protocol (rip, ospf, bgp, etc...).
   ballen: right
   <br> alright will work on this more later, need to sleep
   up_the_irons: <u>ballen</u>: now, IPv6 brought with it a boatload of smaller protocols, one of which is this solicited-node multicast thing from which my router wants a reply
   <br> <u>ballen</u>: ok, l8r
   ballen: any idea how to get my server to give a reply
   up_the_irons: <u>ballen</u>: not really; but i'm going to investigate
   ballen: cool
   <br> might be the gif tunnel
   <br> but who knows, be on tomorrow
   <br> later
   ***: ballen is now known as ballen|away
   up_the_irons: ballen|away: when you're back, make sure your gif0 tunnel forwards multicast traffic
   ***: ConquerorX has joined #arpnetworks
   up_the_irons: Welcome ConquerorX
   <br> ballen|away: OK, check this out:
   <br> On my router, if I do:
   <br> s3.lax:~> sudo route add -inet6 -net 2607:f2f8:1100:6:: -prefixlen 56 2607:f2f8:1100::2
   <br> add net 2607:f2f8:1100:6::: gateway 2607:f2f8:1100::2
   <br> Now I can ping your laptop:
   <br> s3.lax:~> ping6 2607:f2f8:1100:6::2
   <br> PING6(56=40+8+8 bytes) 2607:f2f8:1100::1 --> 2607:f2f8:1100:6::2
   <br> 16 bytes from 2607:f2f8:1100:6::2, icmp_seq=0 hlim=63 time=94.476 ms
   <br> 16 bytes from 2607:f2f8:1100:6::2, icmp_seq=1 hlim=63 time=87.624 ms
   <br> 16 bytes from 2607:f2f8:1100:6::2, icmp_seq=2 hlim=63 time=104.49 ms
   <br> ^C
   <br> --- 2607:f2f8:1100:6::2 ping6 statistics ---
   <br> 3 packets transmitted, 3 packets received, 0.0% packet loss
   <br> round-trip min/avg/max/std-dev = 87.624/95.530/104.490/6.926 ms
   <br> ballen|away: So, this is what is going on, it helps to think about it like IPv4, and it makes sense --
   <br> I'm routing a /48 to you.  From my router's POV, that /48 is one huge subnet, it doesn't know about anything beyond its neighbor (your VPS).
   <br> If that /48 were in IPv4 (let's say it is a /24), anything I ping behind it would generate an "arp who-has" packet
   <br> b/c the router sees that subnet as directly connected, and it is trying to ARP the host belonging the IP I'm pinging
   <br> if there are subnets beyond that block, my router wouldn't know about it, and it would rely on static routes, or rip, or ospf, or bgp, etc... like i noted above, to find out about those routes
   <br> (err, subnets)
   <br> Now, IPv6 doesn't have ARP
   <br> It has ND
   <br> (neighbor discovery)
   <br> which is kinda like ARP on steroids
   <br> It can find information not only about directly connected neighbors (like ARP), but also about subnets beyond them
   <br> this is why, when my router got an ICMP from your laptop, it saw the return address as 2607:f2f8:6::2, and didn't have this in its ND table (would be ARP cache in IPv4)
   <br> so it sends out that "ND who has" packet (neighbor solicitation)
   <br> I'm not seeing the corresponding "ND tgt is" packet (neighbor advertisement) from your laptop
   <br> and so the ND table isn't updated, therefore the ICMP reply can't be sent to you
   <br> &lt;phew...&gt;
   <br> I hope that made sense
   <br> was pretty educational for me having to deduce it all ;)
   <br> why your laptop isn't sending the neighbor advertisement back is unknown at this time; perhaps it doesn't even see the solicitation.  if you tcpdump both your VPS and your laptop, you'll see which side is not propagating the ND packets over the tunnel
   <br> <u>ConquerorX</u>: how's it goin'
   <br> <u>Qsource</u>: you around
   <br> ballen|away: also, when you're back, try a speed test on your OpenVPN connection; you should be getting way more than 6 megs; i made some adjustments
   obsidieth: im going to have to give this a try soon, ive always wondered if you can set up a vpn without X to do it
   up_the_irons: yeah
   ***: heavysixer has quit IRC ()
   obsidieth: ive got a question if you're still here
   ***: heavysixer has joined #arpnetworks
   <br> ballen|away has quit IRC (Read error: 60 (Operation timed out))
   <br> ballen has joined #arpnetworks
   <br> ConquerorX has quit IRC ()
   <br> ballen_ has joined #arpnetworks
   <br> ballen has quit IRC (Nick collision from services.)
   <br> ballen_ is now known as ballen
   <br> ballen is now known as ballen|away
   <br> vtoms has joined #arpnetworks
   <br> vtoms has quit IRC ("Leaving.")
   <br> ballen|away is now known as ballen
   ballen: <u>up_the_irons</u>: so my laptop doesn't get the solicitation from your router
   <br> appears the VPS isn't forwarding it
   up_the_irons: <u>ballen</u>: do you see the solicitation on your VPS (destined to your laptop) ?
   ballen: 15:19:42.584527 IP6 2607:f2f8:1100::1 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has 2607:f2f8:1100:6::2, length 32
   up_the_irons: <u>ballen</u>: and did you see my rather large explanation after you went |away?
   ballen: yep
   <br> thats from a dump listening on em0
   up_the_irons: yeah
   <br> now see, I don't know enough about ND yet to know who is supposed to respond to the solicitation, your VPS or your laptop
   ballen: yea no idea either
   <br> its not making it to the gif0 on the VPS, and obviously not to the laptop's gif0
   up_the_irons: it sends it to a IPv6 multicast group (ff02::1:ff00:2:), so multicast has to be functioning for this to work, have no idea about that and OpenVPN
   <br> <u>ballen</u>: so gif0 isn't becoming part of the multicast group
   ballen: I would assume not
   up_the_irons: <u>obsidieth</u>: you had a question b4?
   <br> it's all here: http://tools.ietf.org/html/rfc2461
   <br> from the introduction, it would appear your VPS (the directly attached neighbor) would respond to the ND
   ballen: yea it seems that would be the logical thing
   <br> there is such thing is a Neighbor Proxy
   up_the_irons: i c
   ballen: http://www.man9.org/bsd/8/ndp.html
   <br> If the word proxy
   <br> is given, this system will act as a proxy NDP server, responding
   <br> to requests for hostname even though the host address is not its
   <br> own.
   <br> holy shat it works
   up_the_irons: <u>ballen</u>: give it a try
   ballen: ndp -s 2607:f2f8:1100:6::2 52:54:0:27:21:15 proxy
   up_the_irons: oh
   <br> really??
   ballen: which is the VPS's linklayer address btw
   up_the_irons: right
   ballen: not sure what else to put there
   up_the_irons: so can u ping?
   ballen: ping6 2607:f2f8:1100::1
   <br> PING6(56=40+8+8 bytes) 2607:f2f8:1100:6::2 --> 2607:f2f8:1100::1
   <br> 16 bytes from 2607:f2f8:1100::1, icmp_seq=0 hlim=63 time=99.082 ms
   <br> 16 bytes from 2607:f2f8:1100::1, icmp_seq=1 hlim=63 time=93.322 ms
   up_the_irons: PING6(56=40+8+8 bytes) 2607:f2f8:1100::1 --> 2607:f2f8:1100:6::2
   <br> 16 bytes from 2607:f2f8:1100:6::2, icmp_seq=0 hlim=63 time=91.046 ms
   <br> 16 bytes from 2607:f2f8:1100:6::2, icmp_seq=1 hlim=63 time=99.93 ms
   <br> :)
   ballen: woot
   up_the_irons: w00t
   <br> $ ndp -a | grep 2607:f2f8:1100
   <br> 2607:f2f8:1100::1                    52:54:0:27:90:7   vlan115 permanent R
   <br> 2607:f2f8:1100::2                    52:54:0:27:21:15  vlan115 23h59m21s S R
   ballen: so you need to make sure you delete the ndp entry before hand as well
   up_the_irons: 2607:f2f8:1100:6::2                  52:54:0:27:21:15  vlan115 9s        R R
   <br> ^^ now my router sees the :6::2 entry
   ballen: otherwise ndp will bitch
   up_the_irons: delete what ndp entry?
   <br> it already has one for :6::2, just not proxy?
   ballen: ndp -d 2607:f2f8:1100:6::2
   <br> yep
   up_the_irons: ah
   ballen: the incomplete entry
   up_the_irons: gotcha
   <br> i wonder why your VPS sees the :6::2 as incomplete
   ballen: likely because gif has not mac address
   <br> no*
   up_the_irons: see, this is probably the source of the prob...  it *should* see :6::2
   <br> b/c it is directly connected
   ballen: right
   up_the_irons: OOH, no MAC
   <br> yeah, there is something funny going on w/ gif0
   <br> I bet you don't even need gif0
   <br> is gif the 6to4 tunnel int?
   <br> why not a regular sit?
   <br> b/c at this point, you don't need a tunnel
   <br> i mean, 6to4 tunnel
   ballen: hmm
   up_the_irons: you're on the native IPv6 Internet
   ballen: does sit exist on FreeBSD?
   up_the_irons: not sure
   ballen: I couldn't find it
   <br> also laptop is a mac
   <br> which has gif
   <br> but yea gif is tunneling 6 over 4
   up_the_irons: looks like gif is a generic tunneling interface (man gif)
   ballen: as openvpn doesn't support native v6 over tun adapater
   <br> yea
   <br> adapter*
   up_the_irons: ok gotcha, openvpn is the limitation
   ballen: woot, laptop can ping www.kame.net
   <br> and i have a dancing turtle
   up_the_irons: hahhaa
   <br> that's pretty cool
   ballen: kinda dumb that is basically IPv4 -> SSL Tunnel -> IPv4 Tunnel -> IPv6
   <br> lots of tunnels
   up_the_irons: right
   ballen: mtu is down to 1280
   <br> at that point
   up_the_irons: right
   ballen: now to make this dynamic on vpn connection
   up_the_irons: <u>ballen</u>: so what does the inet6 routing table look like on your laptop now?
   ballen: http://pastie.org/private/ef0faj3k6yg5hhcgqgw4q
   up_the_irons: this is the first time I've seen a major difference between IPv4 and IPv6 routing / subnetting.  In IPv4, you wouldn't have been able to subnet your block without us having a /30 PtoP and then running a routing protocol
   <br> so 2 blocks per node, at least
   ballen: ignore 2607:f2f8:1100::f1ab:2, thats from previous attempts
   up_the_irons: I remember reading one of the goals of IPv6 was to be like "one block per node, at that's it, never need more"
   ballen: yea
   <br> its pretty nifty
   up_the_irons: so I give you a /48, and my router can work with subnets within your /48 w/o a routing protocol, it just kinda works
   <br> very nifty
   <br> cool routing table, so you use the other end of your tunnel as default gateway for ipv6
   ballen: yep
   up_the_irons: nice
   ballen: aww can't assign a gif interface a mac address lame
   up_the_irons: sucks
   ballen: ya
   up_the_irons: food time
   ballen: k
   ***: ballen has quit IRC (Read error: 60 (Operation timed out))
   <br> heavysixer has quit IRC ()
   <br> vtoms has joined #arpnetworks
   <br> ballen has joined #arpnetworks
   <br> ballen has quit IRC (Client Quit)
   <br> ballen has joined #arpnetworks
   <br> vtoms has quit IRC ("Leaving.")
   ballen: freenode over the v6 tubes woot
   ***: ballen is now known as ballen|away
   <br> ballen|away is now known as ballen
   <br> ballen is now known as ballen|away
   <br> vtoms has joined #arpnetworks
   <br> heavysixer has joined #arpnetworks
   <br> vtoms has quit IRC ("Leaving.")
   obsidieth: <u>up_the_irons</u>: i was wondering how reverse dns works for the ip block
   <br> i heard of some vps's having a panel/webgui for it.
   ***: ballen|away is now known as ballen
   <br> vtoms has joined #arpnetworks
   <br> vtoms has quit IRC (Client Quit)
   <br> heavysixer has quit IRC ()
   <br> timburke has quit IRC ("leaving")
   <br> timburke has joined #arpnetworks
   <br> ballen has quit IRC (Read error: 60 (Operation timed out))
   <br> ballen has joined #arpnetworks
   <br> ballen has quit IRC (Read error: 60 (Operation timed out))
   <br> ballen has joined #arpnetworks
   ballen: anyone know of a mail service that has smtp servers on ipv6
   obsidieth: beats me
   ballen: want to test sending email to my sever over ipv6
   <br> and none of the big webmail providers have ipv6 setup
   obsidieth: ive never considered trying.
   <br> would it actually have any advantages?
   ballen: no idea
   <br> just being able to be assessable by other ipv6 connected people/servers
   <br> accessible*
   <br> just turned on v6 on all my daemons
   <br> so my two websites, imap, and smtp all can be reached via my ipv6 address
   <br> and added AAAA records for the various domains
   obsidieth: nais
   <br> im thinking i might try something similar soon.
   ballen: so a /48 is 1,208,925,819,614,629,174,706,176 addresses
   <br> seems a smidge overkill
   obsidieth: haha
   <br> i currently have a /48 and /64 on my home box.
   -: obsidieth crunches numbers
   ballen: /64 is 18,446,744,073,709,551,616
   obsidieth: 1.20894427 × 10^24
   <br> bleh, hard to paste.
   ballen: yea
   <br> gonna burn through ipv6 address space in no time
   <br> it would be nice to totally do away with NAT though
   obsidieth: over 100 million for every square foot of the earth's
   <br> well, 1500 or something.
   ballen: heh
   obsidieth: still, lots
   ballen: lots and lots
   <br> I ended up getting the openvpn setup working
   <br> kinda a hack though
   <br> likely would work better with linux and sit interface instead of gif
   obsidieth: nice
   <br> i might save the scrollback and review when i give it a shot
   ballen: I ended up needing to add a static proxy entry in the server's ndp table for the new subnet
   <br> sometime in here I'll get all the configs together and write a post
   <br> if you want them jost me know in mean time
   <br> just*
   <br> its fairly specific to a freebsd server and mac os x client
   <br> but should be adaptable
   obsidieth: i would only need the freebsd server part most likely.
   <br> maybe that wont be as difficult.
   ballen: whatever your client is would need to support the gif driver
   <br> to work with how I'm tunneling the traffic
   -: obsidieth shrugs
   ballen: oh someone has to have a freaking smtp server in v6
   <br> lmao, http://www.prujem.cz/ IPv6 porn and movies server
   obsidieth: Alert!: Unable to connect to remote host.
   <br> :(
   ballen: lol
   <br> IPv6 only
   obsidieth: eh, i can ping it
   <br> maybe lynx doesnt ipv6 without some set up
   ballen: not sure
   ***: ballen has quit IRC (Read error: 60 (Operation timed out))