ballen: anyone setup openvpn to tunnel ipv6 before? ***: ballen has quit IRC (Read error: 104 (Connection reset by peer))
ballen has joined #arpnetworks up_the_irons: ballen: I haven't done openvpn w/ ipv6 tunnel, but if you get it working, let me know how you did it; i've been interested in doing the same thing on my laptop ballen: yea
so there appears to be two ways
one routed + tunnled up_the_irons: i c ballen: second bridged, setting up like your laptop is on the same net, run router advertiser, etc
and if you want ipv4 on the same vpn you'd need to run dhcp as well
openvpn supports ipv6 nativly in option 2
natively*
as the vpn is running at layer 2 instead of 3
not sure which way I'll go with
I can't get my vps to route my /64 subnet off the box, doing option 1 up_the_irons: i'd probably go with routed, if i had the choice ballen: yea
you just have to use connection/disconnection scripts up_the_irons: i c ballen: to setup the tunnel
routes, etc
kinda annoying up_the_irons: yeah ballen: basing my work so far on: http://www.zagbot.com/openvpn_ipv6_tunnel.html up_the_irons: but if you think about it, that's how you connect to the regular internet too, with scripts that set up your IPs and routes and such. It is just so tranparent / automatic these days ballen: yea its just less elegant when deploying clients up_the_irons: oh i think i get that guy is saying..
i never did the tunnel mode b/c I generally never have a static IP on my laptop
but with OpenVPN, you get a static
and then can tunnel *over that* ballen: ## Server ##
ifconfig gif0 create
ifconfig gif0 tunnel 10.8.0.1 10.8.0.6
ifconfig gif0 inet6 2607:f2f8:1100:6::1/64
route add -inet6 2607:f2f8:1100:6::/64 2607:f2f8:1100:6::2
## Client ##
ifconfig gif0 create
ifconfig gif0 tunnel 10.8.0.6 10.8.0.1
ifconfig gif0 inet6 2607:f2f8:1100:6::2/64
thats basically what I have so far up_the_irons: yeah, and gif0 is OpenVPN independent, but I assume 10.8.0.x is either end of your OpenVPN tunnel ballen: right
.6 is the client
.1 the server obsidieth: i would be real interested to see this work ballen: with that setup, I can ping 2607:f2f8:1100::2, but not 2607:f2f8:1100::1
from my laptop up_the_irons: ballen: your server needs a route back to your client
although i think you have that covered above with 'route add ...' ballen: 2607:f2f8:1100:6::/64 2607:f2f8:1100:6::2 UGS gif0 up_the_irons: ballen: can you ping 2607:f2f8:1100::2 from your server? ballen: yea thats my local address up_the_irons: ballen: and your server is 2607:f2f8:1100::1. So you can ping your client from the server, but not the other way around? ballen: 2607:f2f8:1100::1 is your router (ARP Network)
2607:f2f8:1100:6::1 is my server's address on the tunnel
2607:f2f8:1100:6::2 is my laptop's address on the tunnel up_the_irons: ballen: sorry, i meant to put the ':6::' in there ballen: heh k
so I can ping from my laptop to :6::1
::2
but not ::1
so I can't get out to ARP
current routes:
2607:f2f8:1100::/48 link#1 UC em0
2607:f2f8:1100::1 52:54:00:27:90:07 UHLW em0
2607:f2f8:1100::2 52:54:00:27:21:15 UHL lo0
2607:f2f8:1100:6::/64 2607:f2f8:1100:6::2 UGS gif0
2607:f2f8:1100:6::1 link#4 UHL lo0 obsidieth: so em0 ballen: em0 is public interface bigs: lol -: bigs smacks obsidieth ballen: let me connect back to the vpn, brb ***: ballen_ has joined #arpnetworks
ballen has quit IRC (Nick collision from services.)
ballen_ is now known as ballen ballen: k back up_the_irons: ballen: so you can ping :6::2 from the server and :6::1 from the client, yes? ***: up_the_irons changes topic to: On tonight's show, we bring you IPv6 tunnels over OpenVPN ballen: one sec
k
up_the_irons: yes both those work up_the_irons: ballen: what's the output of:
sysctl net.inet6.ip6.forwarding ballen: 1 up_the_irons: if it's "0", that's the problem
OK
cool ballen: :-) yea already checked that one up_the_irons: :) ballen: also on the laptop: default 2607:f2f8:1100:6::1 UGSc gif0 up_the_irons: ballen: run this on your server:
sudo tcpdump -ni em0 ip6
ballen: then ping from client to server, see where it is going ballen: one sec change default route
changing
http://pastie.org/592053
thats a ping to the server's gateway
that fails -: up_the_irons ponders ballen: net.inet6.ip6.fw.enable: 1 ?
nvm up_the_irons: this is what I see on my router: http://pastie.org/private/3eg31jycv4ch9ct39unheq ballen: [root@arp /etc/rc.d]# ndp -a
Neighbor Linklayer Address Netif Expire S Flags
2607:f2f8:1100::1 52:54:0:27:90:7 em0 expired R R
2607:f2f8:1100::2 52:54:0:27:21:15 em0 permanent R
2607:f2f8:1100:6::1 (incomplete) gif0 permanent R
2607:f2f8:1100:6::2 (incomplete) gif0 expired D up_the_irons: ballen: that's from your server? ballen: yea
ndp -a obsidieth: radvd ballen: rtadvd? up_the_irons: on my router I have:
ndp -a | grep 2607:f2f8:1100
2607:f2f8:1100::1 52:54:0:27:90:7 vlan115 permanent R
2607:f2f8:1100::2 52:54:0:27:21:15 vlan115 23h59m11s S R
2607:f2f8:1100:6::2 (incomplete) vlan115 1s I 1 ballen: wonder what will happen if I make a proxy ndp entry
so in ipv4 basically the arp router would have to know about my new subnet
but I assume in ipv6 there's an automagically way of doing this? up_the_irons: ballen: in IPv4, ARP's router wouldn't need to know about any smaller subnets, it just sees the aggregate ballen: ah right, I was thinking if I made up a new subnet up_the_irons: ballen: if you made a completely new subnet (say you had a subnet from another provider), then yes, I'd have to put in a static route to you (simplest case), or we run some routing protocal (rip, ospf, bgp, etc...). ballen: right
alright will work on this more later, need to sleep up_the_irons: ballen: now, IPv6 brought with in a boat load of smaller protocols, one of which is this solicited-node multicast thing from which my router wants a reply
ballen: ok, l8r ballen: any idea how to get my server to give a reply up_the_irons: ballen: not really; but i'm going to investigate ballen: cool
might be the gif tunnel
but who knows, be on tomorrow
later ***: ballen is now known as ballen|away up_the_irons: ballen|away: when you're back, make sure your gif0 tunnel forwards multicast traffic ***: ConquerorX has joined #arpnetworks up_the_irons: Welcome ConquerorX
ballen|away: OK, check this out:
On my router, if I do:
s3.lax:~> sudo route add -inet6 -net 2607:f2f8:1100:6:: -prefixlen 56 2607:f2f8:1100::2
add net 2607:f2f8:1100:6::: gateway 2607:f2f8:1100::2
Now I can ping your laptop:
s3.lax:~> ping6 2607:f2f8:1100:6::2
PING6(56=40+8+8 bytes) 2607:f2f8:1100::1 --> 2607:f2f8:1100:6::2
16 bytes from 2607:f2f8:1100:6::2, icmp_seq=0 hlim=63 time=94.476 ms
16 bytes from 2607:f2f8:1100:6::2, icmp_seq=1 hlim=63 time=87.624 ms
16 bytes from 2607:f2f8:1100:6::2, icmp_seq=2 hlim=63 time=104.49 ms
^C
--- 2607:f2f8:1100:6::2 ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 87.624/95.530/104.490/6.926 ms
ballen|away: So, this is what is going on, it helps to think about it like IPv4, and it makes sense --
I'm routing a /48 to you. From my router's POV, that /48 is one huge subnet, it doesn't know about anything beyond its neighbor (your VPS).
If that /48 were in IPv4 (let's say it is a /24), anything I ping behind it would generate an "arp who-has" packet
b/c the router sees that subnet as directly connected, and it is trying to ARP the host belonging the IP I'm pinging
if there are subnets beyond that block, my router wouldn't know about it, and it would rely on static routes, or rip, or ospf, or bgp, etc... like i noted above, to find out about those routes
(err, subnets)
Now, IPv6 doesn't have ARP
It has ND
(neighbor discovery)
which is kinda like ARP on steroids
It can find information not only about directly connected neighbors (like ARP), but also about subnets beyond them
this is why, when my router got an ICMP from your laptop, it saw the return address as 2607:f2f8:6::2, and didn't have this in its ND table (would be ARP cache in IPv4)
so it sends out that "ND who has" packet (neighbor solicitation)
I'm not seeing the corresponding "ND tgt is" packet (neighbor advertisment) from your laptop
and so the ND table isn't updated, therefore the ICMP reply can't be sent to you
<phew...>
I hope that made sense
was pretty educational for me having to deduce it all ;)
why your laptop isn't sending the neighbor advertisement back is unknown at this time; perhaps it doesn't even see the solicitation. if you tcpdump both your VPS and your laptop, you'll see which side is not propagating the ND packets over the tunnel
ConquerorX: how's it goin'
Qsource: you around
ballen|away: also, when you're back, try a speed test on your OpenVPN connection; you should be getting way more than 6 megs; i made some adjustments obsidieth: im going to have to give this a try soon, ive always wondered if you can ste up a vpn without X to do it up_the_irons: yeah ***: heavysixer has quit IRC () obsidieth: ive got a question if you're still here ***: heavysixer has joined #arpnetworks
ballen|away has quit IRC (Read error: 60 (Operation timed out))
ballen has joined #arpnetworks
ConquerorX has quit IRC ()
ballen_ has joined #arpnetworks
ballen has quit IRC (Nick collision from services.)
ballen_ is now known as ballen
ballen is now known as ballen|away
vtoms has joined #arpnetworks
vtoms has quit IRC ("Leaving.")
ballen|away is now known as ballen ballen: up_the_irons: so my laptop doesn't get the solicitation from your router
appears the VPS isn't forwarding it up_the_irons: ballen: do you see the solicitation on your VPS (destined to your laptop) ? ballen: 15:19:42.584527 IP6 2607:f2f8:1100::1 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has 2607:f2f8:1100:6::2, length 32 up_the_irons: ballen: and did you see my rather large explanation after you went |away? ballen: yep
thats from a dump listening on em0 up_the_irons: yeah
now see, I don't know anough about ND yet to know who is supposed to respond to the solicitation, your VPS or your laptop ballen: yea no idea either
its not making it to the gif0 on the VPS, and obviously not to the laptop's gif0 up_the_irons: it sends it to a IPv6 multicast group (ff02::1:ff00:2:), so multicast has to be functioning for this to work, have no idea about that and OpenVPN
ballen: so gif0 isn't becoming part of the multicast group ballen: I would assume not up_the_irons: obsidieth: you had a question b4?
it's all here: http://tools.ietf.org/html/rfc2461
from the introduction, it would appear your VPS (the directly attached neighbor) would respond to the ND ballen: yea it seems that would be the logical thing
there is such thing is a Neighbor Proxy up_the_irons: i c ballen: http://www.man9.org/bsd/8/ndp.html
If the word proxy
is given, this system will act as a proxy NDP server, responding
to requests for hostname even though the host address is not its
own.
holy shat it works up_the_irons: ballen: give it a try ballen: ndp -s 2607:f2f8:1100:6::2 52:54:0:27:21:15 proxy up_the_irons: oh
really?? ballen: which is the VPS's linklayer address btw up_the_irons: right ballen: not sure what else to put there up_the_irons: so can u ping? ballen: ping6 2607:f2f8:1100::1
PING6(56=40+8+8 bytes) 2607:f2f8:1100:6::2 --> 2607:f2f8:1100::1
16 bytes from 2607:f2f8:1100::1, icmp_seq=0 hlim=63 time=99.082 ms
16 bytes from 2607:f2f8:1100::1, icmp_seq=1 hlim=63 time=93.322 ms up_the_irons: PING6(56=40+8+8 bytes) 2607:f2f8:1100::1 --> 2607:f2f8:1100:6::2
16 bytes from 2607:f2f8:1100:6::2, icmp_seq=0 hlim=63 time=91.046 ms
16 bytes from 2607:f2f8:1100:6::2, icmp_seq=1 hlim=63 time=99.93 ms
:) ballen: woot up_the_irons: w00t
$ ndp -a | grep 2607:f2f8:1100
2607:f2f8:1100::1 52:54:0:27:90:7 vlan115 permanent R
2607:f2f8:1100::2 52:54:0:27:21:15 vlan115 23h59m21s S R ballen: so you need to make sure you delete the ndp entry before hand as well up_the_irons: 2607:f2f8:1100:6::2 52:54:0:27:21:15 vlan115 9s R R
^^ now my router sees the :6::2 entry ballen: otherwise ndp will bitch up_the_irons: delete what ndp entry?
it already has one for :6::2, just not proxy? ballen: ndp -d 2607:f2f8:1100:6::2
yep up_the_irons: ah ballen: the incomplete entry up_the_irons: gotcha
i wonder why your VPS sees the :6::2 as incomplete ballen: likely because gif has not mac address
no* up_the_irons: see, this is probably the source of the prob... it *should* see :6::2
b/c it is directly connected ballen: right up_the_irons: OOH, no MAC
yeah, there is something funny going on w/ gif0
I bet you don't even need gif0
is gif the 6to4 tunnel int?
why not a regular sit?
b/c at this point, you don't need a tunnel
i mean, 6to4 tunnel ballen: hmm up_the_irons: you're on the native IPv6 Internet ballen: does sit exist on FreeBSD? up_the_irons: not sure ballen: I couldn't find it
also laptop is a mac
which has gif
but yea gif is tunnling 6 over 4 up_the_irons: looks like gif is a generic tunneling interface (man gif) ballen: as openvpn doesn't support native v6 over tun adapater
yea
adapter* up_the_irons: ok gotcha, openvpn is the limitation ballen: woot, laptop can ping www.kame.net
and i have a dancing turtle up_the_irons: hahhaa
that's pretty cool ballen: kinda dumb that is basically IPv4 -> SSL Tunnel -> IPv4 Tunnel -> IPv6
lots of tunnels up_the_irons: right ballen: mtu is down to 1280
at that point up_the_irons: right ballen: now to make this dynamic on vpn connection up_the_irons: ballen: so what does the inet6 routing table look like on your laptop now? ballen: http://pastie.org/private/ef0faj3k6yg5hhcgqgw4q up_the_irons: this is the first time I've seen a major difference between IPv4 and IPv6 routing / subnetting. In IPv4, you wouldn't have been able to subnet your block without us having a /30 PtoP and then running a routing protocol
so 2 blocks per node, at least ballen: ignore 2607:f2f8:1100::f1ab:2, thats from previous attempts up_the_irons: I remember reading one of the goals of IPv6 was to be like "one block per node, at that's it, never need more" ballen: yea
its pretty nifty up_the_irons: so I give you a /48, and my router can work with subnets within your /48 w/o a routing protocol, it just kinda works
very nifty
cool routing table, so you use the other end of your tunnel as default gateway for ipv6 ballen: yep up_the_irons: nice ballen: aww can't assign a gif interface a mac address lame up_the_irons: sucks ballen: ya up_the_irons: food time ballen: k ***: ballen has quit IRC (Read error: 60 (Operation timed out))
heavysixer has quit IRC ()
vtoms has joined #arpnetworks
ballen has joined #arpnetworks
ballen has quit IRC (Client Quit)
ballen has joined #arpnetworks
vtoms has quit IRC ("Leaving.") ballen: freenode over the v6 tubes woot ***: ballen is now known as ballen|away
ballen|away is now known as ballen
ballen is now known as ballen|away
vtoms has joined #arpnetworks
heavysixer has joined #arpnetworks
vtoms has quit IRC ("Leaving.") obsidieth: up_the_irons: i was wondering how reverse dns works for the ip block
i heard of some vps's having a panel/webgui for it. ***: ballen|away is now known as ballen
vtoms has joined #arpnetworks
vtoms has quit IRC (Client Quit)
heavysixer has quit IRC ()
timburke has quit IRC ("leaving")
timburke has joined #arpnetworks
ballen has quit IRC (Read error: 60 (Operation timed out))
ballen has joined #arpnetworks
ballen has quit IRC (Read error: 60 (Operation timed out))
ballen has joined #arpnetworks ballen: anyone know of a mail service that has smtp servers on ipv6 obsidieth: beats me ballen: want to test sending email to my sever over ipv6
and none of the big webmail providers have ipv6 setup obsidieth: ive never considered trying.
would it actually have any advantages? ballen: no idea
just being able to be assessable by other ipv6 connected people/servers
accessible*
just turned on v6 on all my daemons
so my two websites, imap, and smtp all can be reached via my ipv6 address
and added AAAA records for the various domains obsidieth: nais
im thinking i might try something similar soon. ballen: so a /48 is 1,208,925,819,614,629,174,706,176 addresses
seems a smidge overkill obsidieth: haha
i currently have a /48 and /64 on my home box. -: obsidieth crunches numbers ballen: /64 is 18,446,744,073,709,551,616 obsidieth: 1.20894427 × 1024
bleh, hard to paste. ballen: yea
gonna burn through ipv6 address space in no time
it would be nice to totally do away with NAT though obsidieth: over 100 million for every sqaure foot of the earths
well, 1500 or something. ballen: heh obsidieth: still, lots ballen: lots and lots
I ended up getting the openvpn setup working
kinda a hack though
likely would work better with linux and sit interface instead of gif obsidieth: nice
i might save the scrollback and review when i give it a shot ballen: I ended up need to add a static proxy entry in the server's ndp table for the new subnet
sometime in here I'll get all the configs together and write a post
if you want them jost me know in mean time
just*
its fairly specific to a freebsd server and mac os x client
but should be adaptable obsidieth: i would only need the freebsd server part most likely.
maybe that wont be as difficult. ballen: whatever your client is would need to support the gif driver
to work with how I'm tunneling the traffic -: obsidieth shrugs ballen: oh someone has to have a freaking smtp server in v6
lmao, http://www.prujem.cz/ IPv6 porn and movies server obsidieth: Alert!: Unable to connect to remote host.
:( ballen: lol
IPv6 only obsidieth: eh, i can ping it
maybe lynx doesnt ipv6 without some set up ballen: not sure ***: ballen has quit IRC (Read error: 60 (Operation timed out))