| ↑back Search ←Prev date Next date→ Show only urls | (Click on time to select a line by its url) |
| Who | What | When |
|---|---|---|
| *** | ballen has joined #arpnetworks | [00:21] |
| ballen | anyone setup openvpn to tunnel ipv6 before? | [00:22] |
| *** | ballen has quit IRC (Read error: 104 (Connection reset by peer)) | [00:28] |
| .... (idle for 16mn) | ||
| ballen has joined #arpnetworks | [00:44] | |
| up_the_irons | ballen: I haven't done openvpn w/ ipv6 tunnel, but if you get it working, let me know how you did it; i've been interested in doing the same thing on my laptop | [00:45] |
| ballen | yea
so there appears to be two ways one routed + tunnled | [00:45] |
| up_the_irons | i c | [00:47] |
| ballen | second bridged, setting up like your laptop is on the same net, run router advertiser, etc
and if you want ipv4 on the same vpn you'd need to run dhcp as well openvpn supports ipv6 nativly in option 2 natively* as the vpn is running at layer 2 instead of 3 not sure which way I'll go with I can't get my vps to route my /64 subnet off the box, doing option 1 | [00:47] |
| up_the_irons | i'd probably go with routed, if i had the choice | [00:48] |
| ballen | yea
you just have to use connection/disconnection scripts | [00:49] |
| up_the_irons | i c | [00:49] |
| ballen | to setup the tunnel
routes, etc kinda annoying | [00:50] |
| up_the_irons | yeah | [00:50] |
| ballen | basing my work so far on: http://www.zagbot.com/openvpn_ipv6_tunnel.html | [00:51] |
| up_the_irons | but if you think about it, that's how you connect to the regular internet too, with scripts that set up your IPs and routes and such. It is just so tranparent / automatic these days | [00:51] |
| ballen | yea its just less elegant when deploying clients | [00:51] |
| up_the_irons | oh i think i get that guy is saying..
i never did the tunnel mode b/c I generally never have a static IP on my laptop but with OpenVPN, you get a static and then can tunnel *over that* | [00:53] |
| ballen | ## Server ##
ifconfig gif0 create ifconfig gif0 tunnel 10.8.0.1 10.8.0.6 ifconfig gif0 inet6 2607:f2f8:1100:6::1/64 route add -inet6 2607:f2f8:1100:6::/64 2607:f2f8:1100:6::2 ## Client ## ifconfig gif0 create ifconfig gif0 tunnel 10.8.0.6 10.8.0.1 ifconfig gif0 inet6 2607:f2f8:1100:6::2/64 thats basically what I have so far | [00:53] |
| up_the_irons | yeah, and gif0 is OpenVPN independent, but I assume 10.8.0.x is either end of your OpenVPN tunnel | [00:54] |
| ballen | right
.6 is the client .1 the server | [00:54] |
| obsidieth | i would be real interested to see this work | [00:55] |
| ballen | with that setup, I can ping 2607:f2f8:1100::2, but not 2607:f2f8:1100::1
from my laptop | [00:55] |
| up_the_irons | ballen: your server needs a route back to your client
although i think you have that covered above with 'route add ...' | [00:57] |
| ballen | 2607:f2f8:1100:6::/64 2607:f2f8:1100:6::2 UGS gif0 | [00:59] |
| up_the_irons | ballen: can you ping 2607:f2f8:1100::2 from your server? | [00:59] |
| ballen | yea thats my local address | [00:59] |
| up_the_irons | ballen: and your server is 2607:f2f8:1100::1. So you can ping your client from the server, but not the other way around? | [01:01] |
| ballen | 2607:f2f8:1100::1 is your router (ARP Network)
2607:f2f8:1100:6::1 is my server's address on the tunnel 2607:f2f8:1100:6::2 is my laptop's address on the tunnel | [01:01] |
| up_the_irons | ballen: sorry, i meant to put the ':6::' in there | [01:02] |
| ballen | heh k
so I can ping from my laptop to :6::1 ::2 but not ::1 so I can't get out to ARP current routes: 2607:f2f8:1100::/48 link#1 UC em0 2607:f2f8:1100::1 52:54:00:27:90:07 UHLW em0 2607:f2f8:1100::2 52:54:00:27:21:15 UHL lo0 2607:f2f8:1100:6::/64 2607:f2f8:1100:6::2 UGS gif0 2607:f2f8:1100:6::1 link#4 UHL lo0 | [01:02] |
| obsidieth | so em0 | [01:04] |
| ballen | em0 is public interface | [01:04] |
| bigs | lol
bigs smacks obsidieth | [01:04] |
| ballen | let me connect back to the vpn, brb | [01:05] |
| *** | ballen_ has joined #arpnetworks
ballen has quit IRC (Nick collision from services.) ballen_ is now known as ballen | [01:05] |
| ballen | k back | [01:06] |
| up_the_irons | ballen: so you can ping :6::2 from the server and :6::1 from the client, yes? | [01:06] |
| *** | up_the_irons changes topic to: On tonight's show, we bring you IPv6 tunnels over OpenVPN | [01:06] |
| ballen | one sec
k up_the_irons: yes both those work | [01:07] |
| up_the_irons | ballen: what's the output of:
sysctl net.inet6.ip6.forwarding | [01:10] |
| ballen | 1 | [01:10] |
| up_the_irons | if it's "0", that's the problem
OK cool | [01:10] |
| ballen | :-) yea already checked that one | [01:10] |
| up_the_irons | :) | [01:10] |
| ballen | also on the laptop: default 2607:f2f8:1100:6::1 UGSc gif0 | [01:11] |
| up_the_irons | ballen: run this on your server:
sudo tcpdump -ni em0 ip6 ballen: then ping from client to server, see where it is going | [01:12] |
| ballen | one sec change default route
changing http://pastie.org/592053 thats a ping to the server's gateway that fails | [01:13] |
| up_the_irons | up_the_irons ponders | [01:19] |
| ballen | net.inet6.ip6.fw.enable: 1 ?
nvm | [01:22] |
| up_the_irons | this is what I see on my router: http://pastie.org/private/3eg31jycv4ch9ct39unheq | [01:27] |
| ballen | [root@arp /etc/rc.d]# ndp -a
Neighbor Linklayer Address Netif Expire S Flags 2607:f2f8:1100::1 52:54:0:27:90:7 em0 expired R R 2607:f2f8:1100::2 52:54:0:27:21:15 em0 permanent R 2607:f2f8:1100:6::1 (incomplete) gif0 permanent R 2607:f2f8:1100:6::2 (incomplete) gif0 expired D | [01:27] |
| up_the_irons | ballen: that's from your server? | [01:29] |
| ballen | yea
ndp -a | [01:29] |
| obsidieth | radvd | [01:30] |
| ballen | rtadvd? | [01:30] |
| up_the_irons | on my router I have:
ndp -a | grep 2607:f2f8:1100 2607:f2f8:1100::1 52:54:0:27:90:7 vlan115 permanent R 2607:f2f8:1100::2 52:54:0:27:21:15 vlan115 23h59m11s S R 2607:f2f8:1100:6::2 (incomplete) vlan115 1s I 1 | [01:30] |
| ballen | wonder what will happen if I make a proxy ndp entry | [01:38] |
| so in ipv4 basically the arp router would have to know about my new subnet
but I assume in ipv6 there's an automagically way of doing this? | [01:45] | |
| up_the_irons | ballen: in IPv4, ARP's router wouldn't need to know about any smaller subnets, it just sees the aggregate | [01:48] |
| ballen | ah right, I was thinking if I made up a new subnet | [01:48] |
| up_the_irons | ballen: if you made a completely new subnet (say you had a subnet from another provider), then yes, I'd have to put in a static route to you (simplest case), or we run some routing protocal (rip, ospf, bgp, etc...). | [01:50] |
| ballen | right
alright will work on this more later, need to sleep | [01:50] |
| up_the_irons | ballen: now, IPv6 brought with in a boat load of smaller protocols, one of which is this solicited-node multicast thing from which my router wants a reply
ballen: ok, l8r | [01:55] |
| ballen | any idea how to get my server to give a reply | [01:56] |
| up_the_irons | ballen: not really; but i'm going to investigate | [01:57] |
| ballen | cool
might be the gif tunnel but who knows, be on tomorrow later | [01:57] |
| *** | ballen is now known as ballen|away | [01:58] |
| up_the_irons | ballen|away: when you're back, make sure your gif0 tunnel forwards multicast traffic | [02:00] |
| ........ (idle for 37mn) | ||
| *** | ConquerorX has joined #arpnetworks | [02:37] |
| up_the_irons | Welcome ConquerorX
ballen|away: OK, check this out: On my router, if I do: s3.lax:~> sudo route add -inet6 -net 2607:f2f8:1100:6:: -prefixlen 56 2607:f2f8:1100::2 add net 2607:f2f8:1100:6::: gateway 2607:f2f8:1100::2 Now I can ping your laptop: s3.lax:~> ping6 2607:f2f8:1100:6::2 PING6(56=40+8+8 bytes) 2607:f2f8:1100::1 --> 2607:f2f8:1100:6::2 16 bytes from 2607:f2f8:1100:6::2, icmp_seq=0 hlim=63 time=94.476 ms 16 bytes from 2607:f2f8:1100:6::2, icmp_seq=1 hlim=63 time=87.624 ms 16 bytes from 2607:f2f8:1100:6::2, icmp_seq=2 hlim=63 time=104.49 ms ^C --- 2607:f2f8:1100:6::2 ping6 statistics --- 3 packets transmitted, 3 packets received, 0.0% packet loss round-trip min/avg/max/std-dev = 87.624/95.530/104.490/6.926 ms ballen|away: So, this is what is going on, it helps to think about it like IPv4, and it makes sense -- I'm routing a /48 to you. From my router's POV, that /48 is one huge subnet, it doesn't know about anything beyond its neighbor (your VPS). If that /48 were in IPv4 (let's say it is a /24), anything I ping behind it would generate an "arp who-has" packet b/c the router sees that subnet as directly connected, and it is trying to ARP the host belonging the IP I'm pinging if there are subnets beyond that block, my router wouldn't know about it, and it would rely on static routes, or rip, or ospf, or bgp, etc... like i noted above, to find out about those routes (err, subnets) Now, IPv6 doesn't have ARP It has ND (neighbor discovery) which is kinda like ARP on steroids It can find information not only about directly connected neighbors (like ARP), but also about subnets beyond them this is why, when my router got an ICMP from your laptop, it saw the return address as 2607:f2f8:6::2, and didn't have this in its ND table (would be ARP cache in IPv4) so it sends out that "ND who has" packet (neighbor solicitation) I'm not seeing the corresponding "ND tgt is" packet (neighbor advertisment) from your laptop and so the ND table isn't updated, therefore the ICMP reply can't be sent to you <phew...> I hope that made sense was pretty educational for me having to deduce it all ;) why your laptop isn't sending the neighbor advertisement back is unknown at this time; perhaps it doesn't even see the solicitation. if you tcpdump both your VPS and your laptop, you'll see which side is not propagating the ND packets over the tunnel | [02:38] |
| ConquerorX: how's it goin' | [03:03] | |
| Qsource: you around
ballen|away: also, when you're back, try a speed test on your OpenVPN connection; you should be getting way more than 6 megs; i made some adjustments | [03:10] | |
| ................... (idle for 1h30mn) | ||
| obsidieth | im going to have to give this a try soon, ive always wondered if you can ste up a vpn without X to do it | [04:43] |
| up_the_irons | yeah | [04:47] |
| ................. (idle for 1h23mn) | ||
| *** | heavysixer has quit IRC () | [06:10] |
| obsidieth | ive got a question if you're still here | [06:22] |
| ................. (idle for 1h22mn) | ||
| *** | heavysixer has joined #arpnetworks | [07:44] |
| ............. (idle for 1h2mn) | ||
| ballen|away has quit IRC (Read error: 60 (Operation timed out)) | [08:46] | |
| .... (idle for 15mn) | ||
| ballen has joined #arpnetworks
ConquerorX has quit IRC () | [09:01] | |
| ..... (idle for 20mn) | ||
| ballen_ has joined #arpnetworks
ballen has quit IRC (Nick collision from services.) ballen_ is now known as ballen | [09:22] | |
| ........ (idle for 39mn) | ||
| ballen is now known as ballen|away | [10:01] | |
| vtoms has joined #arpnetworks | [10:15] | |
| ............ (idle for 55mn) | ||
| vtoms has quit IRC ("Leaving.") | [11:10] | |
| ballen|away is now known as ballen | [11:16] | |
| ........... (idle for 51mn) | ||
| ballen | up_the_irons: so my laptop doesn't get the solicitation from your router
appears the VPS isn't forwarding it | [12:07] |
| up_the_irons | ballen: do you see the solicitation on your VPS (destined to your laptop) ? | [12:19] |
| ballen | 15:19:42.584527 IP6 2607:f2f8:1100::1 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has 2607:f2f8:1100:6::2, length 32 | [12:19] |
| up_the_irons | ballen: and did you see my rather large explanation after you went |away? | [12:19] |
| ballen | yep
thats from a dump listening on em0 | [12:19] |
| up_the_irons | yeah
now see, I don't know anough about ND yet to know who is supposed to respond to the solicitation, your VPS or your laptop | [12:19] |
| ballen | yea no idea either
its not making it to the gif0 on the VPS, and obviously not to the laptop's gif0 | [12:20] |
| up_the_irons | it sends it to a IPv6 multicast group (ff02::1:ff00:2:), so multicast has to be functioning for this to work, have no idea about that and OpenVPN
ballen: so gif0 isn't becoming part of the multicast group | [12:21] |
| ballen | I would assume not | [12:21] |
| up_the_irons | obsidieth: you had a question b4?
it's all here: http://tools.ietf.org/html/rfc2461 from the introduction, it would appear your VPS (the directly attached neighbor) would respond to the ND | [12:22] |
| ballen | yea it seems that would be the logical thing
there is such thing is a Neighbor Proxy | [12:25] |
| up_the_irons | i c | [12:28] |
| ballen | http://www.man9.org/bsd/8/ndp.html
If the word proxy is given, this system will act as a proxy NDP server, responding to requests for hostname even though the host address is not its own. holy shat it works | [12:29] |
| up_the_irons | ballen: give it a try | [12:31] |
| ballen | ndp -s 2607:f2f8:1100:6::2 52:54:0:27:21:15 proxy | [12:31] |
| up_the_irons | oh
really?? | [12:31] |
| ballen | which is the VPS's linklayer address btw | [12:31] |
| up_the_irons | right | [12:31] |
| ballen | not sure what else to put there | [12:31] |
| up_the_irons | so can u ping? | [12:31] |
| ballen | ping6 2607:f2f8:1100::1
PING6(56=40+8+8 bytes) 2607:f2f8:1100:6::2 --> 2607:f2f8:1100::1 16 bytes from 2607:f2f8:1100::1, icmp_seq=0 hlim=63 time=99.082 ms 16 bytes from 2607:f2f8:1100::1, icmp_seq=1 hlim=63 time=93.322 ms | [12:32] |
| up_the_irons | PING6(56=40+8+8 bytes) 2607:f2f8:1100::1 --> 2607:f2f8:1100:6::2
16 bytes from 2607:f2f8:1100:6::2, icmp_seq=0 hlim=63 time=91.046 ms 16 bytes from 2607:f2f8:1100:6::2, icmp_seq=1 hlim=63 time=99.93 ms :) | [12:32] |
| ballen | woot | [12:32] |
| up_the_irons | w00t
$ ndp -a | grep 2607:f2f8:1100 2607:f2f8:1100::1 52:54:0:27:90:7 vlan115 permanent R 2607:f2f8:1100::2 52:54:0:27:21:15 vlan115 23h59m21s S R | [12:32] |
| ballen | so you need to make sure you delete the ndp entry before hand as well | [12:32] |
| up_the_irons | 2607:f2f8:1100:6::2 52:54:0:27:21:15 vlan115 9s R R
^^ now my router sees the :6::2 entry | [12:32] |
| ballen | otherwise ndp will bitch | [12:33] |
| up_the_irons | delete what ndp entry?
it already has one for :6::2, just not proxy? | [12:33] |
| ballen | ndp -d 2607:f2f8:1100:6::2
yep | [12:33] |
| up_the_irons | ah | [12:33] |
| ballen | the incomplete entry | [12:33] |
| up_the_irons | gotcha
i wonder why your VPS sees the :6::2 as incomplete | [12:33] |
| ballen | likely because gif has not mac address
no* | [12:34] |
| up_the_irons | see, this is probably the source of the prob... it *should* see :6::2
b/c it is directly connected | [12:34] |
| ballen | right | [12:34] |
| up_the_irons | OOH, no MAC
yeah, there is something funny going on w/ gif0 I bet you don't even need gif0 is gif the 6to4 tunnel int? why not a regular sit? b/c at this point, you don't need a tunnel i mean, 6to4 tunnel | [12:34] |
| ballen | hmm | [12:35] |
| up_the_irons | you're on the native IPv6 Internet | [12:35] |
| ballen | does sit exist on FreeBSD? | [12:35] |
| up_the_irons | not sure | [12:35] |
| ballen | I couldn't find it
also laptop is a mac which has gif but yea gif is tunnling 6 over 4 | [12:35] |
| up_the_irons | looks like gif is a generic tunneling interface (man gif) | [12:36] |
| ballen | as openvpn doesn't support native v6 over tun adapater
yea adapter* | [12:36] |
| up_the_irons | ok gotcha, openvpn is the limitation | [12:37] |
| ballen | woot, laptop can ping www.kame.net
and i have a dancing turtle | [12:37] |
| up_the_irons | hahhaa
that's pretty cool | [12:38] |
| ballen | kinda dumb that is basically IPv4 -> SSL Tunnel -> IPv4 Tunnel -> IPv6
lots of tunnels | [12:39] |
| up_the_irons | right | [12:39] |
| ballen | mtu is down to 1280
at that point | [12:40] |
| up_the_irons | right | [12:40] |
| ballen | now to make this dynamic on vpn connection | [12:48] |
| up_the_irons | ballen: so what does the inet6 routing table look like on your laptop now? | [12:49] |
| ballen | http://pastie.org/private/ef0faj3k6yg5hhcgqgw4q | [12:51] |
| up_the_irons | this is the first time I've seen a major difference between IPv4 and IPv6 routing / subnetting. In IPv4, you wouldn't have been able to subnet your block without us having a /30 PtoP and then running a routing protocol
so 2 blocks per node, at least | [12:51] |
| ballen | ignore 2607:f2f8:1100::f1ab:2, thats from previous attempts | [12:51] |
| up_the_irons | I remember reading one of the goals of IPv6 was to be like "one block per node, at that's it, never need more" | [12:52] |
| ballen | yea
its pretty nifty | [12:52] |
| up_the_irons | so I give you a /48, and my router can work with subnets within your /48 w/o a routing protocol, it just kinda works
very nifty cool routing table, so you use the other end of your tunnel as default gateway for ipv6 | [12:52] |
| ballen | yep | [12:53] |
| up_the_irons | nice | [12:54] |
| ballen | aww can't assign a gif interface a mac address lame | [12:54] |
| up_the_irons | sucks | [12:56] |
| ballen | ya | [12:57] |
| up_the_irons | food time | [12:59] |
| ballen | k | [12:59] |
| ....... (idle for 30mn) | ||
| *** | ballen has quit IRC (Read error: 60 (Operation timed out)) | [13:29] |
| ........ (idle for 35mn) | ||
| heavysixer has quit IRC () | [14:04] | |
| ............. (idle for 1h4mn) | ||
| vtoms has joined #arpnetworks | [15:08] | |
| ...... (idle for 26mn) | ||
| ballen has joined #arpnetworks
ballen has quit IRC (Client Quit) ballen has joined #arpnetworks vtoms has quit IRC ("Leaving.") | [15:34] | |
| ballen | freenode over the v6 tubes woot | [15:36] |
| *** | ballen is now known as ballen|away | [15:38] |
| ....... (idle for 30mn) | ||
| ballen|away is now known as ballen | [16:08] | |
| .... (idle for 16mn) | ||
| ballen is now known as ballen|away | [16:24] | |
| .................. (idle for 1h26mn) | ||
| vtoms has joined #arpnetworks | [17:50] | |
| ........ (idle for 35mn) | ||
| heavysixer has joined #arpnetworks | [18:25] | |
| vtoms has quit IRC ("Leaving.") | [18:32] | |
| .... (idle for 16mn) | ||
| obsidieth | up_the_irons: i was wondering how reverse dns works for the ip block
i heard of some vps's having a panel/webgui for it. | [18:48] |
| ..... (idle for 21mn) | ||
| *** | ballen|away is now known as ballen | [19:09] |
| vtoms has joined #arpnetworks
vtoms has quit IRC (Client Quit) | [19:19] | |
| ......... (idle for 44mn) | ||
| heavysixer has quit IRC () | [20:04] | |
| timburke has quit IRC ("leaving")
timburke has joined #arpnetworks | [20:16] | |
| ballen has quit IRC (Read error: 60 (Operation timed out)) | [20:25] | |
| ballen has joined #arpnetworks | [20:36] | |
| ballen has quit IRC (Read error: 60 (Operation timed out)) | [20:46] | |
| ballen has joined #arpnetworks | [20:59] | |
| ballen | anyone know of a mail service that has smtp servers on ipv6 | [20:59] |
| obsidieth | beats me | [20:59] |
| ballen | want to test sending email to my sever over ipv6
and none of the big webmail providers have ipv6 setup | [21:04] |
| obsidieth | ive never considered trying.
would it actually have any advantages? | [21:11] |
| ballen | no idea
just being able to be assessable by other ipv6 connected people/servers accessible* just turned on v6 on all my daemons so my two websites, imap, and smtp all can be reached via my ipv6 address and added AAAA records for the various domains | [21:11] |
| obsidieth | nais
im thinking i might try something similar soon. | [21:14] |
| ballen | so a /48 is 1,208,925,819,614,629,174,706,176 addresses
seems a smidge overkill | [21:14] |
| obsidieth | haha
i currently have a /48 and /64 on my home box. obsidieth crunches numbers | [21:15] |
| ballen | /64 is 18,446,744,073,709,551,616 | [21:15] |
| obsidieth | 1.20894427 × 1024
bleh, hard to paste. | [21:16] |
| ballen | yea
gonna burn through ipv6 address space in no time it would be nice to totally do away with NAT though | [21:16] |
| obsidieth | over 100 million for every sqaure foot of the earths
well, 1500 or something. | [21:17] |
| ballen | heh | [21:18] |
| obsidieth | still, lots | [21:18] |
| ballen | lots and lots
I ended up getting the openvpn setup working kinda a hack though likely would work better with linux and sit interface instead of gif | [21:18] |
| obsidieth | nice
i might save the scrollback and review when i give it a shot | [21:19] |
| ballen | I ended up need to add a static proxy entry in the server's ndp table for the new subnet
sometime in here I'll get all the configs together and write a post if you want them jost me know in mean time just* its fairly specific to a freebsd server and mac os x client but should be adaptable | [21:20] |
| obsidieth | i would only need the freebsd server part most likely.
maybe that wont be as difficult. | [21:21] |
| ballen | whatever your client is would need to support the gif driver
to work with how I'm tunneling the traffic | [21:22] |
| obsidieth | obsidieth shrugs | [21:23] |
| ballen | oh someone has to have a freaking smtp server in v6
lmao, http://www.prujem.cz/ IPv6 porn and movies server | [21:28] |
| obsidieth | Alert!: Unable to connect to remote host.
:( | [21:31] |
| ballen | lol
IPv6 only | [21:31] |
| obsidieth | eh, i can ping it
maybe lynx doesnt ipv6 without some set up | [21:31] |
| ballen | not sure | [21:32] |
| .......... (idle for 45mn) | ||
| *** | ballen has quit IRC (Read error: 60 (Operation timed out)) | [22:17] |
| ↑back Search ←Prev date Next date→ Show only urls | (Click on time to select a line by its url) |