IPv6 tunnel broker with OpenVPN on OpenVZ

dnwk

@Nyr said:
If 2602:ffca:a:6612::/64 is routed for you, then use that subnet. Just make sure IPv6 is properly configured on your VM and the subnet is routed for the VM.

I use netmask 48 in VM. When I use 64, I cannot ping any IPv6 on vm

Nyr

@dnwk said:
I use netmask 48 in VM. When I use 64, I cannot ping any IPv6 on vm

Ok, but OpenVPN isn't going to like the supposed /48 so put a /64 from there in the config.

Anyway, I still don't understand why you supposedly get a /48 assigned and then only a random /64 from there is routed.

eddynetweb

@dnwk said:
I use netmask 48 in VM. When I use 64, I cannot ping any IPv6 on vm

First, in @Nyr's tutorial, he's asking you to route the /64 allocation, as OpenVPN does not support the /48 subnet (nag at the developers).

If you can't ping through the /64 correctly, troubleshoot. What is making the /64 allocation not function, as the /48 is able to? Are you setting gateways with the /48? Show us your "ifconfig".

Nice wiki Nyr, worked for me on a ChicagoVPS server just fine.

Nyr

He could/should set up the /48 for the server if he wants as long as he then uses a /64 from there for OpenVPN.

@eddynetweb happy to know it did help. Just out of curiosity, may I know what are you using here? https://eddynetweb.co/status/ Is it custom coded or something open source?

eddynetweb

@Nyr said:
He could/should set up the /48 for the server if he wants as long as he then uses a /64 from there for OpenVPN.

eddynetweb happy to know it did help. Just out of curiosity, may I know what are you using here? https://eddynetweb.co/status/ Is it custom coded or something open source?

https://github.com/eddynetweb/php-status

Planning on adding a active server tab of sorts, where it shows the status of the server itself (i.e. RAM usage, disk space used, uptime).

mike0000

@sc754 @heyits_bob @trexos @guitarfire

So I had the exact same problem as you. I originally installed using @Nyr's OpenVPN script, awhile back - so I added the openvpn apt repo and updated it.

https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos

apt-get update && apt-get dist-upgrade

The one thing I kinda skipped over while reading was that I needed to use the "Routed IPv6 Prefixes" - don't ask, just skimmed past it.

So with HE they show 2001:XXX:a:XXX::1/64 as server endpoint addr, and 2001:XXX:a:XXX::2/64 as client endpoint. You need to disregard that and skip down to the routed prefixes which gives me:

2001:XXX:b:XXX::/64

For my tunnel the endpoints are 2001:xxx:a.. while the prefixes I'll get are 2001:xxx:b. Make sure you use the routed prefixes in your config.

Still didn't work after all of this mind you. The important line was:

route-ipv6 2001:xxx:b:xxx::/64

Found it after some googling and looking at other people's configs. So the only lines added to my config were:

server-ipv6 2001:xxx:b:xxx::/64 route-ipv6 2001:xxx:b:xxx::/64 push "route-ipv6 2000::/3"

And.. it works! I just wanted IPv6-only to be routed over it, so I did as @Nyr mentioned previously and commented out the redirect-gateway line:

;push "redirect-gateway def1 bypass-dhcp"

Took a bit of head scratching but really happy I finally got it to work!

jimmyvu

Nice article, thinking to support IPv6 for my service.

Nyr

Just so it's clear: my instal script doesn't use the official OpenVPN repos because they have not been always maintained in the past.

mike0000

@Nyr said:
Just so it's clear: my instal script doesn't use the official OpenVPN repos because they have not been always maintained in the past.

Ah ok. Makes sense. I just did it because I only had 2.2 or something installed and it was my understanding that 2.3.x had the proper IPv6 support.

XxNisseGamerxX

root@BWH:~# openvpn --version
OpenVPN 2.1.3 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Jun  6 2013
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. 

Hmmm..... using Nyr's script.

heyits_bob

mikeyur said: Found it after some googling and looking at other people's configs. So the only lines added to my config were:

server-ipv6 2001:xxx:b:xxx::/64

route-ipv6 2001:xxx:b:xxx::/64
push "route-ipv6 2000::/3"

Thank you so much! I finally got the old VPS I tried using earlier to work!

mike0000

@Nyr Was curious if you tried this with any providers that are now including a /64 via Solus?

dnwk

@mikeyur said:
Nyr Was curious if you tried this with any providers that are now including a /64 via Solus?

I want to know that too

lhobas

Won't work unfortunately, because you cannot assign a subnet to an openvz venet - only single /128's.

Nyr

Yeah, will not work with Solus implementation since it isn't routed.

dnwk

@Nyr said:
Yeah, will not work with Solus implementation since it isn't routed.

But I think right now some provider with SolusVM can assign /64 to you. Isn't that routed?

Nyr

@dnwk said:
But I think right now some provider with SolusVM can assign /64 to you. Isn't that routed?

With OVZ, it isn't.

mpkossen

@Nyr said:
Yeah, will not work with Solus implementation since it isn't routed.

Yeah, that's actually a real shame since that'd be a nice use of their new functionality.

rm_

Nyr said: will not work with Solus implementation since it isn't routed.

Check out NDPPD: http://priv.nu/projects/ndppd/
it can sort of turn non-routed prefixes into "routed".
Though no idea if it'll work on OpenVZ.

dnwk

@Nyr said:
With OVZ, it isn't.

HOw about KVM?

Nyr

@dnwk said:
HOw about KVM?

Not sure how the implementation on SolusVM is but it should work if they aren't stupid or if the provider can manually assign a subnet manually to the VM.

Sorry, I have zero experience with Solus and KVM, but it should work one way or another since KVM doesn't have this limitation.

cygni

@mikeyur said:
Nyr Was curious if you tried this with any providers that are now including a /64 via Solus?

I had to use NAT with kernel >= 3.7 and ip6tables >= 1.4.17 to get it working on BuyVM. Though BuyVM does not use Solus, but does offer /64 subnet.

Nyr

cygni said: I had to use NAT with kernel >= 3.7 and ip6tables >= 1.4.17 to get it working on BuyVM. Though BuyVM does not use Solus, but does offer /64 subnet.

So you did not use the native OpenVPN implementation, I assume?

I ask because being OpenVZ it shouldn't be routed even if they have implemented IPv6 in a different way. Looks like it's the case since you have used ip6tables with NAT which is available only from the versions you listed.

Is BuyVM using a 3.7 kernel with OpenVZ or am I missing something here? Could you please provide more detail? Did you use NAT with ip6tables on OpenVZ?

dnwk

@Francisco

cygni

@Nyr said:
Is BuyVM using a 3.7 kernel with OpenVZ or am I missing something here? Could you please provide more detail? Did you use NAT with ip6tables on OpenVZ?

Sorry, it wasn't clear in the initial comment, but it is ip6tables NAT on KVM.

Nyr

@cygni said:
Sorry, it wasn't clear in the initial comment, but it is ip6tables NAT on KVM.

Oh, that's very different then

dnwk

@Nyr

I am using

server-ipv6 2001:470:1234:5678::/64 # your tunneled /64
push "route-ipv6 2000::/3"

on my Vultr VM. But it does not seems work. I get an IPv6 address but not route.

Nyr

dnwk said: I get an IPv6 address but not route.

Is IPv6 forwarding enabled in the system?

Sorry but I don't have experience with Vultr, do they provide a full routed /64?

dnwk

@Nyr said:
Sorry but I don't have experience with Vultr, do they provide a full routed /64?

They said it is routed.

And once I set
net.ipv6.conf.all.forwarding=1
I immediately lose IPv6 connectivity on my VM.
Not sure why

BlazeMuis

I do get an IPv6 address assigned, but i can't ping/access any IPv6 only websites

Same with Google, can't ping their IPv6 address

C:\Users\Wesley>ping google.com

Pinging google.com [2a00:1450:4013:c01::65] with 32 bytes of data:
Request timed out.
Request timed out.

It's running on a RamNode VPS with a /64 block

Some help would be great!