Re: [Openvpn-devel] IPv6 client IP pool configuration issues (2.4/2.5)

Fri, 06 Aug 2021 02:20:59 -0700 

Hi,

On Fri, Aug 06, 2021 at 10:38:36AM +0200, François Kooman wrote:
> However, it does not explain how it exactly would rewrite --server-ipv6 
> fd42::/112 to those three statements.
> 
> --ifconfig-ipv6 fd42::1/112 <????>
> --ifconfig-ipv6-pool fd42::1000/112
> --push "tun-ipv6"

This should work.  And you can leave off the "push" bit :-)

> What would the second parameter to --ifconfig-ipv6 be in this case? 

A random IP in that subnet, like "fd42::1/112 fd42::2" - this is a
somewhat unlucky artefact of the implementation of --ifconfig-ipv6,
which insists on having a "remote" even if that is not used in 
many cases.

It is required in tap mode, to have "something to point route-ipv6
routes to" - default setting for --route-gateway-ipv6 - but since tun
does not use next-hop IP addresses anyway, this is just stupid code.

> 2021-08-06 10:21:30 us=717994   ifconfig_ipv6_netbits = 112
> 2021-08-06 10:21:30 us=718149   ifconfig_ipv6_remote = 'fd42::2'

That should work :-)

[..]
> Would this mean the --server-ivp6 fd42::/112 expands to this?
> 
> OpenVPN 2.4:
> 
> --ifconfig-ipv6 fd42::1/112 fd42::2
> --ifconfig-ipv6-pool fd42::1000/112
> --push "tun-ipv6"
> 
> OpenVPN 2.5:
> 
> --ifconfig-ipv6 fd42::1/112 fd42::2
> --ifconfig-ipv6-pool fd42::2/112
> --push "tun-ipv6"

Without having tested it, I would agree that this is what it is.

(The reason it was changed from :1000 to ::2 is "small pool size" - 
if you have only a /112 or smaller, starting from :1000 reduces the pool 
size significantly.  If you use a /111 or bigger, it will actually stick
to the old behaviour - see helper.c, around line 200)


> it does not seem to work (no traffic over VPN), and the output of the log:

The log snippet is too short to give meaningful advice.  Please show 
the "ifconfig" or "ip address" statements, and what (if anything) is
pushed to clients.

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de

Attachment: signature.asc
Description: PGP signature

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel






















					Reply via email to