IPv6 VPN

Keith keith at fernie.eu
Sun Oct 6 21:55:55 CEST 2013


Hello

I've done similar before, to add IPv6 addresses to IPv4-only VPSes.
The IPv6 addresses have come from either the /56 native IPv6 from my ISP
or from /48 6to4 subnets from dual-stack VPSes with a limited number of
IPv6 addresses, sometimes just one.
This has worked OK without having to look at proxy_ndp or ip neigh
proxy.

With a new OVH server myself I have also got this working with proxy_ndp
set to 1, using ip neigh in tinc-up and some tweaking to the ipv6 route
table.

A /48 of 6to4 addresses is also available to you if you want to test
this.

On Sun, 2013-10-06 at 15:49 +0200, Ismael Bouya wrote:
> Hi,
> I finally solved my problem (I planned to send an email "later", but since
> you answered me I'll make an effort :D ):
> 
> The server (which "owns" the /64 addr) needs more than just "forwarding" set
> to 1; I also need to set proxy_ndp to 1 (in
> /proc/sys/net/ipv6/conf/***/proxy_ndp) and to do
> 
> ip neigh add proxy ***ipv6*** dev eth0
> 
> for each address that will go through the router (including the one on the
> vpn6 interface of the server).
> 
> Note that if you follow strictly the doc at
> http://www.tinc-vpn.org/examples/ipv6-network/
> you only need to run the above command for 2001:db8:beef::{2,3,4} on
> routera, and then on each router{b,c} you'll have to worry about their own
> subnet only.
> 
> 
> Maybe it should be tried somewhere else. I think it's a problem due to the
> fact that I have "only" a /64, and thus all the IP addresses I can address
> are in the "interface" scope of the ip6 address. Since I don't have access
> to a /48 I cannot run more tests about this assumption, but I'd be quite
> interested in knowing whether it is true or not (maybe someone there has
> this kind of network and can check both the value of
> /proc/sys/net/ipv6/conf/***/proxy_ndp on "routera" and
> run ip -6 neigh show proxy
> to check the necessity of this in a larger network?)
> 
> > Hm, that's indeed strange. However, the example on the website is a bit
> > complicated, maybe you could simplify your setup. Does home need its own /64 or
> > does it need only a /128? Do you plan to add more nodes or not?
> 
> Each "node" only needed a /128, the /96 was a "bonus", but none of the
> methods I tried worked.
> 
> > > I also put /proc/sys/net/ipv{4,6}/conf/all/forwarding to 1 everywhere,
> > > but without success.
> > > 
> > > Did I miss anything?
> > 
> > Make sure you don't have firewall rules blocking the forwarding of IPv6
> > packets. Also, what does the routing table look like on home?
> 
> I also checked that, and the routing table at home was correct. The example
> documentation is perfect but for the proxy_ndp problem.
> 
> Maybe you should put a note about it in the example?
> 
> Anyway, thanks for all (and especially for this wonderful program :D )
> 
> Best regards,
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
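
The proxy_ndp and "ip neigh add proxy" steps from the thread above, as an added example that is not part of either message and not tinc's own code. The interface name eth0 comes from the quoted command; the address list, the DRY_RUN switch and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): proxy-NDP setup for a tinc-up script.
# Assumed names: uplink eth0; the addresses are constructed samples from the
# 2001:db8:beef::/64 documentation prefix used in the tinc example.
UPLINK="${UPLINK:-eth0}"
PROXIED="${PROXIED:-2001:db8:beef::2 2001:db8:beef::3 2001:db8:beef::4}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them (root)

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Proxy entries are per address: accept only hex digits and colons, so a
# prefix such as 2001:db8:beef::/64 or a stray word is rejected.
is_host_addr() {
    case "$1" in
        ""|*[!0-9A-Fa-f:]*) return 1 ;;
        *:*) return 0 ;;
        *) return 1 ;;
    esac
}

proxy_ndp_setup() {
    run sysctl -w "net.ipv6.conf.all.forwarding=1"
    run sysctl -w "net.ipv6.conf.$UPLINK.proxy_ndp=1"
    for addr in $PROXIED; do
        if ! is_host_addr "$addr"; then
            echo "skipping '$addr': not a single IPv6 address" >&2
            continue
        fi
        # "File exists" on a re-run is harmless, so do not abort tinc-up on it
        run ip -6 neigh add proxy "$addr" dev "$UPLINK" || true
    done
}

proxy_ndp_setup
```

With DRY_RUN=0 the commands are executed instead of printed; the result can then be checked with the "ip -6 neigh show proxy" command mentioned in the quoted message.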