Hi.

On Tue, Nov 27, 2018 at 01:20:25PM +0100, tony wrote:
> On 27/11/2018 12:44, Reco wrote:
> > Hi.
> >
> > On Tue, Nov 27, 2018 at 12:26:03PM +0100, tony wrote:
> >> OK, that fixed it, thanks. Almost there. I had expected the host's
> >> openVPN ip (2a03:9800:10:54:8000::1000) to propagate, but I'm seeing my
> >> server's address:
> >>
> >> tony@tony-fr:~$ dig +short any myip.opendns.com @resolver1.opendns.com
> >> 2a03:9800:10:54::2
> >>
> >> Is that fixable?
> >
> > Probably. My suspicion is that openvpn has configured NAT66 for you,
> > along with the routing.
> > Can I see the result of "ip6tables-save" from your openvpn server?
>
> OK:
> root@shell:~# ip6tables-save
> # Generated by ip6tables-save v1.6.0 on Tue Nov 27 11:50:18 2018
> *nat
> :PREROUTING ACCEPT [12346:1595144]
> :INPUT ACCEPT [1726:141923]
> :OUTPUT ACCEPT [743:66648]
> :POSTROUTING ACCEPT [743:66648]
> -A POSTROUTING -s 2a03:9800:10:54:8000::/65 -o eth0 -j SNAT --to-source
> 2a03:9800:10:54::2

Yep. Good old NAT, in this case in IPv6 form. What they call NAT66.

> If I remove the line
> -A POSTROUTING -s 2a03:9800:10:54:8000::/65 -o eth0 -j SNAT --to-source
> 2a03:9800:10:54::2
> I lose any ipv6 routing

Strictly speaking, that's expected. The outside world does not know about
your network topology. What it does know is to send packets to
2a03:9800:10:54::1 (*not* :2) in hope of reaching your :8000::/65.

The problem is - how can your IPv6 gateway (54::1) possibly know that
your custom subnet (:8000::/65) is reachable if you have not announced a
route? That's something that I need to think about.

Reco
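
An added example, not part of the message above: a small Python audit of an ip6tables-save dump that lists NAT66 rules and reports which source address the outside world sees for a given VPN client. The function names are hypothetical, the sample dump is constructed from the output quoted in the thread, and negated matches ("! -s") are not handled.

```python
import ipaddress
import shlex

# Constructed sample: the nat table quoted in the thread, with the wrapped
# SNAT rule joined back onto one line as ip6tables-save prints it.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [12346:1595144]
:POSTROUTING ACCEPT [743:66648]
-A POSTROUTING -s 2a03:9800:10:54:8000::/65 -o eth0 -j SNAT --to-source 2a03:9800:10:54::2
COMMIT
"""

def _arg(tokens, flag):
    """Return the token following `flag`, or None if the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None

def nat66_rules(dump):
    """List (source_network, out_iface, new_source) for each source-NAT rule."""
    rules, table = [], None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):          # "*nat", "*filter", ... starts a table
            table = line[1:]
            continue
        if table != "nat" or not line.startswith("-A POSTROUTING"):
            continue
        tokens = shlex.split(line)
        if _arg(tokens, "-j") not in ("SNAT", "MASQUERADE"):
            continue
        # A rule without -s matches every source address.
        src = ipaddress.ip_network(_arg(tokens, "-s") or "::/0", strict=False)
        # MASQUERADE has no --to-source; it uses the outgoing interface address.
        rules.append((src, _arg(tokens, "-o"), _arg(tokens, "--to-source")))
    return rules

def apparent_source(dump, client):
    """Address a remote host sees for `client`; the first matching rule wins."""
    addr = ipaddress.ip_address(client)
    for src, iface, new_source in nat66_rules(dump):
        if addr in src:
            return new_source or f"address of {iface}"
    return str(addr)                      # no NAT rule applies: address unchanged

if __name__ == "__main__":
    for client in ("2a03:9800:10:54:8000::1000", "2a03:9800:10:54::5"):
        print(client, "->", apparent_source(SAMPLE, client))
```
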