Hi everyone,

I'm running an OpenVPN server on OpenBSD where clients connect over IPv4 and
are assigned IPv6 addresses (IPv6-in-IPv4 tunnel). My ISP delegates a full /64
range (aaaa:bbbb:cccc:dddd::/64), but only the address configured at boot via
autoconf (aaaa:bbbb:cccc:dddd:92::1/64) is actually routed to the server —
effectively as a /128.

I'd like to assign IPv6 addresses from the /64 to OpenVPN clients. The OpenVPN
config looks like this:

    server-ipv6 aaaa:bbbb:cccc:dddd:93::/112
    push "route-ipv6 aaaa:bbbb:cccc:dddd::/64"
    push "route-ipv6 2000::/3"

> net.inet6.ip6.forwarding=1 is enabled.
> pf isn't blocking anything (pflog0 shows no drops).
> When VPN is up and tun0 is active, clients properly get assigned an address
> from aaaa:bbbb:cccc:dddd:93::/112 and with it can ping6 the server’s VPN
> gateway (aaaa:bbbb:cccc:dddd:93::1) and host IP (aaaa:bbbb:cccc:dddd:92::1) —
> but can't reach anything beyond.
> tcpdump on tun0 shows clients’ echo requests leaving, but no replies ever
> return.
> From the server itself, trying to ping6 -S aaaa:bbbb:cccc:dddd:93::1
> google.com fails with:
ping6: sendmsg: Permission denied (even with doas used)
This seems like a routing issue — possibly because the server’s upstream isn’t
routing the rest of the /64 to the host, just the boot-assigned /128.
Has anyone dealt with a similar setup? Any advice or workarounds — such as
using NDP proxying, static routing tricks, or other ways to get the full prefix
routed behind OpenVPN?

Thank you very much in advance for your answers.

Best regards,
Michael
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users