OpenVPN client: add support for IPv6 dynamic interface configuration #2522

Closed
QuentinC opened this issue Jul 7, 2018 · 3 comments

@QuentinC

QuentinC commented Jul 7, 2018

Hello,

I've been trying to configure a VPN client to do IPv6 inside the VPN tunnel.
My server sends me a single IPv6 address, but that is dynamically allocated.

I need to do IPv6 NAT and force-gateway rules to allow IPv6 traffic to get in the tunnel.

Here is the issue:

  • When the VPN connects, the assigned IPv4 is set to the interface and the gateway is set, but not on IPv6
  • If I manually set the IPv6 addresses everything works.

I think that the parsing script has to be adapted to get the IPv6 settings.

Thanks,

Quentin

@QuentinC
Author

QuentinC commented Jul 7, 2018

Here is the first message:
https://forum.opnsense.org/index.php?topic=8997.0

Thanks!

@QuentinC
Author

QuentinC commented Jul 13, 2018

Some news on this:
By tweaking the ovpn-linkup (https://github.com/opnsense/core/blob/master/src/etc/inc/plugins.inc.d/openvpn/ovpn-linkup) I can get the IPv6 gateway on the control socket.

This allows me to auto-set the gateway, and enable the IPv6 "route-to" firewall setting.

But I still need to have NATing on the VPN interface (in IPv6, yes..) and this won't work.
Currently I have the NAT rule set to "use interface address", and because of this:
https://lists.freebsd.org/pipermail/freebsd-pf/2014-September/007441.html the IP used is the link-local IP, and I won't get any answer from the VPN...

If I manually set the NAT address to the public IPv6, everything works well...

Here is my (not very clean) code for the ovpn-linkup file:

#!/bin/sh

# let the configuration system know that the ip has changed.
# /usr/local/opnsense/service/configd_ctl.py interface newip $interface
if [ "${dev_type}" = "tun" ]; then
        if [ -n "$route_vpn_gateway" ]; then
                /bin/echo "$route_vpn_gateway" > "/tmp/${1}_router"
        else
                /bin/echo "$5" > "/tmp/${1}_router"
        fi
fi

/usr/bin/touch "/tmp/${1}up"
# reload filter
/usr/local/opnsense/service/configd_ctl.py interface newip "$1"

(
# wait for the tunnel to come up before querying the management socket
sleep 5
# ovpnc1 -> client1, ovpns1 -> server1
link=$(echo -n "$1" | sed 's/ovpn//' | sed 's/c/client/' | sed 's/s/server/')
socket="/var/etc/openvpn/${link}.sock"
# field 9 of the CONNECTED state line is the tunnel IPv6 address
ipv6=$(echo 'state 3' | nc -U "${socket}" -w 1 | grep CONNECTED | cut -d, -f9)
# nothing to configure if the server did not hand out an IPv6 address
[ -n "$ipv6" ] || exit 0
/bin/echo "$ipv6" > "/tmp/${1}_ipv6"
# gateway: the same address with its last group replaced by 1
base=$(echo "$ipv6" | rev | cut -d: -f2- | rev)
echo "${base}:1" > "/tmp/${1}_routerv6"
/usr/local/opnsense/service/configd_ctl.py interface newipv6 "$1"
)&

exit 0

Edit: fixed links
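
The parsing step from the script in the comment above, as an added example (not part of the original comment and not OPNsense code): it takes the tunnel IPv6 address from field 9 of the management socket's `state` reply, rejects empty or non-address values, and derives the gateway with the same last-group-to-1 substitution the comment uses. The function names and the sample `state` line are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and the sample state line are constructed.

# Map an OpenVPN device name to its management socket path:
# ovpnc1 -> client1.sock, ovpns2 -> server2.sock; anything else is rejected.
socket_for_if() {
    case "$1" in
        ovpnc*) kind=client; id=${1#ovpnc} ;;
        ovpns*) kind=server; id=${1#ovpns} ;;
        *) return 1 ;;
    esac
    case "$id" in ''|*[!0-9]*) return 1 ;; esac
    printf '/var/etc/openvpn/%s%s.sock\n' "$kind" "$id"
}

# Read a management "state" reply on stdin and print field 9 (the tunnel
# IPv6 address) of the CONNECTED line. Fails if the line is missing or the
# field is empty or contains anything but hex digits and colons.
state_tunnel_ipv6() {
    addr=$(tr -d '\r' | awk -F, '$2 == "CONNECTED" { print $9; exit }')
    case "$addr" in
        ''|*[!0-9A-Fa-f:]*) return 1 ;;
        *:*:*) printf '%s\n' "$addr" ;;
        *) return 1 ;;
    esac
}

# Gateway guess used in the comment above: same address, last group set to 1.
guess_gateway_v6() {
    printf '%s:1\n' "${1%:*}"
}

# Constructed sample reply (documentation address ranges).
SAMPLE_STATE='1531000000,CONNECTED,SUCCESS,10.8.0.2,203.0.113.10,1194,,,2001:db8:1::1000
END'

if ip6=$(printf '%s\n' "$SAMPLE_STATE" | state_tunnel_ipv6); then
    echo "socket:  $(socket_for_if ovpnc1)"
    echo "address: $ip6"
    echo "gateway: $(guess_gateway_v6 "$ip6")"
else
    echo "no usable IPv6 address in state reply" >&2
fi
```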

@AdSchellevis
Member

some things have changed in the meantime, reference #2799
