OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: Dronov on October 09, 2017, 02:53:37 pm

Title: [SOLVED] IPv6 via OpenVPN + NPT, incorrect source address for the router itself
Post by: Dronov on October 09, 2017, 02:53:37 pm
Dear helpful opnsense users,

This is a follow-up question to my update-related question [1], which turned out to be an IPv6 connectivity issue. I suspect it might be something known and straightforward.

I have an OpenVPN tunnel set up on the opnsense box, with all the traffic (IPv4 and IPv6) going through the tunnel. My ISP does not provide v6 connectivity, so v6 has only one way out - via VPN (for v4 I have a "kill switch" floating rule). The VPN server assigns a routed X.Y.Z::/64 network to the opnsense box. The opnsense box uses NPT to translate it to/from the internal network A.B.C::/64 (not site local, a regular net for historical reasons, using the "OpenVPN" interface; I did not assign one manually via Interfaces -> Assignments). LAN boxes get their IPv4 and IPv6 connectivity, and all seems to be OK.

Now, I recently found that the opnsense box itself has no IPv6 connectivity (due to NPT?). Here is what happens:

When I ping6 google.com from a LAN machine I see the following going out (and in) via the vpn interface:
Code:
# tcpdump -i ovpnc2 icmp6
12:30:00.852675 IP6 X:Y:Z:0:b4f3:a128:d588:5fa6 > lhr35s07-in-x0e.1e100.net: ICMP6, echo request, seq 1, length 64
12:30:00.863742 IP6 lhr35s07-in-x0e.1e100.net > X:Y:Z:0:b4f3:a128:d588:5fa6: ICMP6, echo reply, seq 1, length 64

However, when I do the same from the opnsense box, I see:
Code:
# tcpdump -i ovpnc2 icmp6
12:32:25.379827 IP6 A:B:C::1002 > lhr35s07-in-x0e.1e100.net: ICMP6, echo request, seq 0, length 16
12:32:26.442561 IP6 A:B:C::1002 > lhr35s07-in-x0e.1e100.net: ICMP6, echo request, seq 1, length 16

It looks like it takes the external address assigned to the ovpnc2 interface by the server (X.Y.Z::1002), does NPT on that address (which results in the internal A.B.C:: prefix) and then sends it out. Basically, address A.B.C::1002 does not exist anywhere; the ovpnc2 interface has address X.Y.Z::1002.

I'd appreciate any pointers; how do I debug this further?

Thanks a lot.

1. https://forum.opnsense.org/index.php?topic=6033.0
Title: Re: IPv6 via OpenVPN + NPT, incorrect source address for the router itself
Post by: Dronov on October 10, 2017, 11:42:09 pm
Found it :) One should never assemble configuration from bits and pieces over a month.

It was using the same v6 net for the VPN link itself. Once I switched the VPN to use ULA addresses for the link, it all works just fine.
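The overlap the poster found (the tunnel link address sitting inside the same /64 that the NPT rule rewrites) can be checked before it shows up in tcpdump. The following is an added example, not code from the thread or from OPNsense: it does the plain NPTv6 prefix swap (RFC 6296, without the checksum-neutral adjustment, which does not change which addresses are involved) and then checks a tunnel link address against an NPT rule, flagging the case where the router's own address would be rewritten into a non-existent address, and the case where the link is not in ULA space, which is the fix used above. The prefixes 2001:db8:a::/64 and 2001:db8:b::/64 are constructed stand-ins for the thread's A:B:C::/64 and X:Y:Z::/64.

```python
import ipaddress

# Constructed stand-ins for the thread's prefixes (A:B:C::/64 and X:Y:Z::/64).
INTERNAL_PREFIX = "2001:db8:a::/64"   # LAN side of the NPT rule
EXTERNAL_PREFIX = "2001:db8:b::/64"   # routed prefix delegated by the VPN server
ULA = ipaddress.IPv6Network("fc00::/7")  # Unique Local Addresses, RFC 4193


def npt_translate(addr, src_prefix, dst_prefix):
    """Swap the prefix bits of addr from src_prefix to dst_prefix, keeping the host bits.

    This is the stateless prefix rewrite NPTv6 performs; the RFC 6296
    checksum-neutral adjustment is omitted here.
    """
    addr = ipaddress.IPv6Address(addr)
    src = ipaddress.IPv6Network(src_prefix)
    dst = ipaddress.IPv6Network(dst_prefix)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("NPT requires both prefixes to have the same length")
    if addr not in src:
        raise ValueError(f"{addr} is not inside {src}")
    host_mask = (1 << (128 - src.prefixlen)) - 1
    host_part = int(addr) & host_mask
    return str(ipaddress.IPv6Address(int(dst.network_address) | host_part))


def check_tunnel_link(link_addr, internal_prefix, external_prefix):
    """Return a list of findings for a tunnel link address against an NPT rule.

    Failure mode from the thread: the router's own tunnel address lies inside
    the prefix the NPT rule rewrites, so locally generated traffic leaves with
    a translated source that exists nowhere. The remedy used in the thread is
    to number the tunnel link from ULA space instead.
    """
    link = ipaddress.IPv6Address(link_addr)
    internal = ipaddress.IPv6Network(internal_prefix)
    external = ipaddress.IPv6Network(external_prefix)
    findings = []
    if link in external:
        bogus = npt_translate(link, external, internal)
        findings.append(
            f"link address {link} lies inside NPT external prefix {external}; "
            f"rewriting it yields {bogus}, an address that exists nowhere"
        )
    if link in internal:
        findings.append(f"link address {link} lies inside NPT internal prefix {internal}")
    if link not in ULA:
        findings.append(f"link address {link} is not ULA (fc00::/7); number the tunnel link from fd00::/8")
    return findings


if __name__ == "__main__":
    # A LAN host's address is rewritten into the routed prefix, as in the first tcpdump.
    lan_host = "2001:db8:a::b4f3:a128:d588:5fa6"
    print("LAN host", lan_host, "->", npt_translate(lan_host, INTERNAL_PREFIX, EXTERNAL_PREFIX))
    # The router's own link address drawn from the routed prefix: the broken configuration.
    for finding in check_tunnel_link("2001:db8:b::1002", INTERNAL_PREFIX, EXTERNAL_PREFIX):
        print("finding:", finding)
    # The same check after moving the link to ULA space: nothing to report.
    print("ULA link findings:", check_tunnel_link("fd00:1::1002", INTERNAL_PREFIX, EXTERNAL_PREFIX))
```

Running it prints the LAN host translated into the routed prefix, two findings for the 2001:db8:b::1002 link address (inside the external prefix, and not ULA), and an empty list for the fd00:1::1002 link.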
Title: Re: [SOLVED] IPv6 via OpenVPN + NPT, incorrect source address for the router itself
Post by: franco on October 12, 2017, 08:41:01 pm
Yay, glad to hear that. :)


Cheers,
Franco