I have been gradually moving more tinc servers over to ipv6 addresses on the tinc 1.1 branch.

Tinc is inserting a default route for ipv6 for some reason...

default via 2600:3c01:e030:f2::1 dev tinc6 proto static metric 950 pref medium

In my case the default route supplied by ra is still the correct thing, but I don't see where in the code tinc is inserting this route from.... which, as I'm also connecting tinc over ipv6 makes things rather circular in some instances.

Is there a way to suppress this behavior, or make it insert a source specific route?

I'm also using source specific routing to manage the different ipv6 address spaces, which generally works well in linux 3.10.12 and later, e.g.:

default from 2600:3c01:e030:f2::/64 via 2600:3c01:e030:f2::1 dev tinc6 metric 1024 pref medium
default from 2601:646:4103:56c0::/60 via fe80::16cc:20ff:fee5:64c2 dev eno1 proto babel metric 1024 pref medium

(not my real ip addresses)

On Fri, Mar 04, 2016 at 12:16:37PM -0800, Dave Taht wrote:

> I have been gradually moving more tinc servers over to ipv6 addresses
> on the tinc 1.1 branch.
>
> Tinc is inserting a default route for ipv6 for some reason...
>
> default via 2600:3c01:e030:f2::1 dev tinc6 proto static metric 950
> pref medium
>
> In my case the default route supplied by ra is still the correct
> thing, but I don't see where in the code tinc is inserting this route
> from.... which, as I'm also connecting tinc over ipv6 makes things
> rather circular in some instances.

I see the problem. However, tinc itself does not insert any routes. If you have a router advertisement daemon that's listening on the VPN interface, then other nodes may indeed pick this up because their kernel will see those. If that's not what you want, then there are several options:

- Configure the router advertisement daemon to not listen on tinc's interface.
- Add "Broadcast = no" to tinc.conf on nodes running such a daemon.
- Use firewall rules to block router advertisement messages.
- On Linux, add "echo 0 >/proc/sys/net/ipv6/conf/$INTERFACE/accept_ra" to tinc-up before any ifconfig or ip commands.

--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>

On Fri, Mar 04, 2016 at 09:43:44PM +0100, Guus Sliepen wrote:

> - On Linux, add "echo 0 >/proc/sys/net/ipv6/conf/$INTERFACE/accept_ra"
> to tinc-up before any ifconfig or ip commands.

Ah, if it's only the default route you don't want, then it's:

echo 0 >/proc/sys/net/ipv6/conf/$INTERFACE/accept_ra_defrtr

--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
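
The check and the mitigation discussed in this thread, as an added example that is not part of the original messages or of tinc. It flags default routes on a VPN interface that carry no "from" selector, and sets the per-interface RA sysctl with a read-back. The function names, the optional sysctl-root argument and the sample route text (built from the lines quoted above) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit and harden RA handling on a VPN interface.
# SAMPLE_ROUTES is constructed from the route lines quoted in the thread.
SAMPLE_ROUTES='default via 2600:3c01:e030:f2::1 dev tinc6 proto static metric 950 pref medium
default from 2600:3c01:e030:f2::/64 via 2600:3c01:e030:f2::1 dev tinc6 metric 1024 pref medium
default from 2601:646:4103:56c0::/60 via fe80::16cc:20ff:fee5:64c2 dev eno1 proto babel metric 1024 pref medium'

# unscoped_defaults DEV (hypothetical helper): read `ip -6 route show` text on
# stdin and print default routes on DEV that have no "from" selector, i.e.
# routes that capture all IPv6 traffic rather than one source prefix.
unscoped_defaults() {
    awk -v dev="$1" '
        $1 == "default" {
            scoped = 0; ondev = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "from") scoped = 1
                if ($i == "dev" && $(i + 1) == dev) ondev = 1
            }
            if (ondev && !scoped) print
        }'
}

# set_ra_knob DEV KNOB VALUE [SYSROOT] (hypothetical helper): write VALUE to
# the per-interface IPv6 sysctl and read it back. SYSROOT defaults to
# /proc/sys; pass a scratch directory to try the function without root.
set_ra_knob() {
    knob="${4:-/proc/sys}/net/ipv6/conf/$1/$2"
    [ -w "$knob" ] || { echo "cannot write $knob" >&2; return 1; }
    echo "$3" > "$knob" || return 1
    [ "$(cat "$knob")" = "$3" ]
}

# Demo on the constructed sample: print what would be flagged on tinc6.
printf '%s\n' "$SAMPLE_ROUTES" | unscoped_defaults tinc6
```

In tinc-up the call would be `set_ra_knob "$INTERFACE" accept_ra_defrtr 0` before any ifconfig or ip commands, and on a live host the audit input would be the output of `ip -6 route show`.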