Hello,
I already consulted related lists @freebsd.org [1,2] but I have remained
unsuccessful to solve the following issue: VPN works for an internal
IPv4 subnet, but I doesn't for an internal IPv6 subnet with ULAs. To be
honest, I don't have any experience setting up a local IPv6; so I guess
that I'm doing something wrong here.
For those that know FreeBSD: The main aim is to connect several jails
that are running on two different machines. For those who don't: jails
are like virtual machines but actually they aren't.
I want to serve IPv4 subnets 10.1.0.0/16 (machine A) and 10.2.0.0/16
(machine B), and IPv6 subnets fd16:dcc0:f4cc:0:0:1::/96 (machine A) and
fd16:dcc0:f4cc:0:0:2::/96 (machine B) respectively. The jails are
connected on lo1.
A $ netstat -rn | grep -e 'fd16' -e '10\.'
10.0.0.0/8 link#4 U tap0
10.1.0.1 link#4 UHS lo0
10.1.1.1 link#3 UH lo1
10.2.0.0/16 10.1.0.1 UGS tap0
10.2.0.1 10.1.0.1 UGHS tap0
fd16:dcc0:f4cc::/80 link#4 U
tap0
fd16:dcc0:f4cc::1:0:0/96 link#3 U
lo1
fd16:dcc0:f4cc::1:0:1 link#4 UHS
lo0
fd16:dcc0:f4cc::1:1:1 link#3 UHS
lo0
fd16:dcc0:f4cc::2:0:0/96 fd16:dcc0:f4cc::1:0:1 UGS
lo1
fd16:dcc0:f4cc::2:0:1 fd16:dcc0:f4cc::1:0:1 UGHS
lo1
ff01::%lo1/32 fd16:dcc0:f4cc::1:1:1 U
lo1
ff01::%tap0/32 fd16:dcc0:f4cc::1:0:1 U
tap0
ff02::%lo1/32 fd16:dcc0:f4cc::1:1:1 U
lo1
ff02::%tap0/32 fd16:dcc0:f4cc::1:0:1 U
tap0
B $ netstat -rn | grep -e 'fd16' -e '10\.'
10.0.0.0/8 link#4 U tap0
10.1.0.0/16 10.2.0.1 UGS tap0
10.1.0.1 10.2.0.1 UGHS tap0
10.2.0.1 link#4 UHS lo0
10.2.1.1 link#3 UH lo1
fd16:dcc0:f4cc::/80 link#4 U
tap0
fd16:dcc0:f4cc::1:0:0/96 fd16:dcc0:f4cc::2:0:1 UGS
lo1
fd16:dcc0:f4cc::1:0:1 fd16:dcc0:f4cc::2:0:1 UGHS
lo1
fd16:dcc0:f4cc::2:0:0/96 link#3 U
lo1
fd16:dcc0:f4cc::2:0:1 link#4 UHS
lo0
fd16:dcc0:f4cc::2:1:1 link#3 UHS
lo0
ff01::%lo1/32 fd16:dcc0:f4cc::2:1:1 U
lo1
ff01::%tap0/32 fd16:dcc0:f4cc::2:0:1 U
tap0
ff02::%lo1/32 fd16:dcc0:f4cc::2:1:1 U
lo1
ff02::%tap0/32 fd16:dcc0:f4cc::2:0:1 U
tap0
Note: 10.{1,2}.1.1 are two jails running on machine A and B respectively.
These jails have also assigned IPv6 addresses fd16:dcc0:f4cc::{1,2}:1:1
respectively. 10.{1,2}.0.1 and fd16:dcc0:f4cc::{1,2}:0:1 are manually
assigned because tinc's documentation asks me to do so.
So, on both machines I can `ping 10.{1,2}.{0,1}.1` and I get a response.
But if I `ping6 fd16:dcc0:f4cc::{1,2}:{0,1}:1` I only get a response
from the machine the ping6 originates from; that is, routing over the
VPN seems to work for IPv4 but not for IPv6.
This is how the interfaces look like:
A $ ifconfig tap0
tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu
1500
options=80000<LINKSTATE>
ether 00:bd:6b:e5:19:00
inet6 fd16:dcc0:f4cc::1:0:1 prefixlen 80
inet6 fe80::2bd:6bff:fee5:1900%tap0 prefixlen 64 scopeid 0x4
inet 10.1.0.1 netmask 0xff000000 broadcast 10.255.255.255
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
media: Ethernet autoselect
status: active
Opened by PID 6110
B $ ifconfig tap0
tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu
1500
options=80000<LINKSTATE>
ether 00:bd:60:ca:17:00
inet6 fd16:dcc0:f4cc::2:0:1 prefixlen 80
inet6 fe80::2bd:60ff:feca:1700%tap0 prefixlen 64 scopeid 0x4
inet 10.2.0.1 netmask 0xff000000 broadcast 10.255.255.255
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
media: Ethernet autoselect
status: active
Opened by PID 16037
I have configured both machines as IPv6 gateway (/etc/rc.conf):
ipv6_gateway_enable="YES"
See also:
A $ sysctl net.inet6.ip6.forwarding
net.inet6.ip6.forwarding: 1
B $ sysctl net.inet6.ip6.forwarding
net.inet6.ip6.forwarding: 1
I don't think it's a firewall problem because I I've already tried
disabling the firewall without any success: IPv4 worked while IPv6
didn't.
The following is the tinc-up script on each machine that assignes IP
addresses and creates routes. I commented out some variations that
I tried but haven't had success with either:
A $ cat /usr/local/etc/tinc/klaas/tinc-up
ifconfig $INTERFACE inet6 fd16:dcc0:f4cc:0:0:1:0:1 prefixlen 80
route -6 add -host fd16:dcc0:f4cc:0:0:2:0:1 fd16:dcc0:f4cc:0:0:1:0:1
route -6 add -net fd16:dcc0:f4cc:0:0:2::/96 fd16:dcc0:f4cc:0:0:1:0:1
#route -6 add -ifp $INTERFACE -host fd16:dcc0:f4cc::2:0:1
fd16:dcc0:f4cc::1:0:1
#route -6 add -ifp $INTERFACE -net fd16:dcc0:f4cc::2:0:0/96
fd16:dcc0:f4cc::1:0:1
ifconfig $INTERFACE 10.1.0.1 netmask 255.0.0.0
route -4 add -host 10.2.0.1 10.1.0.1
route -4 add -net 10.2.0.0/16 10.1.0.1
This looks pretty the same on machine B.
I tried the variants with explicitly setting `-ifp $INTERFACE` because
I realised that
vvv
fd16:dcc0:f4cc::1:0:0/96 link#3 U
lo1
although
vvvv
10.2.0.0/16 10.1.0.1 UGS tap0
Explicitly setting the interface changes the first entry above to tap0.
Still, I couldn't ping the other machine over the VPN via IPv6.
Is there anything specifically IPv6-related that I am missing?
This is tinc.conf on machine A:
Name = A
ConnectTo = B
BindToAddress = <public-ipv4>
BindToAddress = <public-ipv6>
Device = /dev/tap0
It looks pretty the same for machine B. Since the tinc daemons can
connect, I assume everything is set up correctly here.
This is the host configuration file for A:
Address = A.domain.tld
Subnet = fd16:dcc0:f4cc:0:0:1::/96
Subnet = 10.1.0.0/16
-----BEGIN RSA PUBLIC KEY-----
<secret>
-----END RSA PUBLIC KEY-----
Again, the configuration file for machine B looks pretty the same. Except
that the subnets are the ones mentioned above.
I already stumbled upon http://www.tinc-vpn.org/examples/ipv6-network/
but setting `Mode = switch` resulted in IPv4 not working either. So
I reverted to the configuration as stated above.
Any help is very much appreciated!
Niklaas
References:
1. http://docs.freebsd.org/cgi/mid.cgi?20160519124446.GB2444
2. https://lists.freebsd.org/pipermail/freebsd-net/2016-May/045349.html
On Tue, May 24, 2016 at 08:17:07AM +0200, Niklaas Baudet von Gersdorff wrote:> I want to serve IPv4 subnets 10.1.0.0/16 (machine A) and 10.2.0.0/16 > (machine B), and IPv6 subnets fd16:dcc0:f4cc:0:0:1::/96 (machine A) and > fd16:dcc0:f4cc:0:0:2::/96 (machine B) respectively. The jails are > connected on lo1.[...]> A $ cat /usr/local/etc/tinc/klaas/tinc-up > ifconfig $INTERFACE inet6 fd16:dcc0:f4cc:0:0:1:0:1 prefixlen 80 > route -6 add -host fd16:dcc0:f4cc:0:0:2:0:1 fd16:dcc0:f4cc:0:0:1:0:1 > route -6 add -net fd16:dcc0:f4cc:0:0:2::/96 fd16:dcc0:f4cc:0:0:1:0:1 > #route -6 add -ifp $INTERFACE -host fd16:dcc0:f4cc::2:0:1 fd16:dcc0:f4cc::1:0:1 > #route -6 add -ifp $INTERFACE -net fd16:dcc0:f4cc::2:0:0/96 fd16:dcc0:f4cc::1:0:1All those route commands are unnecessary. The ifconfig command already ensures there is a route for fd16:dcc0:f4cc::/80 to tinc's interface.> This is tinc.conf on machine A: > > Name = A > ConnectTo = B > BindToAddress = <public-ipv4> > BindToAddress = <public-ipv6> > Device = /dev/tap0Hm, what if you use Device = /dev/tun0 instead? If this still doesn't work, then try to find out what happens with the packets you are sending. Run tinc in the foreground (use the options -d5 -D), and then run ping6 fd16:dcc0:f4cc:0:0:2:0:1 in another terminal. Does tinc see the packets? Does it send them to B? If so, the problem might be on B. If it doesn't get the packets, try tcpdump on all the interfaces to see where those packets are going. -- Met vriendelijke groet / with kind regards, Guus Sliepen <guus at tinc-vpn.org> -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: Digital signature URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20160524/bf42391c/attachment.sig>
Guus Sliepen [2016-05-24 11:26 +0200] :> On Tue, May 24, 2016 at 08:17:07AM +0200, Niklaas Baudet von Gersdorff wrote:[...]> > A $ cat /usr/local/etc/tinc/klaas/tinc-up > > ifconfig $INTERFACE inet6 fd16:dcc0:f4cc:0:0:1:0:1 prefixlen 80 > > route -6 add -host fd16:dcc0:f4cc:0:0:2:0:1 fd16:dcc0:f4cc:0:0:1:0:1 > > route -6 add -net fd16:dcc0:f4cc:0:0:2::/96 fd16:dcc0:f4cc:0:0:1:0:1 > > #route -6 add -ifp $INTERFACE -host fd16:dcc0:f4cc::2:0:1 fd16:dcc0:f4cc::1:0:1 > > #route -6 add -ifp $INTERFACE -net fd16:dcc0:f4cc::2:0:0/96 fd16:dcc0:f4cc::1:0:1 > > All those route commands are unnecessary. The ifconfig command already > ensures there is a route for fd16:dcc0:f4cc::/80 to tinc's interface.Thanks a lot for pointing that out. I cleaned both `tinc-up` and `tinc-down`; now they only contain `ifconfig $INTERFACE [...]` for both IPv4 and IPv6.> Hm, what if you use Device = /dev/tun0 instead? > > If this still doesn't work, then try to find out what happens with the > packets you are sending. Run tinc in the foreground (use the options > -d5 -D), and then run ping6 fd16:dcc0:f4cc:0:0:2:0:1 in another > terminal. Does tinc see the packets? Does it send them to B? If so, > the problem might be on B. If it doesn't get the packets, try tcpdump > on all the interfaces to see where those packets are going.Although I had checked my configuration by running tinc in the foreground, it seems that I have never done so while setting `-d5` and ping6ing simultaneously. Thanks a lot for mentioning that again -- I made some progress! So, when I try to `ping6 fd16:dcc0:f4cc:0:0:2:1:1` `tinc -D -d5` gives me the following output: Cannot route packet: neighbor solicitation request for unknown address fd16:dcc0:f4cc:0:0:2:1:1 Thus, it seems that my IPv6 setup is broken (somehow). I'll search for FreeBSD related solutions and will keep you updated. Niklaas
I was eventually able to solve this issue. I asked for help on several mailing lists. So, for reference, here are links to the relevant threads: https://lists.freebsd.org/pipermail/freebsd-questions/2016-May/271810.html https://lists.freebsd.org/pipermail/freebsd-net/2016-May/045349.html https://www.tinc-vpn.org/pipermail/tinc/2016-May/004573.html Niklaas Baudet von Gersdorff [2016-05-24 08:17 +0200] :> I want to serve IPv4 subnets 10.1.0.0/16 (machine A) and 10.2.0.0/16 > (machine B), and IPv6 subnets fd16:dcc0:f4cc:0:0:1::/96 (machine A) and > fd16:dcc0:f4cc:0:0:2::/96 (machine B) respectively. The jails are > connected on lo1.Here lies the first problem. It seems that it's not legitimate to assign /96 subnets when using unique local addresses (ULAs). I was right getting some /48 subnet for my local IPv6 network; some easy way to get one generated randomly is http://unique-local-ipv6.com/ . But instead of assigning /96 subnets to each host, you must assign /64 subnets. I guess (but I am not sure because I have not found any reference that mentions this explicitly) you *must not* use any other subnet when dealing with ULAs. So I decided for the following two subnets for machine A and B respectively: fd16:dcc0:f4cc:1::/64 and fd16:dcc0:f4cc:2::/64.> The following is the tinc-up script on each machine that assignes IP > addresses and creates routes. I commented out some variations that > I tried but haven't had success with either: > > A $ cat /usr/local/etc/tinc/klaas/tinc-up > ifconfig $INTERFACE inet6 fd16:dcc0:f4cc:0:0:1:0:1 prefixlen 80 > route -6 add -host fd16:dcc0:f4cc:0:0:2:0:1 fd16:dcc0:f4cc:0:0:1:0:1 > route -6 add -net fd16:dcc0:f4cc:0:0:2::/96 fd16:dcc0:f4cc:0:0:1:0:1 > #route -6 add -ifp $INTERFACE -host fd16:dcc0:f4cc::2:0:1 fd16:dcc0:f4cc::1:0:1 > #route -6 add -ifp $INTERFACE -net fd16:dcc0:f4cc::2:0:0/96 fd16:dcc0:f4cc::1:0:1 > > ifconfig $INTERFACE 10.1.0.1 netmask 255.0.0.0 > route -4 add -host 10.2.0.1 10.1.0.1 > route -4 add -net 10.2.0.0/16 10.1.0.1In addition, it seems not sufficient to solely assign IP address, but you must also assign a route for the respective foreign (!) subnet(s) to the tap interface. Without these I couldn't get the connection working. Thus, you get the following tinc-up scripts for both machines: A $ cat /usr/local/etc/tinc/tinc-up ifconfig $INTERFACE inet6 fd16:dcc0:f4cc:1::1 prefixlen 48 alias ifconfig $INTERFACE 10.1.0.1 netmask 255.0.0.0 alias route add -inet6 -net fd16:dcc0:f4cc:2::/64 -interface $INTERFACE B $ cat /usr/local/etc/tinc/tinc-up ifconfig $INTERFACE inet6 fd16:dcc0:f4cc:2::1 prefixlen 48 alias ifconfig $INTERFACE 10.2.0.1 netmask 255.0.0.0 alias route add -inet6 -net fd16:dcc0:f4cc:1::/64 -interface $INTERFACE The following you should include into tinc-down to clean up the route when the daemon is shut down (alter this for machine B respectively): route add -inet6 -net fd16:dcc0:f4cc:1::/64 -interface $INTERFACE To make this complete, these are the relevant host configurations for tinc: A $ cat /usr/local/etc/tinc/hosts/A Address = A Subnet = fd16:dcc0:f4cc:1::/64 Subnet = 10.1.0.0/16 -----BEGIN RSA PUBLIC KEY----- <secret> -----END RSA PUBLIC KEY----- A $ cat /usr/local/etc/tinc/hosts/B Address = B Subnet = fd16:dcc0:f4cc:2::/64 Subnet = 10.2.0.0/16 -----BEGIN RSA PUBLIC KEY----- <secret> -----END RSA PUBLIC KEY----- For reference -- in hope that duckduckgo does a good job indexing this and prevents others from struggling the same way as I did -- here are the errors I would get from tinc if either the subnet was not set up correctly (see above) or if I had not configured the routes: Cannot route packet: neighbor solicitation request for unknown address fd16:dcc0:f4cc:0:0:1:0:1 In hope that nobody else has to struggle with this as long as I did. Niklaas -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: not available URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20160526/24307b1c/attachment.sig>
Niklaas Baudet von Gersdorff
2016-May-27 08:11 UTC
IPv6, ULAs and FreeBSD,Re: IPv6, ULAs and FreeBSD
sthaug at nethelp.no [2016-05-27 08:53 +0200] :> I don't see any problem using ULA with for instance /124 netmask:[...]> 96 bit works too:[...] FreeBSD version? Mine is 10.3-RELEASE-p3. Dunno. Could be that I made some mistake but I also tried the setup with /96 and adding the route to the tap0 interface and it did not work. Niklaas -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: not available URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20160527/2ffb8bad/attachment.sig>
Kevin Oberman [2016-05-27 12:02 -0700] :> This is fine, but why not use link-local for the VPN links? That's the > primary reason for them. (N.B. I am not aware of your architectural > details, and ULAs for the VPNs might be appropriate.)Is it? I didn't know that I can use link-local addresses for the VPN too. How do I decide between link-local or unique-local addresses for the VPN? What do I make the decision dependent on? Niklaas -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: not available URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20160527/d51a59a8/attachment.sig>