zombie1982 5 Posted ...

Hello my friends,

on a Debian box I'm using two VPN IPv6 connections. One for the default route and the other for foreign services via local proxies for my clients.

The problem is that if I connect the Split-Traffic-VPN (ignored def/route) first, it reconnects after All-Traffic-VPN is connected b/c of:

Quote:
    Preserving previous TUN/TAP instance: tun0
    NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
    Closing TUN/TAP interface
    /sbin/ip addr del dev tun0 10.4.104.xx/24
    /sbin/ip -6 addr del fde6:7a:7d20:68::xx/64 dev tun0

I tried this config in All-Traffic-VPN like for IPv4 connections but it's ignored:

    route-ipv6 2001:ac8:28:8:c4d0:d13a:3b31:4d fe80::d63f:cbff:fe8a:xxxx

How can I prevent the non def/routed IPv6 tunnel from connecting through the def/route IPv6 tunnel?
How can I set a static route to my local default gateway fe80::d63f:cbff:fe8a:xxxx?
OpenSourcerer 1435 Posted ...

3 hours ago, zombie1982 said:
    route-ipv6 2001:ac8:28:8:c4d0:d13a:3b31:4d fe80::d63f:cbff:fe8a:xxxx

You are misinterpreting what this option does. It's not a v6 version of route:

Quote:
    --route-ipv6 ipv6addr/bits [gateway] [metric]
    setup IPv6 routing in the system to send the specified IPv6 network into OpenVPN's ``tun''. The gateway parameter is only used for IPv6 routes across ``tap'' devices, and if missing, the ``ipv6remote'' field from --ifconfig-ipv6 is used.

This option is there to specify what v6 subnets you explicitly want to route through the tunnel. Since dev tun is used, [gateway] is ignored, and so the whole route-ipv6 line is useless.

There is no way to set arbitrary v6 routes in OpenVPN, unless you use an up script doing so. For this you might need to set script-security 2 because by default user-defined scripts cannot be called.

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.
LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!
Want to contact me directly? All relevant methods are on my About me page.
zombie1982 5 Posted ...

Thanks. Yes, I'm using script-security 2 and up and down scripts to route the VPN locally to a device proxies listen to.

But how can I add routes to bypass the default IPv6 route with up-scripts?

Let's say my Inet device is wan0 and it's connected to a router with 192.168.0.1 and fe80::d63f:cbff:fe8a:xxxx

In the default/route VPN logs I see this:

    add_route_ipv6(2001:ac8:20:2a:fa58:8bc5:ea41:6ecc/128 -> fe80::d63f:cbff:fe8a:xxxx metric 1) dev wan0
    /sbin/ip -6 route add 2001:ac8:20:2a:fa58:8bc5:ea41:6ecc/128 dev wan0 via fe80::d63f:cbff:fe8a:xxxx metric 1

Do I need the same for the second tunnel?
OpenSourcerer 1435 Posted ...

4 hours ago, zombie1982 said:
    But how can I add routes to bypass the default IPv6 route with up-scripts ?

The default route actually has got a reasonably high metric, which is 100. So if you want to route something outside of the tunnel, you specify the metric to be 99 or lower.

4 hours ago, zombie1982 said:
    /sbin/ip -6 route add 2001:ac8:20:2a:fa58:8bc5:ea41:6ecc/128 dev wan0 via fe80::d63f:cbff:fe8a:xxxx metric 1

See? Here OpenVPN adds a route to the OpenVPN server, and the metric is 1 because we want this to be used under all circumstances. So add your routes with a metric between 2 and 99.
zombie1982 5 Posted ...

11 hours ago, giganerd said:
    The default route actually has got a reasonably high metric, which is 100. So if you want to route something outside of the tunnel, you specify the metric to be 99 or lower.
    See? Here OpenVPN adds a route to the OpenVPN server, and the metric is 1 because we want this to be used under all circumstances. So add your routes with a metric between 2 and 99.

Thanks, I see.

And how can I bypass this OpenVPN route with metric 1 with my second OpenVPN connection?

Can I configure a static route with metric 1 too, or do I need to ignore the pushed route settings from the server for both VPN connections?
OpenSourcerer 1435 Posted ...

3 hours ago, zombie1982 said:
    And how can I bypass this OpenVPN route with metric 1 with my second OpenVPN connection?

Why would you want that? It's just the route ensuring the VPN server can still be reached over the original connection after OpenVPN adds its own default routes to route everything via tun. As I wrote, you'd want a metric between 2 and 99 for exceptions.
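
The approach discussed in this thread, as an added example that was not posted by either participant: the body of an OpenVPN up script (called with script-security 2) that adds IPv6 exceptions via the local gateway on wan0 with a metric between 2 and 99. The gateway fe80::1, the 2001:db8:: prefixes, the variable names and the function names are constructed placeholders; with DRY_RUN=1 the script only prints the commands it would run.

```bash
#!/bin/bash
# Added example, not from the thread: IPv6 exceptions that leave via the
# physical uplink instead of the tunnel. All values below are assumptions.
WAN_DEV="${WAN_DEV:-wan0}"      # uplink interface name used in the thread
WAN_GW6="${WAN_GW6:-fe80::1}"   # placeholder for the router's link-local address
DRY_RUN="${DRY_RUN:-1}"         # 1 = print commands only, 0 = run them (needs root)

# Exceptions as "prefix metric"; 2001:db8::/32 is the documentation range.
BYPASS="2001:db8:10::53/128 50
2001:db8:20::/64 60"

# Rule given in the thread: metric 1 belongs to OpenVPN's own route to the
# server and the tunnel default sits at 100, so exceptions use 2..99.
valid_metric() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 2 ] && [ "$1" -le 99 ]
}

# Print the ip(8) command for one exception, or fail on bad input.
bypass_cmd() {
    local prefix="$1" metric="$2"
    valid_metric "$metric" || { echo "metric '$metric' not in 2..99" >&2; return 1; }
    case "$prefix" in
        *:*/*) ;;
        *) echo "'$prefix' is not an IPv6 prefix/len" >&2; return 1 ;;
    esac
    # A link-local (fe80::) next hop is only usable together with "dev".
    # "replace" instead of "add" keeps the script idempotent across restarts.
    echo "ip -6 route replace $prefix via $WAN_GW6 dev $WAN_DEV metric $metric"
}

# Walk the BYPASS list; skip invalid entries but report failure at the end.
apply_bypass() {
    local prefix metric cmd rc=0
    while read -r prefix metric; do
        [ -n "$prefix" ] || continue
        cmd=$(bypass_cmd "$prefix" "$metric") || { rc=1; continue; }
        if [ "$DRY_RUN" = 1 ]; then echo "$cmd"; else $cmd || rc=1; fi
    done <<EOF
$BYPASS
EOF
    return $rc
}

apply_bypass
```

Keep the exception prefixes as narrow as possible, since everything they match leaves the host outside the VPN. The kernel picks the longest matching prefix first and compares metrics only between routes of equal prefix length.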