zombie1982

Connecting a Split-Traffic Connection and an All-Traffic Connection with IPv6


Hello my friends,
On a Debian box I'm using two VPN IPv6 connections. One for the default route and the other for foreign services via local proxies for my clients.
The problem is that if I connect the Split-Traffic-VPN (ignored def/route) first, it reconnects after All-Traffic-VPN is connected b/c of:

Quote

 Preserving previous TUN/TAP instance: tun0
 NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
 Closing TUN/TAP interface
 /sbin/ip addr del dev tun0 10.4.104.xx/24
 /sbin/ip -6 addr del fde6:7a:7d20:68::xx/64 dev tun0


I tried this config in All-Traffic-VPN like for IPv4 connections but it's ignored:
route-ipv6 2001:ac8:28:8:c4d0:d13a:3b31:4d        fe80::d63f:cbff:fe8a:xxxx
How can I prevent the non def/routed IPv6 tunnel from connecting through the def/route IPv6 tunnel?
How can I set a static route to my local default gateway fe80::d63f:cbff:fe8a:xxxx?
 

3 hours ago, zombie1982 said:

route-ipv6 2001:ac8:28:8:c4d0:d13a:3b31:4d        fe80::d63f:cbff:fe8a:xxxx


You are misinterpreting what this option does. It's not a v6 version of route:
 
Quote
--route-ipv6 ipv6addr/bits [gateway] [metric]
setup IPv6 routing in the system to send the specified IPv6 network into OpenVPN's ``tun''. The gateway parameter is only used for IPv6 routes across ``tap'' devices, and if missing, the ``ipv6remote'' field from --ifconfig-ipv6 is used.

This option is there to specify what v6 subnets you explicitly want to route through the tunnel. Since dev tun is used, [gateway] is ignored, and so the whole route-ipv6 line is useless. There is no way to set arbitrary v6 routes in OpenVPN, unless you use an up script doing so. For this you might need to set script-security 2 because by default user-defined scripts cannot be called.

» I am not an AirVPN team member. All opinions are my own and are not to be considered official. Only the AirVPN Staff account should be viewed as such.

» The forums are a place where you can ask questions to the community. You are not entitled to guaranteed answer times. Answer quality may vary, too. If you need professional support, please create tickets.

» If you're new, take some time to read LZ1's New User Guide to AirVPN. On questions, use the search function first. On errors, search for the error message instead.

» If you choose to create a new thread, keep in mind that we don't know your setup. Give info about it. Never forget the OpenVPN logs or, for Eddie, the support file (Logs > lifebelt icon).

» The community kindly asks you to not set up Tor exit relays when connected to AirVPN. Their IP addresses are subject to restrictions and these are relayed to all users of the affected servers.

 

» Furthermore, I propose that your paranoia is to be destroyed. If you overdo privacy, chances are you will be unique among the mass again.


Thanks. Yes, I'm using script-security 2 and up and down scripts to route the VPN locally to a device that the proxies listen to.
But how can I add routes to bypass the default IPv6 route with up-scripts?
Let's say my Inet device is wan0 and it's connected to a router with 192.168.0.1 and fe80::d63f:cbff:fe8a:xxxx

In the default/route vpn logs I see this :

add_route_ipv6(2001:ac8:20:2a:fa58:8bc5:ea41:6ecc/128 -> fe80::d63f:cbff:fe8a:xxxx metric 1) dev wan0
 /sbin/ip -6 route add 2001:ac8:20:2a:fa58:8bc5:ea41:6ecc/128 dev wan0 via fe80::d63f:cbff:fe8a:xxxx metric 1

Do I need the same for the second tunnel?


 

4 hours ago, zombie1982 said:

But how can I add routes to bypass the default IPv6 route with up-scripts ?


The default route actually has got a reasonably high metric, which is 100. So if you want to route something outside of the tunnel, you specify the metric to be 99 or lower.
 
4 hours ago, zombie1982 said:

 /sbin/ip -6 route add 2001:ac8:20:2a:fa58:8bc5:ea41:6ecc/128 dev wan0 via fe80::d63f:cbff:fe8a:xxxx metric 1


See? Here OpenVPN adds a route to the OpenVPN server, and the metric is 1 because we want this to be used under all circumstances. So add your routes with a metric between 2 and 99. :)

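One way to apply the advice in the two replies above, as an added example that is not part of the original posts: an `up` script for the all-traffic VPN (hooked in with `up` and `script-security 2`) that pins the other VPN server's IPv6 address to the physical uplink with a metric between 2 and 99. The destination `2001:db8::1` and gateway `fe80::1` are placeholders, the function names are hypothetical, and `wan0` is the interface name used in the thread.

```shell
#!/bin/sh
# Added example: "up" script that keeps the split-traffic VPN's server
# reachable over the physical uplink instead of the all-traffic tunnel.
# All values below are placeholders; replace them with your own.
BYPASS_DST="${BYPASS_DST:-2001:db8::1}"   # placeholder: second VPN server address
LAN_GW="${LAN_GW:-fe80::1}"               # placeholder: router link-local address
LAN_DEV="${LAN_DEV:-wan0}"                # uplink interface, as named in the thread
BYPASS_METRIC="${BYPASS_METRIC:-50}"      # must sit between 2 and 99

# Print the ip(8) command for a host route outside the tunnel, or fail.
bypass_route_cmd() {
    dst=$1 gw=$2 dev=$3 metric=$4
    case $metric in
        ''|*[!0-9]*) echo "metric must be numeric" >&2; return 1 ;;
    esac
    # Per the thread: 1 is OpenVPN's own route to its server,
    # 100 is the VPN default route, so exceptions go in between.
    if [ "$metric" -lt 2 ] || [ "$metric" -gt 99 ]; then
        echo "metric must be between 2 and 99" >&2; return 1
    fi
    # A link-local gateway is ambiguous without an interface.
    case $gw in
        fe80:*) [ -n "$dev" ] || { echo "link-local gateway needs dev" >&2; return 1; } ;;
    esac
    # "replace" instead of "add" keeps the script idempotent across reconnects.
    echo "ip -6 route replace ${dst}/128 via ${gw} dev ${dev} metric ${metric}"
}

apply_bypass_route() {
    cmd=$(bypass_route_cmd "$BYPASS_DST" "$LAN_GW" "$LAN_DEV" "$BYPASS_METRIC") || return 1
    # DRY_RUN defaults to 1: only print the command. Set DRY_RUN=0 to apply it.
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$cmd"; else $cmd; fi
}

apply_bypass_route
```

After a real run, `ip -6 route get` for the second server's address should show the uplink interface rather than `tun0`.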
11 hours ago, giganerd said:

The default route actually has got a reasonably high metric, which is 100. So if you want to route something outside of the tunnel, you specify the metric to be 99 or lower.
 
See? Here OpenVPN adds a route to the OpenVPN server, and the metric is 1 because we want this to be used under all circumstances. So add your routes with a metric between 2 and 99. :)
Thanks, I see. And how can I bypass this OpenVPN route with metric 1 with my second OpenVPN connection? Can I configure a static route with metric 1 too or do I need to ignore the pushed route settings from server for both VPN connections?

3 hours ago, zombie1982 said:

And how can I bypass this OpenVPN route with metric 1 with my second OpenVPN connection?


Why would you want that? It's just the route ensuring the VPN server can still be reached over the original connection after OpenVPN adds its own default routes to route everything via tun. As I wrote, you'd want a metric between 2 and 99 for exceptions.
