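I am trying to add IPv6 tunnel support to an OpenVPN server (i.e., clients can reach the IPv6 Internet through the VPN).
The router running OpenVPN (a Netgear WNDR4500v1 running Tomato v1.28-140) has IPv6 via Hurricane Electric (a routed /64 and a routed /48):
- 2001:xxxx:7:3b3::2 is the WAN IPv6 address
- 2001:xxxx:8:3b3::1/64 is routed to the LAN interface (br0)
- 2001:xxxx:e1ca::/48 is routed to the OpenVPN interface (tun21)
IPv6 works on the LAN, and test-ipv6.com returns 10/10.
I can connect to the OpenVPN server from a client over IPv4 or IPv6, and the client gets a v6 address with the 2001:xxxx:e1ca::/48 prefix. However, the client has no IPv6 connectivity at all. I have tried multiple clients (Tunnelblick/macOS, OpenVPN for Android, OpenVPN Connect/iOS). test-ipv6.com shows "No IPv6 address detected". In addition, the following shows up in the server log: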
SM-N910V/2610:xxxx:7f97 MULTI: bad source address from client [2610:xxxx:7f97], packet dropped
I have looked at the OpenVPN IPv6 wiki, Jacob D Evans's guide, and other resources. The server/client configurations are below.
Server configuration:
# Automatically generated configuration
daemon
server 192.168.2.0 255.255.255.0
proto udp
port 1194
dev tun21
cipher AES-256-CBC
comp-lzo adaptive
keepalive 15 60
verb 3
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.1"
push "redirect-gateway def1"
tls-auth static.key 0
ca ca.crt
dh dh.pem
cert server.crt
key server.key
status-version 2
status status
# Custom Configuration
proto udp6
topology subnet
push "topology subnet"
server-ipv6 2001:xxxx:e1ca::/64
push "route-ipv6 2001:xxxx:8:3b3::/64"
push "route-ipv6 2001:xxxx:e1ca::/48"
push "comp-lzo adaptive"
verb 4
auth sha256
Client configuration:
client
dev tun
remote vpn.server.com 1194 udp6
float
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
key-direction 1
auth sha256
explicit-exit-notify
comp-lzo adaptive
pull
<ca>...</ca>
<cert>...</cert>
<key>...</key>
<tls-auth>...</tls-auth>
ip -6 route before connecting to the VPN:
2001:xxxx:7:3b3::2 via fe80::6c5:a4ff:feea:9cc1 dev enp0s3 proto static metric 100 pref medium
2610:xxxx::/64 dev enp0s3 proto ra metric 100 pref medium
fe80::6c5:a4ff:feea:9cc1 dev enp0s3 proto static metric 100 pref medium
fe80::/64 dev enp0s3 proto kernel metric 100 pref medium
fe80::/64 dev enp0s3 proto kernel metric 256 pref medium
default via fe80::6c5:a4ff:feea:9cc1 dev enp0s3 proto ra metric 100 pref medium
ip -6 route after connecting to the VPN:
2001:xxxx:7:3b3::2 via fe80::6c5:a4ff:feea:9cc1 dev enp0s3 proto static metric 100 pref medium
2001:xxxx:8:3b3::/64 via 2001:xxxx:e1ca::1 dev tun0 proto static metric 50 pref medium
2001:xxxx:e1ca::1 dev tun0 proto kernel metric 50 pref medium
2001:xxxx:e1ca::1 dev tun0 proto kernel metric 256 pref medium
2001:xxxx:e1ca::1000 dev tun0 proto kernel metric 50 pref medium
2001:xxxx:e1ca::/48 via 2001:xxxx:e1ca::1 dev tun0 proto static metric 50 pref medium
2610:xxxx::/64 dev enp0s3 proto ra metric 100 pref medium
fe80::6c5:a4ff:feea:9cc1 dev enp0s3 proto static metric 100 pref medium
fe80::/64 dev enp0s3 proto kernel metric 100 pref medium
fe80::/64 dev enp0s3 proto kernel metric 256 pref medium
default dev tun0 proto static metric 50 pref medium
default via fe80::6c5:a4ff:feea:9cc1 dev enp0s3 proto ra metric 100 pref medium
ip -6 route after running the commands posted by @grawity below:
default from 2001:xxxx:e1ca::/64 dev tun0 metric 1024 pref medium
default from 2610:xxxx::/64 via 2610:xxxx::1 dev enp0s3 metric 1024 pref medium
2001:xxxx:7:3b3::2 via fe80::6c5:a4ff:feea:9cc1 dev enp0s3 proto static metric 100 pref medium
2001:xxxx:8:3b3::/64 via 2001:xxxx:e1ca::1 dev tun0 proto static metric 50 pref medium
2001:xxxx:e1ca::1 dev tun0 proto kernel metric 50 pref medium
2001:xxxx:e1ca::1 dev tun0 proto kernel metric 256 pref medium
2001:xxxx:e1ca::1000 dev tun0 proto kernel metric 50 pref medium
2001:xxxx:e1ca::/48 via 2001:xxxx:e1ca::1 dev tun0 proto static metric 50 pref medium
2610:xxxx::/64 dev enp0s3 proto ra metric 100 pref medium
fe80::6c5:a4ff:feea:9cc1 dev enp0s3 proto static metric 100 pref medium
fe80::/64 dev enp0s3 proto kernel metric 100 pref medium
fe80::/64 dev enp0s3 proto kernel metric 256 pref medium
default dev tun0 proto static metric 50 pref medium
default via fe80::6c5:a4ff:feea:9cc1 dev enp0s3 proto ra metric 100 pref medium
Does anyone know what is going on?
OpenVPN log: https://gist.github.com/abraha2d/f339ff163dd93e20ba3b499c69d6abe3
Answer 1
Your server configuration is missing a push option.
You have:
push "redirect-gateway def1"
You also need to have the ipv6 option, i.e.:
push "redirect-gateway def1 ipv6"
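
The condition this answer points out can be checked mechanically. The following is an added example, not part of the original question or answer: a small Python audit that flags a server config which defines `server-ipv6` but pushes no IPv6 default route. It goes slightly beyond the answer by also accepting a pushed `route-ipv6 ::/0` or `route-ipv6 2000::/3` as equivalent; the function name and the `2001:db8:` sample prefixes are constructed for illustration (the page's real prefixes are redacted).

```python
import ipaddress
import shlex

# Pushed IPv6 routes that act as a default route for global unicast traffic.
V6_DEFAULTS = {ipaddress.ip_network("::/0"), ipaddress.ip_network("2000::/3")}


def audit_ipv6_redirect(config_text):
    """Return a finding string if server-ipv6 is set but no IPv6 default is pushed."""
    has_v6_pool = redirects_v6 = False
    for raw in config_text.splitlines():
        # shlex drops '#' comments and unquotes the argument of push "..."
        tokens = shlex.split(raw, comments=True)
        if not tokens or tokens[0].startswith(";"):
            continue
        if tokens[0] == "server-ipv6":
            has_v6_pool = True
        if tokens[0] != "push" or len(tokens) < 2:
            continue
        pushed = tokens[1].split()
        if not pushed:
            continue
        if pushed[0] == "redirect-gateway" and "ipv6" in pushed[1:]:
            redirects_v6 = True
        elif pushed[0] == "route-ipv6" and len(pushed) > 1:
            try:
                net = ipaddress.ip_network(pushed[1], strict=False)
            except ValueError:
                continue  # redacted or malformed prefix: cannot be a default route
            redirects_v6 = redirects_v6 or net in V6_DEFAULTS
    if has_v6_pool and not redirects_v6:
        return ("server-ipv6 is set but no IPv6 default route is pushed "
                "(add the ipv6 flag to redirect-gateway)")
    return None


# Constructed sample: the relevant lines of the question's server config,
# with documentation prefixes substituted for the redacted ones.
QUESTION_CONFIG = """\
server 192.168.2.0 255.255.255.0
push "redirect-gateway def1"
server-ipv6 2001:db8:e1ca::/64
push "route-ipv6 2001:db8:8:3b3::/64"
push "route-ipv6 2001:db8:e1ca::/48"
"""
FIXED_CONFIG = QUESTION_CONFIG + 'push "redirect-gateway def1 ipv6"\n'

if __name__ == "__main__":
    print("question config:", audit_ipv6_redirect(QUESTION_CONFIG))
    print("fixed config:   ", audit_ipv6_redirect(FIXED_CONFIG))
```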