I am running a Pi-hole server on a VPS instance. To protect it from being an open relay I configured OpenVPN on IPv4 and only routed the DNS traffic over the VPN. My home network is connected to that VPN, as is my business network.
I recently installed a surveillance camera on my business network and tried to stream that content to my home network. That didn't work because my home network is connected via DS-Lite.
I modified both networks to use IPv6 and configured the OpenVPN server accordingly. I still want to route only most of the DNS traffic, but connect two devices from each network to tunnel their traffic over the VPN.
Here comes my problem: after starting the OpenVPN service on the server, the server and the connected (tunneled) clients are no longer able to reach the internet over IPv6:
user@server:~$ ping -6 ipv6.google.com
PING ipv6.google.com(fra15s17-in-x0e.1e100.net (2a00:1450:4001:81c::200e)) 56 data bytes
^C
--- ipv6.google.com ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 38ms
The clients connected to the DNS are able to resolve any hostname but neither the camera nor the server on my home network can reach IPv6 destinations. IPv4 is working though:
user@server:~$ ping -4 google.com
PING google.com (172.217.23.110) 56(84) bytes of data.
64 bytes from mil04s23-in-f14.1e100.net (172.217.23.110): icmp_seq=1 ttl=54 time=3.34 ms
64 bytes from mil04s23-in-f14.1e100.net (172.217.23.110): icmp_seq=2 ttl=54 time=3.42 ms
64 bytes from mil04s23-in-f14.1e100.net (172.217.23.110): icmp_seq=3 ttl=54 time=3.47 ms
^C
--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 5ms
rtt min/avg/max/mdev = 3.344/3.412/3.468/0.051 ms
IPv6 forwarding is enabled on the server and the clients can ping each other.
My OpenVPN server.conf:
user@server:~$ cat /etc/openvpn/server.conf
port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
server-ipv6 2a01:XXXX:XXXX:YYYY::/64
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
iptables List:
user@server:~$ sudo iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:2202
ACCEPT tcp -- anywhere anywhere tcp dpt:openvpn
ACCEPT udp -- anywhere anywhere udp dpt:openvpn
REJECT udp -- anywhere anywhere udp dpt:80 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:https reject-with tcp-reset
REJECT udp -- anywhere anywhere udp dpt:443 reject-with icmp-port-unreachable
ACCEPT tcp -- anywhere anywhere tcp dpt:http
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ip6tables List:
user@server:~$ sudo ip6tables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all anywhere anywhere
ACCEPT all anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp anywhere anywhere tcp dpt:domain
ACCEPT udp anywhere anywhere udp dpt:domain
ACCEPT tcp anywhere anywhere tcp dpt:http
ACCEPT tcp anywhere anywhere tcp dpt:ssh
ACCEPT tcp anywhere anywhere tcp dpt:2202
ACCEPT tcp anywhere anywhere tcp dpt:openvpn
ACCEPT udp anywhere anywhere udp dpt:openvpn
REJECT udp anywhere anywhere udp dpt:80 reject-with icmp6-port-unreachable
REJECT tcp anywhere anywhere tcp dpt:https reject-with tcp-reset
REJECT udp anywhere anywhere udp dpt:443 reject-with icmp6-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
route:
user@server:~$ sudo route -A inet6
Kernel IPv6 routing table
Destination Next Hop Flag Met Ref Use If
ip6-localhost/128 [::] U 256 2 0 lo
2a01:XXXX:XXXX:XXXX::/64 [::] U 256 3 0 eth0
2a01:XXXX:XXXX:YYYY::/64 [::] U 256 2 0 tun0
fe80::/64 [::] U 256 1 0 eth0
fe80::/64 [::] U 256 1 0 tun0
[::]/0 fe80::1 UGH 1024 2 0 eth0
ip6-localhost/128 [::] Un 0 4 0 lo
2a01:XXXX:XXXX:XXXX::/128 [::] Un 0 4 0 eth0
hostname.tld/128 [::] Un 0 5 0 eth0
2a01:XXXX:XXXX:YYYY::/128 [::] Un 0 3 0 tun0
hostname/128 [::] Un 0 4 0 tun0
fe80::/128 [::] Un 0 4 0 eth0
fe80::/128 [::] Un 0 3 0 tun0
fe80::1d23:2dc3:XXX:XXX/128 [::] Un 0 2 0 tun0
fe80::9400:ff:XXX:XXX/128 [::] Un 0 5 0 eth0
ip6-mcastprefix/8 [::] U 256 2 0 eth0
ip6-mcastprefix/8 [::] U 256 2 0 tun0
[::]/0 [::] !n -1 1 0 lo
I tried to add different gateways, tried different ip6tables rules and mixed up my VPN server.conf with different options. Only deleting the tun0 interface or stopping the OpenVPN service brings the IPv6 connectivity back. What am I doing wrong?
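One way to check a routing table like the one above systematically, as an added diagnostic example that is not part of the original question: the script below parses `route -A inet6` output, picks out the default route and the on-link prefixes per interface, and reports the two things worth verifying in an eth0 + tun0 setup (an RA-learned default route with a link-local next hop, and how the tunnel prefix relates to the uplink prefix). The embedded sample table is constructed to mirror the shape of the listing in the question, with the masked prefixes replaced by 2001:db8::/32 documentation addresses; the interface names `eth0` and `tun0` are taken from the question.

```python
"""Summarise a `route -A inet6` listing for an OpenVPN eth0 + tun0 host.

Added diagnostic example, not code from the original post. The sample
table is constructed; real prefixes are replaced by 2001:db8::/32.
"""
import ipaddress
import sys

# Constructed sample in the layout of `route -A inet6`. Hostname entries
# (ip6-localhost, ip6-mcastprefix) are present as the tool prints them and
# are skipped by the parser.
SAMPLE_ROUTE_TABLE = """\
Kernel IPv6 routing table
Destination Next Hop Flag Met Ref Use If
ip6-localhost/128 [::] U 256 2 0 lo
2001:db8:1:aaaa::/64 [::] U 256 3 0 eth0
2001:db8:1:bbbb::/64 [::] U 256 2 0 tun0
fe80::/64 [::] U 256 1 0 eth0
fe80::/64 [::] U 256 1 0 tun0
[::]/0 fe80::1 UGH 1024 2 0 eth0
2001:db8:1:aaaa::/128 [::] Un 0 4 0 eth0
2001:db8:1:bbbb::/128 [::] Un 0 3 0 tun0
ip6-mcastprefix/8 [::] U 256 2 0 eth0
[::]/0 [::] !n -1 1 0 lo
"""


def _strip_brackets(token):
    # `route` prints the unspecified address as [::]; remove the brackets.
    return token.replace("[", "").replace("]", "")


def parse_routes(text):
    """Return a list of dicts for every numeric route line in the table."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7 or parts[0] == "Destination":
            continue
        dest, nexthop, flags, metric, _ref, _use, iface = parts
        try:
            net = ipaddress.IPv6Network(_strip_brackets(dest), strict=False)
        except ValueError:
            continue  # hostname destinations are not parsed
        gw_token = _strip_brackets(nexthop)
        gw = None if gw_token == "::" else ipaddress.IPv6Address(gw_token)
        routes.append({"dest": net, "gw": gw, "flags": flags,
                       "metric": int(metric), "iface": iface})
    return routes


def default_route(routes):
    """Lowest-metric ::/0 route that actually has a gateway (G flag)."""
    cands = [r for r in routes if r["dest"].prefixlen == 0 and "G" in r["flags"]]
    return min(cands, key=lambda r: r["metric"]) if cands else None


def onlink_prefixes(routes):
    """Non-link-local, non-host on-link prefixes grouped by interface."""
    out = {}
    for r in routes:
        n = r["dest"]
        if r["gw"] is None and "U" in r["flags"] and 0 < n.prefixlen < 128 \
                and not (n.is_link_local or n.is_multicast or n.is_loopback):
            out.setdefault(r["iface"], []).append(n)
    return out


def analyse(text, uplink="eth0", tunnel="tun0"):
    routes = parse_routes(text)
    findings = []
    dr = default_route(routes)
    if dr is None:
        findings.append("no IPv6 default route: off-link IPv6 cannot work")
    else:
        if dr["iface"] != uplink:
            findings.append(f"default route leaves via {dr['iface']}, not {uplink}")
        if dr["gw"] is not None and dr["gw"].is_link_local:
            # A link-local next hop is typical of a route learned from Router
            # Advertisements. With net.ipv6.conf.<if>.forwarding=1 the kernel
            # ignores new RAs unless accept_ra=2, so such a route expires at
            # the end of its advertised lifetime.
            findings.append("default route has a link-local next hop (RA-learned); "
                            f"with forwarding enabled, {uplink} needs accept_ra=2 "
                            "or the route lapses")
    prefixes = onlink_prefixes(routes)
    up = prefixes.get(uplink, [])
    for t in prefixes.get(tunnel, []):
        if any(t.subnet_of(u) or u.subnet_of(t) for u in up):
            findings.append(f"tunnel prefix {t} overlaps an {uplink} prefix: longest-"
                            f"prefix match steers part of {uplink}'s traffic into {tunnel}")
        else:
            findings.append(f"tunnel prefix {t} is separate from {uplink} prefixes "
                            f"{[str(u) for u in up]}: the upstream router must route it "
                            "to this host, otherwise replies to tunnel addresses never arrive")
    return {"default": dr, "prefixes": prefixes, "findings": findings}


if __name__ == "__main__":
    # Pipe real output in (`route -A inet6 | python3 this.py`) or run the sample.
    table = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ROUTE_TABLE
    for f in analyse(table)["findings"]:
        print("-", f)
```

The script only reads the table; it changes nothing on the host. Whether the upstream router actually forwards the tunnel /64 to the VPS is something only the provider's routing (or a `ping -6` from outside to a tun0 address) can confirm, which is why the second finding is phrased as a condition to verify rather than a diagnosis.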