networking – How do I assign IPv6 addresses to the interfaces of my linux-based router?

I’m using a commodity PC running Ubuntu Server 18.04 as the router for my home network. This has been working great for me for years with IPv4, but I’ve been trying to make it dual-stack, and I’m struggling with how address allocation works in this scenario – all of the documentation I’ve found is oriented toward end users already behind a configured router, or enterprises with static addressing needs.

My ISP fully supports IPv6 without tunneling, and indeed has already assigned my router’s WAN interface a 2xxx global unicast address, with a subnet number of 0.

My LAN interface, however, has no IPv6 address other than the link-local fe80 address, which makes it impossible for me to set up packet forwarding for my LAN. How does this interface get an IPv6 address? It doesn’t seem appropriate to statically assign it an address, since it needs to be a member of the prefix that my ISP has dynamically assigned me, which could presumably change. And specifying iface $LAN inet6 auto in /etc/network/interfaces has had no effect.

It’s my (vague) understanding that DHCPv6 is usually unnecessary and inappropriate for home network scenarios, and regardless, I’d like to satisfy myself that I understand how SLAAC and router advertisement works before I set that up.

openvpn – VPN Server for IPv6 based Connection

I'm running several game servers (like ARK or Garry's Mod) on several servers. Last week my friends were not able to connect anymore. I found out that my provider is not providing a public IPv6 anymore.

Unfortunately ARK/Garry's Mod/Steam!! cannot build up a connection to servers via IPv6 (if they can, please correct me). I can simply build the connection via the local IPv4 address within my network and I want to provide this functionality to my friends.

My idea was to provide a VPN server within my network. I did not find any reliable tutorial, since everyone writes in their dependencies "you need a public ipv4". And they are not dealing with IPv6 traffic either.

I got the CA up and running and I am able to create certificates/keys for the new clients.

But I don't get the VPN up and running.

Here is my server config so far:

port 1194

proto udp6

dev tun

ca ca.crt
cert server.crt
key server.key
dh dh2048.pem

topology subnet

server 10.0.100.1  255.255.255.0
server-ipv6 2a02:810d:8940:fd::/64

push "redirect-gateway def1 bypass-dhcp"
push "route-ipv6 2a02:80d:890:fd::/64"
push "route-ipv6 2000::/3"
push "redirect-gateway ipv6"

#google dns servers
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "dhcp-option DNS6 2001:4860:4860::8888"
push "dhcp-option DNS6 2001:4860:4860::8844"

keepalive 10 120
verb 3

And my client config so far:

dev tun
proto udp6
remote <vpn.mydomain.ipv6> 1337

persist-key
persist-tun
remote-cert-tls server
comp-lzo
verb 3
cipher AES-128-CBC
auth SHA256
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
blabla
-----END CERTIFICATE-----
</ca>
<cert>

-----BEGIN CERTIFICATE-----
blabla
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
blabla
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
blabla
-----END OpenVPN Static key V1-----
</tls-auth>

That doesn't work out so far.
Does someone already have a setup that is working and want to help me get this running?

I thought about two possible ways to get my friends connected:

  1. They won't receive a 10.x address from my VPN. They should only insert the IP (for example 10.0.100.10 ark server) in Steam and the VPN client on the computer will send this traffic to my network.
  2. They will receive a 10.x address from me and the VPN will send all traffic to my network.

The first one would be the best solution for me, because the second one would route all internet traffic to my network too. And I guess 20 people using my internet connection will lead to other problems.

I guess the best solution would be that everyone gets their own ovpn file, isn't it? Or can I use the same file for everyone?

Thank you for any help!

Best regards
Michael
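A consistency check over the two configs quoted in this post, as an added example that is not part of the original post: it compares the server and client files and reports where they disagree or contradict the split-tunnel goal stated above. The finding labels and the placeholder hostname `vpn.example.invalid` are made up for this example; a port difference can be legitimate when a NAT rule forwards 1337 to 1194.

```python
import ipaddress

# Constructed from the two configs in the post (inline cert/key blocks left
# out, the redacted hostname replaced by a placeholder).
SERVER = '''port 1194
proto udp6
server 10.0.100.1  255.255.255.0
server-ipv6 2a02:810d:8940:fd::/64
push "redirect-gateway def1 bypass-dhcp"
push "route-ipv6 2a02:80d:890:fd::/64"
push "route-ipv6 2000::/3"
push "redirect-gateway ipv6"'''
CLIENT = '''proto udp6
remote vpn.example.invalid 1337
comp-lzo
cipher AES-128-CBC
auth SHA256
key-direction 1'''

def parse(text):
    """Map directive -> list of argument lists (quotes around push args dropped)."""
    conf = {}
    for line in text.splitlines():
        words = line.split("#", 1)[0].replace('"', " ").split()
        if words:
            conf.setdefault(words[0], []).append(words[1:])
    return conf

def lint(server_text, client_text):
    s, c = parse(server_text), parse(client_text)
    found = []
    if s["port"][0][0] != c["remote"][0][1]:
        found.append("port-mismatch")
    try:  # "server" expects a network address, so host bits must be zero
        ipaddress.ip_network("/".join(s["server"][0]))
    except ValueError:
        found.append("server-host-bits-set")
    pool6 = ipaddress.ip_network(s["server-ipv6"][0][0])
    for args in s.get("push", []):
        if args[0] == "redirect-gateway":  # sends all client traffic via the VPN
            found.append("full-tunnel " + " ".join(args[1:]))
        elif args[0] == "route-ipv6" and not ipaddress.ip_network(args[1]).overlaps(pool6):
            found.append("route6-outside-pool " + args[1])
    for d in ("proto", "cipher", "auth", "comp-lzo"):  # kept identical on both ends
        if s.get(d) != c.get(d):
            found.append("differs " + d)
    if ("key-direction" in c) != ("tls-auth" in s):  # client carries inline tls-auth
        found.append("tls-auth-one-sided")
    return found
```

Running `lint(SERVER, CLIENT)` returns one label per disagreement, so an empty list means the two files agree on every point checked.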

The reason behind the dramatic drop in the IPv6 adoption rate in China according to Google measurements?

Google has an IPv6 measurement page that reports the percentage of users that access Google over IPv6.

According to the report, by Jan 2020 0.3% of users in China used IPv6 to access Google.

However, looking at this metric over time, we see a substantial drop starting from June 2019.

I failed to find any solid news that may cause such behavior. I have two hypotheses in mind.

  1. Also, as it is a percentage metric, they can adjust their calculation on the total internet penetration rate in China.
  2. Previously, open discussions between netizens took place on Google Plus groups. In April 2019, Google shut down Google Plus. Technical discussions continue on Chinese-language blogs, forums, and groups. For obvious reasons, discussions must be hosted outside China, and posters must register under pseudonyms. So probably that caused the shift from Google services, but I hardly believe that it may cause such a plummet.

windows – Why can I ping an ipv6 but not an ipv4 and vice versa? (Hamachi)

I’m using Hamachi LogMe-In to connect a laptop (A with Win8.1) to a work computer (B with Win10) for SSH, both running Windows Firewall allowing SSH port 22, and the PING.EXE.

Somehow I got that to work. Then I tried to open a port for another python app on a different port trying to communicate for a remote computation setup, and it’s not working as expected. Trying to debug I was pinging (after allowing ping.exe on both machines through FW) the different machines from each side, and to my surprise I found this happening.

# On: machine A
ping -4 <ipv4-B> 
# results in timeout!

# On: machine A
ping -6 <ipv6-B>
# OK

Then doing the opposite:

# On: machine B
ping -4 <ipv4-A> 
# OK

# On: machine B
ping -6 <ipv6-A>
# results in timeout!

What is going on?

My Hamachi machines are green on both sides, so that connection seems OK.
So I guess it must be some FW thing going on in Windows.
How can I debug and understand this?


Possibly related questions (but not helpful to my case):

Network – IPv6 cannot connect to libvirt guests from outside

I have a dedicated service provider with Ikoula running Centos 8. I created a bridge "bridgevm" on which some virtual libvirt machines connect. This bridge is not associated with "eth0" and was not created through libvirt. The aim is to isolate the virtual machines in an internal network and to act as a router / firewall between the Internet and this internal network.

In firewalld I moved the real interface "eth0" to the "external" zone and the bridge "bridgevm" to the "internal" zone. Masquerading is activated by default in the external zone. For IPv4, I set up dnsmasq on the host so it can give the VMs an IPv4 address, and it works. Thanks to NAT, guests can connect to the Internet.

Ikoula gave me the 2a00:c70:1:XXX:XXX:XXX:JJJ:0/96 subnet for IPv6 and 2a00:c70:1:XXX:XXX:XXX:0:1 for the gateway. See here: https://en-wiki.ikoula.com/de/How_to_calculate_my_IPV6

I configured the host with 2a00:c70:1:XXX:XXX:XXX:YYY:2/128 on eth0 and 2a00:c70:1:XXX:XXX:XXX:YYY:102/120 on the bridge. I then gave a guest the static IPv6 address 2a00:c70:1:178:170:41:26:107 and, as its gateway, the address of the host on the bridge: 2a00:c70:1:178:170:41:26:102.

The interfaces on the host are configured as follows:

DEVICE=eth0
ONBOOT=yes
BOOTPROTO=none
IPADDR=XXX.XXX.XXX.YYY
NETMASK=255.255.255.0
NETWORK=""
BROADCAST=""
HWADDR=ZZ:ZZ:ZZ:ZZ:ZZ:ZZ
DNS1=213.246.33.144
DNS2=213.246.36.14
DNS3=80.93.83.11
DNS4=80.93.83.25
GATEWAY=ZZZ.ZZZ.ZZZ.ZZZ
NOZEROCONF=yes
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
PREFIX=24
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=no
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME="System eth0"
UUID=[...]
ZONE=external
IPV6ADDR=2a00:c70:1:XXX:XXX:XXX:YYY:2/128
IPV6_DEFAULTGW=2a00:c70:1:XXX:XXX:XXX:0:1
IPV6FORWARDING=yes

STP=no
TYPE=Bridge
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
IPADDR=10.10.0.1
PREFIX=24
DOMAIN=myname.local
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
NAME=Bridge-VMs
UUID=[...]
DEVICE=bridgevm
ONBOOT=yes
ZONE=internal
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
IPV6ADDR=2a00:c70:1:XXX:XXX:XXX:YYY:102/120
IPV6_AUTOCONF=no
IPV6FORWARDING=yes

The interface on the guest is defined as follows:

TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=dhcp
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=no
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=eth0
UUID=[...]
DEVICE=eth0
ONBOOT=yes
IPV6ADDR=2a00:c70:1:XXX:XXX:XXX:YYY:107/128
IPV6_DEFAULTGW=2a00:c70:1:XXX:XXX:XXX:YYY:102

From the guest I can connect to the Internet via IPv6. For example, I can use its IPv6 address to ssh to another server that I host at Hetzner. However, I cannot establish a connection from the server at Hetzner to the guest via the static IPv6 address of the guest on the bridge. I get "No route to the host".

However, I can connect to the host from the Hetzner server via IPv6. I can also connect to the guest from the host over IPv6.

When I ssh from a guest to the server at Hetzner, I can see in the logs of the Hetzner server that the connection is made with the host's IPv6 address, 2a00:c70:1:XXX:XXX:XXX:YYY:2. From this I concluded that the "masquerade" in the host's external zone also applies to IPv6 and that the host masks the guest's data traffic before forwarding it to the Internet.

If I deactivate "Masquerade" from the external zone on the firewall, IPv6 no longer works for the guest. But it seems to me that all routes on the host are correct:

::1 dev lo proto kernel metric 256 pref medium
2a00:c70:1:XXX:XXX:XXX:0:1 dev eth0 proto static metric 100 pref medium
2a00:c70:1:XXX:XXX:XXX:YYY:2 dev eth0 proto kernel metric 100 pref medium
2a00:c70:1:XXX:XXX:XXX:YYY:100/120 dev bridgevm proto kernel metric 425 pref medium
fe80::/64 dev eth0 proto kernel metric 100 pref medium
fe80::/64 dev vnet0 proto kernel metric 256 pref medium
fe80::/64 dev bridgevm proto kernel metric 425 pref medium
default via 2a00:c70:1:XXX:XXX:XXX:0:1 dev eth0 proto static metric 100 pref medium

The guest's trace route seems to indicate that traffic stops at the host's address on the bridge.

But cat /proc/sys/net/ipv6/conf/all/forwarding returns 1.

I am missing something.

Network – IPv6 and DNSMASQ on LAN. Macs have no route to host, Windows and Linux work

I have a small mixed network of Ubuntu Linux (20.04), Windows 10 and three Macs. My ISP is starting to roll out IPv6 (not near me yet) and I wanted to try it on my network.
I manage the network with dnsmasq (it runs on an Ubuntu server); it assigns the IP addresses and runs as a caching DNS server.
I disabled all IPv6 options in my router (except the firewall).

To test IPv6, I added the following lines to dnsmasq.conf:

dhcp-range=fd52:a81c:df85::02,fd52:a81c:df85::ff,12h
enable-ra
ra-param=net1,0,0

and it works well for the Windows and Linux machines, e.g.

nick@serv2:~$ ping6 htpc
PING htpc(htpc.njj.chickenkiller.com (fd52:a81c:df85::85)) 56 data bytes
64 bytes from htpc.njj.chickenkiller.com (fd52:a81c:df85::85): icmp_seq=1 ttl=64 time=0.573 ms

However, all Macs seem to be unsatisfied with the setup, e.g.

nick@deathrow ~ % ping6 serv2
ping6: UDP connect: No route to host

As background, the ifconfig on my Mac is as follows:

nick@deathrow ~ % ifconfig en0
en0: flags=8863 mtu 1500
    options=400
    ether 34:36:3b:78:15:54 
    inet6 fe80::64:48f:2265:db5%en0 prefixlen 64 secured scopeid 0x5 
    inet 192.168.2.49 netmask 0xffffff00 broadcast 192.168.2.255
    inet6 fd52:a81c:df85::2c prefixlen 64 dynamic 
    nd6 options=201
    media: autoselect
    status: active

The other curiosity is that, when I look at the leases issued by dnsmasq, I get the following:

nick@serv2:~$ cat /var/lib/misc/dnsmasq.leases
1589092434 34:36:3b:78:15:54 192.168.2.49 deathrow 01:34:36:3b:78:15:54
1589085665 b4:2e:99:41:5d:bc 192.168.2.11 kenickie 01:b4:2e:99:41:5d:bc
1589081204 38:f9:d3:90:fd:dd 192.168.2.50 richard 01:38:f9:d3:90:fd:dd
1589084172 8c:85:90:56:bc:bf 192.168.2.48 Hal 01:8c:85:90:56:bc:bf
1589093362 70:85:c2:7d:06:f7 192.168.2.91 htpc ff:48:6b:fd:2c:00:02:00:00:ab:11:ae:2f:a0:8e:34:1e:dd:53
1589093437 b4:2e:99:02:99:47 192.168.2.89 DESKTOP-N5V06NB 01:b4:2e:99:02:99:47
duid 00:01:00:01:26:49:5c:40:18:31:bf:6a:35:bc
1589085667 611457736 fd52:a81c:df85::b3 kenickie 00:04:ae:f8:4e:bd:71:95:c3:42:1b:ef:bd:3b:8f:e6:1a:86
1589093364 1215036716 fd52:a81c:df85::85 htpc 00:02:00:00:ab:11:ae:2f:a0:8e:34:1e:dd:53
1589093429 112471705 fd52:a81c:df85::11 DESKTOP-N5V06NB 00:01:00:01:25:90:f0:6c:b4:2e:99:02:99:47
1589080658 0 fd52:a81c:df85::42 * 00:01:00:01:25:b1:94:dc:38:f9:d3:90:fd:dd
1589084172 0 fd52:a81c:df85::f * 00:01:00:01:22:48:2d:b0:8c:85:90:56:bc:bf
1589092435 0 fd52:a81c:df85::2c * 00:01:00:01:24:86:78:14:34:36:3b:78:15:54

You can see that the three Macs (deathrow, Hal and richard) all have their IPv4 names in order, but for IPv6 (the last three lines) their names are replaced with *, whereas the Ubuntu hosts (kenickie and htpc) and the Windows machine DESKTOP-N5V06NB are listed by name with an IPv6 address. (serv2 is not listed – it has a static address.)

Do I have to do anything extra in dnsmasq for Mac (or have I done something that basically works and it's just that the Macs are less tolerant)?
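A parser for the lease file shown in this post, as an added example that is not part of the original post: for DHCPv6 leases recorded with `*` it recovers the hostname by matching the MAC address embedded in the client DUID against the IPv4 leases. It assumes the layout visible in the sample (IPv4 leases, a `duid` line, then DHCPv6 leases) and handles only DUID-LLT and DUID-LL with Ethernet hardware type; the function names are made up for this example.

```python
# Sample input: lease lines taken from the post above (subset of the IPv4 section).
LEASES = """1589092434 34:36:3b:78:15:54 192.168.2.49 deathrow 01:34:36:3b:78:15:54
1589085665 b4:2e:99:41:5d:bc 192.168.2.11 kenickie 01:b4:2e:99:41:5d:bc
1589081204 38:f9:d3:90:fd:dd 192.168.2.50 richard 01:38:f9:d3:90:fd:dd
1589084172 8c:85:90:56:bc:bf 192.168.2.48 Hal 01:8c:85:90:56:bc:bf
duid 00:01:00:01:26:49:5c:40:18:31:bf:6a:35:bc
1589085667 611457736 fd52:a81c:df85::b3 kenickie 00:04:ae:f8:4e:bd:71:95:c3:42:1b:ef:bd:3b:8f:e6:1a:86
1589093364 1215036716 fd52:a81c:df85::85 htpc 00:02:00:00:ab:11:ae:2f:a0:8e:34:1e:dd:53
1589093429 112471705 fd52:a81c:df85::11 DESKTOP-N5V06NB 00:01:00:01:25:90:f0:6c:b4:2e:99:02:99:47
1589080658 0 fd52:a81c:df85::42 * 00:01:00:01:25:b1:94:dc:38:f9:d3:90:fd:dd
1589084172 0 fd52:a81c:df85::f * 00:01:00:01:22:48:2d:b0:8c:85:90:56:bc:bf
1589092435 0 fd52:a81c:df85::2c * 00:01:00:01:24:86:78:14:34:36:3b:78:15:54
"""

def duid_mac(duid):
    """MAC embedded in a DUID-LLT (type 1) or DUID-LL (type 3) for Ethernet, else None."""
    b = duid.lower().split(":")
    if b[:4] == ["00", "01", "00", "01"] and len(b) == 14:
        return ":".join(b[8:])   # type, hw type, 4-byte timestamp, then the MAC
    if b[:4] == ["00", "03", "00", "01"] and len(b) == 10:
        return ":".join(b[4:])   # type, hw type, then the MAC
    return None

def name_v6_leases(text):
    """Return {ipv6_address: (hostname or None, how the name was obtained)}."""
    mac_to_name, result, in_v6 = {}, {}, False
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "duid":            # server DUID line; DHCPv6 leases follow it
            in_v6 = True
        elif not in_v6:               # expiry, MAC, IPv4, hostname, client-id
            if f[3] != "*":
                mac_to_name[f[1].lower()] = f[3]
        elif f[3] != "*":             # expiry, IAID, IPv6, hostname, client DUID
            result[f[2]] = (f[3], "dhcpv6")
        else:                         # no name sent over DHCPv6: try the DUID's MAC
            name = mac_to_name.get(duid_mac(f[4]))
            result[f[2]] = (name, "ipv4-lease" if name else "unknown")
    return result
```

A DUID is generated once per host, so the MAC inside it can belong to a different interface than the one holding the lease; treat a name recovered this way as a hint for inventory or log attribution, not as proof.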