IPv6 NDP proxying with ocserv
Kevin Cernekee
cernekee at gmail.com
Tue Jun 14 12:51:45 PDT 2016
A $5/mo DigitalOcean VPS only seems to come with 16 static globally
routable IPv6 addresses, e.g. 2001:db8::4000 through 2001:db8::400f.
AFAICT they will not issue a /48 or a /56 (unlike Linode).
The virtual ethernet interface on the system (eth0) is configured to
respond to 2001:db8::4001/64. Traffic destined for other IPv6
addresses outside of the 4000-400f range cannot be seen by the VPS;
therefore it does not behave like a typical /64 where hosts are free
to generate EUI-64 or temporary addresses at will. SLAAC is not
supported.
Because of this limitation I would like ocserv to statically assign
IPv6 addresses in the range 2001:db8::4002 - 2001:db8::400f to a few
specific VPN clients, and assign no IPv6 address to clients that lack
an explicit-ipv6 address. I ran into a few issues trying to set this
up:
1) If I don't set ipv6-network in ocserv.conf, the explicit-ipv6
address in the user configuration file is ignored. I could set a
bogus ipv6-network address for non-IPv6 users, but their clients may
erroneously try to send traffic through that stack. I could also
experiment with NAT, but it's probably cleaner just to shut down IPv6
entirely for the clients that do not have static globally routable
addresses.
2) I did not see a way to tell the VPN server to answer neighbor
solicitation requests for the VPN clients' IP addresses. I was able
to enable this manually by doing:
echo 1 > /proc/sys/net/ipv6/conf/all/proxy_ndp
ip -6 neigh add proxy 2001:db8::4002 dev eth0
ocserv mentions supporting proxy ARP (for IPv4) in the docs, so I am
wondering whether it makes sense to add this logic directly to ocserv
or if it is better to just use the connect-script and
disconnect-script to add/remove the entries?
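As an added example (not from the original post and not ocserv's own code), here is what such a connect-script/disconnect-script could look like: it applies the two commands above per client, and refuses addresses outside the VPS's 4002-400f allocation. It assumes ocserv exports REASON and IPV6_REMOTE to the script (as its sample configuration documents) and that eth0 is the uplink.

```shell
#!/bin/sh
# Constructed example of an ocserv connect-script / disconnect-script that adds
# or removes an NDP proxy entry for a client's statically assigned IPv6 address.
# Assumption: ocserv passes REASON ("connect"/"disconnect") and IPV6_REMOTE in
# the environment; clients without an explicit-ipv6 address have it empty.

# Uplink interface that must answer neighbor solicitations for the clients.
NDP_DEV="${NDP_DEV:-eth0}"

# Return 0 only for addresses the VPS actually owns and hands out to clients
# (2001:db8::4002 - 2001:db8::400f; ::4001 is eth0 itself and is excluded).
ndp_addr_allowed() {
    case "$1" in
        2001:db8::400[2-9]|2001:db8::400[a-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the ip(8) command for a reason/address pair; fail if nothing should
# be done. Keeping this separate from execution lets it be tested without root.
ndp_build_cmd() {
    reason="$1"; addr="$2"
    [ -n "$addr" ] || return 1
    ndp_addr_allowed "$addr" || return 1
    case "$reason" in
        connect)    echo "ip -6 neigh add proxy $addr dev $NDP_DEV" ;;
        disconnect) echo "ip -6 neigh del proxy $addr dev $NDP_DEV" ;;
        *)          return 1 ;;
    esac
}

# Entry point used by ocserv: enable NDP proxying, then apply the entry.
# Exit 0 for IPv4-only clients so a missing address does not block them.
ndp_apply() {
    cmd=$(ndp_build_cmd "$REASON" "$IPV6_REMOTE") || {
        echo "ndp: no proxy entry for REASON=$REASON IPV6_REMOTE=$IPV6_REMOTE" >&2
        return 0
    }
    echo 1 > /proc/sys/net/ipv6/conf/all/proxy_ndp
    $cmd
}

# Only act when invoked by ocserv (REASON set), not when sourced for testing.
if [ -n "$REASON" ]; then
    ndp_apply
fi
```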