This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/

[ipv6-wg] IPv6 Only Network at RIPE 67

Previous message (by thread): [ipv6-wg] IPv6 Only Network at RIPE 67
Next message (by thread): [ipv6-wg] IPv6 Only Network at RIPE 67

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Gert Doering gert at space.net
Wed Oct 16 15:37:01 CEST 2013

Hi,

On Wed, Oct 16, 2013 at 04:03:27PM +0300, Tore Anderson wrote:
> I'm successfully using OpenVPN on the IPv6-only LAN. 

Seconded, using "Android for OpenVPN" and "OpenVPN Connect" on Android
(Nexus 7, with the caveat of "needing static IPv4 address and manual 
DNS config" to make ipv6-only wifi work in the first place), connecting 
to an IPv6-enabled server (over UDP, server running with --proto udp6).  

Connecting to a test OpenVPN server that deliberately has only IPv4
in DNS worked as well (udp).  So OpenVPN handles NAT64/DNS64 fine,
and both the 2.3 and 3.0 code bases work on an IPv6-only network (yay).

As expected, connecting using OpenVPN profiles that have IPv4-literals
in there ("server 1.2.3.4") fail.  Don't do that, then.

> However there are a few caveats:
>
> 3) The OpenVPN server pushes a DNS server which gets higher priority
> than the DNS64 one here, which in turn breaks NAT64 and access to
> IPv4-only content. I found no way to override this in NM-OpenVPN,
> although I suppose I could do chattr +i /etc/resolv.conf instead... (not
> saying this is a bug in OpenVPN, more a general caveat when doing VPN
> from NAT64/DNS64 networks).

In my case, the server does *not* push a DNS server, which means that
trying to use the VPN to access *IPv4* hosts *inside* the VPN fails
in interesting ways - DNS64 interferes, and due to the way routing
is set up, IPv4 hosts *inside* the VPN are now accessed via NAT64
*around* the VPN (my test host - http://v6.de/ - is purposely available
over that VPN or without it).

So indeed, DNS and VPN interaction is more complex if DNS64/NAT64 is
also intermixed, and if you are not redirecting "all IPv4+IPv6 traffic"
through the tunnel (redirect-gateway).

Gert Doering
        -- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444           USt-IdNr.: DE813185279
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 306 bytes
Desc: not available
URL: </ripe/mail/archives/ipv6-wg/attachments/20131016/20943b41/attachment.sig>

Previous message (by thread): [ipv6-wg] IPv6 Only Network at RIPE 67
Next message (by thread): [ipv6-wg] IPv6 Only Network at RIPE 67

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ ipv6-wg Archives ]