This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/

[ipv6-wg] IPv6 Only Network at RIPE 67

Previous message (by thread): [ipv6-wg] IPv6 Only Network at RIPE 67
Next message (by thread): [ipv6-wg] IPv6 Only Network at RIPE 67

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Gert Doering gert at space.net
Mon Oct 21 15:40:34 CEST 2013

Hi,

just for the record, as this is veering wildly off the original topic...

On Thu, Oct 17, 2013 at 08:57:28PM +0200, Philipp Kern wrote:
> > As expected, connecting using OpenVPN profiles that have IPv4-literals
> > in there ("server 1.2.3.4") fail.  Don't do that, then.
> 
> there is one instance where this is actually needed: if split DNS is in
> use and the resolvers are not available from outside the tunnel and if
> you're on Linux (the latter is a guess, and I only tested with
> resolvconf present).
> 
> In this case, when the client loses its tunnel, the DNS servers are not
> reset to the non-VPN ones. OpenVPN will do a fresh DNS lookup for the
> VPN server to a now unreachable DNS server, which fails. Hence the
> tunnel will not come back up.
> 
> That's the reason why we opted for IPv4 literals in the OpenVPN
> deployment at my alma mater.

I can only strongly recommend against that, again.  It will break your
OpenVPN setup on mobile devices that sit behind a NAT64/DNS64, while
OpenVPN would otherwise work perfectly well, connecting from an IPv6-
capable client to an IPv4-only OpenVPN server - and it will also impair
connectivity if you happen to dual-stack the server later (because 
you'll need to roll out new certificates).

I'll go testing why the DNS settings are not restored if the tunnel
breaks down, while at the same time doing a fresh DNS lookup - that 
sounds like a bug to me, as it can't work, obviously.  OTOH the whole
"change DNS while OpenVPN is running" is a bit wacky on *Linux*, as
it's done by distribution-specific external scripts...

I'm happy to continue that discussion over at the openvpn-devel list 
(@lists.sourceforge.net), though :-)

Gert Doering
        -- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444           USt-IdNr.: DE813185279
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 826 bytes
Desc: not available
URL: </ripe/mail/archives/ipv6-wg/attachments/20131021/ee106af9/attachment.sig>

Previous message (by thread): [ipv6-wg] IPv6 Only Network at RIPE 67
Next message (by thread): [ipv6-wg] IPv6 Only Network at RIPE 67

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ ipv6-wg Archives ]