Solved OpenVPN IPv6 PF set

Hey folks,
I'm in the process of migrating my CentOS OpenVPN dual-stack server to FreeBSD.
I've got a problem with the IPv6 connection and I'm not sure what the problem is.
IPv4 is working fine through the tunnel. IPv6 ICMP is possible, but name servers are not reachable on :53, or anything else except via ICMP. I tried various configs with pf, but I'm not sure how to solve this issue.
On my CentOS box, the server.conf is working fine. I've rsynced them, so I guess the problem is somewhere with pf. Any ideas?

OpenVPN server.conf
Code:
port 1194
proto udp
proto udp6
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
server-ipv6 2001:XXXX:XX:XXX:8000::/65 # IPv6
tun-ipv6
push "route-ipv6 2001:XXXX:XX:XXX::/64"
push "route-ipv6 2000::/3"
ifconfig-pool-persist ipp.txt
#push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nobody
persist-key
persist-tun

pf.conf
Code:
####################
#      MACROS      #
####################
ext_if = "vtnet0"
vpn_if = "tun0"
vpn_net4 = "10.8.0.0/24"
vpn_net6 = "2001:XXXX:XX:XXX:8000::/65"
tcp_pass = "{ 22 }"
udp_pass = "{ 1194 }"

####################
#     OPTIONS      #
####################
set skip on lo0

####################
#   TRANSLATION    #
####################
nat on $ext_if from $vpn_net4 to any -> ($ext_if)
nat on $ext_if from $vpn_net6 to any -> ($ext_if)
####################
# PACKET FILTERING #
####################
block in all

pass in proto tcp to any port $tcp_pass keep state
pass in proto udp to any port $udp_pass keep state
pass in proto icmp to any
pass in proto ipv6-icmp from any to any

pass out quick all keep state

shortened rc.conf
Code:
###PF###
pf_enable="YES"
pf_rules="/etc/pf.conf"

###OpenVPN###
gateway_enable="YES"
ipv6_gateway_enable="YES"

openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/server.conf"

Code:
sysctl -a | grep forwarding
net.inet.ip.forwarding: 1
net.inet6.ip6.forwarding: 1
 
After a while of searching, I got it working:

Code:
cat /boot/loader.conf
kern.geom.label.disk_ident.enable="0"
kern.geom.label.gptid.enable="0"
zfs_load="YES"
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
hw.vtnet.lro_disable=1
hw.vtnet.tso_disable=1
hw.vtnet.csum_disable=1
fixed it :D
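The fix above came down to two host settings: IP forwarding for both address families, and the LRO/TSO/checksum offload features of the KVM vtnet0 NIC. The script below is an added example (not posted in this thread, not part of OpenVPN or FreeBSD) that checks both from the command line: it parses the `sysctl` forwarding lines shown earlier in the thread and the `options=<...>` line of FreeBSD's `ifconfig` output, and reports which offload features are still on. The script name `check_vpn_host.sh`, the interface name and the sample lines are assumptions; the functions take their input as arguments so they can be exercised with constructed output.

```shell
#!/bin/sh
# Added example, not from the thread: diagnostic for the two host settings
# the thread touched, IP forwarding and NIC offload features.
# Assumes FreeBSD-style sysctl and ifconfig output; interface name is an
# assumption (vtnet0 under KVM in the OP's case).

# Offload features that the thread's loader.conf tunables switch off
# (hw.vtnet.lro_disable, hw.vtnet.tso_disable, hw.vtnet.csum_disable).
OFFLOAD_FEATURES="TXCSUM RXCSUM TXCSUM_IPV6 RXCSUM_IPV6 TSO4 TSO6 LRO"

# offload_enabled OPTIONS_LINE
# Takes an ifconfig "options=..." line, for example
#   options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,TSO4,TSO6,LRO,RXCSUM_IPV6>
# and prints the features from OFFLOAD_FEATURES that appear in it.
# Exit status 0 if at least one is enabled, 1 if none.
offload_enabled() {
    # keep only the comma-separated list between < and >
    opts=$(printf '%s\n' "$1" | sed -n 's/.*<\([^>]*\)>.*/\1/p')
    found=""
    for f in $OFFLOAD_FEATURES; do
        # surround with commas so RXCSUM does not match RXCSUM_IPV6
        case ",$opts," in
            *",$f,"*) found="${found:+$found }$f" ;;
        esac
    done
    printf '%s\n' "$found"
    [ -n "$found" ]
}

# forwarding_enabled SYSCTL_OUTPUT
# Takes the output of `sysctl net.inet.ip.forwarding net.inet6.ip6.forwarding`
# (the lines shown in the thread) and prints the keys that are not 1.
# Exit status 0 only if both families forward, 1 otherwise.
forwarding_enabled() {
    missing=""
    for key in net.inet.ip.forwarding net.inet6.ip6.forwarding; do
        case "$1" in
            *"$key: 1"*) ;;
            *) missing="${missing:+$missing }$key" ;;
        esac
    done
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# check_host IFACE: run both checks against the local machine (FreeBSD only).
check_host() {
    iface=$1
    fwd=$(sysctl net.inet.ip.forwarding net.inet6.ip6.forwarding 2>/dev/null)
    if forwarding_enabled "$fwd" >/dev/null; then
        echo "forwarding: ok (gateway_enable / ipv6_gateway_enable in rc.conf)"
    else
        echo "forwarding: disabled for $(forwarding_enabled "$fwd")"
    fi
    optline=$(ifconfig "$iface" | grep 'options=')
    if feats=$(offload_enabled "$optline"); then
        echo "$iface offload enabled: $feats"
        echo "  thread fix: hw.vtnet.lro_disable/tso_disable/csum_disable=1 in loader.conf"
    else
        echo "$iface offload: none enabled"
    fi
}

# Live checks run only when an interface is given: sh check_vpn_host.sh vtnet0
if [ $# -gt 0 ]; then
    check_host "$1"
fi
```

Run it as `sh check_vpn_host.sh vtnet0` on the VPN host; a non-empty offload list on a vtnet interface is the symptom this thread ended on, and the forwarding line covers the `gateway_enable` / `ipv6_gateway_enable` side of the rc.conf shown above.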
 
Code:
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
Those two don't belong in loader.conf. They're already set automatically by these settings in rc.conf:
Code:
gateway_enable="YES"
ipv6_gateway_enable="YES"
 
By setting it in rc.conf, it will also be set in loader.conf. I've just copied the whole config. Of course these two were already there.
The NIC offloading and params of my KVM vtnet0 caused the problem.
 
By setting it in rc.conf, it will also be set in loader.conf.
No, it does not.
Code:
dice@maelcum:~ % cat /etc/rc.conf | grep gateway
gateway_enable="YES"
ipv6_gateway_enable="YES"
dice@maelcum:~ % cat /boot/loader.conf
zfs_load="YES"
vfs.root.mountfrom="zfs:zroot"
coretemp_load="YES"
autoboot_delay="3"
 