
Iptables rules not working for ipv6 traffic on local network

Open HugoPoi opened this issue 6 years ago • 4 comments

  • The current rules drop ARP v6 traffic for ffx2::/16
  • So you can't use a public IPv6 address to reach YunoHost from the same local network as your device: the returning traffic is dropped because ARP v6 can't resolve the MAC address
  • The packets currently dropped are ICMPv6 TYPE=135, aka Neighbor Solicitation, the new name for ARP in v6
  • I think the proper way is to allow ICMPv6 to go out of eth0 for the local prefix ffx2::/16

HugoPoi, Mar 27 '20 08:03

Workaround:

sudo ip6tables -I vpnclient_out -d ff02::/16 -j ACCEPT

Maybe use some of the rules here https://unix.stackexchange.com/questions/452880/what-are-the-essential-iptables-rules-for-ipv6-to-work-properly#452905

Check this also https://en.wikipedia.org/wiki/Multicast_address

Need to check some RFCs

HugoPoi, Jun 04 '20 09:06
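The workaround above opens ff02::/16 for every protocol. A narrower fix is to insert rules ahead of the VPN client's drop rule that accept only the ICMPv6 Neighbor Discovery types (the type 135 solicitations the issue reports being dropped, plus the related router solicitation/advertisement, MLD report and neighbour advertisement messages). The script below is an added example, not vpnclient_ynh code; it assumes the chain is named vpnclient_out and the LAN interface is eth0 as in the issue, and a DRY_RUN=1 mode (my addition) that prints the ip6tables commands instead of running them, so it can be inspected without root.

```shell
#!/bin/sh
# Added example (not vpnclient_ynh code): insert Neighbor Discovery allow rules
# ahead of the VPN client's drop rules so link-local NDP keeps working.
# Assumptions: chain vpnclient_out and interface eth0 (from the issue);
# DRY_RUN=1 (default here) echoes the commands instead of executing them.

IP6TABLES="${IP6TABLES:-ip6tables}"
DRY_RUN="${DRY_RUN:-1}"

# run: print the ip6tables command in dry-run mode, otherwise execute it (needs root).
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IP6TABLES $*"
    else
        "$IP6TABLES" "$@"
    fi
}

# vpnclient_allow_ndp CHAIN IFACE
# Inserts (-I, so they land before the existing drop rule) five rules:
#  - ICMPv6 to link-local multicast ff02::/16 for types 133 (router
#    solicitation), 134 (router advertisement), 135 (neighbour solicitation,
#    the type the issue saw dropped) and 143 (MLDv2 listener report);
#  - type 136 (neighbour advertisement), the unicast reply to a solicitation,
#    restricted to hop limit 255 as RFC 4861 requires for NDP.
# Only ICMPv6 is opened, not every protocol to ff02::/16.
vpnclient_allow_ndp() {
    chain="${1:-vpnclient_out}"
    iface="${2:-eth0}"
    for t in 133 134 135 143; do
        run -I "$chain" -o "$iface" -d ff02::/16 -p ipv6-icmp --icmpv6-type "$t" -j ACCEPT
    done
    run -I "$chain" -o "$iface" -p ipv6-icmp --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
}

# count_ndp_rules CHAIN IFACE: number of rules the function emits (for checking).
count_ndp_rules() {
    vpnclient_allow_ndp "$1" "$2" | wc -l | tr -d ' '
}

vpnclient_allow_ndp vpnclient_out eth0
```

Run it with DRY_RUN=0 as root to apply the rules; because each rule is inserted with -I they sit in front of whatever the VPN client chain already drops, and the order among the ACCEPT rules does not matter.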

I did this / works for me (policy based routing)

# Set $VPN_SERVER (VPN gateway address) and $MY_VPN_IP (VPN-assigned address) before running.
# Register a named routing table for traffic that must leave over the tunnel.
echo "1 send_over_tun" >> /etc/iproute2/rt_tables

# Reset that table and give it a single default route via the VPN server on tun0.
ip -6 route flush table send_over_tun
ip -6 route add default via "$VPN_SERVER" dev tun0 table send_over_tun proto static

# Packets sourced from the VPN address are looked up in that table first (pref 1).
ip -6 rule add from "$MY_VPN_IP" pref 1 table send_over_tun

ptrhere, Nov 19 '20 22:11

Is it better than the asymmetric routing that can be done with my solution?

HugoPoi, Nov 23 '20 09:11

@ptrhere For your solution to work, the default routes inserted by OpenVPN should be disabled, I think.

  • https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway

HugoPoi, Apr 23 '21 09:04

This is fixed with #136, released in 2.3~ynh1

There is now an option in the config panel to set up @ptrhere's scripts.

hidrarga, May 01 '25 16:05