Routed network inside container

Hi,

I have routed an IPv6 net to an LXC container and I want to route a single IP to an OpenVPN tun device, but it's not working. If I set up a local device inside the container it works. If I ping the container itself it works. What can I do to solve this problem? Can I set up an NDP proxy inside a container?

Please can you describe more about your network setup, including examples of network subnets and where the routes you have configured so far are. Is the OpenVPN tun inside the container?

As above, need more info. If you're trying to hit a tun with an IP inside the container, then set the next hop for the tun IP to be your container's "outside" facing interface and make sure IPv6 forwarding is enabled.

Or are you trying to route to a VPN network behind the tun?

Hi,

here is my setup

2a02:180:2:97::/64 is routed to my container from outside.

#openvpn configuration simple test
##lxd container
proto udp
dev tun
# test-only settings: no encryption and no HMAC on the tunnel
cipher none
auth none
ncp-disable

##linux at home simple test
remote [IPV4 FROM lxd container]
proto udp
dev tun
# same test-only settings on the client side
cipher none
auth none
ncp-disable

#network configuration
##lxd container
# tunnel endpoint address inside the container, taken from the routed /64
ip addr add 2a02:180:2:97::1/128 dev tun0
ip link set tun0 up
# host route for the home end of the tunnel
ip route add 2a02:180:2:97::2/128 dev tun0

##linux at home
# tunnel endpoint address at home, also from the routed /64
ip addr add 2a02:180:2:97::2/128 dev tun0
ip link set tun0 up
# host route for the container end, then send everything else through the tunnel
ip route add 2a02:180:2:97::1/128 dev tun0
ip route add default via 2a02:180:2:97::1

With this configuration it is possible to:
ping6 2a02:180:2:97::1 from another server in another datacenter
ping6 2a02:180:2:97::2 from the lxd container
ping6 2a02:180:2:97::1 from linux at home

But it is not possible to:
ping6 2a00:1450:4001:80b::200e (google.com; with the other server in the other datacenter it is the same) from linux at home
ping6 2a02:180:2:97::2 from another server in another datacenter

and I don't know why.

You say that 2a02:180:2:97::/64 is routed to your container; how is this achieved specifically?

Is it routed to the container’s IPv6 address?

Please can you show the routing table on the host and the container.

Also, have you used the tcpdump tool to check whether the packets are getting into the container's interface and/or going into the tun interface?

Hi,

my container has an additional IPv6 address:
2a02:180:6:1::25d. This address is active and reachable via ICMPv6. The net is routed to this IPv6 address.

###Routingtables
#Host
~]# ip -6 route show | grep '2a02:180:6:1::25d'
2a02:180:2:97::/64 via 2a02:180:6:1::25d dev brlxc metric 1024 pref medium
2a02:180:6:1::25d dev brlxc metric 1024 pref medium

#Container
~]# ip -6 route show
unreachable ::/96 dev lo metric 1024 pref medium
unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 pref medium
unreachable 2002:a00::/24 dev lo metric 1024 pref medium
unreachable 2002:7f00::/24 dev lo metric 1024 pref medium
unreachable 2002:a9fe::/32 dev lo metric 1024 pref medium
unreachable 2002:ac10::/28 dev lo metric 1024 pref medium
unreachable 2002:c0a8::/32 dev lo metric 1024 pref medium
unreachable 2002:e000::/19 dev lo metric 1024 pref medium
2a02:180:2:97::1 dev tun0 proto kernel metric 256 pref medium
2a02:180:2:97::2 dev tun0 metric 1024 pref medium
2a02:180:6:1::25d dev eth0 proto kernel metric 256 pref medium
unreachable 3ffe:ffff::/32 dev lo metric 1024 pref medium
fd78:232c:fe45:8338::1 dev eth0 metric 1024 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
default via fd78:232c:fe45:8338::1 dev eth0 metric 1024 pref medium

Currently I have not looked at the traffic with tcpdump; can you tell me how I can do this?

OK thanks that is useful.

And how is 2a02:180:2:97::/64 routed to your host? Does your ISP/hosting provider route that subnet to your host via its external IP, or is it done via layer 2?

Do you have the sysctls enabled to allow routing too?

As for tcpdump, I would suggest you start with answering the question “are the packets for my tun arriving at my host?”.

To do this, set up a ping to the tun's IP from another machine in your data center and then on the host run tcpdump -i <host's external interface> host 2a02:180:2:97::1 -nn and see if you can see the packets coming in on that interface. If not, then that's where you need to focus first.
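The sysctl question above and the routing table the poster pasted can be tied together mechanically. The following is an added example, not code from the thread or from LXD/OpenVPN: it parses the container's `ip -6 route show` output as posted, does a longest-prefix-match lookup for each address the poster tried to ping, and reports whether the container would deliver the packet to one of its own addresses or would have to forward it (which is exactly the case that requires net.ipv6.conf.all.forwarding=1 inside the container). The set of local addresses (::1 on tun0, ::25d on eth0) is taken from the posted `ip addr add` commands and routing table; the sysctl path is the standard Linux one and is only meaningful when the script is run inside the container.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Container routing table as pasted in the thread (`ip -6 route show` inside the container).
CONTAINER_ROUTES = """\
unreachable ::/96 dev lo metric 1024 pref medium
unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 pref medium
unreachable 2002:a00::/24 dev lo metric 1024 pref medium
unreachable 2002:7f00::/24 dev lo metric 1024 pref medium
unreachable 2002:a9fe::/32 dev lo metric 1024 pref medium
unreachable 2002:ac10::/28 dev lo metric 1024 pref medium
unreachable 2002:c0a8::/32 dev lo metric 1024 pref medium
unreachable 2002:e000::/19 dev lo metric 1024 pref medium
2a02:180:2:97::1 dev tun0 proto kernel metric 256 pref medium
2a02:180:2:97::2 dev tun0 metric 1024 pref medium
2a02:180:6:1::25d dev eth0 proto kernel metric 256 pref medium
unreachable 3ffe:ffff::/32 dev lo metric 1024 pref medium
fd78:232c:fe45:8338::1 dev eth0 metric 1024 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
default via fd78:232c:fe45:8338::1 dev eth0 metric 1024 pref medium
"""

# Addresses the container itself owns, per the posted `ip addr add` commands
# (assumption: no other global addresses are configured).
LOCAL_ADDRESSES: Dict[ipaddress.IPv6Address, str] = {
    ipaddress.IPv6Address("2a02:180:2:97::1"): "tun0",
    ipaddress.IPv6Address("2a02:180:6:1::25d"): "eth0",
}


@dataclass
class Route:
    prefix: ipaddress.IPv6Network
    dev: Optional[str]
    via: Optional[ipaddress.IPv6Address]
    unreachable: bool


def parse_ip6_routes(text: str) -> List[Route]:
    """Parse `ip -6 route show` output into Route records (metrics are ignored)."""
    routes: List[Route] = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        unreachable = tokens[0] == "unreachable"
        if unreachable:
            tokens = tokens[1:]
        dst = tokens[0]
        # A bare address with no "/len" is a host route, i.e. /128.
        prefix = ipaddress.IPv6Network("::/0" if dst == "default" else dst, strict=False)
        dev = via = None
        for i, tok in enumerate(tokens):
            if tok == "dev":
                dev = tokens[i + 1]
            elif tok == "via":
                via = ipaddress.IPv6Address(tokens[i + 1])
        routes.append(Route(prefix, dev, via, unreachable))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, the same rule the kernel applies for a destination."""
    addr = ipaddress.IPv6Address(dst)
    best: Optional[Route] = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def classify(routes: List[Route], local: Dict[ipaddress.IPv6Address, str], dst: str) -> dict:
    """What the container does with a packet for dst: deliver locally, forward, or reject."""
    addr = ipaddress.IPv6Address(dst)
    if addr in local:
        return {"action": "local", "dev": local[addr], "needs_forwarding": False}
    route = lookup(routes, dst)
    if route is None or route.unreachable:
        return {"action": "unreachable", "dev": None, "needs_forwarding": False}
    # Anything not addressed to the container is only handled when forwarding is on.
    return {"action": "forward", "dev": route.dev, "via": route.via, "needs_forwarding": True}


def forwarding_enabled(procfs: str = "/proc/sys") -> Optional[bool]:
    """Read net.ipv6.conf.all.forwarding; None if the sysctl is not readable here."""
    try:
        with open(f"{procfs}/net/ipv6/conf/all/forwarding") as fh:
            return fh.read().strip() == "1"
    except OSError:
        return None


if __name__ == "__main__":
    routes = parse_ip6_routes(CONTAINER_ROUTES)
    for label, dst in [
        ("ping6 ::1 from another datacenter", "2a02:180:2:97::1"),
        ("ping6 ::2 from another datacenter", "2a02:180:2:97::2"),
        ("ping6 google from linux at home", "2a00:1450:4001:80b::200e"),
    ]:
        print(f"{label}: {classify(routes, LOCAL_ADDRESSES, dst)}")
    print("net.ipv6.conf.all.forwarding in this namespace:", forwarding_enabled())
```

Run inside the container, the output shows the split the poster observed: the one ping that works is the one addressed to the container's own tun0 address, while both failing cases (home end of the tunnel via tun0, Google via the default route on eth0) are forwarded paths, so they depend on the forwarding sysctl being 1 in the container's network namespace, not only on the host.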