SoftEther Bridge to TAP Dual Stack IPv6 dnsmasq sysctl HELP PLEASE!!!


Post by cmd wh0ami » Sat Sep 22, 2018 4:00 pm

I've been trying to figure out how to Bridge to TAP_INTERFACE to tunnel Dual Stack... I am able to get IPv4 to work. But IPv6 seems not able to forward or is getting blocked somewhere. I'm using CentOS 7 with firewalld removed. This setup is on a test server behind NAT. Testing for production VPS.

My ISP assigned me 2603:9001:3c8a:101::/56 IPv6 subnet.

/etc/sysctl.d/99-sysctl.conf

# For binary values, 0 is disabled, 1 is enabled.
# To save changes run command  sysctl -p
# For more information, see sysctl.conf(5) and sysctl.d(5).

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

# Controls IPv6 packet forwarding
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.accept_ra = 2
net.ipv6.conf.all.proxy_ndp = 1

softether.fw

#######################################################################################
#               ip6tables Rules
#######################################################################################
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

ip6tables -A FORWARD -j ACCEPT
ip6tables -A INPUT -j ACCEPT
ip6tables -A OUTPUT -j ACCEPT

ip6tables -t nat -A POSTROUTING -o tap_soft -j MASQUERADE
#######################################################################################
#               End
#######################################################################################

/etc/dnsmasq.conf

##################################################################################
# SoftEther VPN server
################################################################################## Interface Settings

# Listen to interface
# In this case it is the Softether bridge
interface=tap_soft

# Don't ever listen to anything on eth0, you wouldn't want that.
except-interface=eth0

listen-address=192.168.30.1

bind-interfaces
################################################################################## Options

# Let's give the connecting clients an internal IP
dhcp-range=tap_softether,192.168.30.10,192.168.30.20,12h

# Default route and dns
dhcp-option=tap_soft,3,192.168.30.1

# enable dhcp
dhcp-authoritative

#  have your simple hosts expanded to domain
expand-hosts

# stops dnsmasq from getting DNS server addresses from /etc/resolv.conf
no-resolv
no-poll

# Let dnsmasq use the dns servers in the order you chose.
strict-order

# Let's try not giving the same IP to all, right?
dhcp-no-override

# Stop reverse lookups for private IP ranges not in /etc/hosts
bogus-priv

# All of your clients can have a real and unique IPv6 address.
# you can try slaac,ra-only | slaac,ra-names | slaac,ra-stateless | slaac,ra-advrouter  in case you have trouble connecting
dhcp-range=tap_soft,2603:9001:3c8a:101:0000:0000:0000:0032,2603:9001:3c8a:101:0000:0000:0000:ffff,slaac,ra-only,64,4W


################################################################################## External DNS Servers
# Use this DNS servers for incoming DNS requests
server=1.1.1.1
server=1.0.0.1
server=208.67.222.222

# Use these IPv6 DNS Servers for lookups/ Cloudflare and OpenDNS
server=2606:4700:4700::1111
server=2606:4700:4700::1001
server=2620:0:ccd::2
#########################################

################################################################################## Client DNS Servers
# Let's send these DNS Servers to clients.
# The first IP is the IPv4 address that are already assigned to the tap_softether

# Set IPv4 DNS server for client machines
dhcp-option=option:dns-server,192.168.30.1,1.1.1.1

# Set IPv6 DNS server for clients
# You can change the first IP with the ipv6 address of your tap_softether if you
# want all dns queries to go through your server...
dhcp-option=option6:dns-server,[2603:9001:3C8A:101:110:110:110:110],[2606:4700:4700::1111]
#########################################

/etc/init.d/vpnserver

#!/bin/sh
### BEGIN INIT INFO
# Provides:          vpnserver
# Required-Start:    $network $remote_fs
# Required-Stop:     $network $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: SoftEther VPN Server
### END INIT INFO

DAEMON=/usr/local/vpnserver/vpnserver
LOCK=/var/lock/subsys/vpnserver
TAP_ADDR=192.168.30.1
TAP_INTERFACE=tap_soft
IPV6_ADDR=2603:9001:3C8A:101:110:110:110:110
IPV6_SUBNET=2603:9001:3C8A:101::/64

test -x $DAEMON || exit 0
case "$1" in
start)
$DAEMON start
touch $LOCK
sleep 3
######################################################################################
#       Rules for IPTables.
######################################################################################
# Assign $TAP_ADDR to our tap interface
/sbin/ifconfig $TAP_INTERFACE $TAP_ADDR
#
# IPv6
# This is the IP we use to reply DNS requests.
/sbin/ifconfig $TAP_INTERFACE inet6 add $IPV6_ADDR
#
# Without assigning the whole /64 subnet, Softether doesn't give connecting clients IPv6 addresses.
/sbin/ifconfig $TAP_INTERFACE inet6 add $IPV6_SUBNET
#
#######################################################################################
#       End of IPTables Rules
#######################################################################################
sleep 3
service dnsmasq restart
;;
stop)
$DAEMON stop
rm $LOCK
;;
restart)
$DAEMON stop
sleep 3
$DAEMON start
sleep 3
######################################################################################
#       
######################################################################################
# Assign $TAP_ADDR to our tap interface
/sbin/ifconfig $TAP_INTERFACE $TAP_ADDR
#
# IPv6
# This is the IP we use to reply DNS requests.
/sbin/ifconfig $TAP_INTERFACE inet6 add $IPV6_ADDR
#
# Without assigning the whole /64 subnet, Softether doesn't give connecting clients IPv6 addresses.
/sbin/ifconfig $TAP_INTERFACE inet6 add $IPV6_SUBNET
#
#######################################################################################
# 
#######################################################################################
sleep 3
service dnsmasq restart
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
esac
exit 0
Last edited by cmd wh0ami on Tue Oct 02, 2018 3:57 pm, edited 3 times in total.
VPN Discord invite: https://discord.gg/QByKXA9

Re: [SOLVED] SoftEther Bridge to TAP Dual Stack IPv6 dnsmasq sysctl HELP PLEASE!!!

Post by cmd wh0ami » Mon Oct 01, 2018 7:41 pm

I figured it out. I was using the IPv6 global unicast when I should have been using a link local for dhcp push to clients from dnsmasq. I only needed to enable IPv6 forwarding for all in sysctl:

# For binary values, 0 is disabled, 1 is enabled.
# To save changes run command  sysctl -p
# For more information, see sysctl.conf(5) and sysctl.d(5).

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

# Controls IPv6 packet forwarding
net.ipv6.conf.all.forwarding = 1

I had to make quite a few changes in dnsmasq.conf:

# I'm not feeling that generous ATM 
# since I got no help whatsoever

I needed to change my t-nat iptables in softether.fw:

#######################################################################################
#               ip6tables Rules
#######################################################################################
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

ip6tables -A FORWARD -j ACCEPT
ip6tables -A INPUT -j ACCEPT
ip6tables -A OUTPUT -j ACCEPT

# NAT using Local Bridge
# fc00:0000:2ac:7af1::/64 = Local Bridge & SoftEther VPN Clients Link Local (dnsmasq)
# 2603:9001:3c8a:101:596a:2ebc:472:7be6 = SoftEther VPN Server's network interface Global Unicast
ip6tables -t nat -A POSTROUTING -s fc00:0000:2ac:7af1::/64 -j SNAT --to-source 2603:9001:3c8a:101:596a:2ebc:472:7be6
#######################################################################################
#               End
#######################################################################################

And I had to change the IP in /etc/init.d/vpnserver:

#!/bin/sh
### BEGIN INIT INFO
# Provides:          vpnserver
# Required-Start:    $network $remote_fs
# Required-Stop:     $network $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: SoftEther VPN Server
### END INIT INFO

DAEMON=/usr/local/vpnserver/vpnserver
LOCK=/var/lock/subsys/vpnserver
TAP_ADDR=192.168.30.1
TAP_INTERFACE=tap_soft
IPV6_ADDR=fc00:0000:2ac:7af1::1
IPV6_SUBNET=fc00:0000:2ac:7af1::/64

test -x $DAEMON || exit 0
case "$1" in
start)
$DAEMON start
touch $LOCK
sleep 3
######################################################################################
#       Rules for IPTables.
######################################################################################
# Assign $TAP_ADDR to our tap interface
/sbin/ifconfig $TAP_INTERFACE $TAP_ADDR
#
# IPv6
# This is the IP we use to reply DNS requests.
/sbin/ifconfig $TAP_INTERFACE inet6 add $IPV6_ADDR
#
# Without assigning the whole /64 subnet, Softether doesn't give connecting clients IPv6 addresses.
/sbin/ifconfig $TAP_INTERFACE inet6 add $IPV6_SUBNET
#
#######################################################################################
#       End of IPTables Rules
#######################################################################################
sleep 3
service dnsmasq restart
;;
stop)
$DAEMON stop
rm $LOCK
;;
restart)
$DAEMON stop
sleep 3
$DAEMON start
sleep 3
######################################################################################
#       
######################################################################################
# Assign $TAP_ADDR to our tap interface
/sbin/ifconfig $TAP_INTERFACE $TAP_ADDR
#
# IPv6
# This is the IP we use to reply DNS requests.
/sbin/ifconfig $TAP_INTERFACE inet6 add $IPV6_ADDR
#
# Without assigning the whole /64 subnet, Softether doesn't give connecting clients IPv6 addresses.
/sbin/ifconfig $TAP_INTERFACE inet6 add $IPV6_SUBNET
#
#######################################################################################
# 
#######################################################################################
sleep 3
service dnsmasq restart
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
esac
exit 0
VPN Discord invite: https://discord.gg/QByKXA9
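
A tighter variant of the softether.fw rules in the post above, as an added example that is not the poster's own configuration: with `-A FORWARD -j ACCEPT` in place the ESTABLISHED,RELATED rules never decide anything, so this version keeps the same SNAT but forwards new connections only from the VPN subnet arriving on the tap interface. The outbound interface `eth0` (taken from the first post's dnsmasq.conf), the FORWARD DROP policy and the function names are assumptions; INPUT and OUTPUT stay at ACCEPT as in the post.

```shell
#!/bin/sh
# Added example: emit an ip6tables-restore ruleset for the SNAT setup in this thread.
# Addresses and tap_soft are copied from the posts; WAN_IF and the DROP policy are assumptions.
TAP_IF=tap_soft
WAN_IF=eth0
VPN_NET=fc00:0000:2ac:7af1::/64
SNAT_TO=2603:9001:3c8a:101:596a:2ebc:472:7be6

# Print the ruleset in ip6tables-restore format.
emit_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $VPN_NET -o $WAN_IF -j SNAT --to-source $SNAT_TO
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $TAP_IF -o $WAN_IF -s $VPN_NET -j ACCEPT
COMMIT
EOF
}

# Load the ruleset; stop early when the kernel offers no IPv6 nat table.
apply_rules() {
    if ! ip6tables -t nat -S >/dev/null 2>&1; then
        echo "ip6tables nat table unavailable on this kernel" >&2
        return 1
    fi
    # --test parses the ruleset without committing it.
    emit_rules | ip6tables-restore --test && emit_rules | ip6tables-restore
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     emit_rules ;;
esac
```

Run without arguments to print the ruleset for review, or with `apply` as root to load it; loading replaces the existing IPv6 filter and nat tables.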

Re: SoftEther Bridge to TAP Dual Stack IPv6 dnsmasq sysctl HELP PLEASE!!!

Post by cmd wh0ami » Tue Oct 02, 2018 4:01 pm

Now I'm stuck again...

I got it working on the test server... But the production server is running OpenVZ and the kernel doesn't support IPv6 NAT. I can't update the kernel on an OpenVZ container because I don't have control over the host. Bridging interfaces is not an option with OpenVZ so FML....

Anyone have any suggestions?