
SoftEther Bridge to TAP Dual Stack IPv6 dnsmasq sysctl HELP PLEASE!!!

Posted: Sat Sep 22, 2018 4:00 pm
by cmd wh0ami
I've been trying to figure out how to bridge to TAP_INTERFACE to tunnel dual stack... I am able to get IPv4 to work, but IPv6 seems unable to forward or is getting blocked somewhere. I'm using CentOS 7 with firewalld removed. This setup is on a test server behind NAT; I'm testing it for a production VPS.

My ISP assigned me 2603:9001:3c8a:101::/56 IPv6 subnet.

/etc/sysctl.d/99-sysctl.conf


# For binary values, 0 is disabled, 1 is enabled.
# To save changes run command  sysctl -p
# For more information, see sysctl.conf(5) and sysctl.d(5).

# Controls IP packet forwarding
# Needed so packets arriving from VPN clients on the tap interface can be
# routed out again; without it the host behaves as an end system, not a router.
net.ipv4.ip_forward = 1

# Controls IPv6 packet forwarding
net.ipv6.conf.all.forwarding = 1
# 2 = keep accepting Router Advertisements even though forwarding is on
# (with the default 1 a forwarding host ignores RAs). Typically only needed
# when this host learns its own uplink default route from an RA - confirm
# that is the case here.
net.ipv6.conf.all.accept_ra = 2
# Lets the host answer Neighbor Solicitations on behalf of other addresses,
# but only for entries explicitly registered with "ip -6 neigh add proxy";
# on its own this setting proxies nothing.
net.ipv6.conf.all.proxy_ndp = 1
softether.fw


#######################################################################################
#               ip6tables Rules
#######################################################################################
# Allow replies to connections this host or its VPN clients already opened.
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# NOTE(review): these three rules accept everything, which makes the stateful
# rules above redundant and leaves every IPv6 service on the host reachable
# from any source. On a public VPS, limit INPUT to the VPN listener, ICMPv6
# and the management port, and limit FORWARD to -i tap_soft / -o tap_soft.
ip6tables -A FORWARD -j ACCEPT
ip6tables -A INPUT -j ACCEPT
ip6tables -A OUTPUT -j ACCEPT

# NOTE(review): "-o tap_soft" matches packets leaving *towards* the VPN
# clients, not the traffic they send to the internet, so this rule does not
# translate client traffic; that traffic exits via the uplink interface.
# With a globally routed /64 on the tap (2603:9001:3c8a:101::/64) no NAT is
# needed at all, provided the provider routes the /56 to this host - confirm.
ip6tables -t nat -A POSTROUTING -o tap_soft -j MASQUERADE
#######################################################################################
#               End
#######################################################################################

/etc/dnsmasq.conf


##################################################################################
# SoftEther VPN server
# dnsmasq.conf: DHCPv4, IPv6 Router Advertisements and DNS for clients
# bridged onto tap_soft. Addresses must match /etc/init.d/vpnserver.
################################################################################## Interface Settings

# Listen to interface
# In this case it is the Softether bridge
interface=tap_soft

# Don't ever listen to anything on eth0, you wouldn't want that.
# (keeps the resolver off the uplink so it cannot be used as an open resolver)
except-interface=eth0

# IPv4 address of tap_soft, assigned by /etc/init.d/vpnserver
listen-address=192.168.30.1

# Bind only the listed interfaces instead of the wildcard address, so the
# restriction above is enforced at the socket level, not just by filtering.
bind-interfaces
################################################################################## Options

# Let's give the connecting clients an internal IP
# NOTE(review): the leading label here is "tap_softether" while the interface
# and the dhcp-option line below use "tap_soft"; presumably the same name was
# intended - confirm which one dnsmasq is expected to match on.
dhcp-range=tap_softether,192.168.30.10,192.168.30.20,12h

# Default route and dns
# Option 3 = router. Points clients at this host so their traffic is forwarded here.
dhcp-option=tap_soft,3,192.168.30.1

# enable dhcp
# Answer requests for unknown leases at once instead of ignoring them; fine
# only because dnsmasq is the sole DHCP server on tap_soft.
dhcp-authoritative

#  have your simple hosts expanded to domain
expand-hosts

# stops dnsmasq from getting DNS server addresses from /etc/resolv.conf
no-resolv
no-poll

# Let dnsmasq use the dns servers in the order you chose.
strict-order

# Stop dnsmasq reusing the DHCP servername/filename fields as extra option
# space (works around old or broken clients). This does not influence which
# address a client is given.
dhcp-no-override

# Stop reverse lookups for private IP ranges not in /etc/hosts
bogus-priv

# All of your clients can have a real and unique IPv6 address.
# you can try slaac,ra-only | slaac,ra-names | slaac,ra-stateless | slaac,ra-advrouter  in case you have trouble connecting
# Addresses come from the globally routed /64. "ra-only" means dnsmasq only
# sends Router Advertisements and clients self-configure (SLAAC); 4W is the
# four-week lifetime advertised.
# NOTE(review): with ra-only no DHCPv6 runs, so the option6:dns-server line
# further down is probably never delivered - verify that clients actually
# learn an IPv6 resolver.
dhcp-range=tap_soft,2603:9001:3c8a:101:0000:0000:0000:0032,2603:9001:3c8a:101:0000:0000:0000:ffff,slaac,ra-only,64,4W


################################################################################## External DNS Servers
# Use these DNS servers for incoming DNS requests.
# Tried in this order because of strict-order above.
server=1.1.1.1
server=1.0.0.1
server=208.67.222.222

# Use these IPv6 DNS servers for lookups: Cloudflare and OpenDNS
server=2606:4700:4700::1111
server=2606:4700:4700::1001
server=2620:0:ccd::2
#########################################

################################################################################## Client DNS Servers
# Let's send these DNS servers to clients.
# The first IP is the IPv4 address already assigned to tap_soft.

# Set IPv4 DNS server for client machines
dhcp-option=option:dns-server,192.168.30.1,1.1.1.1

# Set IPv6 DNS server for clients
# You can change the first IP to the IPv6 address of your tap_soft if you
# want all dns queries to go through your server...
# The first address is IPV6_ADDR from /etc/init.d/vpnserver; see the note on
# the IPv6 dhcp-range about whether a DHCPv6 option is sent under ra-only.
dhcp-option=option6:dns-server,[2603:9001:3C8A:101:110:110:110:110],[2606:4700:4700::1111]
#########################################
/etc/init.d/vpnserver


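#!/bin/sh
### BEGIN INIT INFO
# Provides:          vpnserver
# Required-Start:    $network $remote_fs
# Required-Stop:     $network $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: SoftEther VPN Server
### END INIT INFO
#
# Starts/stops the SoftEther vpnserver daemon and, once it is up, gives the
# tap interface it creates its IPv4 and IPv6 addresses and restarts dnsmasq
# so DHCP/RA is served on the freshly configured interface.
#
# Usage: vpnserver {start|stop|restart}
# Exit status: 0 on success, 1 on unknown argument, 0 (no-op) if the daemon
# binary is missing.

DAEMON=/usr/local/vpnserver/vpnserver
LOCK=/var/lock/subsys/vpnserver
TAP_ADDR=192.168.30.1
TAP_INTERFACE=tap_soft
# Address dnsmasq answers DNS on; must match option6:dns-server in dnsmasq.conf.
IPV6_ADDR=2603:9001:3C8A:101:110:110:110:110
# Whole /64 handed out to clients; SoftEther needs it present on the tap too.
IPV6_SUBNET=2603:9001:3C8A:101::/64
# Seconds to wait for vpnserver to create the tap device before addressing it.
TAP_SETTLE=3

test -x "$DAEMON" || exit 0

# Assign the IPv4 address and both IPv6 addresses to the tap interface, then
# restart dnsmasq. The tap only exists once vpnserver is running, hence the
# settle delay before touching it.
configure_tap() {
    sleep "$TAP_SETTLE"
    /sbin/ifconfig "$TAP_INTERFACE" "$TAP_ADDR"
    # IPv6 address used to reply to DNS requests from clients.
    /sbin/ifconfig "$TAP_INTERFACE" inet6 add "$IPV6_ADDR"
    # Without the whole /64 on the interface SoftEther does not give
    # connecting clients IPv6 addresses.
    /sbin/ifconfig "$TAP_INTERFACE" inet6 add "$IPV6_SUBNET"
    sleep "$TAP_SETTLE"
    service dnsmasq restart
}

# Start the daemon, create the lock file and bring up the tap.
do_start() {
    "$DAEMON" start
    touch "$LOCK"
    configure_tap
}

# Stop the daemon and clear the lock file (rm -f: a missing lock is not an error).
do_stop() {
    "$DAEMON" stop
    rm -f "$LOCK"
}

case "$1" in
start)
    do_start
    ;;
stop)
    do_stop
    ;;
restart)
    # Go through the same stop/start path as the individual actions so the
    # lock file and tap configuration always reflect the daemon state.
    do_stop
    sleep "$TAP_SETTLE"
    do_start
    ;;
*)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
    ;;
esac
exit 0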

Re: [SOLVED] SoftEther Bridge to TAP Dual Stack IPv6 dnsmasq sysctl HELP PLEASE!!!

Posted: Mon Oct 01, 2018 7:41 pm
by cmd wh0ami
I figured it out. I was using the IPv6 global unicast prefix when I should have been using a link local one for the DHCP push to clients from dnsmasq. I only needed to enable IPv6 forwarding for "all" in sysctl.


# For binary values, 0 is disabled, 1 is enabled.
# To save changes run command  sysctl -p
# For more information, see sysctl.conf(5) and sysctl.d(5).

# Controls IP packet forwarding
# Needed so packets arriving from VPN clients on the tap interface can be
# routed out again; without it the host behaves as an end system, not a router.
net.ipv4.ip_forward = 1

# Controls IPv6 packet forwarding
# "all" enables forwarding on every interface, including tap_soft; this is
# the only IPv6 knob the working setup needed.
net.ipv6.conf.all.forwarding = 1
I had to make quite a few changes in dnsmasq.conf


# I'm not feeling that generous ATM 
# since I got no help whatsoever
I needed to change my `-t nat` ip6tables rule in softether.fw


#######################################################################################
#               ip6tables Rules
#######################################################################################
# Allow replies to connections this host or its VPN clients already opened.
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# NOTE(review): these three rules accept everything, which makes the stateful
# rules above redundant and leaves every IPv6 service on the host reachable
# from any source. On a public VPS, limit INPUT to the VPN listener, ICMPv6
# and the management port, and limit FORWARD to -i tap_soft / -o tap_soft.
ip6tables -A FORWARD -j ACCEPT
ip6tables -A INPUT -j ACCEPT
ip6tables -A OUTPUT -j ACCEPT

# NAT using Local Bridge
# fc00:0000:2ac:7af1::/64 = Local Bridge & SoftEther VPN clients' range served
#   by dnsmasq. This is a unique-local (ULA, fc00::/7) prefix, not link-local
#   (fe80::/10); it is not routable on the internet, hence the NAT below.
# 2603:9001:3c8a:101:596a:2ebc:472:7be6 = SoftEther VPN Server's network interface Global Unicast
# Rewrites the source of client traffic to the server's global address so
# replies come back to this host. Requires a kernel whose ip6tables has a nat
# table; the OpenVZ container mentioned later in this thread lacks it.
# NOTE(review): there is no -o match, so anything from the ULA range is
# rewritten on every outgoing interface; adding "-o <uplink-interface>"
# limits the rewrite to traffic actually leaving towards the internet.
ip6tables -t nat -A POSTROUTING -s fc00:0000:2ac:7af1::/64 -j SNAT --to-source 2603:9001:3c8a:101:596a:2ebc:472:7be6
#######################################################################################
#               End
#######################################################################################
And I had to change the IP in /etc/init.d/vpnserver


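#!/bin/sh
### BEGIN INIT INFO
# Provides:          vpnserver
# Required-Start:    $network $remote_fs
# Required-Stop:     $network $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: SoftEther VPN Server
### END INIT INFO
#
# Starts/stops the SoftEther vpnserver daemon and, once it is up, gives the
# tap interface it creates its IPv4 and IPv6 addresses and restarts dnsmasq
# so DHCP/DHCPv6/RA is served on the freshly configured interface.
#
# Usage: vpnserver {start|stop|restart}
# Exit status: 0 on success, 1 on unknown argument, 0 (no-op) if the daemon
# binary is missing.

DAEMON=/usr/local/vpnserver/vpnserver
LOCK=/var/lock/subsys/vpnserver
TAP_ADDR=192.168.30.1
TAP_INTERFACE=tap_soft
# Unique-local (ULA) address dnsmasq answers DNS on; must match
# option6:dns-server in dnsmasq.conf and the -s range of the ip6tables SNAT rule.
IPV6_ADDR=fc00:0000:2ac:7af1::1
# Whole /64 handed out to clients; SoftEther needs it present on the tap too.
IPV6_SUBNET=fc00:0000:2ac:7af1::/64
# Seconds to wait for vpnserver to create the tap device before addressing it.
TAP_SETTLE=3

test -x "$DAEMON" || exit 0

# Assign the IPv4 address and both IPv6 addresses to the tap interface, then
# restart dnsmasq. The tap only exists once vpnserver is running, hence the
# settle delay before touching it.
configure_tap() {
    sleep "$TAP_SETTLE"
    /sbin/ifconfig "$TAP_INTERFACE" "$TAP_ADDR"
    # IPv6 address used to reply to DNS requests from clients.
    /sbin/ifconfig "$TAP_INTERFACE" inet6 add "$IPV6_ADDR"
    # Without the whole /64 on the interface SoftEther does not give
    # connecting clients IPv6 addresses.
    /sbin/ifconfig "$TAP_INTERFACE" inet6 add "$IPV6_SUBNET"
    sleep "$TAP_SETTLE"
    service dnsmasq restart
}

# Start the daemon, create the lock file and bring up the tap.
do_start() {
    "$DAEMON" start
    touch "$LOCK"
    configure_tap
}

# Stop the daemon and clear the lock file (rm -f: a missing lock is not an error).
do_stop() {
    "$DAEMON" stop
    rm -f "$LOCK"
}

case "$1" in
start)
    do_start
    ;;
stop)
    do_stop
    ;;
restart)
    # Go through the same stop/start path as the individual actions so the
    # lock file and tap configuration always reflect the daemon state.
    do_stop
    sleep "$TAP_SETTLE"
    do_start
    ;;
*)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
    ;;
esac
exit 0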

Re: SoftEther Bridge to TAP Dual Stack IPv6 dnsmasq sysctl HELP PLEASE!!!

Posted: Tue Oct 02, 2018 4:01 pm
by cmd wh0ami
Now I'm stuck again...

I got it working on the test server... But the production server is running OpenVZ and the kernel doesn't support IPv6 NAT. I can't update the kernel on an OpenVZ container because I don't have control over the host. Bridging interfaces is not an option with OpenVZ, so FML....

Anyone have any suggestions?

Re: SoftEther Bridge to TAP Dual Stack IPv6 dnsmasq sysctl HELP PLEASE!!!

Posted: Fri Dec 28, 2018 5:59 am
by qazesz
YOU ARE GREAT!
I tried your method and successfully accessed IPv6 on the client.
Plenty of thanks!

Re: SoftEther Bridge to TAP Dual Stack IPv6 dnsmasq sysctl HELP PLEASE!!!

Posted: Sun Dec 30, 2018 2:40 pm
by cmd wh0ami
Here is the dnsmasq.conf I ended up using...


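##################################################################################
# SoftEther VPN server dnsmasq.conf
# DHCPv4, DHCPv6 + Router Advertisements and DNS for clients bridged onto
# tap_soft. Addresses below must match /etc/init.d/vpnserver, which puts
# 192.168.30.1 and fc00:0000:2ac:7af1::1 (plus the /64) on tap_soft.
################################################################################## Interface Settings

# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than one interface.
interface=tap_soft

# If you want dnsmasq to really bind only the interfaces it is listening on,
# uncomment this option. About the only time you may need this is when
# running another nameserver on the same machine.
# It also keeps the listener off the uplink, so the resolver is not reachable
# from the internet.
bind-interfaces

################################################################################## Options

# Uncomment this to enable the integrated DHCP server, you need
# to supply the range of addresses available for lease and optionally
# a lease time. If you have more than one network, you will need to
# repeat this for each network on which you want to supply DHCP
# service.
# The pool ends at .254: .255 is the broadcast address of the classful /24
# that ifconfig applies to 192.168.30.1 and must not be leased to a client.
dhcp-range=192.168.30.10,192.168.30.254,12h

# Override the default route supplied by dnsmasq, which assumes the
# router is the same machine as the one running dnsmasq.
# Here the router is this machine; option 3 names the tap address explicitly.
dhcp-option=3,192.168.30.1

# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
# files for changes and re-read them then uncomment this.
no-poll

# If you don't want dnsmasq to read /etc/resolv.conf or any other
# file, getting its servers from this file instead (see below), then
# uncomment this.
no-resolv

# Disable re-use of the DHCP servername and filename fields as
# extra option space. This makes extra space available in the
# DHCP packet for options but can, rarely, confuse old or broken
# clients. This flag forces "simple and safe" behavior to avoid
# problems in such a case.
dhcp-no-override

# Never forward addresses in the non-routed address spaces.
bogus-priv

# Do router advertisements for all subnets where we're doing DHCPv6
# Unless overridden by ra-stateless, ra-names, et al, the router
# advertisements will have the M and O bits set, so that the clients
# get addresses and configuration from DHCPv6, and the A bit reset, so the
# clients don't use SLAAC addresses.
enable-ra

# Enable DHCPv6. Note that the prefix-length does not need to be specified
# and defaults to 64 if missing.
# constructor:tap_soft derives the prefix from the /64 configured on tap_soft,
# so only the host part (::100-::1ff) is given here. Fields are written
# comma-separated without spaces so no stray whitespace ends up in a value.
dhcp-range=::100,::1ff,constructor:tap_soft,64,12h

################################################################################## External DNS Servers

# Use these DNS servers for incoming DNS requests = Cloudflare
server=1.1.1.1
server=1.0.0.1

# Use these IPv6 DNS servers for lookups = Cloudflare
server=2606:4700:4700::1111
server=2606:4700:4700::1001

#########################################

################################################################################## Client DNS Servers

# Let's send these DNS servers to clients.
# The first IP is the IPv4 address already assigned to tap_soft.

# Set IPv4 DNS server for client machines
dhcp-option=option:dns-server,192.168.30.1,1.1.1.1

# Send DHCPv6 option for nameservers as the machine running
# dnsmasq and another.
# The first entry is IPV6_ADDR (the ULA address of tap_soft) from /etc/init.d/vpnserver.
dhcp-option=option6:dns-server,[fc00:0000:2ac:7af1::1],[2606:4700:4700::1111]

#########################################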