{"id":13,"date":"2015-04-24T17:35:36","date_gmt":"2015-04-24T16:35:36",
"guid":{"rendered":"https:\/\/tollana.d-tor.org\/notes-to-self\/?p=13"},
"modified":"2016-11-27T01:18:24","modified_gmt":"2016-11-27T00:18:24",
"slug":"openvpn-and-ipv6-bridging","status":"publish","type":"post",
"link":"https:\/\/tollana.d-tor.org\/notes-to-self\/?p=13",
"title":{"rendered":"OpenVPN and IPv6-Bridging"},
"content":{"rendered":"<p>Nothing is as easy as it seems. Sigh&#8230; \ud83d\ude41<\/p>\n<p>I was getting strange timeouts when accessing sites via tunneled IPv6 (OpenVPN). It turned out that the sender never received the ICMPv6 Redirect from the tunnel endpoint, i.e. the OpenVPN server. The ICMPv6 packet is sent from the link-local address of the gateway (fe80::some:thin:g\/64) and gets dropped in the FORWARD chain of the gateway if the chain policy is DROP.<\/p>\n<p>Setting the policy to ACCEPT magically makes things work, but that&#8217;s equivalent to turning off the firewall. Allowing traffic from and to fe80::\/8 doesn&#8217;t help either. Never figured out why.<\/p>\n<p>What now? The physdev module comes to the rescue! Despite its name, it can match the (virtual) tap interface of the OpenVPN server. Just insert the following rules at the beginning of the FORWARD chain:<\/p>\n<pre>ip6tables -I FORWARD -m physdev --physdev-out tap0 -j ACCEPT\r\nip6tables -I FORWARD -m physdev --physdev-in tap0 -j ACCEPT<\/pre>\n<p>and things run smoothly again \ud83d\ude42<\/p>\n","protected":false},
"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},
"categories":[77,76],"tags":[8,6,7],
"class_list":["post-13","post","type-post","status-publish","format-standard","hentry","category-linux","category-network","tag-firewall","tag-ip6tables","tag-iptables"],
"_links":{"self":[{"href":"https:\/\/tollana.d-tor.org\/notes-to-self\/index.php?rest_route=\/wp\/v2\/posts\/13","targetHints":{"allow":["GET"]}}],
"collection":[{"href":"https:\/\/tollana.d-tor.org\/notes-to-self\/index.php?rest_route=\/wp\/v2\/posts"}],
"about":[{"href":"https:\/\/tollana.d-tor.org\/notes-to-self\/index.php?rest_route=\/wp\/v2\/types\/post"}],
"author":[{"embeddable":true,"href":"https:\/\/tollana.d-tor.org\/notes-to-self\/index.php?rest_route=\/wp\/v2\/users\/1"}],
"replies":[{"embeddable":true,"href":"https:\/\/tollana.d-tor.org\/notes-to-self\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=13"}],
"version-history":[{"count":3,"href":"https:\/\/tollana.d-tor.org\/notes-to-self\/index.php?rest_route=\/wp\/v2\/posts\/13\/revisions"}],
"predecessor-version":[{"id":16,"href":"https:\/\/tollana.d-tor.org\/notes-to-self\/index.php?rest_route=\/wp\/v2\/posts\/13\/revisions\/16"}],
"wp:attachment":[{"href":"https:\/\/tollana.d-tor.org\/notes-to-self\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=13"}],
"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tollana.d-tor.org\/notes-to-self\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=13"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tollana.d-tor.org\/notes-to-self\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=13"}],
"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}