SoftEther Bridge to TAP Dual Stack IPv6 dnsmasq sysctl HELP PLEASE!!!
Posted: Sat Sep 22, 2018 4:00 pm
I've been trying to figure out how to Bridge to TAP_INTERFACE to tunnel Dual Stack... I am able to get IPv4 to work. But IPv6 seems not able to forward or is getting blocked somewhere. I'm using CentOS 7 with firewalld removed. This setup is on a test server behind NAT. Testing for production VPS.
My ISP assigned me 2603:9001:3c8a:101::/56 IPv6 subnet.
/etc/sysctl.d/99-sysctl.conf
softether.fw
/etc/dnsmasq.conf
/etc/init.d/vpnserver
/etc/sysctl.d/99-sysctl.conf
# For binary values, 0 is disabled, 1 is enabled.
# To save changes run command sysctl -p
# For more information, see sysctl.conf(5) and sysctl.d(5).
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
# Controls IPv6 packet forwarding
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.accept_ra = 2
net.ipv6.conf.all.proxy_ndp = 1
softether.fw
#######################################################################################
# ip6tables Rules
#######################################################################################
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -j ACCEPT
ip6tables -A INPUT -j ACCEPT
ip6tables -A OUTPUT -j ACCEPT
ip6tables -t nat -A POSTROUTING -o tap_soft -j MASQUERADE
#######################################################################################
# End
#######################################################################################
/etc/dnsmasq.conf
##################################################################################
# SoftEther VPN server
##################################################################################
# Interface Settings
# Listen to interface
# In this case it is the Softether bridge
interface=tap_soft
# Don't ever listen to anything on eth0, you wouldn't want that.
except-interface=eth0
listen-address=192.168.30.1
bind-interfaces
##################################################################################
# Options
# Let's give the connecting clients an internal IP
dhcp-range=tap_softether,192.168.30.10,192.168.30.20,12h
# Default route and dns
dhcp-option=tap_soft,3,192.168.30.1
# enable dhcp
dhcp-authoritative
# have your simple hosts expanded to domain
expand-hosts
# stops dnsmasq from getting DNS server addresses from /etc/resolv.conf
no-resolv
no-poll
# Let dnsmasq use the dns servers in the order you chose.
strict-order
# Let's try not giving the same IP to all, right?
dhcp-no-override
# Stop reverse lookups for private IP ranges not in /etc/hosts
bogus-priv
# All of your clients can have a real and unique IPv6 address.
# you can try slaac,ra-only | slaac,ra-names | slaac,ra-stateless | slaac,ra-advrouter in case you have trouble connecting
dhcp-range=tap_soft,2603:9001:3c8a:101:0000:0000:0000:0032,2603:9001:3c8a:101:0000:0000:0000:ffff,slaac,ra-only,64,4W
##################################################################################
# External DNS Servers
# Use these DNS servers for incoming DNS requests
server=1.1.1.1
server=1.0.0.1
server=208.67.222.222
# Use these IPv6 DNS Servers for lookups/ Cloudflare and OpenDNS
server=2606:4700:4700::1111
server=2606:4700:4700::1001
server=2620:0:ccd::2
#########################################
##################################################################################
# Client DNS Servers
# Let's send these DNS Servers to clients.
# The first IP is the IPv4 address that is already assigned to the tap_softether
# Set IPv4 DNS server for client machines
dhcp-option=option:dns-server,192.168.30.1,1.1.1.1
# Set IPv6 DNS server for clients
# You can change the first IP with the ipv6 address of your tap_softether if you
# want all dns queries to go through your server...
dhcp-option=option6:dns-server,[2603:9001:3C8A:101:110:110:110:110],[2606:4700:4700::1111]
#########################################
/etc/init.d/vpnserver
#!/bin/sh
### BEGIN INIT INFO
# Provides: vpnserver
# Required-Start: $network $remote_fs
# Required-Stop: $network $remote_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: SoftEther VPN Server
### END INIT INFO
DAEMON=/usr/local/vpnserver/vpnserver
LOCK=/var/lock/subsys/vpnserver
TAP_ADDR=192.168.30.1
TAP_INTERFACE=tap_soft
IPV6_ADDR=2603:9001:3C8A:101:110:110:110:110
IPV6_SUBNET=2603:9001:3C8A:101::/64
test -x $DAEMON || exit 0

# Address the tap interface once vpnserver has created it, then restart
# dnsmasq so it binds to the freshly configured interface.
# Shared by start and restart so both paths configure the tap identically.
configure_tap() {
    sleep 3
    #######################################################################################
    # Interface configuration
    #######################################################################################
    # Assign $TAP_ADDR to our tap interface
    /sbin/ifconfig $TAP_INTERFACE $TAP_ADDR
    #
    # IPv6
    # This is the IP we use to reply DNS requests.
    /sbin/ifconfig $TAP_INTERFACE inet6 add $IPV6_ADDR
    #
    # Without assigning the whole /64 subnet, Softether doesn't give connecting clients IPv6 addresses.
    /sbin/ifconfig $TAP_INTERFACE inet6 add $IPV6_SUBNET
    #
    #######################################################################################
    # End of interface configuration
    #######################################################################################
    sleep 3
    service dnsmasq restart
}

case "$1" in
start)
    $DAEMON start
    touch $LOCK
    configure_tap
    ;;
stop)
    $DAEMON stop
    rm $LOCK
    ;;
restart)
    $DAEMON stop
    sleep 3
    $DAEMON start
    configure_tap
    ;;
*)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
esac
exit 0
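A cross-file consistency check over the settings in this post, added here as an editor's example (it is not code from the post, from SoftEther or from dnsmasq). It parses sysctl and dnsmasq text in the same shapes the post uses, with the post's values embedded as constructed copies, and reports the things a reviewer checks first when IPv4 works but IPv6 does not: forwarding enabled without accept_ra=2, a listen-address that is not the tap address, an IPv6 pool outside the delegated /56, and server or resolver addresses that collide with the pool. A dhcp-range tag that differs from the interface name is reported too, so the operator can confirm it is intentional. The function names (check_plan, parse_dhcp_ranges, client_dns6) and the finding strings are the example's own.

```python
import ipaddress

# Constructed inputs: copies of the post's sysctl and dnsmasq settings, plus the
# delegated prefix and the two addresses the init script puts on the tap interface.
ISP_PREFIX = "2603:9001:3c8a:101::/56"
TAP_ADDR = "192.168.30.1"
IPV6_ADDR = "2603:9001:3C8A:101:110:110:110:110"

SYSCTL_CONF = """
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.accept_ra = 2
net.ipv6.conf.all.proxy_ndp = 1
"""

DNSMASQ_CONF = """
interface=tap_soft
listen-address=192.168.30.1
dhcp-range=tap_softether,192.168.30.10,192.168.30.20,12h
dhcp-option=tap_soft,3,192.168.30.1
dhcp-range=tap_soft,2603:9001:3c8a:101:0000:0000:0000:0032,2603:9001:3c8a:101:0000:0000:0000:ffff,slaac,ra-only,64,4W
dhcp-option=option:dns-server,192.168.30.1,1.1.1.1
dhcp-option=option6:dns-server,[2603:9001:3C8A:101:110:110:110:110],[2606:4700:4700::1111]
"""


def parse_kv(text, sep="="):
    """Split 'key<sep>value' lines into (key, value) pairs, skipping blanks and # comments."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(sep)
            pairs.append((key.strip(), value.strip()))
    return pairs


def parse_dhcp_ranges(conf):
    """Yield (tag, start, end, prefixlen) per dhcp-range; prefixlen is None for IPv4 pools."""
    for key, value in parse_kv(conf):
        if key != "dhcp-range":
            continue
        fields = [f.strip() for f in value.split(",")]
        tag = None
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            # Leading field is a tag ('name', 'set:name' or 'tag:name'), not an address.
            tag = fields.pop(0).split(":")[-1]
        start, end = ipaddress.ip_address(fields[0]), ipaddress.ip_address(fields[1])
        prefixlen = None
        if start.version == 6:
            # The optional numeric field after the mode keywords is the advertised prefix length.
            nums = [f for f in fields[2:] if f.isdigit()]
            prefixlen = int(nums[0]) if nums else 64
        yield tag, start, end, prefixlen


def client_dns6(conf):
    """Return the IPv6 resolvers advertised with option6:dns-server (brackets stripped)."""
    servers = []
    for key, value in parse_kv(conf):
        if key == "dhcp-option" and value.startswith("option6:dns-server,"):
            servers += [ipaddress.ip_address(s.strip().strip("[]")) for s in value.split(",")[1:]]
    return servers


def check_plan(sysctl_conf, dnsmasq_conf, isp_prefix, tap_addr, ipv6_addr):
    """Return a list of findings; an empty list means the address plan is consistent."""
    findings = []
    sysctl = dict(parse_kv(sysctl_conf))
    # A host with forwarding=1 ignores router advertisements unless accept_ra is 2.
    if sysctl.get("net.ipv6.conf.all.forwarding") == "1" and sysctl.get("net.ipv6.conf.all.accept_ra") != "2":
        findings.append("net.ipv6.conf.all.accept_ra must be 2 on a forwarding host")

    settings = dict(parse_kv(dnsmasq_conf))
    iface = settings.get("interface")
    if settings.get("listen-address") != tap_addr:
        findings.append(f"listen-address {settings.get('listen-address')} is not the tap address {tap_addr}")

    delegated = ipaddress.ip_network(isp_prefix, strict=False)
    tap6 = ipaddress.ip_address(ipv6_addr)
    if tap6 not in delegated:
        findings.append(f"tap IPv6 address {tap6} is outside the delegated prefix {delegated}")

    for tag, start, end, prefixlen in parse_dhcp_ranges(dnsmasq_conf):
        if tag is not None and tag != iface:
            findings.append(f"dhcp-range tag '{tag}' does not match interface '{iface}'")
        if start.version != 6:
            continue
        if start not in delegated or end not in delegated:
            findings.append(f"IPv6 dhcp-range {start}-{end} lies outside {delegated}")
        # Addresses the server uses itself, or hands out as resolvers, must not sit in the pool.
        if start <= tap6 <= end:
            findings.append(f"tap IPv6 address {tap6} falls inside dhcp-range {start}-{end}")
        link = ipaddress.ip_network(f"{start}/{prefixlen}", strict=False)
        for dns in client_dns6(dnsmasq_conf):
            if dns in link and start <= dns <= end:
                findings.append(f"advertised DNS server {dns} falls inside dhcp-range {start}-{end}")
    return findings


if __name__ == "__main__":
    for finding in check_plan(SYSCTL_CONF, DNSMASQ_CONF, ISP_PREFIX, TAP_ADDR, IPV6_ADDR) or ["no findings"]:
        print(finding)
```

Run against the post's own values, the only finding is the IPv4 pool tagged tap_softether while the interface is tap_soft; the IPv6 pool, the tap address and the advertised resolvers all sit inside the delegated prefix without overlapping each other. Moving the tap address into the pool, or dropping accept_ra to 1, each produces an additional finding.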