SoftEther Bridge to TAP Dual Stack IPv6 dnsmasq sysctl HELP PLEASE!!!

cmd wh0ami
Posts: 125
Joined: Sun Jul 16, 2017 6:58 pm

SoftEther Bridge to TAP Dual Stack IPv6 dnsmasq sysctl HELP PLEASE!!!

Post by cmd wh0ami » Sat Sep 22, 2018 4:00 pm

I've been trying to figure out how to Bridge to TAP_INTERFACE to tunnel Dual Stack... I am able to get IPv4 to work. But IPv6 seems not able to forward or is getting blocked somewhere. I'm using CentOS 7 with firewalld removed. This setup is on a test server behind NAT. Testing for production VPS.

My ISP assigned me 2603:9001:3c8a:101::/56 IPv6 subnet.

/etc/sysctl.d/99-sysctl.conf

# For binary values, 0 is disabled, 1 is enabled.
# To save changes run command  sysctl -p
# For more information, see sysctl.conf(5) and sysctl.d(5).

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

# Controls IPv6 packet forwarding
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.accept_ra = 2
net.ipv6.conf.all.proxy_ndp = 1

softether.fw

#######################################################################################
#               ip6tables Rules
#######################################################################################
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

ip6tables -A FORWARD -j ACCEPT
ip6tables -A INPUT -j ACCEPT
ip6tables -A OUTPUT -j ACCEPT

ip6tables -t nat -A POSTROUTING -o tap_soft -j MASQUERADE
#######################################################################################
#               End
#######################################################################################

/etc/dnsmasq.conf

##################################################################################
# SoftEther VPN server
################################################################################## Interface Settings

# Listen to interface
# In this case it is the Softether bridge
interface=tap_soft

# Don't ever listen to anything on eth0, you wouldn't want that.
except-interface=eth0

listen-address=192.168.30.1

bind-interfaces
################################################################################## Options

# Let's give the connecting clients an internal IP
dhcp-range=tap_softether,192.168.30.10,192.168.30.20,12h

# Default route and dns
dhcp-option=tap_soft,3,192.168.30.1

# enable dhcp
dhcp-authoritative

# Have simple host names expanded with the domain
expand-hosts

# stops dnsmasq from getting DNS server addresses from /etc/resolv.conf
no-resolv
no-poll

# Let dnsmasq use the dns servers in the order you chose.
strict-order

# Let's try not giving the same IP to all, right?
dhcp-no-override

# Stop reverse lookups for private IP ranges not in /etc/hosts
bogus-priv

# All of your clients can have a real and unique IPv6 address.
# you can try slaac,ra-only | slaac,ra-names | slaac,ra-stateless | slaac,ra-advrouter  in case you have trouble connecting
dhcp-range=tap_soft,2603:9001:3c8a:101:0000:0000:0000:0032,2603:9001:3c8a:101:0000:0000:0000:ffff,slaac,ra-only,64,4W


################################################################################## External DNS Servers
# Use these DNS servers for incoming DNS requests
server=1.1.1.1
server=1.0.0.1
server=208.67.222.222

# Use these IPv6 DNS Servers for lookups/ Cloudflare and OpenDNS
server=2606:4700:4700::1111
server=2606:4700:4700::1001
server=2620:0:ccd::2
#########################################

################################################################################## Client DNS Servers
# Let's send these DNS Servers to clients.
# The first IP is the IPv4 address that is already assigned to tap_softether

# Set IPv4 DNS server for client machines
dhcp-option=option:dns-server,192.168.30.1,1.1.1.1

# Set IPv6 DNS server for clients
# You can change the first IP with the ipv6 address of your tap_softether if you
# want all dns queries to go through your server...
dhcp-option=option6:dns-server,[2603:9001:3C8A:101:110:110:110:110],[2606:4700:4700::1111]
#########################################

/etc/init.d/vpnserver

#!/bin/sh
### BEGIN INIT INFO
# Provides:          vpnserver
# Required-Start:    $network $remote_fs
# Required-Stop:     $network $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: SoftEther VPN Server
### END INIT INFO

DAEMON=/usr/local/vpnserver/vpnserver
LOCK=/var/lock/subsys/vpnserver
TAP_ADDR=192.168.30.1
TAP_INTERFACE=tap_soft
IPV6_ADDR=2603:9001:3C8A:101:110:110:110:110
IPV6_SUBNET=2603:9001:3C8A:101::/64

test -x $DAEMON || exit 0
case "$1" in
start)
$DAEMON start
touch $LOCK
sleep 3
######################################################################################
#       Rules for IPTables.
######################################################################################
# Assign $TAP_ADDR to our tap interface
/sbin/ifconfig $TAP_INTERFACE $TAP_ADDR
#
# IPv6
# This is the IP we use to reply DNS requests.
/sbin/ifconfig $TAP_INTERFACE inet6 add $IPV6_ADDR
#
# Without assigning the whole /64 subnet, Softether doesn't give connecting clients IPv6 addresses.
/sbin/ifconfig $TAP_INTERFACE inet6 add $IPV6_SUBNET
#
#######################################################################################
#       End of IPTables Rules
#######################################################################################
sleep 3
service dnsmasq restart
;;
stop)
$DAEMON stop
rm $LOCK
;;
restart)
$DAEMON stop
sleep 3
$DAEMON start
sleep 3
######################################################################################
#       Interface addresses (same as in start)
######################################################################################
# Assign $TAP_ADDR to our tap interface
/sbin/ifconfig $TAP_INTERFACE $TAP_ADDR
#
# IPv6
# This is the IP we use to reply DNS requests.
/sbin/ifconfig $TAP_INTERFACE inet6 add $IPV6_ADDR
#
# Without assigning the whole /64 subnet, Softether doesn't give connecting clients IPv6 addresses.
/sbin/ifconfig $TAP_INTERFACE inet6 add $IPV6_SUBNET
#
#######################################################################################
#       End
#######################################################################################
sleep 3
service dnsmasq restart
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
esac
exit 0

Last edited by cmd wh0ami on Tue Oct 02, 2018 3:57 pm, edited 3 times in total.
VPN Discord invite: https://discord.gg/QByKXA9

cmd wh0ami
Posts: 125
Joined: Sun Jul 16, 2017 6:58 pm

Re: [SOLVED] SoftEther Bridge to TAP Dual Stack IPv6 dnsmasq sysctl HELP PLEASE!!!

Post by cmd wh0ami » Mon Oct 01, 2018 7:41 pm

I figured it out. I was using the IPv6 global unicast when I should have been using a link local for DHCP push to clients from dnsmasq. I only needed to enable IPv6 forwarding for all in sysctl.

# For binary values, 0 is disabled, 1 is enabled.
# To save changes run command  sysctl -p
# For more information, see sysctl.conf(5) and sysctl.d(5).

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

# Controls IPv6 packet forwarding
net.ipv6.conf.all.forwarding = 1

I had to make quite a few changes in dnsmasq.conf

# I'm not feeling that generous ATM
# since I got no help whatsoever

I needed to change my -t nat iptables rules in softether.fw

#######################################################################################
#               ip6tables Rules
#######################################################################################
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

ip6tables -A FORWARD -j ACCEPT
ip6tables -A INPUT -j ACCEPT
ip6tables -A OUTPUT -j ACCEPT

# NAT using Local Bridge
# fc00:0000:2ac:7af1::/64 = Local Bridge & SoftEther VPN Clients Link Local (dnsmasq)
# 2603:9001:3c8a:101:596a:2ebc:472:7be6 = SoftEther VPN Server's network interface Global Unicast
ip6tables -t nat -A POSTROUTING -s fc00:0000:2ac:7af1::/64 -j SNAT --to-source 2603:9001:3c8a:101:596a:2ebc:472:7be6
#######################################################################################
#               End
#######################################################################################

And I had to change the IP in /etc/init.d/vpnserver

#!/bin/sh
### BEGIN INIT INFO
# Provides:          vpnserver
# Required-Start:    $network $remote_fs
# Required-Stop:     $network $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: SoftEther VPN Server
### END INIT INFO

DAEMON=/usr/local/vpnserver/vpnserver
LOCK=/var/lock/subsys/vpnserver
TAP_ADDR=192.168.30.1
TAP_INTERFACE=tap_soft
IPV6_ADDR=fc00:0000:2ac:7af1::1
IPV6_SUBNET=fc00:0000:2ac:7af1::/64

test -x $DAEMON || exit 0
case "$1" in
start)
$DAEMON start
touch $LOCK
sleep 3
######################################################################################
#       Rules for IPTables.
######################################################################################
# Assign $TAP_ADDR to our tap interface
/sbin/ifconfig $TAP_INTERFACE $TAP_ADDR
#
# IPv6
# This is the IP we use to reply DNS requests.
/sbin/ifconfig $TAP_INTERFACE inet6 add $IPV6_ADDR
#
# Without assigning the whole /64 subnet, Softether doesn't give connecting clients IPv6 addresses.
/sbin/ifconfig $TAP_INTERFACE inet6 add $IPV6_SUBNET
#
#######################################################################################
#       End of IPTables Rules
#######################################################################################
sleep 3
service dnsmasq restart
;;
stop)
$DAEMON stop
rm $LOCK
;;
restart)
$DAEMON stop
sleep 3
$DAEMON start
sleep 3
######################################################################################
#       Interface addresses (same as in start)
######################################################################################
# Assign $TAP_ADDR to our tap interface
/sbin/ifconfig $TAP_INTERFACE $TAP_ADDR
#
# IPv6
# This is the IP we use to reply DNS requests.
/sbin/ifconfig $TAP_INTERFACE inet6 add $IPV6_ADDR
#
# Without assigning the whole /64 subnet, Softether doesn't give connecting clients IPv6 addresses.
/sbin/ifconfig $TAP_INTERFACE inet6 add $IPV6_SUBNET
#
#######################################################################################
#       End
#######################################################################################
sleep 3
service dnsmasq restart
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
esac
exit 0

cmd wh0ami
Posts: 125
Joined: Sun Jul 16, 2017 6:58 pm

Re: SoftEther Bridge to TAP Dual Stack IPv6 dnsmasq sysctl HELP PLEASE!!!

Post by cmd wh0ami » Tue Oct 02, 2018 4:01 pm

Now I'm stuck again...

I got it working on the test server... But the production server is running OpenVZ and the kernel doesn't support IPv6 NAT. I can't update the kernel on an OpenVZ container because I don't have control over the host. Bridging interfaces is not an option with OpenVZ so FML....

Anyone have any suggestions?

qazesz
Posts: 9
Joined: Thu Mar 31, 2016 2:14 am

Re: SoftEther Bridge to TAP Dual Stack IPv6 dnsmasq sysctl HELP PLEASE!!!

Post by qazesz » Fri Dec 28, 2018 5:59 am

YOU ARE GREAT!
I tried your methods and successfully accessed IPv6 on the client.
Plenty of thanks!

cmd wh0ami
Posts: 125
Joined: Sun Jul 16, 2017 6:58 pm

Re: SoftEther Bridge to TAP Dual Stack IPv6 dnsmasq sysctl HELP PLEASE!!!

Post by cmd wh0ami » Sun Dec 30, 2018 2:40 pm

Here is the dnsmasq.conf I ended up using...

##################################################################################
# SoftEther VPN server dnsmasq.conf
################################################################################## Interface Settings

# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than one interface.
interface=tap_soft

# If you want dnsmasq to really bind only the interfaces it is listening on,
# uncomment this option. About the only time you may need this is when
# running another nameserver on the same machine.
bind-interfaces

################################################################################## Options

# Uncomment this to enable the integrated DHCP server, you need
# to supply the range of addresses available for lease and optionally
# a lease time. If you have more than one network, you will need to
# repeat this for each network on which you want to supply DHCP
# service.
dhcp-range=192.168.30.10,192.168.30.255,12h

# Override the default route supplied by dnsmasq, which assumes the
# router is the same machine as the one running dnsmasq.
dhcp-option=3,192.168.30.1

# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
# files for changes and re-read them then uncomment this.
no-poll

# If you don't want dnsmasq to read /etc/resolv.conf or any other
# file, getting its servers from this file instead (see below), then
# uncomment this.
no-resolv

# Disable re-use of the DHCP servername and filename fields as
# extra option space. This makes extra space available in the
# DHCP packet for options but can, rarely, confuse old or broken
# clients. This flag forces "simple and safe" behavior to avoid
# problems in such a case.
dhcp-no-override

# Never forward addresses in the non-routed address spaces.
bogus-priv

# Do router advertisements for all subnets where we're doing DHCPv6
# Unless overridden by ra-stateless, ra-names, et al, the router
# advertisements will have the M and O bits set, so that the clients
# get addresses and configuration from DHCPv6, and the A bit reset, so the
# clients don't use SLAAC addresses.
enable-ra

# Enable DHCPv6. Note that the prefix-length does not need to be specified
# and defaults to 64 if missing.
dhcp-range=::100,::1ff,constructor:tap_soft,64,12h

################################################################################## External DNS Servers

# Use these DNS servers for incoming DNS requests = Cloudflare
server=1.1.1.1
server=1.0.0.1

# Use these IPv6 DNS Servers for lookups = Cloudflare
server=2606:4700:4700::1111
server=2606:4700:4700::1001

#########################################

################################################################################## Client DNS Servers

# Let's send these DNS servers to clients.
# The first IP is the IPv4 address that is already assigned to tap_soft

# Set IPv4 DNS server for client machines
dhcp-option=option:dns-server,192.168.30.1,1.1.1.1

# Send the DHCPv6 option for nameservers as the machine running
# dnsmasq and another.
dhcp-option=option6:dns-server,[fc00:0000:2ac:7af1::1],[2606:4700:4700::1111]

#########################################
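
Added example (my own code, not from the thread or the SoftEther project): a small Python cross-check of the values that have to agree across the three files in the solved posts above, i.e. IPV6_SUBNET in /etc/init.d/vpnserver, the constructor: dhcp-range and option6:dns-server in dnsmasq.conf, and the -s prefix of the SNAT rule in softether.fw. It also reports which ip6tables chains the posted rules leave unconditionally open, which matters once the tap clients and the server hold routable addresses; all constants are constructed from the thread's values and the function names are my own.

```python
import ipaddress
import re

# Constructed from the thread's final config (init script, dnsmasq.conf, softether.fw).
IFACE_PREFIX = "fc00:0000:2ac:7af1::/64"
DHCP_RANGE = "dhcp-range=::100,::1ff,constructor:tap_soft, 64, 12h"
DNS_OPTION = "dhcp-option=option6:dns-server,[fc00:0000:2ac:7af1::1],[2606:4700:4700::1111]"
IP6TABLES_RULES = [
    "ip6tables -A FORWARD -j ACCEPT",
    "ip6tables -A INPUT -j ACCEPT",
    "ip6tables -t nat -A POSTROUTING -s fc00:0000:2ac:7af1::/64 -j SNAT "
    "--to-source 2603:9001:3c8a:101:596a:2ebc:472:7be6",
]

def dhcpv6_pool(dhcp_range, iface_prefix):
    """(first, last) of a dnsmasq dhcp-range. With constructor:<iface> the two addresses
    are suffixes (::100) laid over the interface prefix; otherwise they are literal."""
    fields = [f.strip() for f in dhcp_range.split("=", 1)[1].split(",")]
    # keep only the address-looking fields; tags, mode words, prefix length and lease are skipped
    addrs = [ipaddress.IPv6Address(f) for f in fields if re.fullmatch(r"[0-9a-f]*:[0-9a-f:]*", f, re.I)]
    start, end = addrs[0], addrs[1]
    if not any(f.startswith("constructor:") for f in fields):
        return start, end
    base = int(ipaddress.IPv6Network(iface_prefix, strict=False).network_address)
    return ipaddress.IPv6Address(base | int(start)), ipaddress.IPv6Address(base | int(end))

def snat_source(rules):
    """The -s prefix of the POSTROUTING SNAT rule, i.e. the range NAT66 will rewrite."""
    for r in rules:
        m = re.search(r"-t nat .*POSTROUTING .*-s\s+(\S+).*-j SNAT", r)
        if m:
            return ipaddress.IPv6Network(m.group(1), strict=False)
    return None

def wide_open_chains(rules):
    """Chains that an '-A <chain> -j ACCEPT' opens with no state/interface/port match."""
    pat = re.compile(r"ip6tables\s+-A\s+(INPUT|FORWARD)\s+-j\s+ACCEPT$")
    return [m.group(1) for r in rules if (m := pat.match(r.strip()))]

def check(iface_prefix=IFACE_PREFIX, dhcp_range=DHCP_RANGE, dns_option=DNS_OPTION, rules=IP6TABLES_RULES):
    """Findings as a dict: do all three files agree on the client prefix?"""
    net = ipaddress.IPv6Network(iface_prefix, strict=False)
    first, last = dhcpv6_pool(dhcp_range, iface_prefix)
    snat = snat_source(rules)
    dns = ipaddress.IPv6Address(re.search(r"\[([^\]]+)\]", dns_option).group(1))
    return {"pool": (str(first), str(last)),
            "pool_on_link": first in net and last in net,
            "snat_covers_pool": snat is not None and first in snat and last in snat,
            "dns_server_on_link": dns in net,
            "wide_open_chains": wide_open_chains(rules)}
```

A chain listed under wide_open_chains should get matches on state, interface and port before the server is given a global prefix.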
