- Enable NDP proxy on the ocserv server host:

      sysctl -w net.ipv6.conf.all.proxy_ndp=1

- Assign a subnet of the ocserv server host's IPv6 network to clients. For example, if the IPv6 address of the ocserv server host interface eth0 is 2608:8207:7888:a450::1/64, add the following lines to ocserv.conf:

      ipv6-network = 2608:8207:7888:a450:cafe::/80
      ipv6-subnet-prefix = 96

- Start proxy NDP for a client with a connect-script. Create an executable script file /path/to/on-connect.sh with the following content:

      #!/bin/bash
      # LAN-facing interface on which the host answers neighbor solicitations
      IFACE=eth0
      # IPV6_REMOTE is set by ocserv to the IPv6 address assigned to the client
      ip -6 neigh add proxy "${IPV6_REMOTE}" dev "${IFACE}"

  and add the following line to ocserv.conf:

      connect-script = /path/to/on-connect.sh

- Stop proxy NDP for a client with a disconnect-script. Create an executable script file /path/to/on-disconnect.sh with the following content:

      #!/bin/bash
      # Same interface as in on-connect.sh
      IFACE=eth0
      # Remove the proxy entry that was added when the client connected
      ip -6 neigh del proxy "${IPV6_REMOTE}" dev "${IFACE}"

  and add the following line to ocserv.conf:

      disconnect-script = /path/to/on-disconnect.sh
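The connect and disconnect steps above, combined into one script as an added example (not the gist author's code): it branches on the REASON variable that ocserv sets for these scripts and only touches proxy entries for addresses inside the client pool from ipv6-network. POOL_PREFIX, the function names and the logger tag are assumptions of this sketch, and the prefix match assumes IPV6_REMOTE arrives in canonical lowercase form.

```shell
#!/bin/sh
# Added example: one script for both connect-script and disconnect-script.
IFACE="${IFACE:-eth0}"
# Assumption: textual form of the five fixed groups of
# ipv6-network = 2608:8207:7888:a450:cafe::/80
POOL_PREFIX="${POOL_PREFIX:-2608:8207:7888:a450:cafe:}"

# Succeeds only for a plain IPv6 literal that lies inside the client pool.
in_client_pool() {
    [ "${#1}" -le 39 ] || return 1           # longest possible IPv6 literal
    case "$1" in
        *[!0-9a-f:]*|*:::*) return 1 ;;      # anything but hex digits and colons
        "$POOL_PREFIX"?*)   return 0 ;;      # starts with the pool's fixed groups
        *)                  return 1 ;;      # empty, or outside the pool
    esac
}

# Prints the ip-neigh verb ("add" or "del") when a proxy entry should change.
proxy_verb() {
    in_client_pool "$2" || return 1
    case "$1" in
        connect)    echo add ;;
        disconnect) echo del ;;
        *)          return 1 ;;              # other REASON values are ignored
    esac
}

# Act only when ocserv invokes the script with REASON set.
if [ -n "${REASON:-}" ]; then
    if verb="$(proxy_verb "$REASON" "${IPV6_REMOTE:-}")"; then
        ip -6 neigh "$verb" proxy "$IPV6_REMOTE" dev "$IFACE" ||
            logger -t ocserv-ndp "ip neigh $verb failed for $IPV6_REMOTE"
    else
        # IPv4-only session, unexpected REASON, or address outside the pool
        logger -t ocserv-ndp "skipped: REASON=$REASON IPV6_REMOTE=${IPV6_REMOTE:-none}"
    fi
fi
```

Point both connect-script and disconnect-script in ocserv.conf at this file.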
Created June 6, 2021 05:40
create a workable IPv6 network for ocserv clients
This made my day. I was pulling my hair out seeing VPN clients not able to talk to IPv6 hosts on the LAN.
I changed the routing table and firewall configuration but it never worked.
I uncommented the connect-script and disconnect-script lines in /etc/ocserv/ocserv.conf.template.
I also changed the IPv6 subnet to a different smaller one by modifying /etc/init.d/ocserv.
Here is a different script that gets the interface programmatically instead. Useful if the OpenWRT machine has multiple NICs.
    #!/bin/sh /etc/rc.common
    . $IPKG_INSTROOT/lib/functions/network.sh
    if network_get_device ifname lan; then
        ip -6 neigh add proxy ${IPV6_REMOTE} dev ${ifname}
    fi
Since the IPv6 prefix of the ocserv server host will change, or the IPv6 network of the ocserv server host is only /128, NAT6 is better.