create a workable IPv6 network for ocserv clients

create-a-workable-IPv6-network-for-ocserv-clients.md

create a workable IPv6 network for ocserv clients

1. enable NDP proxy at ocserv server host: sysctl -w net.ipv6.conf.all.proxy_ndp=1 .

2. assign a sub network of ocserv server host IPv6 network for clients, for example:

   if the IPv6 address of ocserv server host inteface eth0 is 2608:8207:7888:a450::1/64, then add the fellowing lines into ocserv.conf:

   ipv6-network = 2608:8207:7888:a450:cafe::/80
   ipv6-subnet-prefix = 96
   

3. start proxy NDP for a client by connect-script. create an executable script file /path/to/on-connect.sh with the fellowing content, add connect-script = /path/to/on-connect.sh into ocserv.conf.

   #!/bin/bash
   IFACE=eth0
   ip -6 neigh add proxy ${IPV6_REMOTE} dev ${IFACE}
   

4. stop proxy NDP for a client by disconnect-script. create an executable script file /path/to/on-disconnect.sh with the fellowing content, add disconnect-script = /path/to/on-disconnect.sh into ocserv.conf.

   #!/bin/bash
   IFACE=eth0
   ip -6 neigh del proxy ${IPV6_REMOTE} dev ${IFACE}
   

Ref. IPv6 NDP proxying with ocserv

This made my day. I was pulling my hairs out seeing VPN clients not able to talk to IPv6 hosts on the LAN.
I changed the routing table and firewall configuration but it never worked.
I uncommented the connect-script and disconnect-script lines in /etc/ocserv/ocserv.conf.template.
I also changed the IPv6 subnet to a different smaller one by modifying /etc/init.d/ocserv.

Here is a different script that gets the interface programmatically instead. Useful if the OpenWRT machine has multiple NICs.

#!/bin/sh /etc/rc.common

. $IPKG_INSTROOT/lib/functions/network.sh

if network_get_device ifname lan; then
ip -6 neigh add proxy ${IPV6_REMOTE} dev ${ifname}
fi