The cjdns daemon connects to peers and creates an ipv6 overlay network which is accessible via a tun device (tun0). I know this is working because I'm able to use ping6 to contact a host elsewhere in the overlay network... almost.
By using tcpdump on tun0, I can verify that pings are going out and responses are being successfully received:
13:48:21.225299 IP6 (flowlabel 0x3bd7f, hlim 64, next-header ICMPv6 (58) payload length: 64) work > fc10:a664:d429:edec:b105:8fcc:a742:b713: [icmp6 sum ok] ICMP6, echo request, seq 15
13:48:21.288088 IP6 (hlim 42, next-header ICMPv6 (58) payload length: 64) fc10:a664:d429:edec:b105:8fcc:a742:b713 > work: [icmp6 sum ok] ICMP6, echo reply, seq 15
13:48:22.249223 IP6 (flowlabel 0x3bd7f, hlim 64, next-header ICMPv6 (58) payload length: 64) work > fc10:a664:d429:edec:b105:8fcc:a742:b713: [icmp6 sum ok] ICMP6, echo request, seq 16
13:48:22.305391 IP6 (hlim 42, next-header ICMPv6 (58) payload length: 64) fc10:a664:d429:edec:b105:8fcc:a742:b713 > work: [icmp6 sum ok] ICMP6, echo reply, seq 16
13:48:23.273320 IP6 (flowlabel 0x3bd7f, hlim 64, next-header ICMPv6 (58) payload length: 64) work > fc10:a664:d429:edec:b105:8fcc:a742:b713: [icmp6 sum ok] ICMP6, echo request, seq 17
13:48:23.351557 IP6 (hlim 42, next-header ICMPv6 (58) payload length: 64) fc10:a664:d429:edec:b105:8fcc:a742:b713 > work: [icmp6 sum ok] ICMP6, echo reply, seq 17
"work" is the appVM and fc10:a664:d429:edec:b105:8fcc:a742:b713 is the remote host.
I wouldn't be receiving those echo reply packets unless cjdns was working, so there's nothing wrong there.
However, the ping6 command never receives the replies:
PING seed.cjdns.stashcrypto.net(fc10:a664:d429:edec:b105:8fcc:a742:b713 (fc10:a664:d429:edec:b105:8fcc:a742:b713)) 56 data bytes
^C
--- seed.cjdns.stashcrypto.net ping statistics ---
17 packets transmitted, 0 received, 100% packet loss, time 16386ms
What would cause those reply packets to get lost between the tun0 device and the ping6 process?
Thanks.
I ended up solving the problem with an ExecStartPost line in cjdns.service.
For the benefit of anyone who searches this thread, this is the cjdns.service I use to make sure you can have a persistent config:
[Unit]
Description=cjdns: routing engine designed for security, scalability, speed and ease of use
Wants=network.target
After=network.target cjdns-loadmodules.service
Requires=cjdns-loadmodules.service
[Service]
ProtectHome=true
ProtectSystem=true
SyslogIdentifier=cjdroute
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_SYS_CHROOT CAP_AUDIT_CONTROL
ExecStartPre=/bin/sh -ec "if ! test -s /rw/config/cjdroute.conf; \
then umask 077; \
/usr/sbin/cjdroute --genconf | cat > /rw/config/cjdroute.conf; \
echo 'WARNING: A new /rw/config/cjdroute.conf file has been generated.'; \
fi"
ExecStart=/bin/sh -c "exec /usr/sbin/cjdroute --nobg < /rw/config/cjdroute.conf"
ExecStartPost=/usr/sbin/ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Restart=always
[Install]
WantedBy=multi-user.target
Also=cjdns-resume.service
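A standalone version of that ExecStartPost rule, added here as an example rather than taken from the thread or from cjdns: it checks with -C before appending, so Restart=always does not stack a duplicate copy of the rule on every restart, and it scopes the accept to the tun interface instead of the whole INPUT chain. It assumes the cjdns tun device is tun0 and ip6tables lives at /usr/sbin/ip6tables (both overridable), and it uses -m conntrack --ctstate, the current spelling of the -m state --state match in the unit above.

```shell
#!/bin/sh
# Idempotent ip6tables accept for cjdns reply traffic. Constructed example for
# this thread, not cjdns project code. Assumes the cjdns tun device is tun0 and
# ip6tables is at /usr/sbin/ip6tables; both can be overridden via environment.
set -eu

IP6T="${IP6T:-/usr/sbin/ip6tables}"   # assumption: ip6tables path (overridable)
CJDNS_IF="${CJDNS_IF:-tun0}"           # assumption: cjdns tun device name

# One rule, parameterised by the verb (-A append, -C check, -D delete).
# conntrack/--ctstate is the current spelling of "-m state --state".
ip6t_rule() {
    "$IP6T" "$1" INPUT -i "$CJDNS_IF" -m conntrack \
        --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# Add the rule only if it is not already present, so a service restart
# (Restart=always) does not stack a duplicate copy each time.
ensure_established_rule() {
    if ip6t_rule -C 2>/dev/null; then
        echo "INPUT already accepts RELATED,ESTABLISHED on $CJDNS_IF"
    else
        ip6t_rule -A
        echo "added RELATED,ESTABLISHED accept for $CJDNS_IF on INPUT"
    fi
}

# Remove every copy of the rule (also cleans up duplicates left by a plain -A).
remove_established_rule() {
    while ip6t_rule -C 2>/dev/null; do
        ip6t_rule -D
    done
}

case "${1:-}" in
    apply)  ensure_established_rule ;;
    remove) remove_established_rule ;;
    "")     ;;   # no verb: only define the functions (e.g. when sourced)
    *)      echo "usage: $0 apply|remove" >&2; exit 2 ;;
esac
```

Point ExecStartPost at this script with the apply verb. The echo replies tcpdump showed arriving on tun0 belong to conntrack entries created by the outgoing echo requests, which is why an ESTABLISHED match is what lets them through INPUT to ping6.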