Tunnelblick Troubles with TAP and IPv6


Pete

Oct 21, 2010, 11:43:21 PM
to tunnelblick-discuss
(I posted a slightly different version of this to the OpenVPN users
list too, so I'm sorry if you're reading this twice. This issue seems
to sit on the line between a few possible groups.)

I'm trying to get my MBP running Tunnelblick (3.0 and 3.1b14-18) to
connect to my TAP-based OpenVPN server and I'm having a devil of a
time. The client will connect to our TUN-based OpenVPN server just
fine. It even seems to connect to the TAP-based server without
problems if you're looking to do just IPv4. The trouble comes in when
you try to do IPv6 over the connection. (IPv6 support is why we're
trying to get the TAP-based option working.) I verified that I can do
IPv4 and IPv6 with the TAP-based VPN server using Linux and Windows
clients, so I'm guessing the issue is with the Mac and probably not
the server. (Although, it's possible that the other OSes make
assumptions about v6 service that works with the current config that
OS X does not.)

This is what I do:
1. Bring up the client. Here's my config:
client
dev tap
proto udp
remote Q.R.S.T 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert user.crt
key user.key
comp-lzo
verb 3
script-security 2
2. Enable IPv6 on the just-created tap0 interface:
$ sudo ip6 -u eth0
3. Make sure the kernel is accepting RA so that tap0 will auto-
configure.
$ sudo sysctl -w net.inet6.ip6.accept_rtadv=1

After I tell the kernel to accept RAs, I wait. Eventually, the
interface will see an RA and auto-configure itself and set the
appropriate default route for v6 traffic.

Things look good for 3 seconds to just over a minute, then the default
route disappears (I believe the auto-config address on tap0 does too,
but I can't test right now). I have no idea why this is. If I wait
anywhere from a few seconds to up to a minute or two, the default IPv6
route will reappear. This continues on until I disconnect the client
connection from within TB.

If I statically assign a global IPv6 address and create a static
default route, the address will stay, but the default route will turn
out to be not-so-static and disappear.

Any ideas? There doesn't seem to be anything related to this behavior
in the TB logs, so I don't think it's TB. If I were betting, I'd say
it has something to do with the OS X system configuration framework,
but I don't know enough about the system to narrow it down further or
even test my theory.

Am I maybe setting up the client wrong? Enabling things the wrong way
or forgetting to enable something else? Does anyone here have a TAP-
based VPN that they run native IPv6 over and have Tunnelblick clients?

I'm really stuck here and quite frustrated. Any help would be
appreciated, even if it's less an answer and more a nudge in the right
direction.

Thanks,
Pete

(BTW, I found a neat trick: after IPv6 has been enabled on the tap0
interface, remove the v6 -- ip6 -d tap0 -- then add it back in.
Instant Gray Screen of Death.)

Pete

Oct 22, 2010, 1:43:41 PM
to tunnelblick-discuss
FWIW, it seems that whenever the v6 default route goes away, it'll
come back the next time the client hears an RA.

Doing an radvdump on the client shows these RA options:

interface tap0
{
    AdvSendAdvert on;
    # Note: {Min,Max}RtrAdvInterval cannot be obtained with radvdump
    AdvManagedFlag off;
    AdvOtherConfigFlag off;
    AdvReachableTime 0;
    AdvRetransTimer 0;
    AdvCurHopLimit 64;
    AdvDefaultLifetime 1800;
    AdvHomeAgentFlag off;
    AdvDefaultPreference high;
    AdvSourceLLAddress on;

    prefix 2001:x:y:z::/64
    {
        AdvValidLifetime 2592000;
        AdvPreferredLifetime 604800;
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr off;
    }; # End of prefix definition

}; # End of interface definition

Thanks,
Pete
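
Added example, not part of the original posts: a Python script that parses the radvdump output above and checks whether each loss of the default route could be the advertised router lifetime (AdvDefaultLifetime, in seconds) running out. The function names are hypothetical and the event timestamps are constructed for illustration.

```python
import re

# Abridged from the radvdump output in the post; prefix is redacted as posted.
RADVDUMP = """\
interface tap0
{
    AdvDefaultLifetime 1800;
    prefix 2001:x:y:z::/64
    {
        AdvValidLifetime 2592000;
        AdvPreferredLifetime 604800;
    }; # End of prefix definition
}; # End of interface definition
"""

def parse_radvdump(text):
    """Return {'iface': name, 'options': {...}, 'prefixes': {prefix: {...}}}."""
    ra = {"iface": None, "options": {}, "prefixes": {}}
    current = ra["options"]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if m := re.match(r"interface\s+(\S+)", line):
            ra["iface"] = m.group(1)
        elif m := re.match(r"prefix\s+(\S+)", line):
            current = ra["prefixes"].setdefault(m.group(1), {})
        elif line.startswith("}"):                   # leave a prefix block
            current = ra["options"]
        elif m := re.match(r"(\w+)\s+(\S+);", line):
            val = m.group(2)
            current[m.group(1)] = int(val) if val.isdigit() else val
    return ra

def classify_route_losses(ra, ra_times, loss_times):
    """Per route loss: (time, seconds since last RA, verdict)."""
    lifetime = ra["options"]["AdvDefaultLifetime"]
    results = []
    for lost in loss_times:
        seen = [t for t in ra_times if t <= lost]
        if not seen:
            results.append((lost, None, "no RA seen yet"))
            continue
        age = lost - max(seen)                       # age of the newest RA
        verdict = "lifetime expired" if age >= lifetime else "removed early"
        results.append((lost, age, verdict))
    return results

if __name__ == "__main__":
    # Constructed timeline (seconds): RAs heard at 0/200/410, route lost at 45/260.
    for row in classify_route_losses(parse_radvdump(RADVDUMP), [0, 200, 410], [45, 260]):
        print(row)
```

On the constructed timeline both losses fall 45 and 60 seconds after an RA, well short of the advertised 1800, so they are reported as "removed early" rather than as lifetime expiry.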