Salvoxia/docker-openvpn-tap

routing of ipv6 addresses is no longer working on the host

Closed this issue · 5 comments

When starting the VPN server container, I noticed that the host is no longer able to route ipv6 addresses, even after I have restarted systemd-resolved.

Routing of ipv4 addresses is still working as you can see below.

root@nuc1:~# ping pi3one.lan
PING pi3one.lan(pi3one.lan (fdb3:fd0d:e21::31)) 56 data bytes
^C
--- pi3one.lan ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2043ms
...
root@nuc1:~# ping pi3three.lan
PING pi3three.lan (192.168.2.33) 56(84) bytes of data.
64 bytes from pi3three.lan (192.168.2.33): icmp_seq=1 ttl=64 time=12.6 ms
64 bytes from pi3three.lan (192.168.2.33): icmp_seq=2 ttl=64 time=7.84 ms

FYI this is what is logged in my VPN docker container:

Identity added: /Users/jan/.ssh/id_rsa (jan@Jans-MBP.lan)
2024-01-29 22:35:54 TUN/TAP device tap0 opened
2024-01-29 22:35:54 Persist state set to: ON
Setting up bridge
setting tap device to promiscous mode
setting eth device to promiscous mode
setting IP, subnet and broadcast address for bridge
setting mac address for bridge
checking if default gateway needs to be added for bridge
setting up IPTABLES
Checking IPv6 Forwarding
Sysctl error for default forwarding, please run docker with '--sysctl net.ipv6.conf.default.forwarding=1'
Sysctl error for all forwarding, please run docker with '--sysctl net.ipv6.conf.all.forwarding=1'
Running 'openvpn --config /etc/openvpn/openvpn.conf --client-config-dir /etc/openvpn/ccd --crl-verify /etc/openvpn/crl.pem '
2024-01-29 22:35:54 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2024-01-29 22:35:54 OpenVPN 2.6.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2024-01-29 22:35:54 library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
2024-01-29 22:35:54 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
2024-01-29 22:35:54 Diffie-Hellman initialized with 2048 bit key
2024-01-29 22:35:54 CRL: loaded 1 CRLs from file /etc/openvpn/crl.pem
2024-01-29 22:35:54 ROUTE_GATEWAY 192.168.2.1/255.255.255.0 IFACE=br0 HWADDR=94:c6:91:a2:ad:53
2024-01-29 22:35:54 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
2024-01-29 22:35:54 OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.254.0
2024-01-29 22:35:54 TUN/TAP device tap0 opened
2024-01-29 22:35:54 Could not determine IPv4/IPv6 protocol. Using AF_INET
2024-01-29 22:35:54 Socket Buffers: R=[212992->212992] S=[212992->212992]
2024-01-29 22:35:54 UDPv4 link local (bound): [AF_INET][undef]:1196
2024-01-29 22:35:54 UDPv4 link remote: [AF_UNSPEC]
2024-01-29 22:35:54 GID set to nogroup
2024-01-29 22:35:54 UID set to nobody
2024-01-29 22:35:54 MULTI: multi_init called, r=256 v=256
2024-01-29 22:35:54 IFCONFIG POOL IPv4: base=192.168.2.200 size=21
2024-01-29 22:35:54 Initialization Sequence Completed

My ipv4 and ipv6 configuration before the VPN container is started:

root@nuc1:/proc/sys/net/ipv4/conf# grep '' */forwarding
all/forwarding:1
br-4fd482291b4b/forwarding:1
br-91ce6ebfb546/forwarding:1
default/forwarding:1
docker0/forwarding:1
enp3s0/forwarding:1
lo/forwarding:1
veth02afbff/forwarding:1
...
vethf4bc947/forwarding:1
wlp2s0/forwarding:1
root@nuc1:/proc/sys/net/ipv4/conf# 
root@nuc1:/proc/sys/net/ipv6/conf# grep '' */forwarding
all/forwarding:0
br-4fd482291b4b/forwarding:0
br-91ce6ebfb546/forwarding:0
default/forwarding:0
docker0/forwarding:0
enp3s0/forwarding:0
lo/forwarding:0
veth02afbff/forwarding:0
...
vethf4bc947/forwarding:0
wlp2s0/forwarding:0
root@nuc1:/proc/sys/net/ipv6/conf#

To fix this, I have updated /etc/sysctl.conf:

Change the line

 #net.ipv6.conf.all.forwarding=1

into

 net.ipv6.conf.all.forwarding=1

but then, when starting the VPN server:

  1. I am still getting a Temporary failure in name resolution (see #3), which automatically resolves after a couple of minutes (about 5 minutes):
root@nuc1:~# ping pi3one.lan
ping: pi3one.lan: Temporary failure in name resolution
root@nuc1:~# ping pi3one.lan
ping: pi3one.lan: Temporary failure in name resolution
root@nuc1:~# ping pi3one.lan
ping: pi3one.lan: Temporary failure in name resolution
root@nuc1:~# ping pi3one.lan
PING pi3one.lan (192.168.2.31) 56(84) bytes of data.
64 bytes from pi3one.lan (192.168.2.31): icmp_seq=1 ttl=64 time=3.50 ms
64 bytes from pi3one.lan (192.168.2.31): icmp_seq=2 ttl=64 time=3.81 ms
64 bytes from pi3one.lan (192.168.2.31): icmp_seq=3 ttl=64 time=17.4 ms
^C
--- pi3one.lan ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 3.496/8.250/17.444/6.502 ms
root@nuc1:~# 
  2. Note also that before this change it was sometimes resolving to an ipv6 address for some of my local servers; after this change to /etc/sysctl.conf it is always resolving to an ipv4 address. (For me this is not an issue, but just an observation that this also changed DNS behaviour.)

When starting the container, it logged

Checking IPv6 Forwarding
Sysctl error for default forwarding, please run docker with '--sysctl net.ipv6.conf.default.forwarding=1'
Sysctl error for all forwarding, please run docker with '--sysctl net.ipv6.conf.all.forwarding=1'

If you do that, is the manual change to /etc/sysctl.conf still necessary?

Sorry, I also tried those options but they are not allowed in host network space.

mac-jan:my-openvpn-tap jan$ docker run --sysctl net.ipv6.conf.default.forwarding=1 --sysctl net.ipv6.conf.all.forwarding=1 -v ovpn-data:/etc/openvpn -d --network host  --cap-add=NET_ADMIN my-openvpn-dev-ovpn-server
e52a4774ca904e5615dbc0eb8b5eaa7d7c79ec6e32b490287f35efcc4e7b3c5f
docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: sysctl "net.ipv6.conf.all.forwarding" not allowed in host network namespace: unknown.
mac-jan:my-openvpn-tap jan$
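As an added example (not from this issue or from the project's image), a POSIX shell check that reads the same sysctls the container's "Checking IPv6 Forwarding" step complains about, defaulting to /proc/sys/net/ipv6/conf but accepting a directory argument so it can be run against a copy; it also goes beyond the thread by flagging the forwarding=1 with accept_ra=1 combination, since the kernel ignores Router Advertisements on a forwarding interface unless accept_ra=2, which is the usual reason SLAAC addresses disappear after forwarding is switched on in /etc/sysctl.conf.

```shell
#!/bin/sh
# check_ipv6_forwarding [conf_dir]
# Inspects net.ipv6.conf.{all,default}.forwarding in a /proc/sys/net/ipv6/conf-style
# directory (hypothetical helper, written for this thread). Because the container runs
# with --network host, docker --sysctl is refused, so these must be set on the host.
# Returns 0 when both are 1, 1 otherwise; prints what needs changing.
check_ipv6_forwarding() {
    conf_dir="${1:-/proc/sys/net/ipv6/conf}"
    status=0
    for iface in all default; do
        fwd=$(cat "$conf_dir/$iface/forwarding" 2>/dev/null || echo "?")
        if [ "$fwd" != "1" ]; then
            echo "net.ipv6.conf.$iface.forwarding=$fwd (expected 1; set it on the host, e.g. in /etc/sysctl.conf)"
            status=1
        fi
    done
    # Caveat: an interface with forwarding=1 ignores Router Advertisements unless
    # accept_ra=2, so its SLAAC address and default route vanish. Flag that combination.
    for d in "$conf_dir"/*/; do
        iface=$(basename "$d")
        case "$iface" in all|default|lo) continue ;; esac
        fwd=$(cat "$d/forwarding" 2>/dev/null || echo "?")
        ra=$(cat "$d/accept_ra" 2>/dev/null || echo "?")
        if [ "$fwd" = "1" ] && [ "$ra" = "1" ]; then
            echo "warning: $iface has forwarding=1 and accept_ra=1; RAs are ignored, set net.ipv6.conf.$iface.accept_ra=2 to keep SLAAC addresses"
        fi
    done
    return $status
}
```

Run it as root on the host before starting the container; a non-zero exit means the container's sysctl check will fail.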