fix nat, simplify

Fix ipv6 nat to use pooled ip with good ip reputation.  Stop using
mail-route as it is unneded complexity.  However, now that dns is
getting routed through the vpn, dns on bk is broke since its using the
one from the local network. So, next up is to setup unbound.

diff --git a/distro-end b/distro-end
index 90c3d26dd032d43a8bd884109e29965c95c3075c..1c6af3bc784a63948bbead7ea7a67b21d3df3313 100755 (executable)
--- a/distro-end
+++ b/distro-end
@@ -475,6 +475,8 @@ case $HOSTNAME in
     ;;
   li)
 
+
+
     m /a/h/setup.sh iankelling.org
 
     # start mumble only when im going to use it, since i dont use it much
@@ -507,16 +509,25 @@ EOF
     # via slightly wrong information from
     # https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh
     # https://community.openvpn.net/openvpn/wiki/IPv6
-    # and man openvpn
-
-    m vpn-server-setup -n mail -rd -6 2600:3c00:e000:280::/64 2600:3c00:e000:280::1/64
+    # and man openvpn.
+    #
+    # This uses a public /64, but afaik, that is not needed for my
+    # current use case, since I'm doing ipv6 nat, they could be private
+    # and nat to a public address. I'm doing ipv6 nat in order to have 2
+    # vpn clients that externally share the same ip when sending so they
+    # share ip reputation.  Note, the eth0 and tunx needed to be
+    # different subnets. On the same, I saw some neighbor packet go
+    # unanswered, tcpdump showed packets getting lost. I tried splitting the
+    # /64, it didn't work but I didn't investigate closely.
+
+    m vpn-server-setup -n mail -d -6 2600:3c00:e002:3800::/64 2600:3c00:e002:3800::1/64
     sudo tee /etc/openvpn/client-config-mail/mailclient <<'EOF'
 ifconfig-push 10.8.0.4 255.255.255.0
-ifconfig-ipv6-push 2600:3c00:e000:280::2/64
+ifconfig-ipv6-push 2600:3c00:e002:3800::4/64
 EOF
     sudo tee /etc/openvpn/client-config-mail/expertpath <<'EOF'
 ifconfig-push 10.8.0.5 255.255.255.0
-ifconfig-ipv6-push 2600:3c00:e000:280::3/64
+ifconfig-ipv6-push 2600:3c00:e002:3800::5/64
 EOF
 
     sudo dd of=/etc/systemd/system/vpn-mail-forward.service <<'EOF'
@@ -526,6 +537,7 @@ BindsTo=openvpn-server@mail.service
 
 [Service]
 Type=oneshot
+RemainAfterExit=yes
 ExecStart=/a/bin/distro-setup/vpn-mail-forward start
 ExecStop=/a/bin/distro-setup/vpn-mail-forward stop
 

diff --git a/mail-route b/mail-route
index 9520060947e1d9933a1718f48b5e33c7dc0de484..5316b795564b83eb04d310c6a17bbc732d827707 100755 (executable)
--- a/mail-route
+++ b/mail-route
@@ -29,6 +29,14 @@ tun_dev, and action is from $script_type env variable, openvpn sets this.
 
 Is idempotent.
 
+The problem with this approach is that if we dont have a non-vpn global
+ipv6 address and route, we need to send all ipv6 traffic through the
+vpn. Using a network namespace for the vpn fixes that, so I've switched
+over to that. We could still use this script inside the network
+namespace, and I have tested it, but it is just unneeded
+complexity. Simpler to just have a default route to the vpn. This script
+does separate out lan ip ranges for ipv4, but we could also do that with
+a simple route.
 
 EOF
   exit $1
@@ -127,12 +135,10 @@ modify() {
 
   if [[ $HOSTNAME == bk ]]; then
     ports=25
-    ip4suf=5
-    ip6suf=3
+    ipsuf=5
   else
     ports=25,143,587
-    ip4suf=4
-    ip6suf=2
+    ipsuf=4
   fi
   iptcommon="OUTPUT -m tcp -p tcp -m multiport --ports $ports -j MARK --set-mark"
   iptmod iptables -t mangle $iptables_op $iptcommon 0x1
@@ -143,8 +149,8 @@ modify() {
 
   if [[ $tun_dev ]]; then
     # when $tun_dev goes away, so does this rule.
-    iptmod iptables -t nat $iptables_op POSTROUTING -o $tun_dev -m mark --mark 0x1 -j SNAT --to-source 10.8.0.$ip4suf
-    iptmod ip6tables -t nat $iptables_op POSTROUTING -o $tun_dev -m mark --mark 0x1 -j SNAT --to-source 2600:3c00:e000:280::$ip6suf
+    iptmod iptables -t nat $iptables_op POSTROUTING -o $tun_dev -m mark --mark 0x1 -j SNAT --to-source 10.8.0.$ipsuf
+    iptmod ip6tables -t nat $iptables_op POSTROUTING -o $tun_dev -m mark --mark 0x1 -j SNAT --to-source 2600:3c00:e002:3800::$ipsuf
   fi
 
 

diff --git a/mail-setup b/mail-setup
index b8377ed3f27258591b43fcb472944a241c29d13b..bca15a065395fa908609c81e9622fad1aeef266c 100755 (executable)
--- a/mail-setup
+++ b/mail-setup
@@ -568,8 +568,8 @@ if [[ -e /p/c/filesystem ]]; then
   # systemd, buuut it can remake the tun device unexpectedly, i got this in the log
   # after my internet was down for a bit:
   # NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
-  m /a/exe/vpn-mk-client-cert -b mailclient -n mail -s /b/ds/mail-route li.iankelling.org
-  m /a/exe/vpn-mk-client-cert -c bk.b8.nz -b expertpath -n mail -s /b/ds/mail-route li.iankelling.org
+  m /a/exe/vpn-mk-client-cert -b mailclient -n mail li.iankelling.org
+  m /a/exe/vpn-mk-client-cert -c bk.b8.nz -b expertpath -n mail li.iankelling.org
 fi
 case $HOSTNAME in
   bk)

diff --git a/vpn-mail-forward b/vpn-mail-forward
index 54e01396822126d7d16bd05c5011ec350c0a437b..e311078a51f0b0722280b2a0d7a5b19f6821e825 100755 (executable)
--- a/vpn-mail-forward
+++ b/vpn-mail-forward
@@ -19,7 +19,8 @@ fi
 do-forward() {
   cmd=$1; shift
   for port; do
-    m /sbin/iptables -t nat $cmd PREROUTING -i $gw -p tcp -m tcp --dport $port -j DNAT --to-destination 10.8.0.4:$port
+    m /sbin/iptables -t nat $cmd PREROUTING -i $gw -p tcp -m tcp --dport $port -j DNAT --to-destination 10.8.0.4
+    m /sbin/ip6tables -t nat $cmd PREROUTING -i $gw -p tcp -m tcp --dport $port -j DNAT --to-destination 2600:3c00:e002:3800::4
   done
   # we could leave these on all the time but its convenient to do it here
   m /sbin/iptables $cmd FORWARD -i tun+ -o $gw -j ACCEPT