From 15b3b7d6f5329c7cbbc9d21451ae21352ba2188e Mon Sep 17 00:00:00 2001
From: Ian Kelling
Date: Sat, 7 Nov 2020 15:55:19 -0500
Subject: [PATCH] fix nat, simplify

Fix ipv6 nat to use pooled ip with good ip reputation. Stop using mail-route as it is unneded complexity. However, now that dns is getting routed through the vpn, dns on bk is broke since its using the one from the local network. So, next up is to setup unbound.
---
 distro-end | 22 +++++++++++++++++-----
 mail-route | 18 ++++++++++++------
 mail-setup | 4 ++--
 vpn-mail-forward | 3 ++-
 4 files changed, 33 insertions(+), 14 deletions(-)

diff --git a/distro-end b/distro-end
index 90c3d26..1c6af3b 100755
--- a/distro-end
+++ b/distro-end
@@ -475,6 +475,8 @@ case $HOSTNAME in
 ;;
 li)
+
+ m /a/h/setup.sh iankelling.org
 # start mumble only when im going to use it, since i dont use it much
@@ -507,16 +509,25 @@ EOF
 # via slightly wrong information from
 # https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh
 # https://community.openvpn.net/openvpn/wiki/IPv6
- # and man openvpn
-
- m vpn-server-setup -n mail -rd -6 2600:3c00:e000:280::/64 2600:3c00:e000:280::1/64
+ # and man openvpn.
+ #
+ # This uses a public /64, but afaik, that is not needed for my
+ # current use case, since I'm doing ipv6 nat, they could be private
+ # and nat to a public address. I'm doing ipv6 nat in order to have 2
+ # vpn clients that externally share the same ip when sending so they
+ # share ip reputation. Note, the eth0 and tunx needed to be
+ # different subnets. On the same, I saw some neighbor packet go
+ # unanswered, tcpdump showed packets getting lost. I tried splitting the
+ # /64, it didn't work but I didn't investigate closely.
+
+ m vpn-server-setup -n mail -d -6 2600:3c00:e002:3800::/64 2600:3c00:e002:3800::1/64
 sudo tee /etc/openvpn/client-config-mail/mailclient <<'EOF'
 ifconfig-push 10.8.0.4 255.255.255.0
-ifconfig-ipv6-push 2600:3c00:e000:280::2/64
+ifconfig-ipv6-push 2600:3c00:e002:3800::4/64
 EOF
 sudo tee /etc/openvpn/client-config-mail/expertpath <<'EOF'
 ifconfig-push 10.8.0.5 255.255.255.0
-ifconfig-ipv6-push 2600:3c00:e000:280::3/64
+ifconfig-ipv6-push 2600:3c00:e002:3800::5/64
 EOF
 sudo dd of=/etc/systemd/system/vpn-mail-forward.service <<'EOF'
@@ -526,6 +537,7 @@ BindsTo=openvpn-server@mail.service
 [Service]
 Type=oneshot
+RemainAfterExit=yes
 ExecStart=/a/bin/distro-setup/vpn-mail-forward start
 ExecStop=/a/bin/distro-setup/vpn-mail-forward stop
diff --git a/mail-route b/mail-route
index 9520060..5316b79 100755
--- a/mail-route
+++ b/mail-route
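Review bot: The prefix 2600:3c00:e002:3800:: and the ::4/::5 host numbers on the two ifconfig-ipv6-push lines are duplicated by hand in mail-route (ipsuf=4/5 with the same prefix) and vpn-mail-forward (DNAT to ::4), with nothing tying the three copies together, so the next renumbering has to be repeated in three files. Consider one shared definition the scripts source (e.g. a constructed `mail_vpn6_prefix=2600:3c00:e002:3800::` in a common file) and, at minimum, a comment on the vpn-server-setup line: `# prefix and host numbers must match mail-route and vpn-mail-forward`. The added comment leaves the same-subnet failure unexplained; if 2600:3c00:e000:280::/64 was the on-link prefix of eth0, a plausible cause is that the upstream router resolves those addresses by neighbor discovery on eth0 and the host does not answer for addresses moved to the tun device unless proxy_ndp is enabled for eth0 and a proxy entry is added with `ip -6 neigh add proxy <ADDR> dev eth0`, which is worth recording so the note is actionable. The enclosing case branch starts and ends outside the hunk.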
@@ -29,6 +29,14 @@ tun_dev, and action is from $script_type env variable, openvpn sets this.
 Is idempotent.
+The problem with this approach is that if we dont have a non-vpn global
+ipv6 address and route, we need to send all ipv6 traffic through the
+vpn. Using a network namespace for the vpn fixes that, so I've switched
+over to that. We could still use this script inside the network
+namespace, and I have tested it, but it is just unneeded
+complexity. Simpler to just have a default route to the vpn. This script
+does separate out lan ip ranges for ipv4, but we could also do that with
+a simple route.
 EOF
 exit $1
@@ -127,12 +135,10 @@ modify() {
 if [[ $HOSTNAME == bk ]]; then
 ports=25
- ip4suf=5
- ip6suf=3
+ ipsuf=5
 else
 ports=25,143,587
- ip4suf=4
- ip6suf=2
+ ipsuf=4
 fi
 iptcommon="OUTPUT -m tcp -p tcp -m multiport --ports $ports -j MARK --set-mark"
 iptmod iptables -t mangle $iptables_op $iptcommon 0x1
@@ -143,8 +149,8 @@ modify() {
 if [[ $tun_dev ]]; then
 # when $tun_dev goes away, so does this rule.
- iptmod iptables -t nat $iptables_op POSTROUTING -o $tun_dev -m mark --mark 0x1 -j SNAT --to-source 10.8.0.$ip4suf
- iptmod ip6tables -t nat $iptables_op POSTROUTING -o $tun_dev -m mark --mark 0x1 -j SNAT --to-source 2600:3c00:e000:280::$ip6suf
+ iptmod iptables -t nat $iptables_op POSTROUTING -o $tun_dev -m mark --mark 0x1 -j SNAT --to-source 10.8.0.$ipsuf
+ iptmod ip6tables -t nat $iptables_op POSTROUTING -o $tun_dev -m mark --mark 0x1 -j SNAT --to-source 2600:3c00:e002:3800::$ipsuf
 fi
diff --git a/mail-setup b/mail-setup
index b8377ed..bca15a0 100755
--- a/mail-setup
+++ b/mail-setup
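Review bot: The ipsuf values 5/4 set in the modify() hunk, and the SNAT prefix 2600:3c00:e002:3800:: in the POSTROUTING hunk that follows, are kept in step with distro-end's ifconfig-push/ifconfig-ipv6-push addresses purely by hand, while this same commit removes `-s /b/ds/mail-route` from mail-setup and the new usage text says the script has been superseded by a network namespace plus a default route. If the script stays as a tested fallback, say so next to the constants, e.g. `# must match the ifconfig-push/ifconfig-ipv6-push addresses in distro-end; no longer installed by mail-setup`; otherwise it is dead code that will drift silently and is better deleted. Collapsing the old ip4/ip6 pairs (5/3, 4/2) into one suffix is only correct because distro-end now pushes the same host number for v4 and v6 (10.8.0.4 with ::4, 10.8.0.5 with ::5), which is worth stating in the comment. modify() starts and ends outside the hunk.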
@@ -568,8 +568,8 @@ if [[ -e /p/c/filesystem ]]; then
 # systemd, buuut it can remake the tun device unexpectedly, i got this in the log
 # after my internet was down for a bit:
 # NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
- m /a/exe/vpn-mk-client-cert -b mailclient -n mail -s /b/ds/mail-route li.iankelling.org
- m /a/exe/vpn-mk-client-cert -c bk.b8.nz -b expertpath -n mail -s /b/ds/mail-route li.iankelling.org
+ m /a/exe/vpn-mk-client-cert -b mailclient -n mail li.iankelling.org
+ m /a/exe/vpn-mk-client-cert -c bk.b8.nz -b expertpath -n mail li.iankelling.org
 fi
 case $HOSTNAME in
 bk)
diff --git a/vpn-mail-forward b/vpn-mail-forward
index 54e0139..e311078 100755
--- a/vpn-mail-forward
+++ b/vpn-mail-forward
@@ -19,7 +19,8 @@ fi
 do-forward() {
 cmd=$1; shift
 for port; do
- m /sbin/iptables -t nat $cmd PREROUTING -i $gw -p tcp -m tcp --dport $port -j DNAT --to-destination 10.8.0.4:$port
+ m /sbin/iptables -t nat $cmd PREROUTING -i $gw -p tcp -m tcp --dport $port -j DNAT --to-destination 10.8.0.4
+ m /sbin/ip6tables -t nat $cmd PREROUTING -i $gw -p tcp -m tcp --dport $port -j DNAT --to-destination 2600:3c00:e002:3800::4
 done
 # we could leave these on all the time but its convenient to do it here
 m /sbin/iptables $cmd FORWARD -i tun+ -o $gw -j ACCEPT
-- 
2.30.2
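Review bot: The new ip6tables DNAT line has no ip6tables counterpart to the FORWARD accept on the hunk's last line (`m /sbin/iptables $cmd FORWARD -i tun+ -o $gw -j ACCEPT`), so if the IPv6 FORWARD policy is DROP the connections rewritten to 2600:3c00:e002:3800::4 are translated and then discarded; unless the rest of do-forward, which continues past the hunk, already adds them, the v6 rules (`m /sbin/ip6tables $cmd FORWARD -i tun+ -o $gw -j ACCEPT` and the matching $gw-to-tun+ rule) and net.ipv6.conf.all.forwarding=1 are needed. Dropping `:$port` from the IPv4 --to-destination is behaviour-preserving because DNAT keeps the original destination port when none is given, but that is non-obvious and the IPv6 form would need bracket syntax for a port, so add `# no :port on --to-destination: the original dport is kept (v6 would need [addr]:port)` above the two lines. The `-i $gw` match is the only thing scoping these DNATs, since no `-d` is given; if the host has other global addresses on $gw, a `-d <SERVER_ADDR>` match would keep the rules from catching traffic to them.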