id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc
354,"push ""route-ipv6 ..."" doesn't behave properly like push ""route ..."" on the client which owns that subnet",rajkosto,Gert Döring,"Basic part of server config:
{{{
proto udp
dev tun
server 172.16.0.0 255.255.255.0
topology subnet
route-gateway 172.16.0.1
client-to-client
}}}
This makes 172.16.0.1/24 the subnet where the tunnel virtual ips are

Now let's say we have 2 clients 172.16.2.101 and 172.16.2.102 so we have the following ccd configs:
{{{
ifconfig-push 172.16.0.101 255.255.255.0
iroute 172.16.1.0 255.255.255.0
}}}
{{{
ifconfig-push 172.16.0.102 255.255.255.0
iroute 172.16.2.0 255.255.255.0
}}}
now everyone can talk to each other using their tunnel ips (1,101,102)

Let's say both clients are actually edge routers, each with a /24 behind it (101 has 172.16.1.0/24 behind it, 102 has 172.16.2.0/24 behind it), so we add the following to the main server config (not ccd specific):
{{{
#behind 172.16.0.101
route 172.16.1.0 255.255.255.0
push ""route 172.16.1.0 255.255.255.0""
#behind 172.16.0.102
route 172.16.2.0 255.255.255.0
push ""route 172.16.2.0 255.255.255.0""
}}}
This works correctly, on .101 ONLY the 172.16.2.0/24 route is added to ip route, and on .102 ONLY the 172.16.1.0/24 route is added to ip route, so now the subnets behind the edge routers are accessible properly from all sides.

So now let's add equivalent IPv6 addresses to all of this

Main server config:
{{{
server-ipv6 2001:470:d76b:b055::/64
#behind 2001:470:d76b:b055::1001:1
route-ipv6 2001:470:d76b:bee2::/64
push ""route-ipv6 2001:470:d76b:bee2::/64""
#behind 2001:470:d76b:b055::1002:1
route-ipv6 2001:470:d76b:da7a::/64
push ""route-ipv6 2001:470:d76b:da7a::/64""
}}}
ccds:
{{{
ifconfig-ipv6-push 2001:470:d76b:b055::1001:1
iroute-ipv6 2001:470:d76b:bee2::/64
}}}
{{{
ifconfig-ipv6-push 2001:470:d76b:b055::1002:1
iroute-ipv6 2001:470:d76b:da7a::/64
}}}
Now, this worked correctly under 2.1.x with the IPv6 payload patch (same behaviour as ipv4 versions), however, since upgrading the client to 2.3.x push ""route-ipv6 ..."" adds BOTH routes to ip -6 route show, which means they have one with eth0 and one with tun0, and the tun0 one is preferred, so it can no longer talk to the ipv6 clients wired to that router.

To repeat, earlier behaviour was correct and it only added the route that was behind the OTHER router, not the one the edge router was directly connected to. This behaviour is still correct for ipv4, but not for ipv6 since 2.3.x.

Of course, this can be worked around by only pushing routes inside the ccd files (all of them except the one that edge router actually owns) but this involves more copy-paste work than just keeping them in the main server config file, AND it was a feature that worked before with the IPv6 patch, and still works with pushing IPv4 routes properly.
",Feature Wish,closed,major,release 2.6,IPv6,OpenVPN git master branch (Community Ed),"Not set (select this one, unless your'e a OpenVPN developer)",fixed,,tct