IPv6 Proxy NDP not working?

I'm running FreeBSD 10.3-RELEASE-p5 on a VPS with DigitalOcean. They give out a range of IPv6 addresses per host, 16 addresses total, with only one of them configured by default, and all in the same /64 network.

I'd like to configure this VPS to run OpenVPN with IPv6, and I'd like to be able to hand some of the other v6 addresses out to clients without having to do NATv6, which I think means I'll need to proxy NDP requests for those IPs.

Following the documentation in ndp(8) I've added an NDP entry for one of the IPs with the proxy options: ndp -s 2604:a880:800:10::5a5:b002 04:01:55:4e:cf:01 proxy

And I see it in my NDP table:

Code:
$ ndp -an
Neighbor                             Linklayer Address  Netif Expire    S Flags
fe80::601:55ff:fe4e:cf02%vtnet1      04:01:55:4e:cf:02 vtnet1 permanent R
fe80::1%vtnet0                       00:00:5e:00:02:63 vtnet0 23h52m24s S R
2604:a880:800:10::1                  00:00:5e:00:02:63 vtnet0 18s       R R
2604:a880:800:10::5a5:b001           04:01:55:4e:cf:01 vtnet0 permanent R
2604:a880:800:10::5a5:b002           04:01:55:4e:cf:01 vtnet0 permanent R p
2604:a880:800:10::14:2001            04:01:35:08:cc:01 vtnet0 23h46m17s S
2604:a880:800:10::5c8:d001           04:01:42:26:fa:01 vtnet0 22h29m14s S
fe80::601:55ff:fe4e:cf01%vtnet0      04:01:55:4e:cf:01 vtnet0 permanent R

And with tcpdump I see the incoming neighbor solicitation:

Code:
22:33:26.823247 IP6 fe80::1 > ff02::1:ffa5:b002: ICMP6, neighbor solicitation, who has 2604:a880:800:10::5a5:b002, length 32

But no matching neighbor advertisement is sent. I've also tried adding the address in question to a loopback interface (lo1) but that made no difference.

Am I missing something obvious here, or does this not work for some reason?
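As an added example (not code from this thread), a small checker for exactly the symptom described above: it reads the proxy entries out of `ndp -an` output and pairs neighbor solicitations in tcpdump output with the neighbor advertisements that should answer them, reporting proxied targets that were asked for but never answered. Both inputs below are constructed samples in tcpdump's and ndp's text formats, modelled on the lines in the post.

```python
import re

# Constructed tcpdump excerpt: the first line mirrors the solicitation in the
# post; ::b001 (a real address on the box) is answered, ::b002 (proxied) is not.
TCPDUMP_SAMPLE = """\
22:33:26.823247 IP6 fe80::1 > ff02::1:ffa5:b002: ICMP6, neighbor solicitation, who has 2604:a880:800:10::5a5:b002, length 32
22:33:26.823300 IP6 fe80::1 > ff02::1:ffa5:b001: ICMP6, neighbor solicitation, who has 2604:a880:800:10::5a5:b001, length 32
22:33:26.823412 IP6 2604:a880:800:10::5a5:b001 > fe80::1: ICMP6, neighbor advertisement, tgt is 2604:a880:800:10::5a5:b001, length 32
22:33:27.825110 IP6 fe80::1 > ff02::1:ffa5:b002: ICMP6, neighbor solicitation, who has 2604:a880:800:10::5a5:b002, length 32
"""

# Constructed `ndp -an` excerpt; the trailing 'p' flag marks a proxy entry.
NDP_SAMPLE = """\
Neighbor                             Linklayer Address  Netif Expire    S Flags
2604:a880:800:10::5a5:b001           04:01:55:4e:cf:01 vtnet0 permanent R
2604:a880:800:10::5a5:b002           04:01:55:4e:cf:01 vtnet0 permanent R p
"""

NS_RE = re.compile(r"neighbor solicitation, who has ([0-9a-f:]+),")
NA_RE = re.compile(r"neighbor advertisement, tgt is ([0-9a-f:]+),")


def proxied_addresses(ndp_output):
    """Return the set of neighbor addresses whose ndp entry carries the proxy flag."""
    proxied = set()
    for line in ndp_output.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if fields and fields[-1] == "p":
            proxied.add(fields[0].lower())
    return proxied


def unanswered_solicitations(tcpdump_output, proxied):
    """Count solicitations and advertisements per target; return the proxied
    targets that were solicited more often than they were advertised."""
    asked, answered = {}, {}
    for line in tcpdump_output.splitlines():
        m = NS_RE.search(line)
        if m:
            asked[m.group(1)] = asked.get(m.group(1), 0) + 1
            continue
        m = NA_RE.search(line)
        if m:
            answered[m.group(1)] = answered.get(m.group(1), 0) + 1
    return {t: n - answered.get(t, 0)
            for t, n in asked.items()
            if t in proxied and n > answered.get(t, 0)}


if __name__ == "__main__":
    missing = unanswered_solicitations(TCPDUMP_SAMPLE, proxied_addresses(NDP_SAMPLE))
    for tgt, n in sorted(missing.items()):
        print("%s: %d solicitation(s) without a neighbor advertisement" % (tgt, n))
```

On a live host, feed it `ndp -an` and `tcpdump -ni vtnet0 icmp6` output instead of the samples.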
 
Hello from Great Necroposter!
Any news about a working ndp proxy?
I have a similar problem: my FreeBSD 13 node does not respond to NS packets for proxied addresses.
 
A bit late, but I managed to get ndproxy working on FreeBSD 13.2-RELEASE with WireGuard on a Vultr VPS. You have to add a new Reserved IP (/64) and attach it to your instance first. I haven't had success getting ndproxy to work with my existing /64 assigned by Vultr.

Code:
1. Load the module: kldload ndproxy
2. Add the module to /boot/loader.conf (ndproxy_load="YES")
3. Add the following to /etc/rc.conf:

ndproxy_enable="YES"
ndproxy_uplink_interface="vtnet0"
ndproxy_downlink_mac_address="vtnet0:Mac:Address"
ndproxy_uplink_ipv6_addresses="fe80::xx:xx:xx:xx" # uplink router's link-local IPv6 address (see ndp -na)

4. Start ndproxy: service ndproxy start
5. Set up WireGuard and assign a /128 GUA address from the new Reserved IP /64 block to a peer.
6. Start WireGuard and set up the client peer to use the new /128 GUA address

Hope this helps someone out there. Cheers.
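As an added example (not code from this thread or from the ndproxy port), a script that fills in the two placeholders of the rc.conf stanza above from command output: the interface MAC from `ifconfig vtnet0` and the uplink router's link-local address from `ndp -an`. It assumes the uplink router is the fe80:: neighbour that ndp flags with R on the uplink interface; both command outputs are constructed samples based on the table earlier in this thread.

```python
import re

# Constructed `ifconfig vtnet0` excerpt (the ether line is what we need).
IFCONFIG_SAMPLE = """\
vtnet0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 04:01:55:4e:cf:01
\tinet6 fe80::601:55ff:fe4e:cf01%vtnet0 prefixlen 64 scopeid 0x1
"""

# Constructed `ndp -an` excerpt; fe80::1 is the provider's router (R flag).
NDP_SAMPLE = """\
Neighbor                             Linklayer Address  Netif Expire    S Flags
fe80::1%vtnet0                       00:00:5e:00:02:63 vtnet0 23h52m24s S R
2604:a880:800:10::1                  00:00:5e:00:02:63 vtnet0 18s       R R
fe80::601:55ff:fe4e:cf01%vtnet0      04:01:55:4e:cf:01 vtnet0 permanent R
"""


def interface_mac(ifconfig_output):
    """MAC address from the 'ether' line of ifconfig output, or None."""
    m = re.search(r"^\s*ether ([0-9a-f:]{17})", ifconfig_output, re.M)
    return m.group(1) if m else None


def uplink_router_linklocals(ndp_output, uplink):
    """Link-local neighbours on the uplink whose Flags column contains R
    (router), with the %scope suffix stripped for use in rc.conf."""
    routers = []
    for line in ndp_output.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 5 or f[2] != uplink:
            continue
        addr, flags = f[0].split("%")[0], f[5:]       # f[4] is the state column
        if addr.lower().startswith("fe80:") and "R" in flags:
            routers.append(addr)
    return routers


def ndproxy_rc_conf(uplink, mac, routers):
    """rc.conf stanza in the form shown in this thread; only the first router
    is written (check ndproxy's documentation before listing several)."""
    if not routers or mac is None:
        raise ValueError("could not determine router link-local or interface MAC")
    return "\n".join([
        'ndproxy_enable="YES"',
        'ndproxy_uplink_interface="%s"' % uplink,
        'ndproxy_downlink_mac_address="%s"' % mac,
        'ndproxy_uplink_ipv6_addresses="%s"' % routers[0],
    ])


if __name__ == "__main__":
    print(ndproxy_rc_conf("vtnet0", interface_mac(IFCONFIG_SAMPLE),
                          uplink_router_linklocals(NDP_SAMPLE, "vtnet0")))
```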
 
Dear mumu:
I have a home PC with IPv6, and one VPS with IPv6 in the USA. The home PC can't access google.com, github, etc.; they are blocked by the government. The VPS can go anywhere. Can you show me how to share the VPS's internet with my home PC? Thanks.
 
I don't know if it is the same issue, but I was recently experiencing some issues with IPv6 ND, and after disabling TCP Segment Offloading on my NIC all of the problems went away. My NIC is an Intel X710, and this is apparently a bit of a known issue with the ixl device driver.

This was achieved by adding -tso to the ifconfig for that interface.
 
Dear tomstorey:
Can you show me how to build an NDP proxy with IPv6?
My home PC with IPv6 can reach the Chinese internet, not Google.
My VPS with IPv6 can reach the internet anywhere.
home pc ------can ssh ------vps..
How do I install an NDP proxy on the VPS and share the internet with my home PC?
Thanks.
 
If you can get a routed /64 that would be better. You can then split the /64 into two /72s and assign one on the host interface, and the other for WireGuard.
 
Hello. I have the latest version of the system and ndp proxy does not work, in my opinion. Or I am not setting something up correctly. I run OpenVPN with a /64 subnet and the client gets an address. But the IPv6 internet does not work on the client. IPv4 works without problems.
 
I'm using ndproxy on 14.2-p1 and it works without issues.
 
Please show me how to configure it in FreeBSD 14.2? Thanks.
In my conf on the VPS, ndproxy is configured the same way as shown before by mumu.

Code:
ndproxy_enable="YES"
ndproxy_uplink_interface="vtnet0"
ndproxy_downlink_mac_address="vtnet0:Mac:Address"
ndproxy_uplink_ipv6_addresses="fe80::xx:xx:xx:xx" # uplink router's link-local IPv6 address (ndp -na) <-- Link-Local address of vtnet0

This works in conf: [ vtnet0 --- [ internal bridge0 - epairs - jails ] ] with on-link ipv6 address on provider side and given /64 subnet.
 
Does it only work by creating a bridge interface? But I don't need a bridge on the server. I just run openvpn and the nat rule in ipfw sends traffic through vpn.
 
No, but without your detailed configuration it's impossible to say where the problem is.
Here are my main config files. I have doubts about the address in the line "ndproxy_uplink_ipv6_addresses". I substitute the address that openvpn gives to the client. I tried different addresses for the sake of experiment, but it didn't work.
rc.conf:
Code:
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
zfs_enable="YES"
qemu_guest_agent_enable=YES
hostname="freebsd"
dumpdev="AUTO"
ntpd_enable="YES"
ntpdate_enable="YES"
ntpdate_flags="-u"
fsck_y_enable="YES"
background_fsck="NO"
tor_setuid="YES"
tor_enable="YES"
gateway_enable="YES"
ipv6_gateway_enable="YES"
wireguard_enable="NO"
wireguard_interfaces="wg0"
openvpn_enable="YES"
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
ndproxy_enable="YES"
ndproxy_uplink_interface="vtnet0"
ndproxy_downlink_mac_address="52:xx:xx:xx:xx:76"
#ndproxy_exception_ipv6_addresses=""
ndproxy_uplink_ipv6_addresses="2a01:xxxx:xxxx:xxxx::1000"

ipfw:
Code:
#!/bin/sh -

fwcmd="/sbin/ipfw -q"

if_ext="vtnet0"

ext_ip="77.xxx.xxx.xxx"

vpn_net="10.8.1.0/24"

${fwcmd} -f flush

${fwcmd} add allow all from any to any via lo0

${fwcmd} add allow tcp from any to me "port" via ${if_ext}

${fwcmd} add allow tcp from any to me "port" via ${if_ext}

${fwcmd} add allow udp from any to me "port" via ${if_ext}

${fwcmd} add allow udp from any to me "port" via ${if_ext}

${fwcmd} add allow icmp from any to any

${fwcmd} add allow ipv6-icmp from any to any

${fwcmd} add allow all from me to any out keep-state

${fwcmd} nat 1 config if ${if_ext} reset deny_in same_ports unreg_only
${fwcmd} add nat 1 all from ${vpn_net} to any via ${if_ext}
${fwcmd} add nat 1 all from any to ${ext_ip} via ${if_ext}

${fwcmd} add allow all from any to any via wg0

${fwcmd} add allow all from any to any via tun0

openvpn:
Code:
local 77.xxx.xxx.xxx
port 1194
proto udp
dev tun0
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
crl-verify /usr/local/etc/openvpn/crl.pem
topology subnet
server 10.8.1.0 255.255.255.0
server-ipv6 2a01:xxxx:xxxx:xxxx::/64
push "redirect-gateway def1 ipv6 bypass-dhcp"
ifconfig-pool-persist ipp.txt
#push "dhcp-option DNS 1.1.1.1"
#push "dhcp-option DNS 1.0.0.1"
push "dhcp-option DNS6 2606:4700:4700::1111"
push "dhcp-option DNS6 2606:4700:4700::1001"
#push "block-outside-dns"
keepalive 10 120
auth SHA512
cipher AES-256-GCM
persist-key
persist-tun
verb 3
explicit-exit-notify
 
server-ipv6 2a01:xxxx:xxxx:xxxx::/64
Looks like you got only one /64 from provider. If so, you must divide it into smaller subnets, /72 for example:
Code:
# in rc.conf
ifconfig_vtnet0_inet6="inet6 2a01:xxxx:xxxx:xxxx::1000 prefixlen 72"

# openvpn
server-ipv6 2a01:xxxx:xxxx:xxxx:0100::/72
 
Looks like you got only one /64 from provider.
As far as I can judge by the vtnet0 interface, the /48 subnet is issued. I just divided it into /64.

ifconfig_vtnet0_inet6="inet6 2a01:xxxx:xxxx:xxxx::1000 prefixlen 72"
And I don't understand why I need to add this line to the config? I already have a /48 subnet on the interface.
[attached screenshot: 2025-03-15 13-07-40 001.jpg]
 
As far as I can judge by the vtnet0 interface, the /48 subnet is issued. I just divided it into /64.
In this case you don't need ndproxy. One /64 subnet for vtnet0, another /64 subnet for OpenVPN, check the firewall (no NAT for IPv6) and routes (OpenVPN, AFAIK, pushes the route).
 
Here is the connection log. Maybe I need to add rules for ipv6 in ipfw? But I don't know which ones.
Code:
2025-03-15 13:40:51 Note: ovpn-dco-win driver is missing, disabling data channel offload.
2025-03-15 13:40:51 OpenVPN 2.6.13 [git:v2.6.13/5662b3a8eb9e5744] Windows [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Feb 17 2025
2025-03-15 13:40:51 Windows version 10.0 (Windows 10 or greater), amd64 executable
2025-03-15 13:40:51 library versions: OpenSSL 3.4.1 11 Feb 2025, LZO 2.10
2025-03-15 13:40:51 DCO version: N/A
2025-03-15 13:40:51 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
2025-03-15 13:40:51 Need hold release from management interface, waiting...
2025-03-15 13:40:51 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:51847
2025-03-15 13:40:51 MANAGEMENT: CMD 'state on'
2025-03-15 13:40:51 MANAGEMENT: CMD 'log on all'
2025-03-15 13:40:52 MANAGEMENT: CMD 'echo on all'
2025-03-15 13:40:52 MANAGEMENT: CMD 'bytecount 5'
2025-03-15 13:40:52 MANAGEMENT: CMD 'state'
2025-03-15 13:40:52 MANAGEMENT: CMD 'hold off'
2025-03-15 13:40:52 MANAGEMENT: CMD 'hold release'
2025-03-15 13:40:52 TCP/UDP: Preserving recently used remote address: [AF_INET]77.xxx.xxx.154:1194
2025-03-15 13:40:52 Socket Buffers: R=[65536->65536] S=[65536->65536]
2025-03-15 13:40:52 UDPv4 link local: (not bound)
2025-03-15 13:40:52 UDPv4 link remote: [AF_INET]77.xxx.xxx.154:1194
2025-03-15 13:40:52 MANAGEMENT: >STATE:1742035252,WAIT,,,,,,
2025-03-15 13:40:52 MANAGEMENT: >STATE:1742035252,AUTH,,,,,,
2025-03-15 13:40:52 TLS: Initial packet from [AF_INET]77.xxx.xxx.154:1194, sid=5b3d1f69 e08603de
2025-03-15 13:40:52 VERIFY OK: depth=1, CN=Easy-RSA CA
2025-03-15 13:40:52 VERIFY KU OK
2025-03-15 13:40:52 Validating certificate extended key usage
2025-03-15 13:40:52 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2025-03-15 13:40:52 VERIFY EKU OK
2025-03-15 13:40:52 VERIFY OK: depth=0, CN=server
2025-03-15 13:40:52 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
2025-03-15 13:40:52 [server] Peer Connection Initiated with [AF_INET]77.xxx.xxx.154:1194
2025-03-15 13:40:52 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2025-03-15 13:40:52 TLS: tls_multi_process: initial untrusted session promoted to trusted
2025-03-15 13:40:52 PUSH: Received control message: 'PUSH_REPLY,route-ipv6 2a01:xxxx:xxxx:1f4::/64,redirect-gateway def1 ipv6 bypass-dhcp,tun-ipv6,route-gateway 10.8.1.1,topology subnet,ping 10,ping-restart 120,ifconfig-ipv6 2a01:xxxx:xxxx:1f4::1000/64 2a01:xxxx:xxxx:1f4::1,ifconfig 10.8.1.2 255.255.255.0,peer-id 0,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500'
2025-03-15 13:40:52 OPTIONS IMPORT: --ifconfig/up options modified
2025-03-15 13:40:52 OPTIONS IMPORT: route options modified
2025-03-15 13:40:52 OPTIONS IMPORT: route-related options modified
2025-03-15 13:40:52 OPTIONS IMPORT: tun-mtu set to 1500
2025-03-15 13:40:52 interactive service msg_channel=788
2025-03-15 13:40:52 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 I=11 HWADDR=70:xx:xx:xx:xx:18
2025-03-15 13:40:52 GDG6: remote_host_ipv6=n/a
2025-03-15 13:40:52 GetBestInterfaceEx() returned if=11
2025-03-15 13:40:52 GDG6: II=11 DP=::/0 NH=fe80::xxxx:xxxx:fe50:fd0d
2025-03-15 13:40:52 GDG6: Metric=256, Loopback=0, AA=1, I=0
2025-03-15 13:40:52 ROUTE6_GATEWAY fe80::xxx:xxxx:fe50:fd0d I=11
2025-03-15 13:40:52 open_tun
2025-03-15 13:40:52 tap-windows6 device [OpenVPN TAP-Windows6] opened
2025-03-15 13:40:52 TAP-Windows Driver Version 9.27
2025-03-15 13:40:52 Set TAP-Windows TUN subnet mode network/local/netmask = 10.8.1.0/10.8.1.2/255.255.255.0 [SUCCEEDED]
2025-03-15 13:40:52 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.1.2/255.255.255.0 on interface {D2ADAF5C-xxxx-xxxx-xxxx-0979FB8EDAC2} [DHCP-serv: 10.8.1.0, lease-time: 31536000]
2025-03-15 13:40:52 Successful ARP Flush on interface [18] {D2ADAF5C-xxxx-xxxx-xxxx-0979FB8EDAC2}
2025-03-15 13:40:52 MANAGEMENT: >STATE:1742035252,ASSIGN_IP,,10.8.1.2,,,,,2a01:xxxx:xxxx:1f4::1000
2025-03-15 13:40:52 IPv4 MTU set to 1500 on interface 18 using service
2025-03-15 13:40:52 INET6 address service: add 2a01:xxxx:xxxx:1f4::1000/128
2025-03-15 13:40:52 add_route_ipv6(2a01:xxxx:xxxx:1f4::/64 -> 2a01:xxxx:xxxx:1f4::1000 metric 0) IF 18
2025-03-15 13:40:52 IPv6 route addition via service succeeded
2025-03-15 13:40:52 IPv6 MTU set to 1500 on interface 18 using service
2025-03-15 13:40:52 Data Channel: cipher 'AES-256-GCM', peer-id: 0
2025-03-15 13:40:52 Timers: ping 10, ping-restart 120
2025-03-15 13:40:52 Protocol options: explicit-exit-notify 1, protocol-flags cc-exit tls-ekm dyn-tls-crypt
2025-03-15 13:40:57 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
2025-03-15 13:40:57 C:\WINDOWS\system32\route.exe ADD 77.xxx.xxx.154 MASK 255.255.255.255 192.168.1.1
2025-03-15 13:40:57 Route addition via service succeeded
2025-03-15 13:40:57 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.1.1
2025-03-15 13:40:57 Route addition via service succeeded
2025-03-15 13:40:57 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.1.1
2025-03-15 13:40:57 Route addition via service succeeded
2025-03-15 13:40:57 add_route_ipv6(2a01:xxxx:xxxx:1f4::/64 -> 2a01:xxxx:xxxx:1f4::1 metric -1) IF 18
2025-03-15 13:40:57 IPv6 route addition via service failed because route exists
2025-03-15 13:40:57 add_route_ipv6(::/3 -> 2a01:xxxx:xxxx:1f4::1 metric -1) IF 18
2025-03-15 13:40:57 IPv6 route addition via service succeeded
2025-03-15 13:40:57 add_route_ipv6(2000::/4 -> 2a01:xxxx:xxxx:1f4::1 metric -1) IF 18
2025-03-15 13:40:57 IPv6 route addition via service succeeded
2025-03-15 13:40:57 add_route_ipv6(3000::/4 -> 2a01:xxxx:xxxx:1f4::1 metric -1) IF 18
2025-03-15 13:40:57 IPv6 route addition via service succeeded
2025-03-15 13:40:57 add_route_ipv6(fc00::/7 -> 2a01:xxxx:xxxx:1f4::1 metric -1) IF 18
2025-03-15 13:40:57 IPv6 route addition via service succeeded
2025-03-15 13:40:57 Initialization Sequence Completed
2025-03-15 13:40:57 MANAGEMENT: >STATE:1742035257,CONNECTED,SUCCESS,10.8.1.2,77.xxx.xxx.124,1194,,,2a01:xxxx:xxxx:1f4::1000
2025-03-15 13:41:10 SIGTERM received, sending exit notification to peer
2025-03-15 13:41:10 SENT CONTROL [server]: 'EXIT' (status=1)
2025-03-15 13:41:11 C:\WINDOWS\system32\route.exe DELETE 77.xxx.xxx.154 MASK 255.255.255.255 192.168.1.1
2025-03-15 13:41:11 Route deletion via service succeeded
2025-03-15 13:41:11 C:\WINDOWS\system32\route.exe DELETE 0.0.0.0 MASK 128.0.0.0 10.8.1.1
2025-03-15 13:41:11 Route deletion via service succeeded
2025-03-15 13:41:11 C:\WINDOWS\system32\route.exe DELETE 128.0.0.0 MASK 128.0.0.0 10.8.1.1
2025-03-15 13:41:11 Route deletion via service succeeded
 
Code:
2025-03-15 13:40:52 INET6 address service: add 2a01:xxxx:xxxx:1f4::1000/128
2025-03-15 13:40:52 add_route_ipv6(2a01:xxxx:xxxx:1f4::/64 -> 2a01:xxxx:xxxx:1f4::1000 metric 0) IF 18
...
2025-03-15 13:40:57 add_route_ipv6(2a01:xxxx:xxxx:1f4::/64 -> 2a01:xxxx:xxxx:1f4::1 metric -1) IF 18
2025-03-15 13:40:57 IPv6 route addition via service failed because route exists

Incorrect routes; maybe server-ipv6 and the pushed route are from the same /64?

https://community.openvpn.net/openvpn/wiki/IPv6#PushingIPv6routes
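As an added example (not code from this thread), a check for the overlap suspected above and the split suggested earlier in the thread: it tests whether the OpenVPN server-ipv6 prefix overlaps the prefix on the uplink interface, and carves a delegated prefix into two disjoint subnets (a /64 into /72s, or a /48 into /64s), emitting the rc.conf and OpenVPN lines in the form shown earlier. The 2001:db8:: prefixes are constructed stand-ins for the redacted 2a01:xxxx addresses.

```python
import ipaddress


def overlapping(onlink_prefix, vpn_prefix):
    """True when the prefix OpenVPN hands out (server-ipv6) overlaps the
    on-link prefix of the uplink interface: the route conflict in the log."""
    onlink = ipaddress.ip_network(onlink_prefix, strict=False)
    vpn = ipaddress.ip_network(vpn_prefix, strict=False)
    return onlink.overlaps(vpn)


def split_plan(delegated, new_len):
    """First two disjoint subnets of length new_len inside the delegated
    prefix: one for the uplink interface, one for OpenVPN."""
    net = ipaddress.ip_network(delegated, strict=False)
    if new_len <= net.prefixlen:
        raise ValueError("new prefix length must exceed /%d" % net.prefixlen)
    subs = net.subnets(new_prefix=new_len)
    return next(subs), next(subs)


def config_lines(iface_addr, delegated, new_len, iface="vtnet0"):
    """rc.conf and OpenVPN lines for the split, keeping the host's existing
    interface address but with the longer prefix length."""
    iface_net, vpn_net = split_plan(delegated, new_len)
    host = ipaddress.ip_address(iface_addr)
    if host not in iface_net:
        raise ValueError("%s is outside %s; renumber the interface" % (host, iface_net))
    return {
        "rc.conf": 'ifconfig_%s_inet6="inet6 %s prefixlen %d"' % (iface, host, new_len),
        "openvpn": "server-ipv6 %s" % vpn_net,
    }


# Constructed stand-ins for the redacted 2a01:xxxx:xxxx:xxxx:: values.
DELEGATED_64 = "2001:db8:0:1f4::/64"
HOST_ADDR = "2001:db8:0:1f4::1000"

if __name__ == "__main__":
    # The thread's situation: interface and server-ipv6 share one /64.
    print("server-ipv6 overlaps interface prefix:",
          overlapping(HOST_ADDR + "/64", DELEGATED_64))
    for name, line in config_lines(HOST_ADDR, DELEGATED_64, 72).items():
        print("%s: %s" % (name, line))
    first, second = split_plan(DELEGATED_64, 72)
    print("disjoint after split:", not overlapping(str(first), str(second)))
```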
 
Code:
push "route-ipv6 2a01:xxxx:xxxx:1f4::/64"
During the experiments I forgot to comment out a line in the config. All routes are now coming, but there is still no Internet. Or maybe not all of them?)
Still, ndproxy is probably needed. Because it doesn't work on Ubuntu without it.
 
Why did my post get deleted? Was it not informative enough? Ok. Here is a longer post. I replaced the IPv6 connection with a Hurricane Electric tunnel broker. They have a routed /48 subnet which I also split into /64 and added to OpenVPN. Aaaand.... It DOESN'T WORK!!! I don't understand what is missing for IPv6 to work. And as I wrote above, it works on Ubuntu. It doesn't on FreeBSD.
 