1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
|
known issues for IPv6 payload support in OpenVPN
-----------------------------------------------
1.) "--topology subnet" doesn't work together with IPv6 payload
(verified for FreeBSD server, Linux/ifconfig client, problems
with ICMP6 neighbor solicitations from BSD not being answered by Linux)
2.) NetBSD IPv6 support doesn't work
("connected" route is not auto-created, "route-ipv6" adding fails)
* fixed, 3.1.10 *
3.) route deletion for IPv6 routes is not yet done
* fixed for configured routes, 3.1.10 *
* missing for manual-ifconfig-connected (NetBSD, Darwin)
4.) do "ifconfig tun0 inet6 unplumb" or "ifconfig tun0 destroy" for
Solaris, *BSD, ... at program termination time, to clean up leftovers
(unless tunnel persistance is desired).
For Solaris, only the "ipv6 tun0" is affected, for the *BSDs all tun0
stay around.
4a.) deconfigure IPv6 on tun interface on session termination, otherwise
one could end up with something like this (on NetBSD):
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
inet 10.9.0.18 -> 10.9.0.17 netmask 0xffffffff
inet6 fe80::a00:20ff:fece:d299%tun0 -> prefixlen 64 scopeid 0x3
inet6 2001:608:4:eff::2000:3 -> prefixlen 64
inet6 2001:608:4:eff::1:3 -> prefixlen 64
(pool was changed, previous address still active on tun0, breakage)
5.) add new option "ifconfig-ipv6-push"
(per-client static IPv6 assignment, -> radiusplugin, etc)
6.) add new option "route-ipv6-gateway"
7.) add "full" gateway handling for IPv6 in route.c
(right now, the routes are just sent down the tun interface, if the
operating system in questions supports that, without care for the
gateway address - which does not work for gateways that are supposed
to point elsewhere. Also, it doesn't work for TAP interfaces.
8.) full IPv6 support for TAP interfaces
(main issue should be routes+gateway - and testing :-) )
9.) verify that iroute-ipv6 and route-ipv6 interact in the same way as
documented for iroute/route:
A's subnet, OpenVPN must push this route to all clients
EXCEPT for A, since the subnet is already owned by A.
OpenVPN accomplishes this by not
not pushing a route to a client
if it matches one of the client's iroutes.
10.) extend "ifconfig-ipv6" to handle specification of /netbits, pushing
of /netbits, and correctly ifconfig'ing this
(default, if not specified: /64)
11.) do not add ipv6-routes if tun-ipv6 is not set - complain instead
* done * 12.1.10
12.) handle incoming [::] and [fe80:...] packets in tun-p2mp MULTI mode
(most likely those are DAD packets)
silently ignore DAD?
Or accept-and-forward iff (multicast && client2client)?
handle NS/NA
|
