IPv6支持使得openconnect服务器vpn连接太慢。
IPv6支持使得openconnect服务器vpn连接太慢。
提问于 2021-02-20 04:42:36
我已经在OpenConnect 8上设置了一个OpenConnect服务器(ocserv),速度相当快。然而,当我通过取消对下面一行的注释来启用IPv6时,它会变得非常慢,并且上传几乎为零。
#ipv6 6-网络=fda9 9:4 4efe:7e3b:03ea::/48
我试着启用ipv6转发和ipv6伪装,但没有帮助。
值得一提的是,客户端意识到服务器支持IPv6,因为它们显示服务器给他们的IPv6地址。例如,当使用openconnect连接到服务器时,日志上写着:
Connected as 10.10.10.15 + fda9:4efe:7e3b:6b40:f973:5a56:56a0:b1a8/64, using SSL + LZ4, with DTLS + LZ4 in progress尝试禁用带有--no-dtls标志的dtls,但没有帮助。
我需要IPv6支持,因为有些网站需要IPv6,如果您的IPv6支持,但您的IPv6服务器不支持它,那么您正在向服务器公开您的真实IP地址,使VPN连接变得无用。
有谁知道我应该如何在不影响连接速度的情况下启用Ipv6服务器?
PS。以下是连接VPN时的test-ipv6.com的连接详细信息:
Test with IPv4 DNS record
ok (2.008s) using ipv4
http://ipv4.vm3.test-ipv6.com/ip/?callback=?
Fetches an object that has just an A record in DNS. This is expected to use IPv4. IPv6-only users might still reach this, if their provider has employed a NAT64/DNS64 or proxy solution.
Test with IPv6 DNS record
bad (2.011s)
http://ipv6.vm3.test-ipv6.com/ip/?callback=?
Fetches an object that has just an AAAA record in DNS. This is expected to use IPv6. Users not yet on the IPv6 Internet are likely to see this fail. As long as it fails quickly, it will be OK - for now.
Test with Dual Stack DNS record
ok (2.004s) using ipv4
http://ds.vm3.test-ipv6.com/ip/?callback=?
This is the most important test. This verifies your browser can connect to a site that has both IPv4 and IPv6 records published. IPv4 only hosts should connect fine (using IPv4).
If this test fails or times out, you can expect major problems as publishers start offering their sites on IPv6.
Test for Dual Stack DNS and large packet
ok (2.026s) using ipv4
http://ds.vm3.test-ipv6.com/ip/?callback=?&size=1600&fill=xxx...xxx
Validates that you can connect to a dual-stack server (like the ds test); and that you can send/receive large packets on that connection. If this test times out for any reason, it indicates trouble for World IPv6 Day.
Test IPv4 without DNS
ok (1.583s) using ipv4
http://216.218.228.115/ip/?callback=?
This will try connecting with a literal IPv4 numeric address. This should work for most people, unless they are running IPv6-only. If the first test worked, but this fails, it likely confirms your provider is using NAT64/DNS64; you'll need to only try connecting using hostnames instead of numeric IP addresses.
Test IPv6 without DNS
bad (3.007s)
http://[2001:470:1:18::115]:80/ip/?callback=?
This will try connecting with a literal IPv6 hexadecimal address. The primary purpose of this test is to separate out your connectivity on IPv6 from your ability to fetch DNS for it. A secondary purpose is to see if you have Teredo enabled; some systems may only use Teredo when an IPv6 address is in the URL.
Test IPv6 large packet
timeout (6.014s)
http://mtu1280.vm3.test-ipv6.com/ip/?callback=?&size=1600&fill=xxx...xxx
Validates that IPv6 requests with large packets work. If this test times out, but other IPv6 tests work, it suggests that there may be PMTUD issues; possibly involving IP tunnels. Double check to make sure that ICMPv6 Type 2 ("Packet Too Big") messages are not filtered by your firewall.
Test if your ISP's DNS server uses IPv6
ok (2.013s) using ipv4
http://ds.v6ns.vm3.test-ipv6.com/ip/?callback=?
(This is bonus credit)
This is a test of your ISP's resolver (instead of a test of your host). If this test passes, your DNS server (often run by your ISP) is capable of reaching IPV6-only DNS authoritative servers on the Internet. This is not critical (at this time) for you to reach sites via IPv6.
Find IPv4 Service Provider
ok (1.695s) using ipv4 ASN 51167
http://ipv4.lookup.test-ipv6.com/ip/?callback=?&asn=1
Attempts to identify what Internet Service Provider you use for IPv4. This may be different from the marketing name you see in your local market; or may reflect a previous company name. The name shown reflects how it is known in the network operator community.
Find IPv6 Service Provider
timeout (12.962s)
http://ipv6.lookup.test-ipv6.com/ip/?callback=?&asn=1
Attempts to identify what Internet Service Provider you use for IPv6. When the IPv4 name and the IPv6 name don't match, it may suggest that you're using a tunnel; or some form of third party provider for IPv6. 没有VPN连接的相同测试:
Test with IPv4 DNS record
ok (0.311s) using ipv4
http://ipv4.vm3.test-ipv6.com/ip/?callback=?
Fetches an object that has just an A record in DNS. This is expected to use IPv4. IPv6-only users might still reach this, if their provider has employed a NAT64/DNS64 or proxy solution.
Test with IPv6 DNS record
ok (0.349s) using ipv6
http://ipv6.vm3.test-ipv6.com/ip/?callback=?
Fetches an object that has just an AAAA record in DNS. This is expected to use IPv6. Users not yet on the IPv6 Internet are likely to see this fail. As long as it fails quickly, it will be OK - for now.
Test with Dual Stack DNS record
ok (0.971s) using ipv6
http://ds.vm3.test-ipv6.com/ip/?callback=?
This is the most important test. This verifies your browser can connect to a site that has both IPv4 and IPv6 records published. IPv4 only hosts should connect fine (using IPv4).
If this test fails or times out, you can expect major problems as publishers start offering their sites on IPv6.
Test for Dual Stack DNS and large packet
ok (1.999s) using ipv6
http://ds.vm3.test-ipv6.com/ip/?callback=?&size=1600&fill=xxx...xxx
Validates that you can connect to a dual-stack server (like the ds test); and that you can send/receive large packets on that connection. If this test times out for any reason, it indicates trouble for World IPv6 Day.
Test IPv4 without DNS
ok (1.428s) using ipv4
http://216.218.228.115/ip/?callback=?
This will try connecting with a literal IPv4 numeric address. This should work for most people, unless they are running IPv6-only. If the first test worked, but this fails, it likely confirms your provider is using NAT64/DNS64; you'll need to only try connecting using hostnames instead of numeric IP addresses.
Test IPv6 without DNS
ok (2.009s) using ipv6
http://[2001:470:1:18::115]:80/ip/?callback=?
This will try connecting with a literal IPv6 hexadecimal address. The primary purpose of this test is to separate out your connectivity on IPv6 from your ability to fetch DNS for it. A secondary purpose is to see if you have Teredo enabled; some systems may only use Teredo when an IPv6 address is in the URL.
Test IPv6 large packet
timeout (16.053s)
http://mtu1280.vm3.test-ipv6.com/ip/?callback=?&size=1600&fill=xxx...xxx
Validates that IPv6 requests with large packets work. If this test times out, but other IPv6 tests work, it suggests that there may be PMTUD issues; possibly involving IP tunnels. Double check to make sure that ICMPv6 Type 2 ("Packet Too Big") messages are not filtered by your firewall.
Test if your ISP's DNS server uses IPv6
ok (3.017s) using ipv6
http://ds.v6ns.vm3.test-ipv6.com/ip/?callback=?
(This is bonus credit)
This is a test of your ISP's resolver (instead of a test of your host). If this test passes, your DNS server (often run by your ISP) is capable of reaching IPV6-only DNS authoritative servers on the Internet. This is not critical (at this time) for you to reach sites via IPv6.
Find IPv4 Service Provider
ok (0.247s) using ipv4 ASN 44244
http://ipv4.lookup.test-ipv6.com/ip/?callback=?&asn=1
Attempts to identify what Internet Service Provider you use for IPv4. This may be different from the marketing name you see in your local market; or may reflect a previous company name. The name shown reflects how it is known in the network operator community.
Find IPv6 Service Provider
ok (0.204s) using ipv6 ASN 44244
http://ipv6.lookup.test-ipv6.com/ip/?callback=?&asn=1
Attempts to identify what Internet Service Provider you use for IPv6. When the IPv4 name and the IPv6 name don't match, it may suggest that you're using a tunnel; or some form of third party provider for IPv6. ICMP情况:
为了检查PMTUD的情况,我使用这些命令检查了服务器上的icmptype,并且“包太大”icmptype似乎没有被阻塞。
firewall-cmd --get-icmptypes
#firewall-cmd --info-icmptype=packet-too-big
packet-too-big
destination: ipv6
#firewall-cmd --query-icmp-block=packet-too-big
no此外,按照注释中提到的这篇文章,我在客户端和服务器上运行tcpdump,但没有看到任何数据包太大的跟踪。另一方面,当我没有-no-dtls选项连接到服务器时,只有在客户机上才会看到类似数据包太大的错误。如下所示:
Failed to read from SSL socket: The transmitted packet is too large (EMSGSIZE).
Failed to recv DPD request (-5)回答 1
Server Fault用户
发布于 2021-02-20 16:42:03
ULA不适合路由到互联网。在离开网络之前,它将被丢弃,导致用户体验不良。
从ocserv配置中删除ULA,并从您的地址计划中用一个或多个/64替换它。这些子网只用于VPN。例如:
ipv6-network = 2001:db8:3025:1407::/64在使用web浏览器的VPN客户端上,使用双堆栈测试(如http://test-ipv6.com/ )进行验证。
对于实现IPv6,您有正确的想法。IPv6意识是保护网络安全所必需的。有些网络需要IPv6。没有NAT的IPv6堆栈是一个更简单的设计。
页面原文内容由Server Fault提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://serverfault.com/questions/1054361
复制相关文章
相似问题
腾讯云开发者
