Heroku and Gandi.net - heroku

I have no clue how to set up the zones for Gandi.net and Heroku. Here is what I currently have in the Gandi.net zone file. It is now erroring and not going to any page:
# 10800 IN A 217.70.184.38
blog 10800 IN CNAME blogs.vip.gandi.net.
imap 10800 IN CNAME access.mail.gandi.net.
pop 10800 IN CNAME access.mail.gandi.net.
smtp 10800 IN CNAME relay.mail.gandi.net.
webmail 10800 IN CNAME webmail.gandi.net.
www 10800 IN CNAME app.herokuapp.com
# 10800 IN MX 50 fb.mail.gandi.net.
# 10800 IN MX 10 spool.mail.gandi.net.

You are missing the period at the end of app.herokuapp.com. that makes it an FQDN, so the DNS resolver will append your zone domain to the end of it and send people to app.herokuapp.com.yourdomain.com instead.

No IPV6 internet connectivity on client side of OpenVPN AWS EC2 server

I have an OpenVPN server I've set up on an AWS EC2 instance that is pulling an IPV6 address, and can traceroute6 and ping6 ipv6.google.com. The client can do neither and does not return an address when using online tests like ipleak, or testipv6. The server and client can ping6 and traceroute6 each other.
The client appears to pull the correct address locally and via ip -6 route. IPv4 has always worked fine without issue. Everything appears good on the AWS side per their instructions here, so the instance does have IPv6 enabled with the proper routing on the AWS/VPC side. Security groups are pretty wide open for IPv6 as well.
I am assuming it's my routing, but I'm not really sure at this point as I'm no ipv6 or routing expert. Please help!
Relevant config info:
ipv6 addr of AWS instance:
aaaa:bbbb:cccc:dddd::/64
server.conf
local 172.31.44.1
port 443
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
verb 3
crl-verify crl.pem
explicit-exit-notify
server-ipv6 aaaa:bbbb:cccc:dddd:80::/112
push "redirect-gateway-ipv6 def1 bypass-dhcp-ipv6"
push "route-ipv6 aaaa:bbbb:cccc:dddd::/64"
push "route-ipv6 2000::/3"
push "route 172.31.44.1 255.255.255.255 net_gateway"
push "dhcp-option DNS6 2001:4860:4860::8888"
push "dhcp-option DNS6 2001:4860:4860::8844"
/etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.proxy_ndp=1
ip6tables:
-A INPUT -p udp --dport 443 -j ACCEPT
-A FORWARD -m state --state NEW -i tun0 -o eth0 -s aaaa:bbbb:cccc:dddd::/64 -j ACCEPT
-A FORWARD -m state --state NEW -i eth0 -o tun0 -d aaaa:bbbb:cccc:dddd::/64 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
Don't use proxy NDP. It's a mess.
What you need is to delegate (=route) a prefix to the EC2 instance, then configure this prefix in the OpenVPN config (server-ipv6 keyword with the assigned prefix and mask, e.g. 2001:db8:dead:beef:1::/80), then assign connected users addresses from the prefix.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/work-with-prefixes.html
https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/
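As an added example (not from the question or the answer above), a Python check of the question's IPv6 setup against the answer's advice: it verifies that the OpenVPN client pool sits inside a prefix AWS actually routes to the instance, flags the proxy_ndp sysctl, and emits ip6tables FORWARD rules scoped to the pool instead of the whole /64. The prefixes aaaa:bbbb:cccc:dddd::/64 and 2001:db8:dead:beef:1::/80 are the placeholders quoted in the thread; the function names are mine.

```python
import ipaddress
import re

# Constructed input: the IPv6 lines of the question's server.conf and sysctl.conf,
# keeping the poster's placeholder prefix aaaa:bbbb:cccc:dddd::/64.
POSTED_CONF = """\
server-ipv6 aaaa:bbbb:cccc:dddd:80::/112
push "route-ipv6 aaaa:bbbb:cccc:dddd::/64"
push "route-ipv6 2000::/3"
"""
POSTED_SYSCTL = "net.ipv6.conf.all.forwarding=1\nnet.ipv6.conf.all.proxy_ndp=1\n"

# Constructed "after" state following the answer: the pool is the prefix AWS
# delegates (routes) to the instance, so proxy NDP is no longer needed.
FIXED_CONF = 'server-ipv6 2001:db8:dead:beef:1::/80\npush "route-ipv6 2000::/3"\n'
FIXED_SYSCTL = "net.ipv6.conf.all.forwarding=1\n"


def client_pool(conf: str) -> ipaddress.IPv6Network:
    """Prefix OpenVPN assigns to clients (the server-ipv6 directive)."""
    m = re.search(r"^server-ipv6\s+(\S+)", conf, re.M)
    if m is None:
        raise ValueError("server.conf has no server-ipv6 directive")
    return ipaddress.IPv6Network(m.group(1))


def audit(conf: str, sysctl: str, delegated: str) -> list[str]:
    """Findings on whether clients are reachable without proxy NDP; `delegated` is
    the prefix AWS routes to the instance via prefix delegation."""
    routed = ipaddress.IPv6Network(delegated)
    pool = client_pool(conf)
    findings = []
    # Replies to client addresses only reach the instance if the pool lies inside
    # a prefix that AWS actually routes to it, not merely inside the subnet /64.
    if not pool.subnet_of(routed):
        findings.append(f"pool {pool} is outside the delegated prefix {routed}")
    if re.search(r"^net\.ipv6\.conf\.all\.proxy_ndp\s*=\s*1", sysctl, re.M):
        findings.append("proxy_ndp=1 is set; a routed prefix makes it unnecessary")
    return findings


def forward_rules(conf: str, vpn: str = "tun0", wan: str = "eth0") -> list[str]:
    """ip6tables FORWARD rules scoped to the client pool rather than the whole /64."""
    pool = client_pool(conf)
    return [
        f"-A FORWARD -m state --state NEW -i {vpn} -o {wan} -s {pool} -j ACCEPT",
        f"-A FORWARD -m state --state NEW -i {wan} -o {vpn} -d {pool} -j ACCEPT",
        "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
```

Running audit() on the posted configuration reports both the pool lying outside the delegated prefix and the proxy_ndp setting; on the corrected one it reports nothing.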

Heroku Domain - my own domain is added as suffix to end of the heroku domain

I'm having a weird issue whereby, after I added the CNAME record with my domain registrar, when I run the "host" command in the terminal my domain lighttree.co.za is added as a suffix at the end of the Heroku domain, which I know (and according to the Heroku docs) should not be there.
$ host ispprov.lighttree.co.za
ispprov.lighttree.co.za is an alias for classical-apple-j39juha3sy7h7wnzhso39572.herokudns.com.lighttree.co.za.
classical-apple-j39juha3sy7h7wnzhso39572.herokudns.com.lighttree.co.za has address 197.242.146.244
What have I done wrong?
The way DNS works, the CNAME value will have your domain name appended by default.
You can resolve this by adding a dot (.) at the end of your CNAME value.
In your DNS provider configuration, replace the CNAME value with:
classical-apple-j39juha3sy7h7wnzhso39572.herokudns.com.
Don't forget the dot at the end :-)

Setup HTTPs Forward Proxy with HAProxy

In HAProxy, I've used option http_proxy to make it work like a forward proxy. This seems to be working fine, but for HTTPS traffic that's not possible.
So, is there any option in the HAProxy configuration that allows proxying HTTPS traffic just like Squid does?
I think the problem is that the option https_proxy isn't available.
This configuration works perfectly for the HTTP protocol:
frontend http_proxy
bind :3128
option http_proxy
default_backend proxy_server
backend proxy_server
option http_proxy
Note - I've used the certificate with "ssl crt" along with the bind option, but that didn't seem to proxy over the HTTPS protocol.
This is my HAProxy configuration file; it works well for both the HTTP and HTTPS protocols.
Here's the code:
#-----------------------------------------------------------------------------
# global
#-----------------------------------------------------------------------------
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# An alternative list with additional directives can be obtained from
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
# Tuning if required/needed
# tune.ssl.default-dh-param 2048
#-----------------------------------------------------------------------------
# defaults
#-----------------------------------------------------------------------------
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
#-----------------------------------------------------------------------------
# http frontend
#-----------------------------------------------------------------------------
frontend http-in
bind *:80
# Domain redirect, force the 'www' prefix
redirect prefix https://www.domain1.net code 301 if { hdr_beg(host) -i domain1.net }
redirect prefix https://www.domain2.net code 301 if { hdr_beg(host) -i domain2.net }
# Define hosts
acl is-domain1-site hdr(host) -i www.domain1.net
acl is-domain1-blog hdr(host) -i blog.domain1.net
acl is-domain1-wiki hdr(host) -i wiki.domain1.net
acl is-domain2-site hdr(host) -i www.domain2.net
acl is-domain2-blog hdr(host) -i blog.domain2.net
acl is-domain2-wiki hdr(host) -i wiki.domain2.net
# Force https for domain1
redirect scheme https if is-domain1-site !{ ssl_fc }
redirect scheme https if is-domain1-blog !{ ssl_fc }
redirect scheme https if is-domain1-wiki !{ ssl_fc }
# Force https for domain2
redirect scheme https if is-domain2-site !{ ssl_fc }
redirect scheme https if is-domain2-blog !{ ssl_fc }
redirect scheme https if is-domain2-wiki !{ ssl_fc }
# Default backend (parking)
default_backend bk-ct100
#-----------------------------------------------------------------------------
# https frontend
#-----------------------------------------------------------------------------
frontend https-in
bind *:443 ssl crt /etc/ssl/private/
# Domain redirect force www
redirect prefix https://www.domain1.net code 301 if { hdr_beg(host) -i domain1.net }
redirect prefix https://www.domain2.net code 301 if { hdr_beg(host) -i domain2.net }
# Define hosts for domain1
acl is-domain1-site hdr(host) -i www.domain1.net
acl is-domain1-blog hdr(host) -i blog.domain1.net
acl is-domain1-wiki hdr(host) -i wiki.domain1.net
# Define hosts for domain2
acl is-domain2-site hdr(host) -i www.domain2.net
acl is-domain2-blog hdr(host) -i blog.domain2.net
acl is-domain2-wiki hdr(host) -i wiki.domain2.net
# Figure out which backend to use for domain1
use_backend bk-ct101 if is-domain1-site
use_backend bk-ct101 if is-domain1-blog
use_backend bk-ct101 if is-domain1-wiki
# Figure out which backend to use for domain2
use_backend bk-ct102 if is-domain2-site
use_backend bk-ct102 if is-domain2-blog
use_backend bk-ct102 if is-domain2-wiki
# Default backend (parking)
default_backend bk-ct100
#-----------------------------------------------------------------------------
# ct100 backend - parking
#-----------------------------------------------------------------------------
backend bk-ct100
mode http
option forwardfor
server ct100 192.168.100.100:80 check
#-----------------------------------------------------------------------------
# ct101 backend - domain1
#-----------------------------------------------------------------------------
backend bk-ct101
mode http
option forwardfor
server ct101 192.168.100.101:80 check
#-----------------------------------------------------------------------------
# ct102 backend - domain2
#-----------------------------------------------------------------------------
backend bk-ct102
mode http
option forwardfor
server ct102 192.168.100.102:80 check
#-----------------------------------------------------------------------------
# End-Of-File
#-----------------------------------------------------------------------------
In this configuration, I chose to redirect all traffic from HTTP to HTTPS. All of my certificates are stored inside /etc/ssl/private directory. I generated them using CertBot.
You can adapt this file for your needs but it should work :)

How to redirect only select subdomains in HAProxy?

I have several domains such as abc.blah.com, xyz.blah.com, 2a.blah.com, 3b.blah.com and many more. In my haproxy.cfg file I would like to handle only a few of the domains and leave the rest to go their intended destination.
For example:
Redirect abc and xyz to different destinations
abc.blah.com == 10.1.1.11
xyz.blah.com == 10.1.1.12
But not 2a.blah.com or 3b.blah.com or *.blah.com. Let them be directed to the actual destination.
That means 2a.blah.com should go to 2a.blah.com
Here is the haproxy.cfg:
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
user haproxy
group haproxy
daemon
defaults
log global
mode http
option httplog
option dontlognull
contimeout 5000
clitimeout 50000
srvtimeout 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend http-in
bind 0.0.0.0:80
acl xyz hdr(host) -i xyz.blah.com
acl abc hdr(host) -i abc.blah.com
acl default hdr_end(host) -i .blah.com
## figure out which one to use
use_backend xyz_cluster if xyz
use_backend abc_cluster if abc
use_backend direct_forward if default
# send it to xyz.blah.com
backend xyz_cluster
option forwardfor
server node1 10.1.1.12:8080
# send it to "abc.blah.com"
backend abc_cluster
option forwardfor
server node1 10.1.1.11:8080
# handle 2a.blah.com
# handle 3b.blah.com
# handle *.blah.com
# basically forwarding to the source itself
backend direct_forward
option httpclose
option http_proxy
listen stats :9000
mode http
stats enable
stats hide-version
stats realm Haproxy\ Statistics
stats uri /stats
stats auth test:test123
With this configuration, the requests to xyz and abc are routed correctly.
curl -x 10.148.240.78:80 http://xyz.blah.com
Works fine
But requests to 2a.blah.com are throwing a 503:
curl -x 10.148.240.78:80 http://2a.blah.com
<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>
The haproxy log shows the following:
Mar 30 16:48:17 ubuntu-ha-proxy-3289 haproxy[9105]: 10.254.184.246:54533 [30/Mar/2017:16:48:17.793] http-in direct_forward/<NOSRV> 2/-1/-1/-1/2 503 213 - - SC-- 0/0/0/0/0 0/0 "GET http://2a.blah.com HTTP/1.1"
Basically the direct_forward backend needs to be configured to pass the requests to the source domains itself. But it is unclear how it is achieved in haproxy.
Use default_backend <backend> when no "use_backend" rule has been matched.
When doing content-switching between frontend and backends using the "use_backend" keyword, it is often useful to indicate which backend will be used when no rule has matched. It generally is the dynamic backend which will catch all undetermined requests.
frontend http-in
bind 0.0.0.0:80
acl xyz hdr(host) -i xyz.blah.com
acl abc hdr(host) -i abc.blah.com
## figure out which one to use
use_backend xyz_cluster if xyz
use_backend abc_cluster if abc
default_backend direct_forward
Source: https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#default_backend

Gandi.net and Heroku Domain Routing

My .io domain works for www.domain.io, but not for the domain.io version. Below are each of the versions and revisions I have tried with ample time between each. I al
# 10800 IN A 174.129.212.2
# 10800 IN A 75.101.145.87
# 10800 IN A 75.101.163.44
blog 10800 IN CNAME blogs.vip.gandi.net.
imap 10800 IN CNAME access.mail.gandi.net.
pop 10800 IN CNAME access.mail.gandi.net.
smtp 10800 IN CNAME relay.mail.gandi.net.
webmail 10800 IN CNAME webmail.gandi.net.
www 10800 IN CNAME domain.herokuapp.com
# 10800 IN MX 50 fb.mail.gandi.net.
# 10800 IN MX 10 spool.mail.gandi.net.
# 10800 IN A 174.129.212.2
# 10800 IN A 75.101.145.87
# 10800 IN A 75.101.163.44
www 10800 IN CNAME domain.herokuapp.com
# 10800 IN A 174.129.212.2
# 10800 IN A 75.101.145.87
# 10800 IN A 75.101.163.44
www 10800 IN CNAME domain.herokuapp.com.
removed # lines because of Gandi and Heroku set up issue
www 10800 IN CNAME domain.herokuapp.com.
From reading other answers like How to setup DNS for an apex domain (no www) pointing to a Heroku app?, it seems that it is best to redirect from the root domain to the one with www. Any other way?
Also, are the lines for gandi.net necessary?
it seems that it is best to redirect from the root domain to the one with www. Any other way?
As of right now, no. Unfortunately, ALIAS records are not used by Gandi, and A records are not available for use with Heroku because Heroku does not use fixed IP addresses.
The record type that both Heroku and Gandi recognize is the CNAME record, which cannot be used for bare domains. Or, at least, shouldn't be used for bare domains. See https://superuser.com/questions/264913/cant-set-example-com-as-a-cname-record.
And for anyone lost, looking for how the heck to implement this, here's my cheat sheet for the work-around.
Step 1: In Gandi, set the DNS zone file.
Name   Type   Value
#      A      217.70.184.38            # Gandi's server
*      CNAME  my-app.herokuapp.com.    # trailing . is required
www    CNAME  my-app.herokuapp.com.    # trailing . is required
Step 2: In Gandi, set web forwarding for the domain.
The type of forwarding will be 'direct (permanent)', leave the subdomain blank, and set the forwarding address as www.my-custom-domain.com.
Step 3: In Heroku, set the Heroku custom domains.
Domain Name                DNS Target
*.my-custom-domain.com     my-app.herokuapp.com
my-custom-domain.com       my-app.herokuapp.com
www.my-custom-domain.com   my-app.herokuapp.com
it seems that it is best to redirect from the root domain to the one with www. Any other way?
Some DNS providers have an ALIAS record type which synthesizes the A records on the naked domain at request time. That and the URL record are the only options, since Heroku has essentially removed the use of fixed IP addresses with their current stack.
Also, are the lines for gandi.net necessary?
If you do not use Gandi for email or your blog, then you can remove all of the gandi lines. The MX records tell SMTP servers to use Gandi's mail exchanges to try to deliver mail, and the CNAME records are simply ways to access those Gandi services with your custom domain.
As someone already mentioned, gandi.net now supports ALIAS, so it can be done more simply, like this:
# 10800 IN ALIAS stormy-squirrel-xe57il0fhyuauzta3noapg1h.herokudns.com.
And in Heroku, you must add only the bare domain and use the given DNS target (such as stormy-squirrel-xe57il0fhyuauzta3noapg1h.herokudns.com.).
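The trailing-dot and bare-domain problems raised in the three Heroku/Gandi threads on this page (Heroku and Gandi.net, Heroku Domain suffix, Gandi.net and Heroku Domain Routing), as an added Python example that is not from any of the posts: a small zone-file lint that shows how a resolver re-roots a relative CNAME target under the zone and that flags a CNAME on the apex. It assumes '@' marks the apex (the quoted zone files show it as '#') and uses example.com as a constructed origin.

```python
from typing import NamedTuple

# Constructed zone in the Gandi style quoted above ('@' used here for the apex),
# showing both mistakes from these threads: a CNAME target without its trailing
# dot, and a CNAME placed on the bare domain.
BROKEN_ZONE = """\
www 10800 IN CNAME app.herokuapp.com
@ 10800 IN CNAME app.herokuapp.com.
"""
# Constructed fix: ALIAS on the apex (herokudns target as quoted in the last answer).
FIXED_ZONE = """\
@ 10800 IN ALIAS stormy-squirrel-xe57il0fhyuauzta3noapg1h.herokudns.com.
www 10800 IN CNAME app.herokuapp.com.
"""


class Record(NamedTuple):
    line: int
    name: str
    rtype: str
    target: str  # last field; for MX that is the exchange host


def parse_zone(text: str) -> list[Record]:
    """Parse 'name ttl IN type value...' lines; anything else is skipped."""
    records = []
    for no, raw in enumerate(text.splitlines(), 1):
        f = raw.split()
        if len(f) >= 5 and f[2].upper() == "IN":
            records.append(Record(no, f[0], f[3].upper(), f[-1]))
    return records


def qualify(name: str, origin: str) -> str:
    """How a resolver reads a zone name: anything without a trailing dot is relative."""
    if name.endswith("."):
        return name
    return origin + "." if name == "@" else f"{name}.{origin}."


def lint(text: str, origin: str) -> list[str]:
    """Report targets that get silently re-rooted under the zone, and apex CNAMEs."""
    findings = []
    for r in parse_zone(text):
        if r.rtype in ("CNAME", "MX", "ALIAS") and not r.target.endswith("."):
            findings.append(f"line {r.line}: {r.rtype} target {r.target} lacks a trailing "
                            f"dot and resolves as {qualify(r.target, origin)}")
        if r.rtype == "CNAME" and qualify(r.name, origin) == origin + ".":
            findings.append(f"line {r.line}: CNAME on the apex {origin}; use ALIAS or a "
                            "redirect from the bare domain to www")
    return findings
```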
