networking/ipv6vpn
Note: see newer instructions at http://wiki.rooter.is/vpntunnel
Note to self: when remote VPS reboots, run code in “VPS Host-side” section.
TODO: try ifconfig-ipv6 to simplify server setup?
Warning: the method described below is almost certainly massive overkill; OpenVPN can probably be configured to tunnel IPv6 bi-directionally in other ways.
Instructions for properly configuring OpenVPN credentials
VPS Host-side
(based off linode library instructions, but heavily modified)
First off, make sure you have IPv6 correctly configured on the VPS. I added the following to /etc/network/interfaces:
# The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp
up /sbin/ip -6 addr add $VPN_IPV6_ADDR/64 dev eth0
up /sbin/ip -6 route add default via fe80::1 dev eth0
down /sbin/ip -6 addr del $VPN_IPV6_ADDR/64 dev eth0
On the remote host (running Debian wheezy), as root:
apt-get install openvpn udev
cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn
cd /etc/openvpn/easy-rsa/2.0/
# edit vars file, set COUNTRY PROVINCE CITY ORG EMAIL defaults
. vars            # source the variables into the current shell
./clean-all       # wipes the keys/ directory
./build-ca        # override any defaults if you want
./build-key-server $YOURSERVERNAME
./build-key $YOURSITENAME
./build-dh
cd keys
cp ca.crt $YOURSITENAME.crt $YOURSITENAME.key $XFER_TO_SITE
cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn
Then copy the following to /etc/openvpn/server.conf:
# simple machine-machine OpenVPN config file
port 1194
proto udp
dev tun
tun-ipv6
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
;ifconfig fec0::1 fec0::2 # IPv6 addrs not supported...
;route 2600:3c03:e001:1301::/64 fec0::2
script-security 2
up-restart
up-delay
up /usr/local/bin/ipv6_tunnel_up.sh
Create /usr/local/bin/ipv6_tunnel_up.sh:
#!/usr/bin/env sh
# Run by OpenVPN via the "up" directive once tun0 exists.
ip link set tun0 up
# Server end of the point-to-point tunnel; the router end is fec0::2
ip addr add fec0::1/96 dev tun0
# Send the site's /64 down the tunnel to the router
ip route add 2600:3c03:e001:1301::/64 via fec0::2 dev tun0
Then make it executable:
chmod +x /usr/local/bin/ipv6_tunnel_up.sh
Uncomment (or add) the following line in /etc/sysctl.conf (and apply it immediately the first time around with `sysctl -w net.ipv6.conf.all.forwarding=1`):
net.ipv6.conf.all.forwarding=1
Add openvpn to the default service group and bring up the daemon:
update-rc.d openvpn defaults
/etc/init.d/openvpn stop
/etc/init.d/openvpn start
On-site OpenWRT router
You’ll need to have the certificates generated above available locally. Parts of this are much easier to accomplish through the command line…
Configure any radios or other network interfaces first so those firewall rules are set up.
On an OpenWRT router, first install all required IPv6 packages (luci-app-radvd, ip, ip6tables), as well as OpenVPN (luci-app-openvpn):
opkg update
opkg install luci-app-radvd ip ip6tables luci-app-openvpn
Configure radvd with the site’s /64 prefix, and enable on the LAN interface.
Configure OpenVPN; easiest to copy-paste the following to /etc/config/openvpn and scp the credentials to /etc/openvpn:
package openvpn
config openvpn site_client
option enable 1
option client 0
option dev tun
option tun_ipv6 1
option proto udp
list remote "$VPSHOST 1194"
option resolv_retry infinite
option nobind 1
option persist_key 1
option persist_tun 1
option tls_client 1
option ca /etc/openvpn/ca.crt
option cert /etc/openvpn/woods.crt
option key /etc/openvpn/woods.key
option verb 3
option mute 20
option comp_lzo 1
option ping 10
option ping_restart 120
Select “start” in the web interface; for whatever reason this always results in a new configuration being generated, just ignore it. If the status doesn’t change to running, check the system logs (front page, “System Log” sub-tab).
Go to “Network” tab of web interface and create new “wan6” interface with the “tun0” OpenVPN adapter selected. Set the IPv6 address to fec0::2 and the IPv6 gateway to fec0::1. Go to “Firewall Settings” and create a new wan6 firewall zone.
On the radvd tab, set the prefix to the site-specific prefix; enable and keep the lan interface. Enable the lan interface on the top level radvd page also.
To allow unrestricted IPv6 inbound traffic and block outbound IPv4 (but still allow IPv4 connections to the router itself… important!), go to the “Firewall” subtab, edit the “lan” zone, and allow forwarding to wan6 only, as both source and destination.
For IPv6 web UI access, add a static IPv6 address to the LAN interface: $SITEPREFIX::1/64 makes sense. (TODO: does this work?)
Restart the whole kit-and-kaboodle, re-enable openvpn, and see if things work!
If it doesn’t, try watching syslog on both ends while attempting pings, and inspect the addresses and routing tables with ip -6 route and ifconfig.
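As an added example (not from the original page), a small POSIX sh checker for the addresses and routes the instructions above set up on each end; SITEPREFIX is a placeholder for the site's /64, and each check takes the command output as text so it can also be run against a saved dump from the other end.

```shell
#!/bin/sh
# Added example, not part of the original page: sanity-check one end of the
# tunnel described above. SITEPREFIX is a placeholder for the site's /64.
SITEPREFIX="${SITEPREFIX:-2001:db8:1234:5678}"

# Each check takes the text it inspects as an argument, so the same logic
# runs against live command output or a saved copy from the other end.
check_forwarding() {   # $1 = contents of /proc/sys/net/ipv6/conf/all/forwarding
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

check_tun_addr() {     # $1 = expected addr/len, $2 = output of "ip -6 addr show dev tun0"
    printf '%s\n' "$2" | grep -q "inet6 $1 "
}

check_route() {        # $1 = destination, $2 = gateway, $3 = output of "ip -6 route"
    printf '%s\n' "$3" | grep -q "^$1 via $2 dev tun0"
}

tunnel_status() {      # $1 = vps|router; returns 0 only if every check passes
    rc=0
    case "$1" in
        vps)    addr=fec0::1/96; dst="$SITEPREFIX::/64"; gw=fec0::2 ;;
        router) addr=fec0::2/96; dst=default;            gw=fec0::1 ;;
        *) echo "usage: tunnel_status vps|router" >&2; return 2 ;;
    esac
    check_forwarding "$(cat /proc/sys/net/ipv6/conf/all/forwarding 2>/dev/null)" \
        || { echo "FAIL: net.ipv6.conf.all.forwarding is not 1"; rc=1; }
    check_tun_addr "$addr" "$(ip -6 addr show dev tun0 2>/dev/null)" \
        || { echo "FAIL: tun0 does not carry $addr"; rc=1; }
    check_route "$dst" "$gw" "$(ip -6 route 2>/dev/null)" \
        || { echo "FAIL: no route '$dst via $gw dev tun0'"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $1 side matches the expected setup"
    return "$rc"
}

# Run the live checks only when a role is given on the command line
[ $# -eq 0 ] || tunnel_status "$1"
```

Run it as `sh tunnel_check.sh vps` on the VPS and `sh tunnel_check.sh router` on the OpenWRT box (with SITEPREFIX exported); a non-zero exit tells you which of the three pieces the up script or LuCI did not put in place.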
TCP Follow Up
With the above configuration (based on UDP), I would eventually (after a few days) get “TLS Error: local/remote TLS keys are out of sync” errors and need to restart both ends.
I’m now testing with TCP (“option proto tcp-client” on the client and “proto tcp-server” on the VPS server).
Lazy plaintext no-config Method (raw, for historical reference)
http://serverfault.com/questions/231950/openvpn-ipv6-tunnel-radvd
http://wiki.openwrt.org/doc/howto/ipv6.essentials
On $VPSHOST:
sysctl -w net.ipv6.conf.all.forwarding=1
# not sure why this is required...
ip -6 route add default via fe80::1 dev eth0
openvpn --dev tun --tun-ipv6 --daemon
# wait...
ip link set tun0 up
ip addr add fec0::1/96 dev tun0
ip route add $SITEPREFIX::/64 via fec0::2 dev tun0
On router:
# install all required packages
sysctl -w net.ipv6.conf.all.forwarding=1
openvpn --remote $VPSHOST --dev tun --tun-ipv6 --daemon
# wait...
ip link set tun0 up
ip addr add fec0::2/96 dev tun0
ip route add default via fec0::1 dev tun0
# edit /etc/config/radvd
ip addr add $SITEPREFIX::/64 dev br-lan
The lazy trick was to just use the OpenWRT LuCI interface and set up a wan6 firewall interface (enclosing tun0) instead of trying to do everything with the ip command.
Reference
After writing this, I found https://www.zagbot.com/openvpn_ipv6_tunnel.html