From af6b57370f37d6bf2cff0164569fe1d88e4ae70b Mon Sep 17 00:00:00 2001
From: bnewbold
Date: Tue, 5 Jun 2012 21:07:10 -0400
Subject: crude ipv6 tunnel via openvpn
---
networking/ipv6vpn.page | 150 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 150 insertions(+)
create mode 100644 networking/ipv6vpn.page
(limited to 'networking')
diff --git a/networking/ipv6vpn.page b/networking/ipv6vpn.page
new file mode 100644
index 0000000..4aef252
--- /dev/null
+++ b/networking/ipv6vpn.page
@@ -0,0 +1,150 @@
+
+Warning: the method described below is almost certainly massive overkill;
+OpenVPN can probably be configured to tunnel IPv6 bi-directionally in other
+ways.
+
+
+# Instructions for properly configuring OpenVPN credentials
+
+## VPS Host-side
+
+(based off
+[http://library.linode.com/networking/openvpn/debian-6-squeeze](linode library)
+instructions, but heavily modified)
+
+On the remote host (runing debian wheezy), as root:
+
+ apt-get install openvpn udev
+ cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn
+ cd /etc/openvpn/easy-rsa/2.0/keys/
+ # edit vars file, set COUNTRY PROVINCE CITY ORG EMAIL defaults
+ . vars
+ . clean-all
+ . build-ca # override any defaults if you want
+ . build-key-server $YOURSERVERNAME
+ . build-key $YOURSITENAME
+ . build-dh
+ cd keys
+ cp ca.crt $YOURSITENAME.crt $YOURSITENAME.key $XFER_TO_SITE
+ cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn
+
+Then copy the following to /etc/openvpn/server.conf:
+
+ # simple machine-machine OpenVPN config file
+ port 1194
+ proto udp
+ dev tun
+ tun-ipv6
+
+Add openvpn to the default service group and bring up the daemon:
+
+ update-rc.d openvpn defaults
+ /etc/init.d/openvpn stop
+ /etc/init.d/openvpn start
+
+The tun0 interface comes up "bare" and not active by default; the following
+should be added to a post-init script, but for now just run it by hand:
+
+ ip link set tun0 up
+ ip addr add fec0::1/96 dev tun0
+ ip route add $SITE_PREFIX::/64 via fec0::2 dev tun0
+
+## On-site OpenWRT router
+
+You'll need to have the certificates generated above available locally.
+Parts of this are much easier to accomplish through the command line...
+
+Configure any radios or other network interfaces first so those firewall rules
+are set up.
+
+On an OpenWRT router, first install all required IPv6 packages (luci-app-radvd,
+ip, ip6tables), as well as OpenVPN (luci-app-openvpn):
+
+ opkg update
+ opkg install luci-app-radvd ip ip6tables luci-app-openvpn
+
+Configure radvd with the site's /64 prefix, and enable on the LAN interface.
+
+Configure OpenVPN; easiest to copy-paste the following to /etc/config/openvpn
+and scp credentials to /etc/openvpn:
+
+ package openvpn
+
+ config openvpn site_client
+ option enable 1
+ option client 0
+ option dev tun
+ option tun_ipv6 1
+ option proto udp
+ list remote "$VPSHOST 1194"
+ option resolv_retry infinite
+ option nobind 1
+ option persist_key 1
+ option persist_tun 1
+ option tls_client 1
+ option ca /etc/openvpn/ca.crt
+ option cert /etc/openvpn/woods.crt
+ option key /etc/openvpn/woods.key
+ option verb 3
+ option mute 20
+ option comp_lzo 1
+
+Select "start" in the web interface; for whatever reason this always results in
+a new configuration being generated, just ignore it. If the status doesn't
+change to running, check the system logs (front page, "System Log" sub-tab).
+
+Go to "Network" tab of web interface and create new "wan6" interface with the
+"tun0" OpenVPN adapter selected. Set the IPv6 address to fec0::2 and the IPv6
+gateway to fec0:;1. Go to "Firewall Settings" and create a new wan6 firewall
+zone.
+
+On the radvd tab, set the prefix to the site-specific prefix; enable and keep
+the lan interface. Enable the lan interface on the top level radvd page also.
+
+To allow unrestricted IPv6 inbound traffic and block outbound IPv4 (but allow
+IPv4 connections to the router... imporant!), go to the "Firewall" subtab, edit
+the "lan" zone, and allow forwarding to wan6 only as both source and
+destination.
+
+For IPv6 web ui access, add a static IPv6 address to the LAN interface:
+$SITEPREFIX::1/64 makes sense. (TODO: does this work?)
+
+Restart the whole kit-and-kaboodle, re-enable openvpn, and see if things work!
+
+If it doesn't, try watching syslog on both ends while attempting pings, and
+inspect the addresses and routing tables with ``ip -6 route`` and ``ifconfig``.
+
+# Lazy plaintext no-config Method (raw, for historical reference)
+
+http://serverfault.com/questions/231950/openvpn-ipv6-tunnel-radvd
+
+http://wiki.openwrt.org/doc/howto/ipv6.essentials
+
+On $VPSHOST:
+
+ sysctl -w net.ipv6.conf.all.forwarding=1
+ # not sure why this is required...
+ ip -6 route add default via fe80::1 dev eth0
+ openvpn --dev tun --tun-ipv6 --daemon
+ # wait...
+ ip link set tun0 up
+ ip addr add fec0::1/96 dev tun0
+ ip route add $SITEPREFIX::/64 via fec0::2 dev tun0
+
+On router:
+
+ # install all required packages
+ sysctl -w net.ipv6.conf.all.forwarding=1
+ openvpn --remote $VPSHOST --dev tun --tun-ipv6 --daemon
+ # wait...
+ ip link set tun0 up
+ ip addr add fec0::2/96 dev tun0
+ ip route add default via fec0::1 dev tun0
+
+ # edit /etc/config/radvd
+ ip addr add $SITEPREFIX::/64 dev br-lan
+
+The lazy trick was to just use the OpenWRT LuCi interface and set up a wan6
+firewall interface (enclosing tun0) instead of trying to do everything with the
+``ip`` command.
+
-- cgit v1.2.3