
On the server side, install OpenVPN 2.3 (beta) from:

    http://repos.openvpn.net/repos/apt/squeeze-snapshots/

On the router, install the openvpn-devel ipkg package.

## Server Configuration

/etc/openvpn/server.conf:

    script-security 2
    ;local a.b.c.d
    port 1194

    dev tun0
    tun-ipv6
    tls-server
    mode server
    proto tcp-server
    up-restart
    ifconfig-ipv6 fec0::1/64 fec0::1
    route-ipv6 2600:3c03:e001:1300::/56 fec0::1
    ;server-ipv6 2600:3c03:e001:1300::1/64
    server 10.4.0.0 255.255.0.0

    ;ifconfig-pool-persist ipp.txt 0
    ccd-exclusive
    client-config-dir /etc/openvpn/clients

    comp-lzo
    persist-key
    persist-tun
    status openvpn-status.log
    log-append  openvpn.log

Create /etc/openvpn/clients and add one file per client, named after the client
certificate's common name, specifying the IPv6 prefixes routed to that client
(because of `ccd-exclusive`, a client without a matching file is refused). For
example, /etc/openvpn/clients/ttt:

    iroute-ipv6 2600:3c03:e001:1302::/64 fec0::1

If you must have IPv4 routing with NAT, also add:

    iroute 10.4.0.10 10.4.0.1
    iroute-ipv6 2600:3c03:e001:1303::/64 fec0::1
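Two mistakes that silently break this per-client routing are an `iroute-ipv6` prefix that lies outside the server's `route-ipv6` block (the kernel has no route sending it into the tunnel) and two ccd files claiming overlapping prefixes (one client would receive the other's traffic). The checker below is an added example, not part of the original page: it parses these directives from constructed sample text modelled on the configs above (the client names and the deliberately broken "rogue" entries are made up) and only examines the IPv6 directives.

```python
import ipaddress

# Constructed sample input modelled on the page's server.conf and ccd files
# (the "rogue" entries are deliberately broken to exercise the checks).
SERVER_CONF = """
route-ipv6 2600:3c03:e001:1300::/56 fec0::1
;server-ipv6 2600:3c03:e001:1300::1/64
server 10.4.0.0 255.255.0.0
"""
CCD_FILES = {
    "ttt": "iroute-ipv6 2600:3c03:e001:1302::/64 fec0::1\n",
    "laptop": "iroute 10.4.0.10 10.4.0.1\niroute-ipv6 2600:3c03:e001:1303::/64 fec0::1\n",
    "rogue": ("iroute-ipv6 2001:db8:ffff::/64 fec0::1\n"          # outside the routed /56
              "iroute-ipv6 2600:3c03:e001:1302::/64 fec0::1\n"),  # already claimed by ttt
}

def parse_prefixes(text, keyword):
    """Return the network operand of every `keyword` line; ';' and '#' comment lines are skipped."""
    nets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0][0] in ";#" or parts[0] != keyword:
            continue
        nets.append(ipaddress.ip_network(parts[1], strict=False))
    return nets

def check_ccd(server_conf, ccd_files):
    """Return (client, problem) tuples; an empty list means the ccd set is consistent."""
    routed = parse_prefixes(server_conf, "route-ipv6")
    problems, claimed = [], []
    for client, text in ccd_files.items():
        for net in parse_prefixes(text, "iroute-ipv6"):
            # An iroute-ipv6 only takes effect if the kernel routes the prefix into the
            # tunnel, i.e. it must lie inside one of the server's route-ipv6 prefixes.
            if not any(r.version == net.version and net.subnet_of(r) for r in routed):
                problems.append((client, f"{net} not inside any route-ipv6 prefix"))
            # Two clients claiming overlapping prefixes would let one receive the
            # other's traffic, so every claimed prefix must be disjoint.
            for other_client, other in claimed:
                if net.overlaps(other):
                    problems.append((client, f"{net} overlaps {other} of {other_client}"))
            claimed.append((client, net))
    return problems

if __name__ == "__main__":
    for client, problem in check_ccd(SERVER_CONF, CCD_FILES):
        print(f"{client}: {problem}")
```

To use it against a real deployment, read server.conf and the files in the client-config-dir into the two inputs instead of the constructed strings.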

## rooter Configuration

/etc/openvpn/client.conf:

    verb 3
    mute 20

    client
    pull
    dev tun0
    tun-ipv6 1
    proto tcp-client
    tls-client

    remote sniffles.rooter.is 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca /etc/openvpn/rooter_ca.crt
    cert /etc/openvpn/ttt.crt
    key /etc/openvpn/ttt.key

    comp-lzo yes
    ping 10
    ping-restart 120

Go to the "Network" tab of the web interface and create a new "wan6" interface
with the "tun0" OpenVPN adapter selected. Set the IPv6 address to fec0::2/64 and
the IPv6 gateway to fec0::1 (also, if not already set, use static address
configuration and disable router advertisements (RA)). Go to the firewall tab of
the "wan6" settings and add the wan6 interface to the "wan" firewall zone. Edit
the "lan" interface and add the ::1 address of the delegated /64 as its IPv6
address (no gateway is needed).

To *allow* inbound IPv6, create a new "wan6" zone, move the wan6 interface into
it, and create an allow firewall rule from wan6 -> lan.

## Devices

Linux hosts on the LAN should enable IPv6 privacy extensions (temporary addresses) via sysctl:

    net.ipv6.conf.all.use_tempaddr = 2
    net.ipv6.conf.default.use_tempaddr = 2

## References

- http://www.greenie.net/ipv6/openvpn.html
- https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage