On the server side, install OpenVPN 2.3 (beta):

http://repos.openvpn.net/repos/apt/squeeze-snapshots/

On the router, install the openvpn-devel ipkg.

## Server Configuration

/etc/openvpn/server.conf:

    script-security 2
    ;local a.b.c.d
    port 1194
    dev tun0
    tun-ipv6
    tls-server
    mode server
    proto tcp-server
    up-restart
    ifconfig-ipv6 fec0::1/64 fec0::1
    route-ipv6 2600:3c03:e001:1300::/56 fec0::1
    ;server-ipv6 2600:3c03:e001:1300::1/64
    server 10.4.0.0 255.255.0.0
    ;ifconfig-pool-persist ipp.txt 0
    ccd-exclusive
    client-config-dir /etc/openvpn/clients
    comp-lzo
    persist-key
    persist-tun
    status openvpn-status.log
    log-append openvpn.log

Run `mkdir /etc/openvpn/clients` and add files specifying routed IPv6 prefixes, like
/etc/openvpn/ttt:

    iroute-ipv6 2600:3c03:e001:1302::/64 fec0::1

If you must have IPv4 routing with NAT:

    iroute 10.4.0.10 10.4.0.1
    iroute-ipv6 2600:3c03:e001:1303::/64 fec0::1

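
A consistency check for the per-client files above, as an added example that is not part of the original page: it verifies that every `iroute-ipv6` prefix lies inside the server's `route-ipv6` block and that no two clients claim overlapping prefixes. The client name `uuu` and the inline sample strings are constructed for illustration; in practice the strings would be read from the server config and the files in `client-config-dir`.

```python
import ipaddress

# Constructed sample input mirroring the directives shown on this page.
SERVER_CONF = """\
route-ipv6 2600:3c03:e001:1300::/56 fec0::1
;server-ipv6 2600:3c03:e001:1300::1/64
client-config-dir /etc/openvpn/clients
"""
# Client name -> contents of its client-config-dir file ("uuu" is hypothetical).
CCD_FILES = {
    "ttt": "iroute-ipv6 2600:3c03:e001:1302::/64 fec0::1\n",
    "uuu": "iroute 10.4.0.10 10.4.0.1\n"
           "iroute-ipv6 2600:3c03:e001:1303::/64 fec0::1\n",
}

def directives(text, name):
    """Yield the argument list of each `name` directive.

    Commented-out lines never match: their first token starts with ';' or '#'.
    """
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == name:
            yield parts[1:]

def audit(server_conf, ccd_files):
    """Return findings as strings; an empty list means the prefixes are consistent."""
    routed = [ipaddress.IPv6Network(a[0]) for a in directives(server_conf, "route-ipv6")]
    findings, seen = [], []
    for client, text in sorted(ccd_files.items()):
        for args in directives(text, "iroute-ipv6"):
            try:
                net = ipaddress.IPv6Network(args[0])  # strict: host bits must be zero
            except (IndexError, ValueError) as exc:
                findings.append(f"{client}: invalid iroute-ipv6 prefix ({exc})")
                continue
            if not any(net.subnet_of(r) for r in routed):
                findings.append(f"{client}: {net} is outside every route-ipv6 prefix")
            for other, other_net in seen:
                if other != client and net.overlaps(other_net):
                    findings.append(f"{client}: {net} overlaps {other_net} ({other})")
            seen.append((client, net))
    return findings

if __name__ == "__main__":
    for finding in audit(SERVER_CONF, CCD_FILES) or ["ok: all iroute-ipv6 prefixes consistent"]:
        print(finding)
```
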
## rooter Configuration

/etc/openvpn/client.conf:

    verb 3
    mute 20
    client
    pull
    dev tun0
    tun-ipv6 1
    proto tcp-client
    tls-client
    remote sniffles.rooter.is 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca /etc/openvpn/rooter_ca.crt
    cert /etc/openvpn/ttt.crt
    key /etc/openvpn/ttt.key
    comp-lzo yes
    ping 10
    ping-restart 120

Go to the "Network" tab of the web interface and create a new "wan6" interface with the
"tun0" OpenVPN adapter selected. Set the IPv6 address to fec0::2/64 and the IPv6
gateway to fec0::1. If not already specified, also use static address configuration
and disable router advertisements (RA). Go to the firewall tab of the "wan6"
settings and add the wan6 interface to the "wan" firewall zone. Edit the "lan"
interface and add the ::1 address for the delegated /64 as the IPv6 address
(you don't need to set a gateway).

To *allow* inbound IPv6, create a new "wan6" zone, move the wan6 interface into
it, and create an allow firewall rule from wan6 -> lan.

## Devices
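
Linux machines will want to ensure that the following sysctls are set, which enables IPv6 temporary (privacy) addresses and prefers them over the stable address:

    net.ipv6.conf.all.use_tempaddr = 2
    net.ipv6.conf.default.use_tempaddr = 2
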
## References
- http://www.greenie.net/ipv6/openvpn.html
- https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage