summaryrefslogtreecommitdiffstats
path: root/networking
diff options
context:
space:
mode:
Diffstat (limited to 'networking')
-rw-r--r--networking/ipv6vpn.page150
1 files changed, 150 insertions, 0 deletions
diff --git a/networking/ipv6vpn.page b/networking/ipv6vpn.page
new file mode 100644
index 0000000..4aef252
--- /dev/null
+++ b/networking/ipv6vpn.page
@@ -0,0 +1,150 @@
+
+Warning: the method described below is almost certainly massive overkill;
+OpenVPN can probably be configured to tunnel IPv6 bi-directionally in other
+ways.
+
+
+# Instructions for properly configuring OpenVPN credentials
+
+## VPS Host-side
+
+(based off
+[http://library.linode.com/networking/openvpn/debian-6-squeeze](linode library)
+instructions, but heavily modified)
+
+On the remote host (runing debian wheezy), as root:
+
+ apt-get install openvpn udev
+ cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn
+ cd /etc/openvpn/easy-rsa/2.0/keys/
+ # edit vars file, set COUNTRY PROVINCE CITY ORG EMAIL defaults
+ . vars
+ . clean-all
+ . build-ca # override any defaults if you want
+ . build-key-server $YOURSERVERNAME
+ . build-key $YOURSITENAME
+ . build-dh
+ cd keys
+ cp ca.crt $YOURSITENAME.crt $YOURSITENAME.key $XFER_TO_SITE
+ cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn
+
+Then copy the following to /etc/openvpn/server.conf:
+
+ # simple machine-machine OpenVPN config file
+ port 1194
+ proto udp
+ dev tun
+ tun-ipv6
+
+Add openvpn to the default service group and bring up the daemon:
+
+ update-rc.d openvpn defaults
+ /etc/init.d/openvpn stop
+ /etc/init.d/openvpn start
+
+The tun0 interface comes up "bare" and not active by default; the following
+should be added to a post-init script, but for now just run it by hand:
+
+ ip link set tun0 up
+ ip addr add fec0::1/96 dev tun0
+ ip route add $SITE_PREFIX::/64 via fec0::2 dev tun0
+
+## On-site OpenWRT router
+
+You'll need to have the certificates generated above available locally.
+Parts of this are much easier to accomplish through the command line...
+
+Configure any radios or other network interfaces first so those firewall rules
+are set up.
+
+On an OpenWRT router, first install all required IPv6 packages (luci-app-radvd,
+ip, ip6tables), as well as OpenVPN (luci-app-openvpn):
+
+ opkg update
+ opkg install luci-app-radvd ip ip6tables luci-app-openvpn
+
+Configure radvd with the site's /64 prefix, and enable on the LAN interface.
+
+Configure OpenVPN; easiest to copy-paste the following to /etc/config/openvpn
+and scp credentials to /etc/openvpn:
+
+ package openvpn
+
+ config openvpn site_client
+ option enable 1
+ option client 0
+ option dev tun
+ option tun_ipv6 1
+ option proto udp
+ list remote "$VPSHOST 1194"
+ option resolv_retry infinite
+ option nobind 1
+ option persist_key 1
+ option persist_tun 1
+ option tls_client 1
+ option ca /etc/openvpn/ca.crt
+ option cert /etc/openvpn/woods.crt
+ option key /etc/openvpn/woods.key
+ option verb 3
+ option mute 20
+ option comp_lzo 1
+
+Select "start" in the web interface; for whatever reason this always results in
+a new configuration being generated, just ignore it. If the status doesn't
+change to running, check the system logs (front page, "System Log" sub-tab).
+
+Go to "Network" tab of web interface and create new "wan6" interface with the
+"tun0" OpenVPN adapter selected. Set the IPv6 address to fec0::2 and the IPv6
+gateway to fec0:;1. Go to "Firewall Settings" and create a new wan6 firewall
+zone.
+
+On the radvd tab, set the prefix to the site-specific prefix; enable and keep
+the lan interface. Enable the lan interface on the top level radvd page also.
+
+To allow unrestricted IPv6 inbound traffic and block outbound IPv4 (but allow
+IPv4 connections to the router... imporant!), go to the "Firewall" subtab, edit
+the "lan" zone, and allow forwarding to wan6 only as both source and
+destination.
+
+For IPv6 web ui access, add a static IPv6 address to the LAN interface:
+$SITEPREFIX::1/64 makes sense. (TODO: does this work?)
+
+Restart the whole kit-and-kaboodle, re-enable openvpn, and see if things work!
+
+If it doesn't, try watching syslog on both ends while attempting pings, and
+inspect the addresses and routing tables with ``ip -6 route`` and ``ifconfig``.
+
+# Lazy plaintext no-config Method (raw, for historical reference)
+
+http://serverfault.com/questions/231950/openvpn-ipv6-tunnel-radvd
+
+http://wiki.openwrt.org/doc/howto/ipv6.essentials
+
+On $VPSHOST:
+
+ sysctl -w net.ipv6.conf.all.forwarding=1
+ # not sure why this is required...
+ ip -6 route add default via fe80::1 dev eth0
+ openvpn --dev tun --tun-ipv6 --daemon
+ # wait...
+ ip link set tun0 up
+ ip addr add fec0::1/96 dev tun0
+ ip route add $SITEPREFIX::/64 via fec0::2 dev tun0
+
+On router:
+
+ # install all required packages
+ sysctl -w net.ipv6.conf.all.forwarding=1
+ openvpn --remote $VPSHOST --dev tun --tun-ipv6 --daemon
+ # wait...
+ ip link set tun0 up
+ ip addr add fec0::2/96 dev tun0
+ ip route add default via fec0::1 dev tun0
+
+ # edit /etc/config/radvd
+ ip addr add $SITEPREFIX::/64 dev br-lan
+
+The lazy trick was to just use the OpenWRT LuCi interface and set up a wan6
+firewall interface (enclosing tun0) instead of trying to do everything with the
+``ip`` command.
+