From 6d7cbbecc893ea725fdd6fc9c54c4f9ac16e647d Mon Sep 17 00:00:00 2001 From: bnewbold Date: Mon, 10 Sep 2012 23:36:17 +0200 Subject: robustness changes --- networking/ipv6vpn.page | 39 +++++++++++++++++++++++++++++---------- 1 file changed, 29 insertions(+), 10 deletions(-) diff --git a/networking/ipv6vpn.page b/networking/ipv6vpn.page index de33f38..129f15d 100644 --- a/networking/ipv6vpn.page +++ b/networking/ipv6vpn.page @@ -14,6 +14,16 @@ ways. [http://library.linode.com/networking/openvpn/debian-6-squeeze](linode library) instructions, but heavily modified) +First off, make sure you have IPv6 correctly configured on the VPS. I added the +following to /etc/network/interfaces: + + # The primary network interface + allow-hotplug eth0 + iface eth0 inet dhcp + up /sbin/ip -6 addr add $VPN_IPV6_ADDR/64 dev eth0 + up /sbin/ip -6 route add default via fe80::1 dev eth0 + down /sbin/ip -6 addr del $VPN_IPV6_ADDR/64 dev eth0 + On the remote host (runing debian wheezy), as root: apt-get install openvpn udev @@ -47,8 +57,23 @@ Then copy the following to /etc/openvpn/server.conf: persist-tun status openvpn-status.log verb 3 - ;ifconfig fec0::1 fec0::2 + ;ifconfig fec0::1 fec0::2 # IPv6 addrs not supported... ;route 2600:3c03:e001:1301::/64 fec0::2 + script-security 2 + up-restart + up-delay + up /usr/local/bin/ipv6_tunnel_up.sh + +Create /usr/local/bin/ipv6_tunnel_up.sh: + +Then make it executable: + + chmod +x /usr/local/bin/ipv6_tunnel_up.sh + +Uncomment (or add) the following line in /etc/sysctl.conf (also execute this +with ```sysctl -w`` the first time around): + + net.ipv6.conf.all.forwarding=1 Add openvpn to the default service group and bring up the daemon: 
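Review bot: In the server.conf hunk, the step "Create /usr/local/bin/ipv6_tunnel_up.sh:" is followed directly by "Then make it executable:", so the body of the script that the new `up` directive runs is never shown. It presumably holds the `ip link set tun0 up`, `ip addr add fec0::1/96 dev tun0` and `ip route add $SITE_PREFIX::/64 via fec0::2 dev tun0` commands that this commit removes from the "run it by hand" paragraph, and the page should list it. Because `script-security 2` lets the OpenVPN daemon execute that file, the instructions should also make it root-owned and not writable by others, for example `chown root:root /usr/local/bin/ipv6_tunnel_up.sh` and `chmod 755 /usr/local/bin/ipv6_tunnel_up.sh` instead of the bare `chmod +x`. The new `net.ipv6.conf.all.forwarding=1` step makes the routed /64 globally reachable through the VPS, so it deserves a sentence telling the reader to have ip6tables FORWARD rules, or the wan6 firewall zone described later on the page, in place before enabling it. The inline code around `sysctl -w` in the same paragraph opens with three backticks and closes with two, which will render incorrectly.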
@@ -56,15 +81,6 @@ Add openvpn to the default service group and bring up the daemon: /etc/init.d/openvpn stop /etc/init.d/openvpn start -The tun0 interface comes up "bare" and not active by default; the following -should be added to a post-init script, but for now just run it by hand: - - sysctl -w net.ipv6.conf.all.forwarding=1 - ip -6 route add default via fe80::1 dev eth0 - ip link set tun0 up - ip addr add fec0::1/96 dev tun0 - ip route add $SITE_PREFIX::/64 via fec0::2 dev tun0 - ## On-site OpenWRT router You'll need to have the certificates generated above available locally. @@ -175,3 +191,6 @@ The lazy trick was to just use the OpenWRT LuCi interface and set up a wan6 firewall interface (enclosing tun0) instead of trying to do everything with the ``ip`` command. +# Reference + +After writing this, I found: https://www.zagbot.com/openvpn_ipv6_tunnel.html -- cgit v1.2.3