path: root/networking/ipv6vpn.page
blob: dcb90fb36c0ab94c4b6d6e415f81083c297bf4b4 (plain)

*Note: see newer instructions at http://wiki.rooter.is/vpntunnel*

Note to self: when remote VPS reboots, run code in "VPS Host-side" section.

TODO: try ifconfig-ipv6 to simplify server setup?

Warning: the method described below is almost certainly massive overkill;
OpenVPN can probably be configured to tunnel IPv6 bi-directionally in other
ways.


# Instructions for properly configuring OpenVPN credentials

## VPS Host-side

(based off
[linode library](http://library.linode.com/networking/openvpn/debian-6-squeeze)
instructions, but heavily modified)

First off, make sure you have IPv6 correctly configured on the VPS. The static
default route via the provider's link-local gateway matters: once IPv6
forwarding is enabled (see the sysctl step below) the kernel stops accepting
router advertisements on eth0 unless `net.ipv6.conf.eth0.accept_ra=2`, so an
RA-learned default route would silently disappear. I added the following to
/etc/network/interfaces:

    # The primary network interface
    allow-hotplug eth0
    iface eth0 inet dhcp
        up /sbin/ip -6 addr add $VPN_IPV6_ADDR/64 dev eth0
        up /sbin/ip -6 route add default via fe80::1 dev eth0
        down /sbin/ip -6 addr del $VPN_IPV6_ADDR/64 dev eth0

On the remote host (running Debian wheezy), as root:

    apt-get install openvpn udev
    cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn
    cd /etc/openvpn/easy-rsa/2.0/
    # edit vars file, set COUNTRY PROVINCE CITY ORG EMAIL defaults; also raise
    # KEY_SIZE from its 1024 default to 2048 (build-dh then writes dh2048.pem,
    # and the `dh` line in server.conf below must be changed to match)
    . ./vars
    ./clean-all
    ./build-ca # override any defaults if you want
    ./build-key-server $YOURSERVERNAME   # server.conf below assumes "server"
    ./build-key $YOURSITENAME
    ./build-dh
    cd keys
    # hand the site its own cert/key plus the CA cert, over scp/ssh only
    cp ca.crt $YOURSITENAME.crt $YOURSITENAME.key $XFER_TO_SITE
    # the daemon never needs ca.key (it only signs new certs); keep it off
    # the OpenVPN server, and copy the DH file that build-dh actually wrote
    cp ca.crt dh${KEY_SIZE}.pem $YOURSERVERNAME.crt $YOURSERVERNAME.key /etc/openvpn

Then copy the following to `/etc/openvpn/server.conf`:

    # simple machine-machine OpenVPN config file
    port 1194
    proto udp
    dev tun
    tun-ipv6
    ca ca.crt
    cert server.crt
    key server.key
    dh dh1024.pem
    keepalive 10 120
    comp-lzo
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
    ;ifconfig fec0::1 fec0::2 # IPv6 addrs not supported...
    ;route 2600:3c03:e001:1301::/64 fec0::2
    script-security 2
    up-restart
    up-delay
    up /usr/local/bin/ipv6_tunnel_up.sh

Three things worth knowing about this config. `comp-lzo` turns on compression,
which lets an attacker who can inject plaintext into the tunnel (any web page a
LAN host fetches) recover secrets from packet sizes (the VORACLE class of
attacks); drop it unless you need it. Nothing here pairs the handshake with a
pre-shared `tls-auth`/`tls-crypt` key or requires client certificates to carry
the client role (`remote-cert-tls client`), so the port answers TLS handshakes
from anyone and a leaked server cert could be used as a client. And `fec0::/10`
is deprecated site-local space (RFC 3879); a ULA from `fd00::/8` works exactly
the same and is what a new setup should use.

Create `/usr/local/bin/ipv6_tunnel_up.sh`:

    #!/usr/bin/env sh
    # OpenVPN passes the tunnel device name as $1 to an `up` script, so don't
    # hard-code tun0. With `up-restart` this runs on every reconnect, and a
    # failing `ip addr add` ("File exists") would abort OpenVPN, hence `replace`.
    dev="${1:-tun0}"
    ip link set "$dev" up
    ip addr replace fec0::1/96 dev "$dev"
    ip route replace 2600:3c03:e001:1301::/64 via fec0::2 dev "$dev"

Then make it executable:

    chmod +x /usr/local/bin/ipv6_tunnel_up.sh

Uncomment (or add) the following line in /etc/sysctl.conf (also execute this
with ``sysctl -w`` the first time around):

    net.ipv6.conf.all.forwarding=1

Add openvpn to the default service group and bring up the daemon:

    update-rc.d openvpn defaults
    /etc/init.d/openvpn stop
    /etc/init.d/openvpn start
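Before starting the daemon it is worth checking the config for the weak settings noted above. The following is an added example, not code from the original page: it parses OpenVPN config syntax (honouring `#` and `;` comments, so the commented-out `ifconfig` line does not count as present) and reports compression, missing `tls-auth`/`tls-crypt`, short DH parameters and missing certificate-role checks. The two sample configs are constructed here: the first is the page's server.conf, the second is the router's UCI stanza from the OpenWRT section below rendered in plain OpenVPN syntax with a placeholder hostname; the hardened variant is also constructed, not from the page.

```python
"""Audit OpenVPN configs for the weak settings this page's setup leaves in place.

Added example, not code from the original page. Sample configs are
constructed inline; nothing is read from disk.
"""
import re

# Constructed sample: the page's server.conf, minus the route comment.
SERVER_CONF = """\
port 1194
proto udp
dev tun
tun-ipv6
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
;ifconfig fec0::1 fec0::2 # IPv6 addrs not supported...
script-security 2
up-restart
up /usr/local/bin/ipv6_tunnel_up.sh
"""

# Constructed sample: the router's UCI stanza as plain OpenVPN syntax
# (vps.example.invalid stands in for $VPSHOST).
CLIENT_CONF = """\
dev tun
tun-ipv6
proto udp
remote vps.example.invalid 1194
resolv-retry infinite
nobind
persist-key
persist-tun
tls-client
ca /etc/openvpn/ca.crt
cert /etc/openvpn/woods.crt
key /etc/openvpn/woods.key
comp-lzo
ping 10
ping-restart 120
"""

# Constructed hardened variant of the server config: compression off, 2048-bit
# DH, a tls-crypt key, and the client-role check turned on.
HARDENED_SERVER_CONF = SERVER_CONF.replace("comp-lzo\n", "").replace(
    "dh dh1024.pem", "dh dh2048.pem") + "tls-crypt ta.key\nremote-cert-tls client\n"


def parse_openvpn(text):
    """Map directive -> list of argument lists for active lines.

    OpenVPN treats '#' and ';' as comment introducers, so the page's
    ';ifconfig ...' line must not count as present.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def audit(text, role):
    """Return sorted findings for a config; role is 'server' or 'client'."""
    d = parse_openvpn(text)
    findings = []
    if "comp-lzo" in d or "compress" in d:
        findings.append("compression enabled: injected plaintext leaks via packet size (VORACLE); remove comp-lzo")
    if "tls-auth" not in d and "tls-crypt" not in d:
        findings.append("no tls-auth/tls-crypt: the port answers unauthenticated TLS handshakes")
    role_checks = {"remote-cert-tls", "ns-cert-type", "verify-x509-name"}
    if role == "server":
        for args in d.get("dh", []):
            m = re.search(r"dh(\d+)\.pem$", args[0]) if args else None
            if m and int(m.group(1)) < 2048:
                findings.append(f"{args[0]}: {m.group(1)}-bit DH is below 2048 bits")
        if not role_checks.intersection(d):
            findings.append("server accepts any CA-signed cert as a client; add remote-cert-tls client")
    elif not role_checks.intersection(d):
        findings.append("client accepts any CA-signed cert as the server (MITM by another client); add remote-cert-tls server")
    return sorted(findings)


if __name__ == "__main__":
    for name, conf, role in (("server", SERVER_CONF, "server"),
                             ("client", CLIENT_CONF, "client"),
                             ("hardened", HARDENED_SERVER_CONF, "server")):
        print(name, audit(conf, role) or ["ok"])
```

The client-side finding is the one that matters most in a two-node setup like this: `build-key-server` marks the server cert with the server role precisely so the client can insist on it, and without `remote-cert-tls server` on the router any other certificate signed by the same CA could stand in for the VPS.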

## On-site OpenWRT router

You'll need to have the certificates generated above available locally.
Parts of this are much easier to accomplish through the command line...

Configure any radios or other network interfaces first so those firewall rules
are set up.

On an OpenWRT router, first install all required IPv6 packages (luci-app-radvd,
ip, ip6tables), as well as OpenVPN (luci-app-openvpn):

    opkg update
    opkg install luci-app-radvd ip ip6tables luci-app-openvpn

Configure radvd with the site's /64 prefix, and enable on the LAN interface.

Configure OpenVPN; easiest to copy-paste the following to `/etc/config/openvpn`
and `scp` credentials to `/etc/openvpn`. `woods` is the $YOURSITENAME used
here, so substitute your own; note that UCI option names use underscores where
OpenVPN uses hyphens (the init script converts them when it writes the real
config):

    package openvpn

    config openvpn site_client
            option enable 1
            option client 0
            option dev tun
            option tun_ipv6 1
            option proto udp
            list remote "$VPSHOST 1194"
            option resolv_retry infinite
            option nobind 1
            option persist_key 1
            option persist_tun 1
            option tls_client 1
            option ca /etc/openvpn/ca.crt
            option cert /etc/openvpn/woods.crt
            option key /etc/openvpn/woods.key
            option verb 3
            option mute 20
            option comp_lzo 1
            option ping 10
            option ping_restart 120
 
Select "start" in the web interface; for whatever reason this always results in
a new configuration being generated, which you can ignore. If the status doesn't
change to running, check the system logs (front page, "System Log" sub-tab).

Go to "Network" tab of web interface and create new "wan6" interface with the
"tun0" OpenVPN adapter selected. Set the IPv6 address to fec0::2 and the IPv6
gateway to fec0::1. Go to "Firewall Settings" and create a new wan6 firewall
zone.

On the radvd tab, set the prefix to the site-specific prefix; enable and keep
the lan interface. Enable the lan interface on the top level radvd page also.

To allow unrestricted IPv6 inbound traffic while blocking forwarded IPv4 (but
still allowing IPv4 connections to the router itself... important, or you lock
yourself out!), go to the "Firewall" subtab, edit the "lan" zone, and allow
forwarding to and from wan6 only (wan6 as both source and destination). Be
clear about what "unrestricted inbound" means here: radvd gives every LAN host
a globally routable address, so anything listening on them is reachable from
the whole Internet. If that is not what you want, set the wan6 zone's forward
policy to reject (return traffic for LAN-initiated connections still passes via
the default established/related rules) and open only what you mean to expose.

For IPv6 web ui access, add a static IPv6 address to the LAN interface:
`$SITEPREFIX::1/64` makes sense. (TODO: does this work?)

Restart the whole kit-and-kaboodle, re-enable openvpn, and see if things work!

If it doesn't, try watching syslog on both ends while attempting pings, and
inspect the addresses and routing tables with ``ip -6 route`` and ``ifconfig``.

## TCP Follow Up

With the above configuration (based on UDP), I would eventually (after a few
days) get ``TLS Error: local/remote TLS keys are out of sync`` errors and need
to restart both ends. 

I'm now testing with TCP ("option proto tcp-client" on the client and "proto
tcp-server" on the VPS server).

# Lazy plaintext no-config Method (raw, for historical reference)

<http://serverfault.com/questions/231950/openvpn-ipv6-tunnel-radvd>

<http://wiki.openwrt.org/doc/howto/ipv6.essentials>

On `$VPSHOST` (note that with neither `--secret` nor any TLS options, OpenVPN
tunnels everything as cleartext with no authentication at all, and says so in
a startup warning; this is only good for a throwaway test):

    sysctl -w net.ipv6.conf.all.forwarding=1
    # not sure why this is required...
    ip -6 route add default via fe80::1 dev eth0
    openvpn --dev tun --tun-ipv6 --daemon
    # wait...
    ip link set tun0 up
    ip addr add fec0::1/96 dev tun0
    ip route add $SITEPREFIX::/64 via fec0::2 dev tun0

On router:

    # install all required packages
    sysctl -w net.ipv6.conf.all.forwarding=1
    openvpn --remote $VPSHOST --dev tun --tun-ipv6 --daemon
    # wait...
    ip link set tun0 up
    ip addr add fec0::2/96 dev tun0
    ip route add default via fec0::1 dev tun0

    # edit /etc/config/radvd
    ip addr add $SITEPREFIX::/64 dev br-lan

The lazy trick was to just use the OpenWRT LuCi interface and set up a wan6
firewall interface (enclosing tun0) instead of trying to do everything with the
``ip`` command.
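Both the full instructions and the lazy method above come down to the same four facts: the two tunnel ends share a link net, the VPS routes the site /64 at the router's tunnel address, the router sends everything else back to the VPS's tunnel address, and the router owns an address in the /64 on br-lan. The following is an added example, not code from the original page, that models that topology and checks both ends agree before anything is typed into `ip`, then does a longest-prefix lookup the way the kernel would so you can see where a given packet goes. It assumes the page's endpoints fec0::1 (VPS) and fec0::2 (router) on a /96, uses the documentation prefix 2001:db8:1234:5678::/64 as a constructed stand-in for $SITEPREFIX, puts $SITEPREFIX::1 on br-lan as the page's TODO suggests, and emits `replace` rather than `add` so the commands are safe to re-run.

```python
"""Model the VPS <-> OpenWRT IPv6 tunnel on this page and check that both ends
agree before the addresses and routes are typed into `ip`.

Added example, not code from the original page. The site prefix used in
__main__ and the tests is the RFC 3849 documentation prefix, a constructed
stand-in for $SITEPREFIX.
"""
import ipaddress

SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")   # deprecated by RFC 3879


def tunnel_plan(site_prefix, vps_tun, router_tun, tun_plen=96, dev="tun0"):
    """Return ip(8) commands and route tables for both ends, plus any
    inconsistencies that would leave one side unreachable."""
    prefix = ipaddress.IPv6Network(site_prefix)
    vps = ipaddress.IPv6Interface(f"{vps_tun}/{tun_plen}")
    rtr = ipaddress.IPv6Interface(f"{router_tun}/{tun_plen}")
    problems, warnings = [], []
    if vps.network != rtr.network:
        problems.append(f"tunnel endpoints {vps} and {rtr} are not on one link net")
    if vps.ip == rtr.ip:
        problems.append("both ends use the same tunnel address")
    if prefix.prefixlen != 64:
        problems.append(f"radvd/SLAAC needs a /64 for the LAN, got /{prefix.prefixlen}")
    if prefix.overlaps(vps.network):
        problems.append("site prefix overlaps the tunnel link net")
    if vps.ip in SITE_LOCAL or rtr.ip in SITE_LOCAL:
        warnings.append("fec0::/10 is deprecated site-local space; prefer a ULA under fd00::/8")
    # Router's own LAN address: first host in the prefix (assumption, per the page's TODO).
    lan_addr = ipaddress.IPv6Interface(f"{prefix.network_address + 1}/{prefix.prefixlen}")
    # VPS: the site prefix is reached through the router's tunnel address; the
    # default route (provider's fe80::1 on eth0, as on the page) is unchanged.
    vps_cmds = [
        f"ip link set {dev} up",
        f"ip addr replace {vps} dev {dev}",
        f"ip route replace {prefix} via {rtr.ip} dev {dev}",
    ]
    vps_routes = [("::/0", "fe80::1 dev eth0"), (str(vps.network), f"dev {dev}"),
                  (str(prefix), f"{rtr.ip} dev {dev}")]
    # Router: everything not local goes back through the VPS end of the tunnel.
    router_cmds = [
        f"ip link set {dev} up",
        f"ip addr replace {rtr} dev {dev}",
        f"ip route replace default via {vps.ip} dev {dev}",
        f"ip addr replace {lan_addr} dev br-lan",
    ]
    router_routes = [("::/0", f"{vps.ip} dev {dev}"), (str(rtr.network), f"dev {dev}"),
                     (str(prefix), "dev br-lan")]
    return {"problems": problems, "warnings": warnings,
            "vps": vps_cmds, "vps_routes": vps_routes,
            "router": router_cmds, "router_routes": router_routes}


def next_hop(routes, dst):
    """Longest-prefix match over (network, via) pairs; None if unrouted."""
    dst = ipaddress.IPv6Address(dst)
    best = None
    for net, via in routes:
        net = ipaddress.IPv6Network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


if __name__ == "__main__":
    plan = tunnel_plan("2001:db8:1234:5678::/64", "fec0::1", "fec0::2")
    for side in ("vps", "router"):
        print(f"# {side}")
        print("\n".join(plan[side]))
    for msg in plan["problems"] + plan["warnings"]:
        print("!", msg)
    # A LAN host as seen from the VPS, and a public address as seen from the LAN:
    print(next_hop(plan["vps_routes"], "2001:db8:1234:5678::abcd"))
    print(next_hop(plan["router_routes"], "2001:4860:4860::8888"))
```

The checks are the ones that bit in practice: endpoints on different link nets (a typo in one `/96`) give a route with an unreachable next hop on one side, and a prefix shorter or longer than /64 is something radvd will advertise but hosts will not autoconfigure from.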

# Reference

After writing this, I found <https://www.zagbot.com/openvpn_ipv6_tunnel.html>