OpenVPN – IPv6 with tun device

Note: IPv6 is not supported using OpenVPN on Debian Squeeze (stable). The version used by Debian Wheezy (testing) supports IPv6.

Network setup:
- 192.168.1.0/24 - Local IPv4 network
- 2001:412:abcd::/48 - Local IPv6 network
- 192.168.2.0/24 - Tunnel IPv4 network
- 2001:412:abcd:2::/64 - Tunnel IPv6 network

I have included only the sections of the config files which need amending to enable IPv6 over OpenVPN.

Client Config
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tun
# enable ipv6
tun-ipv6

Server Config
# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tun0
# Enable TUN IPv6 module
tun-ipv6

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 192.168.2.0 255.255.255.0
server-ipv6 2001:412:abcd:2::/64

# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
push "route 192.168.1.0 255.255.255.0"
push "route-ipv6 2001:412:abcd::/48"

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"

# Uncomment to make OpenVPN the default route for IPv6 connectivity
;push "route-ipv6 2000::/3"

IPv6 DNS Advertisements

DNS client configuration can be handled by the standard Router Advertisement Daemon (radvd): apt-get install radvd

Edit /etc/radvd.conf on your Linux router and add the following inside the interface block of the LAN-facing interface (RDNSS is an interface-scoped option, so it must sit within the existing interface { }; section) to advertise Google’s DNS caching server:

RDNSS 2001:4860:4860::8888
{
};

On your Linux clients install rdnssd, which automatically adds the advertised IPv6 DNS servers to /etc/resolv.conf.

The /etc/resolv.conf now contains both IPv4 and IPv6 entries. Typically a DHCP client adds the IPv4 DNS server entries; this can be prevented by removing ‘domain-name-servers’ from the ‘request’ line in dhclient.conf.

Multiple IPv6 Addresses per Interface

Using ‘ifconfig’ on Debian Lenny, multiple IPv6 addresses can be added using entries in ‘/etc/network/interfaces’ with the ‘up’ and ‘down’ options. For example:

iface eth0 inet6 static
        address 2001:41c8:1:5568::100
        netmask 64
        gateway fe80::1
        pre-up echo 0 > /proc/sys/net/ipv6/conf/eth0/autoconf
        up /sbin/ifconfig eth0 inet6 add 2001:41c8:1:5568::1:100/64
        up /sbin/ifconfig eth0 inet6 add 2001:41c8:1:5568::2:100/64
        down /sbin/ifconfig eth0 inet6 del 2001:41c8:1:5568::1:100/64
        down /sbin/ifconfig eth0 inet6 del 2001:41c8:1:5568::2:100/64

IPv6 and IPv4 Preference

When a site is reachable using both IPv4 and IPv6, the address ordering returned by glibc’s getaddrinfo() (driven by /etc/gai.conf, following RFC 3484) gives Linux a default preference which is roughly:

  1. Native IPv6
  2. Native IPv4
  3. 6to4 tunnels

To change this preference, edit ‘/etc/gai.conf’ and uncomment most of the labels:

label ::1/128       0
label ::/0          1
#label 2002::/16     2
label ::ffff:0:0/96 2
label fec0::/10     3
label fc00::/7      4
label 2001:0::/32   5
label ::/96         6

(note that 2002::/16 [6to4] is left commented out)

and have the precedence configured as:

precedence  ::1/128       50
precedence  ::/0          40
precedence  2002::/16     30
precedence ::/96          20
precedence ::ffff:0:0/96  10
#
#    For sites which prefer IPv4 connections change the last line to
#
#precedence ::ffff:0:0/96  100

For these changes to take effect, restart the affected applications, e.g. Firefox, since each process reads gai.conf for itself.
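The label and precedence tables above decide address order through two of the RFC 3484 rules glibc applies: prefer a destination whose label matches the label of the source address the host would use (rule 5), then prefer the higher precedence (rule 6). The following script is an added example, not part of the original post or of glibc: it parses the gai.conf fragment quoted above, applies those two rules with a simplified source selection (the host address of the same family), and shows how a host whose only IPv6 is 6to4 ends up preferring IPv4 when 2002::/16 carries its own label, why leaving that label commented out flips the choice, and what the IPv4-preferring precedence variant does. The host and site addresses are constructed from documentation ranges.

```python
"""Destination ordering as glibc's getaddrinfo() derives it from
/etc/gai.conf, reduced to RFC 3484 rule 5 (prefer matching labels) and
rule 6 (prefer higher precedence).  Added example, not part of the page;
the tables are the ones quoted above, the addresses are constructed."""
import ipaddress

# The gai.conf fragment from the page: 2002::/16 has no label of its own,
# so 6to4 addresses fall under ::/0 (label 1) just like native IPv6.
PAGE_CONF = """
label ::1/128       0
label ::/0          1
#label 2002::/16     2
label ::ffff:0:0/96 2
label fec0::/10     3
label fc00::/7      4
label 2001:0::/32   5
label ::/96         6
precedence  ::1/128       50
precedence  ::/0          40
precedence  2002::/16     30
precedence ::/96          20
precedence ::ffff:0:0/96  10
"""
# Variant with the 6to4 label restored (what uncommenting that line would do).
WITH_6TO4_LABEL = PAGE_CONF.replace("#label 2002::/16", "label 2002::/16")
# Variant from the page's last comment: sites which prefer IPv4 connections.
IPV4_PREFERRED = PAGE_CONF.replace("precedence ::ffff:0:0/96  10",
                                   "precedence ::ffff:0:0/96  100")


def parse_gai_conf(text):
    """Return {'label': [(network, value)], 'precedence': [(network, value)]}."""
    table = {"label": [], "precedence": []}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        kind, prefix, value = line.split()
        if kind in table:
            table[kind].append((ipaddress.IPv6Network(prefix, strict=False), int(value)))
    return table


def as_ipv6(addr):
    """gai.conf matches IPv4 addresses in their IPv4-mapped form ::ffff:a.b.c.d."""
    a = ipaddress.ip_address(addr)
    return ipaddress.IPv6Address(f"::ffff:{a}") if a.version == 4 else a


def lookup(entries, addr):
    """Longest-prefix match of addr against a label or precedence table."""
    matches = [(net.prefixlen, value) for net, value in entries if addr in net]
    return max(matches)[1] if matches else None


def order_destinations(conf_text, host_addrs, destinations):
    """Sort destinations the way getaddrinfo() would return them.

    Source selection is simplified to "the host address of the same family";
    a real host may have several candidates per family (RFC 3484 section 5)."""
    table = parse_gai_conf(conf_text)
    sources = {a.version: as_ipv6(a) for a in map(ipaddress.ip_address, host_addrs)}

    def sort_key(dest):
        d = ipaddress.ip_address(dest)
        d6, s6 = as_ipv6(d), sources[d.version]
        label_match = lookup(table["label"], d6) == lookup(table["label"], s6)
        return (label_match, lookup(table["precedence"], d6))

    # True sorts after False and larger precedence after smaller, hence reverse
    return sorted(destinations, key=sort_key, reverse=True)


# Constructed scenario: a host whose only IPv6 connectivity is 6to4
# (2002:cb00:7105::1 embeds 203.0.113.5) talking to a dual-stack site.
HOST = ["2002:cb00:7105::1", "203.0.113.5"]
SITE = ["198.51.100.7", "2001:db8::1"]

if __name__ == "__main__":
    for name, conf in [("page's gai.conf", PAGE_CONF),
                       ("6to4 label kept", WITH_6TO4_LABEL),
                       ("IPv4 preferred", IPV4_PREFERRED)]:
        print(f"{name:16} -> {order_destinations(conf, HOST, SITE)}")
```

With the 6to4 label in force the 6to4 source (label 2) never matches a native IPv6 destination (label 1), so rule 5 hands the win to IPv4; with the page's table both carry label 1 and the precedence of 40 over 10 puts IPv6 first.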

IPv6 over IPv4 on Linux using 6to4

6to4 is a tunneling protocol for carrying IPv6 over an IPv4 connection, and its configuration on Linux is well described.

Note: this only applies to interfaces which have a public IPv4 address, because that address is embedded in the 2002::/16 prefix and the relay must be able to reach it.

A 6to4 tunnel can be configured using the following shell script:

#!/bin/bash

# set the interface name
if=wlan0

# extract the interface's IPv4 address from the ifconfig output
ipv4=`/sbin/ifconfig $if | grep "inet addr" | sed -e 's/^.*inet addr://' -e 's/ .*$//'`
# split the dotted quad into four decimal octets
ipv4s=`echo $ipv4 | tr "." " "`

# calculate the IPv6 address: 2002: followed by the IPv4 address in hex
ipv6=`printf "2002:%02x%02x:%02x%02x::1" $ipv4s`

case "$1" in
  start)
    /sbin/ip tunnel add tun6to4 mode sit ttl 128 remote any local $ipv4
    /sbin/ip link set dev tun6to4 up
    /sbin/ip -6 addr add $ipv6/16 dev tun6to4
    # send all global IPv6 traffic to the 6to4 anycast relay
    /sbin/ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4 metric 1
    # configure firewall: accept only replies to traffic this host initiated
    /sbin/ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/ip6tables -A INPUT -j DROP
    ;;
  stop)
    /sbin/ip -6 route flush dev tun6to4
    /sbin/ip link set dev tun6to4 down
    /sbin/ip tunnel del tun6to4
    # clear firewall
    /sbin/ip6tables -F INPUT
    ;;
  *)
    echo "usage: ipv6 {start|stop}"
    exit 1
    ;;
esac

exit 0

This will create a new interface ‘tun6to4’ which will be used for IPv6.

See the IPv6 and IPv4 Preference section above for how 6to4 addresses are ranked against native connectivity.
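The printf line in the script above is the whole of RFC 3056 address derivation: the 16-bit 2002 prefix followed by the 32-bit IPv4 address gives the site its /48. The following is an added example, not part of the original post or script, that performs the same derivation with Python’s ipaddress module, checks the precondition the note states (a publicly routable IPv4 address) which the script silently skips, recovers the IPv4 endpoint from a 2002:: address, and parses the output of ip -4 -o addr show dev as a replacement for the ifconfig/grep/sed pipeline. The address 203.0.113.5 and the sample ip output line are constructed test values from an RFC 5737 documentation range.

```python
"""6to4 prefix derivation (RFC 3056) with the public-address check the
page's shell script leaves out.  Added example, not part of the page;
203.0.113.5 and SAMPLE_IP_OUTPUT are constructed test values."""
import ipaddress

# Ranges that can never terminate a 6to4 tunnel: the anycast relay must be
# able to reach the embedded IPv4 address, so RFC 1918, loopback,
# link-local, shared CGNAT space, multicast and reserved space are all out.
NOT_ROUTABLE = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4")]


def is_6to4_capable(ipv4):
    """True when ipv4 is a public address usable as a 6to4 endpoint."""
    a = ipaddress.IPv4Address(ipv4)
    return not any(a in net for net in NOT_ROUTABLE)


def sixto4_prefix(ipv4):
    """The site's /48: 2002:WWXX:YYZZ::/48 with the IPv4 address in hex."""
    a = ipaddress.IPv4Address(ipv4)
    if not is_6to4_capable(a):
        raise ValueError(f"{a} is not publicly routable; 6to4 needs a public IPv4 address")
    # 16 bits of 0x2002, then the 32-bit IPv4 address, then 80 zero bits
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(a) << 80), 48))


def sixto4_host_address(ipv4, host_id=1):
    """The address the script assigns: host_id in subnet 0 of the /48."""
    return ipaddress.IPv6Address(int(sixto4_prefix(ipv4).network_address) + host_id)


def embedded_ipv4(ipv6):
    """Inverse mapping: the IPv4 endpoint a 2002:: address encodes, else None."""
    return ipaddress.IPv6Address(ipv6).sixtofour


def ipv4_from_ip_output(text):
    """Parse `ip -4 -o addr show dev X` output instead of ifconfig|grep|sed."""
    for line in text.splitlines():
        fields = line.split()
        if "inet" in fields:
            return fields[fields.index("inet") + 1].split("/")[0]
    return None


# Constructed sample of `ip -4 -o addr show dev wlan0` output
SAMPLE_IP_OUTPUT = ("3: wlan0    inet 203.0.113.5/24 brd 203.0.113.255 scope global "
                    "dynamic wlan0\\       valid_lft 3599sec preferred_lft 3599sec")

if __name__ == "__main__":
    v4 = ipv4_from_ip_output(SAMPLE_IP_OUTPUT)
    print(f"{v4} -> {sixto4_prefix(v4)} host {sixto4_host_address(v4)}")
    for candidate in ("192.168.1.5", "100.64.3.2", "203.0.113.5"):
        print(f"{candidate:12} 6to4 capable: {is_6to4_capable(candidate)}")
```

Running it on the sample line yields 2002:cb00:7105::/48 with host address 2002:cb00:7105::1, the same value the script’s printf would produce for 203.0.113.5; an RFC 1918 address such as 192.168.1.5 is rejected before any tunnel would be created.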