Category Archives: IPv6

Posts relating to IPv6

Implementing IPv6 Privacy Extensions (RFC4941)

IPv6 auto configuration on Linux will normally assign the same address every time when connecting to a specific network. This address would normally be formed from the network prefix and local interface MAC address.

When using IPv4 your identity is slightly masqued by NAT. Although your single public IP address may be tracked, it is hard to track individual devices that exist on the local network. This is not the case with IPv6 where there is no NAT. Every device has a visible unique public IP address that rarely changes.

RFC4941 (obsoletes 3041) defines privacy extensions to IPv6 which will randomly assign an additional Global IPv6 address to the interface. This additional random address will have the same network prefix and be used for outgoing internet connections.

To enable the privacy extensions under Linux (using Debian Wheezy):
echo 2 > /proc/sys/net/ipv6/conf/${ifname}/use_tempaddr
replace ${ifname} with the name of your interface, eg wlan0

Possible values for this setting:
(0=off, 1=assign, 2=prefer)

Now at least you will be anonymized amongst the other nodes of your local network.

OpenVPN – IPv6 with tun device

Note: IPv6 is not supported using OpenVPN on Debian Squeeze (stable). The version used by Debian Wheezy (testing) supports IPv6.

Network setup:
- 192.168.1.0/24 - Local IPv4 network
- 2001:412:abcd::/48 - Local IPv6 network
- 192.168.2.0/24 - Tunnel IPv4 network
- 2001:412:abcd:2::/64 - Tunnel IPv6 network

I have included only the sections of config files which need ammending to enable IPv6 over OpenVPN.

Client Config
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tun
# enable ipv6
tun-ipv6

Server Config
# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tun0
# Enable TUN IPv6 module
tun-ipv6

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 192.168.2.0 255.255.255.0
server-ipv6 2001:412:abcd:2::/64

# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
push "route 192.168.1.0 255.255.255.0"
push "route-ipv6 2001:412:abcd::/48

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"

# Enable to make openvpn the default route for ipv6 connectivity?
;push "route-ipv6 2000::/3"

IPv6 DNS Advertisements

DNS client configuration can be handled by the standard Router Advertisement Daemon (radvd) – apt-get install radvd

Edit /etc/radvd.conf on your Linux Router and insert the following at the end of the file to use Google’s DNS Caching server:

RDNS 2001:4860:4860::8888
{
};

On your Linux clients install rdnssd. To automatically add the advertised IPv6 DNS servers to your /etc/resolv.conf

The /etc/resolv.conf now contains both IPv4 and IPv6 entries. Typically a DHCP client is adding the IPv4 DNS server entries, this can be prevented by removing ‘domain-name-servers’ from the ‘request’ line in dhclient.conf

Multiple IPv6 Addresses per Interface

Using ‘ifconfig’ on Debian Lenny, multiple IPv6 addresses can be added using entries in ‘/etc/network/interfaces’ with the ‘up’ and ‘down’ options. For example:

iface eth0 inet6 static
        address 2001:41c8:1:5568::100
        netmask 64
        gateway fe80::1
        pre-up echo 0 > /proc/sys/net/ipv6/conf/eth0/autoconf
        up /sbin/ifconfig eth0 inet6 add 2001:41c8:1:5568::1:100/64
        up /sbin/ifconfig eth0 inet6 add 2001:41c8:1:5568::2:100/64
        down /sbin/ifconfig eth0 inet6 del 2001:41c8:1:5568::1:100/64
        down /sbin/ifconfig eth0 inet6 del 2001:41c8:1:5568::2:100/64

IPv6 and IPv4 Preference

When a site is reachable using both IPv4 and IPv6, Linux by default has a preference which is roughly:

  1. Native IPv6
  2. Native IPv4
  3. 6to4 tunnels

To change this preference, edit ‘/etc/gai.conf’
uncomment most of the labels:

label ::1/128       0
label ::/0          1
#label 2002::/16     2
label ::ffff:0:0/96 2
label fec0::/10     3
label fc00::/7      4
label 2001:0::/32   5
label ::/96         6

(note that 2002::/16 [6to4] is left commented out)

and have the precendence configured as:

precedence  ::1/128       50
precedence  ::/0          40
precedence  2002::/16     30
precedence ::/96          20
precedence ::ffff:0:0/96  10
#
#    For sites which prefer IPv4 connections change the last line to
#
#precedence ::ffff:0:0/96  100

For these changes to have effect, restart the appropriate applications eg. Firefox.