Category Archives: IPv6

Posts relating to IPv6

ISC-DHCP-Server – disable dhcpv6 (Debian 9)

The isc-dhcp-server included in Debian 9 will attempt to start a DHCPv6 instance on servers which have a dual-stack (IPv4 & IPv6) config.

If DHCPv6 is unconfigured because for example, Router Advertisements are used for configuring IPv6 hosts, then the service will fail to start. The DHCP(v4) is running but Systemd reports the service as failed.

One work-around is to force isc-dhcp-server to only start the v4 instance, add the following line to /etc/default/isc-dhcp-server:

INTERFACESv4=eth0

where eth0 is the interface on which DHCP requests should be serviced.

After restarting the service, the DHCP server shall now only run on v4 and as long as the v4 config is correct, Systemd will report the service as successfully started.

Implementing IPv6 Privacy Extensions (RFC4941)

IPv6 auto configuration on Linux will normally assign the same address every time when connecting to a specific network. This address would normally be formed from the network prefix and local interface MAC address.

When using IPv4 your identity is slightly masqued by NAT. Although your single public IP address may be tracked, it is hard to track individual devices that exist on the local network. This is not the case with IPv6 where there is no NAT. Every device has a visible unique public IP address that rarely changes.

RFC4941 (obsoletes 3041) defines privacy extensions to IPv6 which will randomly assign an additional Global IPv6 address to the interface. This additional random address will have the same network prefix and be used for outgoing internet connections.

To enable the privacy extensions under Linux (using Debian Wheezy):
echo 2 > /proc/sys/net/ipv6/conf/${ifname}/use_tempaddr
replace ${ifname} with the name of your interface, eg wlan0

Possible values for this setting:
(0=off, 1=assign, 2=prefer)

Now at least you will be anonymized amongst the other nodes of your local network.

OpenVPN – IPv6 with tun device

Note: IPv6 is not supported using OpenVPN on Debian Squeeze (stable). The version used by Debian Wheezy (testing) supports IPv6.

Network setup:
- 192.168.1.0/24 - Local IPv4 network
- 2001:412:abcd::/48 - Local IPv6 network
- 192.168.2.0/24 - Tunnel IPv4 network
- 2001:412:abcd:2::/64 - Tunnel IPv6 network

I have included only the sections of config files which need ammending to enable IPv6 over OpenVPN.

Client Config
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tun
# enable ipv6
tun-ipv6

Server Config
# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tun0
# Enable TUN IPv6 module
tun-ipv6

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 192.168.2.0 255.255.255.0
server-ipv6 2001:412:abcd:2::/64

# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
push "route 192.168.1.0 255.255.255.0"
push "route-ipv6 2001:412:abcd::/48

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"

# Enable to make openvpn the default route for ipv6 connectivity?
;push "route-ipv6 2000::/3"

IPv6 DNS Advertisements

DNS client configuration can be handled by the standard Router Advertisement Daemon (radvd) – apt-get install radvd

Edit /etc/radvd.conf on your Linux Router and insert the following at the end of the file to use Google’s DNS Caching server:

RDNS 2001:4860:4860::8888
{
};

On your Linux clients install rdnssd. To automatically add the advertised IPv6 DNS servers to your /etc/resolv.conf

The /etc/resolv.conf now contains both IPv4 and IPv6 entries. Typically a DHCP client is adding the IPv4 DNS server entries, this can be prevented by removing ‘domain-name-servers’ from the ‘request’ line in dhclient.conf

Multiple IPv6 Addresses per Interface

Using ‘ifconfig’ on Debian Lenny, multiple IPv6 addresses can be added using entries in ‘/etc/network/interfaces’ with the ‘up’ and ‘down’ options. For example:

iface eth0 inet6 static
        address 2001:41c8:1:5568::100
        netmask 64
        gateway fe80::1
        pre-up echo 0 > /proc/sys/net/ipv6/conf/eth0/autoconf
        up /sbin/ifconfig eth0 inet6 add 2001:41c8:1:5568::1:100/64
        up /sbin/ifconfig eth0 inet6 add 2001:41c8:1:5568::2:100/64
        down /sbin/ifconfig eth0 inet6 del 2001:41c8:1:5568::1:100/64
        down /sbin/ifconfig eth0 inet6 del 2001:41c8:1:5568::2:100/64