4

Trying to learn how IPv6 works with OpenVPN, so I wanted to setup following scheme.

I have a VPS server (Ubuntu), which have been allocated a /48 subnet.

ISP ipv6 gateway is XXXX:XXXX:XXXX::1
Server ipv6 address is XXXX:XXXX:XXXX:39::1

The idea is that any clients connecting to server gets an ip address on the XXXX:XXXX:XXXX:39:2::/64 subnet.

Server configuration file is based on the sample configuration from OpenVPN with the following additions:

dev tun
tun-ipv6
server-ipv6 XXXX:XXXX:XXXX:39:2::/64
push "route-ipv6 XXXX:XXXX:XXXX:39::/48"

Restarting OpenVPN server gave no problems.

Server is assigned following ip addresses:

eth0: XXXX:XXXX:XXXX:39::1/48
tun0: XXXX:XXXX:XXXX:39::2/64

Client is assigned:

OpenVPN tap: XXXX:XXXX:XXXX:39:2:0:1:0, and I can ping XXXX:XXXX:XXXX:39::1 just fine. However pinging ISP gateway from client makes connection time out.

I can ping ISP ipv6 gateway from server.

I have allowed traffic from XXXX:XXXX:XXXX:39:2::/64 in Ubuntu Firewall.

What am I missing?

I should mention server is running OpenVPN version 2.2.1 - is that the reason for the complaining?

Lasse Michael Mølgaard
  • 947
  • 10
  • 27
  • is the subnet from your VPS provider on-link or routed? if it isn't routed, you will need to proxy NDP for your ISP's side. – Olipro Jun 02 '13 at 16:56
  • 1
    Noooo. Different interfaces belong in different subnets! Fix that first. – Michael Hampton Jun 02 '13 at 17:50
  • Yes I was suspecting different subnet was needed for tun0 interface. Ideal situation would be VPN connected clients is sitting behind the equivalent of NAT for ipv6, but is there an equivalent of 10.x.x.x/8, 172.16.0.x/16 and 192.168.x.x/32 for ipv6? – Lasse Michael Mølgaard Jun 03 '13 at 22:24

1 Answers1

0

Turns out it is was not quite so easy to use my hosted server as an IPv6 gateway. It is doable though it is a multi step process.

I ended up asking bit in here, so the following is a summary of what I have learned during the process.

To get a routable subnet I went to Hurricane Electric and got myself a routed /48 subnet from Hurricane Electric. Visit https://tunnelbroker.net for more information about how to obtain your own subnet.

They will provide a IPv6 routed over IPv4 tunnel and also tell you what you should add to you /etc/interfaces.

My IPv6 addresses on the tunnel link is on the form: 2001:470:xxxx:xxx::/64. Therefore the following lines should be added to /etc/interfaces:

auto he-ipv6
iface he-ipv6 inet6 v4tunnel
    address 2001:470:xxxx:xxx::2
    netmask 64
    endpoint <ipv4 address Tunnelbroker side> 
    local <public ipv4 address your side>
    ttl 255
    gateway 2001:470:xxxx:xxx::1

But due to my server already have a public IPv6 address, it will cause some issues that we will have to mitigate before I can ping anything from the Tunnelbroker subnet.

#Enter policy based routing.

The idea is that the server decides which outbound link it should for IPv6 traffic depending on source IPv6 address.

The rules are pretty simple.

  • If traffic originates from the server itself then use the default gateway.
  • If traffic originates from my /48 subnet then use the IPv6 over IPv4 link.

This means you need two routing tables. The default routing table (called: main) and your own table (I called mine mynet6).

First add an entry for custom routing table:

echo 100     mynet6 > /etc/iproute2/rt_tables

For agument sake lets say I am assigned the subnet 2001:db8:cafe::/48.

I made a script that is called by OpenVPN when VPN link is up, since my /48 subnet resides only on my VPN link. The script goes a bit like this:

# Reset IPv6 routing table.
ip -6 rule flush

# Add default IPv6 rules again - since they gets deleted by the initial rule 
# flush command.
ip -6 rule add priority 32766 from all table main

# Reset Tunnelbroker routing table (table name: "mynet6").
ip -6 route flush table mynet6

# All traffic from my /48 subnet should be added to Tunnelbroker routing table
ip -6 rule add priority 32000 from 2001:DB8:CAFE::/48 table mynet6

# Add routeable VPN subnets to Tunnelbroker routing table
ip -6 rule add from 2001:DB8:CAFE::/48 table he-ipv6

# Remember to add a rule that if no machine does not respond to a 
# packet address in my /48, then we should return unreachable. 
# Else the package will be forwarded by default out through the 
# Hurricane Electric connection.

#(From the Internet)
ip -6 route add unreachable 2001:DB8:CAFE::/48

#(From my /48 subnet)
ip -6 route add unreachable 2001:DB8:CAFE::/48 table mynet6

# Any traffic that originates from VPN has to be forwarded via Tunnelbroker 
# routing table using the tunnelbroker link (link name: he-ipv6).
ip -6 route add default via 2001:470:xxxx:xxx::1 dev he-ipv6 table mynet6

#Verification of configuration

You can verify your routing setup with the command:

ip -6 rule show

It should contain something like:

0:      from all lookup local
32000:  from 2001:db8:cafe::/48 lookup mynet6
32766:  from all lookup main

The routing table for Tunnelbroker link can be found with:

ip -6 route show table mynet6

And it should output something like:

unreachable 2001:db8:cafe::/48 dev lo  metric 1024  error -113 pref medium
default via 2001:470:xxxx:xxx::1 dev he-ipv6  metric 1024  pref medium

You default routing table is found here:

ip -6 route show table main

And it should have among others the lines:

unreachable 2001:db8:cafe::/48 dev lo  metric 1024  error -113 pref medium
default via XXXX:XXXX:XXXX::1 dev eth0  metric 1024  pref medium

That should take of what the server have todo when it recieve traffic from the /48 subnet. How you assign the /48 subnet your to own network is an entire different chapter, that I am not going cover here. :-)

Lasse Michael Mølgaard
  • 947
  • 10
  • 27