
Your Own IPv6 Tunnel Broker with OpenVPN and 6to4





Do you want your devices (Windows / Linux / Android / iOS) to start using IPv6, but your provider doesn't offer it yet? Do you have your own server / VDS / just a computer with Linux and a permanent, direct IPv4 (NOT IPv6) address, or even your own OpenVPN server? Then maybe this article will help you.

It is not for the venerable network gurus; I just gathered in one place a set of instructions in order to spread IPv6 among the masses. Although I will be grateful to all the venerable gurus who criticize me in the comments and point out errors, since I am writing this post almost immediately after the system started working, and everything may be infinitely far from ideal.





What prompted me to set up such a system was my new tablet, whose stock firmware (there are no others yet) refuses to obtain IPv6 from a Wi-Fi router, not to mention the impossibility of using IPv6 while on 3G.


We will need the following toolkit:

  1. A host with Linux and a direct, static, public IPv4 address (any dedicated or virtual server will do; the provider must not filter IP protocol 41, which carries the 6to4 tunnel). I have a VPS on Xen with Gentoo and my own kernel. However, I believe I don't use anything non-standard, so it should work on popular binary distributions as well.
  2. The iproute2 package installed on the server. Check with "ip --version".
  3. An OpenVPN server. The OpenVPN version must be >= 2.3; 2.3.2 or later is highly desirable.
  4. An OpenVPN client. There are versions for Linux, Windows, OS X, Android (two client apps are available) and iOS. The version requirements are the same as for the server.




Configuring IPv6 on the server via 6to4


To ease the transition to IPv6, the 6to4 mechanism was created (RFC 3056): every public IPv4 address is mapped to its own /48 IPv6 subnet, 2002:XXXX:XXXX::/48, where XXXX:XXXX is the IPv4 address written in hex. Traffic between 6to4 networks and the native IPv6 Internet passes through public relay routers at the anycast address 192.88.99.1. Note that anycast 6to4 has since been deprecated (RFC 7526) and relays are being switched off, so check that the relay is actually reachable from your server before relying on it.

Suppose your server's IP is 208.64.121.161 (I took the IP of test.com). Go to 6to4.version6.net/?lang=en_GB, enter your IP, for example 208.64.121.161, and you get the following:



Your IPv4 address is 208.64.121.161
Your 6to4 address is 2002:d040:79a1::2080:6412:1161
6to4 gateway address is 192.88.99.1




We only need the bold part, 2002:d040:79a1. This is our /48 IPv6 subnet: 2002:d040:79a1::/48. The two groups after 2002 will be different for you, since your IPv4 address is encoded in them (d0.40.79.a1 is 208.64.121.161 in hex).



Now we pick an address in this subnet. For simplicity, you can use ::2 (for some reason I have noticed glitches when using ::1; can anyone tell me why, or maybe it just seemed that way to me), i.e. 2002:d040:79a1::2.



Create a tunnel (replacing IPv4 with your address):

ip tunnel add tun6to4 mode sit remote any local 208.64.121.161 ttl 64

Raise the interface:

ip link set dev tun6to4 up

Set the IPv6 interface address, which was invented earlier:

ip -6 addr add 2002:d040:79a1::2/128 dev tun6to4

Set the default route (192.88.99.1 is the well-known 6to4 anycast relay; don't change it!):

ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4 metric 1

After that, our server should be able to work over IPv6. Check it by pinging a host that is known to have IPv6:

ping6 2001:ad0::1

(any other IPv6 host will do as well, for example Google's public DNS at 2001:4860:4860::8888).



In Gentoo I made all this persistent by adding the following lines to /etc/conf.d/net (creating the symlink net.lo -> net.tun6to4 and not forgetting to run rc-update add net.tun6to4 default):

iptunnel_tun6to4="mode sit remote any local 208.64.121.161 ttl 64"
config_tun6to4="2002:d040:79a1::2"
routes_tun6to4="2000::/3 via ::192.88.99.1 dev tun6to4 metric 1"
rc_net_tun6to4_need="net.eth0"




If the pings go through, stage 1 is done. If they don't, think, and check everywhere that you replaced what needed replacing with your own data. If nothing helps, describe in detail what you did (with the server's IP) in the comments and I'll try to help. I don't help via private messages.
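The stage-1 procedure above, as an added example that is not part of the original post: a small POSIX shell script that computes the 6to4 /48 prefix for an IPv4 address locally (the same value the 6to4.version6.net form shows), refuses addresses 6to4 cannot work with (RFC 1918, loopback, link-local, 0/8, multicast), and prints or, with "apply", runs the iproute2 commands from the article. The tunnel name tun6to4 and the host address ::2 inside the /48 are taken from the article; everything else (function names, the ping target used as the final check) is my assumption.

```shell
#!/bin/sh
# Added example, not code from the original post: compute the 6to4 /48 prefix
# for a public IPv4 address locally (instead of via the 6to4.version6.net form)
# and print, or with "apply" run, the iproute2 commands from the article.
# Assumptions (mine, not the post's): the tunnel is named tun6to4 and the host
# address inside the /48 is ::2, as in the article; iproute2 is installed.

# 6to4 embeds the IPv4 address in the prefix, so it only works for public
# unicast addresses. Reject RFC 1918, loopback, link-local, 0/8 and 224/3.
ipv4_is_public() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*|0[0-9]*) return 1;; esac   # digits only, no leading zeros
        [ "$o" -le 255 ] || return 1
    done
    a=$1; b=$2
    [ "$a" -eq 0 ] && return 1
    [ "$a" -eq 10 ] && return 1
    [ "$a" -eq 127 ] && return 1
    [ "$a" -eq 169 ] && [ "$b" -eq 254 ] && return 1
    [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ] && return 1
    [ "$a" -eq 192 ] && [ "$b" -eq 168 ] && return 1
    [ "$a" -ge 224 ] && return 1
    return 0
}

# 208.64.121.161 -> 2002:d040:79a1 (each octet becomes two hex digits)
ipv4_to_6to4_prefix() {
    ipv4_is_public "$1" || return 1
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    printf '2002:%02x%02x:%02x%02x\n' "$1" "$2" "$3" "$4"
}

# Print (default) or run ("apply", needs root) the tunnel setup from the post.
# 192.88.99.1 is the well-known 6to4 anycast relay (RFC 3068); keep it as is.
setup_6to4() {
    ip4=$1; mode=${2:-print}
    prefix=$(ipv4_to_6to4_prefix "$ip4") || {
        echo "$ip4 is not a public IPv4 address, 6to4 will not work" >&2
        return 1
    }
    for cmd in \
        "ip tunnel add tun6to4 mode sit remote any local $ip4 ttl 64" \
        "ip link set dev tun6to4 up" \
        "ip -6 addr add ${prefix}::2/128 dev tun6to4" \
        "ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4 metric 1"
    do
        if [ "$mode" = apply ]; then $cmd || return 1; else echo "$cmd"; fi
    done
    # Stage-1 check: the server itself must now reach a native IPv6 host.
    if [ "$mode" = apply ]; then ping6 -c 3 2001:4860:4860::8888; fi
}

# Usage: sh 6to4.sh 208.64.121.161        (print the commands)
#        sh 6to4.sh 208.64.121.161 apply  (run them, as root)
if [ -n "${1:-}" ]; then setup_6to4 "$@"; fi
```

Run it in print mode first and compare the third line with the address you chose; if the script rejects your address, 6to4 will not work on that host no matter how the tunnel is configured.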



Configuring OpenVPN to work with IPv6


How to configure OpenVPN has been written up many times, including here. Use the search. Just in case, I quote my configs with private data cut out.



Server
port censored
proto udp
dev tun
ca vpn1/ca.crt
cert vpn1/server.crt
key vpn1/server.key
dh vpn1/dh2048.pem
server 10.censored 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 60
comp-lzo adaptive
user nobody
group nobody
persist-key
persist-tun
fast-io
status openvpn-status.log

max-clients 30
tls-auth vpn1/ta.key 0
chroot /var/chroot/openvpn

cipher AES-256-CBC
auth SHA512
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA

local censored
client-to-client
ping-timer-rem
management localhost 7505
client-config-dir ccd



Client
client
dev tun
proto udp

remote censored censored
resolv-retry infinite
nobind

persist-key
persist-tun

comp-lzo adaptive
verb 3

key-direction 1

cipher AES-256-CBC
auth SHA512
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA

verify-x509-name 'C=RU, ST=RU, L=censored'

censored

<tls-auth>
censored
</tls-auth>

Two things in these configs have aged since they were written: compression (comp-lzo) lets an attacker who controls part of the plaintext recover secrets from the tunnel through a compression oracle (the VORACLE attack, 2018), so current OpenVPN guidance is to leave it off; and AES-256-CBC with CBC TLS suites would today be replaced by AES-256-GCM. Neither affects the IPv6 setup below.





To distribute IPv6 over OpenVPN, we pick a number for a /64 subnet inside our /48: any hex number from 0 to FFFF, for example 5. In my case the /64 subnet then looks like 2002:d040:79a1:5::/64. Add a line to openvpn.conf on the server:

server-ipv6 2002:d040:79a1:5::/64

In principle, this line is the entire OpenVPN IPv6 setup. All that remains is to tell the OpenVPN server to announce the IPv6 default route to clients. You can do this either globally in the server's openvpn.conf or in the ccd file of each client, with the line:

push "route-ipv6 2000::/3"

You must also push an IPv6 DNS server to the clients. I use my own; you can use Google's. In the server's openvpn.conf or in the ccd file:

push "dhcp-option DNS 2001:4860:4860::8888"



(Re) start the server.

Nothing needs to be changed in the client config. Connect to the server, and the client should receive an IPv6 address. On the client, look at:

ip -6 addr list

We see something like:

9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qlen 100
    inet6 2002:d040:79a1:5::1005/64 scope global





Similarly, look at the IPv6 address of the tun interface on the server; most likely it ends in ::1 (2002:d040:79a1:5::1).

Try pinging from the client to the server and back. If it pings, there is very little left to do.



Now try pinging Google's DNS from the client:

ping6 2001:4860:4860::8888

It doesn't ping, since IPv6 forwarding must be enabled on the server, just as for IPv4. Enable it:

sysctl -w net.ipv6.conf.all.forwarding=1

And save the following line in /etc/sysctl.conf so that it survives a reboot:

net.ipv6.conf.all.forwarding = 1

(With forwarding enabled the kernel treats the host as a router and, with the default accept_ra=1, stops accepting router advertisements on its interfaces; that doesn't matter here, since the server's IPv6 comes from the static 6to4 tunnel.)



Pings from the client to Google should now go through, and in general IPv6 is usable from the client. For example, try opening ipv6.google.com in a browser.



Done? By no means!



The beauty of IPv6 is that all addresses are globally routable. Therefore all your OpenVPN clients will be fully reachable from the big, dangerous Internet. So don't forget to set up a firewall on the server (for IPv6 this is ip6tables). At a minimum, I immediately wrote the following:

Protecting the server itself:

ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -p tcp -m conntrack --ctstate NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
ip6tables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
ip6tables -A INPUT -j DROP





Protecting the OpenVPN clients (also done on the server!):

ip6tables -A FORWARD -p tcp -m conntrack --ctstate NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
ip6tables -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
ip6tables -A FORWARD -i tun0 -j ACCEPT
ip6tables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -j DROP
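The two rule sets above, as an added example that is not part of the original post: the same INPUT and FORWARD policy rebuilt as a script, with two things a practitioner would want that the article's rules leave out. First, ICMPv6 is not just ping: the types RFC 4890 lists as required (destination unreachable, packet too big for path-MTU discovery, time exceeded, parameter problem, and router/neighbour discovery on the host itself) are allowed, otherwise connections through the tunnel can stall on oversized packets and any native-IPv6 interface on the server loses neighbour discovery. Second, the services you want reachable on the server over IPv6 are opened explicitly; the rules above leave only ping. The interface name tun0 comes from the article; the DRY_RUN switch, the port list (SSH by default) and the function names are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: the server-side ip6tables
# rules from the article, rebuilt as a script that also allows the ICMPv6
# types IPv6 cannot work without (RFC 4890) and opens chosen server ports.
# Assumptions (mine): the OpenVPN interface is tun0, the conntrack match is
# available for IPv6, and SSH (22) is the only server service to expose.
# With DRY_RUN=1 (the default) the rules are printed instead of installed.

DRY_RUN=${DRY_RUN:-1}
VPN_IF=${VPN_IF:-tun0}
SERVER_TCP_PORTS=${SERVER_TCP_PORTS:-22}

ip6t() {
    if [ "$DRY_RUN" = 1 ]; then echo "ip6tables $*"; else ip6tables "$@"; fi
}

# allow_icmpv6 CHAIN TYPE... : accept the listed ICMPv6 types in CHAIN
allow_icmpv6() {
    chain=$1; shift
    for t in "$@"; do
        ip6t -A "$chain" -p ipv6-icmp -m icmp6 --icmpv6-type "$t" -j ACCEPT
    done
}

install_rules() {
    ip6t -F INPUT
    ip6t -F FORWARD

    # The server itself.
    ip6t -A INPUT -i lo -j ACCEPT
    # New TCP connections must start with a bare SYN.
    ip6t -A INPUT -p tcp -m conntrack --ctstate NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
    ip6t -A INPUT -m conntrack --ctstate INVALID -j DROP
    ip6t -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # 1-4: error messages (2 = packet too big, needed for PMTU discovery),
    # 128/129: echo, 133-136: router and neighbour discovery.
    allow_icmpv6 INPUT 1 2 3 4 128 129 133 134 135 136
    for p in $SERVER_TCP_PORTS; do
        ip6t -A INPUT -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    ip6t -A INPUT -j DROP

    # The OpenVPN clients: traffic forwarded between tun0 and tun6to4.
    ip6t -A FORWARD -p tcp -m conntrack --ctstate NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
    ip6t -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # Discovery messages are link-local and are never forwarded; errors and echo are.
    allow_icmpv6 FORWARD 1 2 3 4 128 129
    ip6t -A FORWARD -i "$VPN_IF" -j ACCEPT                     # anything the clients start
    ip6t -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ip6t -A FORWARD -j DROP
}

# Usage: sh ip6fw.sh install             (print the rules)
#        DRY_RUN=0 sh ip6fw.sh install   (install them, as root)
if [ "${1:-}" = install ]; then install_rules; fi
```

Rule order matters: the INVALID drop and the RELATED,ESTABLISHED accept sit before the per-type ICMPv6 rules so that error messages belonging to existing flows are handled by conntrack, and the explicit ICMPv6 accepts only have to cover what arrives unsolicited.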




Well, that's almost everything. My Galaxy Tab 3 10.1 has gained the ability to go online over IPv6. By the way, if anyone knows how to make it work with IPv6 directly over Wi-Fi (my router advertises via radvd, every phone with CyanogenMod gets an address, but the tablet with stock firmware doesn't :( ), please tell me, I would be very grateful.



Send error reports via private message; have a good Friday and weekend, everyone.

Source: https://habr.com/ru/post/199040/


