Yourself IPv6 Tunnel Broker with openvpn and 6to4
Do you want your devices (Windows \ Linux \ Android \ iOS) to start using IPv6, but your provider doesn’t provide it yet? Do you have your own server \ VDS \ just a computer with Linux and a permanent direct IPv4 (NOT IPv6) address or even your openvpn server? Then maybe this article will help you.
She is not for the venerable network gurus, I just gathered in one place a set of guidelines in order to spread IPv6 among the masses. Although I will be grateful to all the venerable gurus, who will criticize me in the comments and point out errors. As I write the post almost immediately after the system has earned. Everything can be infinitely far from the ideal.
It prompted me to set up a similar system with my new tablet, which in the stock (no other ones yet) firmware does not want to receive IPv6 from a wifi router, not to mention the impossibility of using IPv6 while working via 3G.
')
We will need the following toolkit:
- Host with linux and direct, static IP address (any dedicated or virtual server will work). I have a VPS on Xen with gentoo and my own kernel. However, I believe that I do not use anything non-standard, so it should work on popular binary distributions as well.
- Installed on the server package iproute2. Check through "ip --version".
- openvpn server. The openvpn version should be> = 2.3, 2.3.2 or later is highly desirable.
- openvpn client. There are versions for linux, windows , os x , android ( 1 , 2 ) and iOS . Version requirements are the same as the server.
We configure IPv6 on the server through 6to4.
To facilitate the transition to IPv6 technology created 6to4: each IPv4 address in the corresponding subnet / 48 IPv6-addresses. Read more ...
Suppose your server IP is 208.64.121.161 (took IP test.com). Go to 6to4.version6.net/?lang=en_GB , drive in IP, for example, 208.64.121.161. We get the following settings:
Your IPv4 address is 208.64.121.161
Your 6to4 address is 2002: d040: 79a1 :: 2080: 6412: 1161
6to4 gateway address is 192.88.99.1
We need only a bold piece. This is our / 48 IPv6 subnet. You have two groups after 2002 in the address should be different! Your IPv4 is encoded in them.
We invent an address in this subnet. For simplicity, you can use :: 2 (for some reason, glitches are noticed when using :: 1, can anyone tell why, or maybe it seemed to me), that is, 2002: d040: 79a1 :: 2 .
Create a tunnel (replacing IPv4 with your address):
ip tunnel add tun6to4 mode sit remote any local 208.64.121.161 ttl 64
Raise the interface:
ip link set dev tun6to4 up
Set the IPv6 interface address, which was invented earlier:
ip -6 addr add 2002:d040:79a1::2/128 dev tun6to4
Set the default route (192.88.99.1 - common router for 6to4, do not change it!):
ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4 metric 1
After that, our server should be able to work on IPv6. Checking:
ping6 2001:ad0::1
In the gente, I saved all this by adding the following lines to /etc/conf.d/net (creating the link net.lo-> net.tun6to4 and not forgetting to make rc-update add net.tun6to4 default):
iptunnel_tun6to4 = "sit sit remote any local 208.64.121.161 ttl 64"
config_tun6to4 = "2002: d040: 79a1 :: 2"
routes_tun6to4 = "2000 :: / 3 via :: 192.88.99.1 dev tun6to4 metric 1"
rc_net_tun6to4_need = "net.eth0"
If the pings go, then stage 1 is passed. If they don’t go, we think, we check everywhere we replaced what needs to be replaced with our data. If nothing helps in detail we tell what we did (with the server’s IP) in the comments, I’ll try to help. I do not help in a personal.
Configuring openvpn to work with IPv6
How to configure openvpn written to me more than once. Including here. Use search. Just in case, I quote my configs by cutting out private data.
Server
port censored
proto udp
dev tun
ca vpn1 / ca.crt
cert vpn1 / server.crt
key vpn1 / server.key
dh vpn1 / dh2048.pem
server 10.censored 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 60
comp-lzo adaptive
user nobody
group nobody
persist-key
persist tun
fast-io
status openvpn-status.log
max-clients 30
tls-auth vpn1 / ta.key 0
chroot / var / chroot / openvpn
cipher AES-256-CBC
auth SHA512
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384: TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384: TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384 : TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA: TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA: TLS-DHE-RSA-WITH-AES-256-CBC-SHA
local censored
client-to-client
ping-timer-rem
management localhost 7505
client-config-dir ccd
proto udp
dev tun
ca vpn1 / ca.crt
cert vpn1 / server.crt
key vpn1 / server.key
dh vpn1 / dh2048.pem
server 10.censored 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 60
comp-lzo adaptive
user nobody
group nobody
persist-key
persist tun
fast-io
status openvpn-status.log
max-clients 30
tls-auth vpn1 / ta.key 0
chroot / var / chroot / openvpn
cipher AES-256-CBC
auth SHA512
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384: TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384: TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384 : TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA: TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA: TLS-DHE-RSA-WITH-AES-256-CBC-SHA
local censored
client-to-client
ping-timer-rem
management localhost 7505
client-config-dir ccd
Customer
client
dev tun
proto udp
remote censored censored
resolv-retry infinite
nobind
persist-key
persist tun
comp-lzo adaptive
verb 3
key-direction 1
cipher AES-256-CBC
auth SHA512
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384: TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384: TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384 : TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA: TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA: TLS-DHE-RSA-WITH-AES-256-CBC-SHA
verify-x509-name 'C = RU, ST = RU, L = censored'
censored
<tls-auth>
censored
</ tls-auth>
dev tun
proto udp
remote censored censored
resolv-retry infinite
nobind
persist-key
persist tun
comp-lzo adaptive
verb 3
key-direction 1
cipher AES-256-CBC
auth SHA512
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384: TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384: TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384 : TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA: TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA: TLS-DHE-RSA-WITH-AES-256-CBC-SHA
verify-x509-name 'C = RU, ST = RU, L = censored'
censored
<tls-auth>
censored
</ tls-auth>
To distribute IPv6 through openvpn, we come up with a number / 64 subnet. This is any number from 0 to FFFF. For example, 5. That is, in my case, the / 64 subnet will look entirely like this: 2002: d040: 79a1: 5 ::. Add a line to openvpn.conf on the server:
server-ipv6 2002:d040:79a1:5::/64
In principle, this line is the whole setup openvpn for IPv6. It remains only to indicate to the openvpn server that it inform clients of the default route for IPv6. You can do this either globally in the server openvpn.conf or in the ccd file for each client using the line:
push "route-ipv6 2000::/3"
You must also specify an IPv6 DNS server to clients. I use my, you can use Google. In server openvpn.conf or in ccd:
push "dhcp-option DNS 2001:4860:4860::8888"
(Re) start the server.
In the client's config, nothing needs to be changed. Connecting to the server and should get an IPv6 address. We look at the client:
ip -6 addr list
We see something like:
9: tun0: <POINTOPOINT, MULTICAST, NOARP, UP, LOWER_UP> mtu 1500 qlen 100
inet6 2002: d040: 79a1: 5 :: 1005/64 scope global
Similarly, we look at the IPv6 address of the tun-interface on the server, most likely it will end with :: 1 (2002: d040: 79a1: 5 :: 1).
We try to ping from the client to the server and back. If pinged, there are quite a few.
We try to ping from the client Google DNS:
ping6 2001:4860:4860::8888
does not ping, since IPv6 redirection must be enabled in the same way as IPv4. Allow:
sysctl -w net.ipv6.conf.all.forwarding=1
And save in /etc/sysctl.conf the line:
net.ipv6.conf.all.forwarding = 1
Pings should go from client to google and generally you can use IPv6 from client. For example, try opening ipv6.google.com in a browser.
Everything? In no case!
The beauty of IPv6 is that all addresses are direct. Therefore, all your openvpn clients will be fully accessible from a large, dangerous Internet. Therefore, do not forget to set up a firewall on the server (ip6tables is used for IPv6). At least I immediately wrote the following:
We cover the server itself:
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -p tcp -m conntrack --ctstate NEW -m tcp! --tcp-flags FIN, SYN, RST, ACK SYN -j DROP
ip6tables -A INPUT -m conntrack -ctstate RELATED, ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
ip6tables -A INPUT -j DROP
Covering up openvpn clients (also prescribed on the server!)
ip6tables -A FORWARD -p tcp -m conntrack --ctstate NEW -m tcp! --tcp-flags FIN, SYN, RST, ACK SYN -j DROP
ip6tables -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
ip6tables -A FORWARD -i tun0 -j ACCEPT
ip6tables -A FORWARD -m conntrack -ctstate RELATED, ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -j DROP
Well, almost everything. My Galaxy Tab 3 10.1 has gained the ability to go IPv6. By the way, if anyone knows how to enable it to directly work with IPv6 via WiFi (my router distributes via radvd, everyone gets the phone from the cyanogenmod addresses, but I don’t have a tablet with stock firmware :() - please tell me very much thankful.
Send errors in private, all good friday and weekend.
Source: https://habr.com/ru/post/199040/
All Articles