
A tunnel broker of my own, or native IPv6 on a laptop via OpenVPN

I am a big supporter of IPv6 and try to use it wherever possible. After some recent thought I decided that on most of my virtual machines I would move ssh to IPv6 only, binding it to a randomly chosen address out of the assigned network, which I then put in DNS for my own convenience. That raised the question of how to reach those machines from my laptop, which has no IPv6 of its own. Of course I can always hop through a server that does have IPv6, and I usually do, but circumstances vary.

After scratching my head a little, I realised I could carve a /112 out of the /64 the hoster gives me and hand it out over OpenVPN to my laptop and other personal machines, giving them real IPv6 addresses rather than addresses from a tunnel broker.

Decided, so it had to be done. For this I picked a virtual machine at vultr that had nothing on it yet and was meant for experiments, and set about the configuration.

Vultr assigns a /64 to each virtual machine; in our example let it be 2001:NNNN:NNNN:NNNN::/64, and out of it we will use 2001:NNNN:NNNN:NNNN:80::/112 for the VPN clients. I will not describe key generation for OpenVPN, it is covered in detail in other guides; I will only cover the config and the scripts needed for our purpose.
In /etc/openvpn/variables we define the prefix and prefix length that we will use; the scripts below source this file, so it is written in shell syntax:

```
# Subnet
prefix=2001:NNNN:NNNN:NNNN:80::
# netmask
prefixlen=112
```

OpenVPN server config:

```
# Listen port
port 8149
# Protocol
proto udp
# Layer-2 (TAP) tunnel, so the VPN clients share one L2 segment
dev tap0
# CA certificate
ca ca.crt
# Server certificate
cert server.crt
# Server private key
key server.key
# Diffie-Hellman parameters
dh dh2048.pem
# Allow clients to communicate with each other
client-to-client
# Client config dir (per-client fixed addresses)
client-config-dir /etc/openvpn/ccd
# Run client-specific scripts on connection and disconnection.
# script-security 2 permits user-defined scripts; they go through sudo
# because openvpn itself drops to vpn:vpn (see user/group below)
script-security 2
client-connect "/usr/bin/sudo -u root /etc/openvpn/server-clientconnect.sh"
client-disconnect "/usr/bin/sudo -u root /etc/openvpn/server-clientdisconnect.sh"
# Server mode and client subnets
server 10.18.0.0 255.255.255.0
server-ipv6 2001:NNNN:NNNN:NNNN:80::/112
topology subnet
# IPv6 routes pushed to clients: the hoster's /64 and all global unicast
push "route-ipv6 2001:NNNN:NNNN:NNNN::/64"
push "route-ipv6 2000::/3"
persist-key
persist-tun
# Ping every 10s. Timeout of 120s.
keepalive 10 120
# Enable compression (deprecated in recent OpenVPN releases; compressing
# traffic inside a VPN also enables compression-oracle attacks such as VORACLE)
comp-lzo
# Drop privileges after start
user vpn
group vpn
# Log a short status
status openvpn-status.log
verb 4
sndbuf 0
rcvbuf 0
```

The config references two scripts that run when a client connects and disconnects. They add and remove a proxy-NDP entry for the client's address on the server's uplink; note that a non-zero exit from the client-connect script makes OpenVPN refuse that client:

server-clientconnect.sh
```
#!/bin/sh
# Check client variables passed by OpenVPN
if [ -z "$ifconfig_pool_remote_ip" ] || [ -z "$common_name" ]; then
    echo "Missing environment variable."
    exit 1
fi
# Load server variables ($prefix, $prefixlen)
. /etc/openvpn/variables
ipv6=""
# Find out if there is a specific config with a fixed IPv6 for this client
if [ -f "/etc/openvpn/ccd/$common_name" ]; then
    # Get the fixed IPv6 from the client config file (address only, without /prefixlen)
    ipv6=$(sed -nr 's/^.*ifconfig-ipv6-push[ \t]+([0-9a-fA-F:]+).*$/\1/p' "/etc/openvpn/ccd/$common_name")
fi
# Otherwise derive the IPv6 from the last octet of the assigned IPv4
if [ -z "$ipv6" ]; then
    ipp=$(echo "$ifconfig_pool_remote_ip" | cut -d. -f4)
    if ! [ "$ipp" -ge 2 -a "$ipp" -le 254 ] 2>/dev/null; then
        echo "Invalid IPv4 part."
        exit 1
    fi
    hexipp=$(printf '%x' $ipp)
    ipv6="$prefix$hexipp"
fi
# Create proxy rule: the server will answer neighbor solicitations for this
# address on the uplink (eth0 here; adjust to your interface name)
/sbin/ip -6 neigh add proxy $ipv6 dev eth0
```

and server-clientdisconnect.sh

```
#!/bin/sh
# Check client variables passed by OpenVPN
if [ -z "$ifconfig_pool_remote_ip" ] || [ -z "$common_name" ]; then
    echo "Missing environment variable."
    exit 1
fi
# Load server variables ($prefix, $prefixlen)
. /etc/openvpn/variables
ipv6=""
# Find out if there is a specific config with a fixed IPv6 for this client
if [ -f "/etc/openvpn/ccd/$common_name" ]; then
    # Get the fixed IPv6 from the client config file (address only, without /prefixlen)
    ipv6=$(sed -nr 's/^.*ifconfig-ipv6-push[ \t]+([0-9a-fA-F:]+).*$/\1/p' "/etc/openvpn/ccd/$common_name")
fi
# Otherwise derive the IPv6 from the last octet of the assigned IPv4
if [ -z "$ipv6" ]; then
    ipp=$(echo "$ifconfig_pool_remote_ip" | cut -d. -f4)
    if ! [ "$ipp" -ge 2 -a "$ipp" -le 254 ] 2>/dev/null; then
        echo "Invalid IPv4 part."
        exit 1
    fi
    hexipp=$(printf '%x' $ipp)
    ipv6="$prefix$hexipp"
fi
# Delete the proxy rule added at connect time (same interface as there)
/sbin/ip -6 neigh del proxy $ipv6 dev eth0
```
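The two scripts above differ only in their last line, and they quietly trust several things: that the IPv4-derived fallback matches the address OpenVPN actually handed out, that an address taken from a ccd file really lies inside our /112, and that common_name is a safe file name. Below is an added example, not from the original article, of a single hook that serves both directives and makes those checks explicit. It assumes the environment variables OpenVPN sets for these hooks (script_type, common_name, ifconfig_pool_remote_ip and, when an address came from the IPv6 pool, ifconfig_pool_remote_ip6), the variables file and ccd layout from above, eth0 as a placeholder uplink, and uses the 2001:db8::/32 documentation prefix in its comments; the fallback derivation from the IPv4 octet is kept only for the case where OpenVPN exports no IPv6 address.

```shell
#!/bin/sh
# Added example: one client-connect / client-disconnect hook for the setup above.
# Paths, the uplink interface and the variable names are assumptions (see lead-in).

VARS_FILE="${VARS_FILE:-/etc/openvpn/variables}"
CCD_DIR="${CCD_DIR:-/etc/openvpn/ccd}"
UPLINK="${UPLINK:-eth0}"        # interface facing the hoster's router

# last_octet_to_hex 10.18.0.101 -> 65 ; rejects octets outside 2..254
last_octet_to_hex() {
    ipp=${1##*.}
    case "$ipp" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$ipp" -ge 2 ] && [ "$ipp" -le 254 ] || return 1
    printf '%x\n' "$ipp"
}

# derive_ipv6 PREFIX IPV4 -> PREFIX + hex(last octet), e.g. 2001:db8:0:1:80::65
# (the article's heuristic; only used when OpenVPN exports no IPv6 address)
derive_ipv6() {
    hex=$(last_octet_to_hex "$2") || return 1
    printf '%s%s\n' "$1" "$hex"
}

# ccd_fixed_ipv6 FILE -> the address on an ifconfig-ipv6-push line, without /prefixlen
ccd_fixed_ipv6() {
    [ -f "$1" ] || return 1
    sed -nE 's/^[[:space:]]*ifconfig-ipv6-push[[:space:]]+([0-9a-fA-F:]+).*$/\1/p' "$1" \
        | head -n 1 | grep .
}

# in_prefix ADDR PREFIX -> 0 if ADDR textually starts with PREFIX
# (the prefix is written with its trailing "::" exactly as in the variables file)
in_prefix() {
    case "$1" in
        "$2"*) return 0 ;;
        *)     return 1 ;;
    esac
}

# safe_name NAME -> 0 if NAME can be used as a file name under the ccd directory.
# OpenVPN already remaps unsafe characters in the CN it exports; this is defence in depth.
safe_name() {
    case "$1" in
        ''|.|..|*/*) return 1 ;;
        *)           return 0 ;;
    esac
}

# resolve_client_ipv6 CN PREFIX IPV4 [POOL_IPV6] -> the address to proxy for this client:
# fixed address from the ccd file, else the pool address, else the IPv4-derived fallback;
# whatever is chosen must lie inside PREFIX.
resolve_client_ipv6() {
    cn=$1; prefix=$2; v4=$3; v6pool=${4:-}
    safe_name "$cn" || { echo "bad common_name" >&2; return 1; }
    addr=$(ccd_fixed_ipv6 "$CCD_DIR/$cn") || addr=$v6pool
    [ -n "$addr" ] || addr=$(derive_ipv6 "$prefix" "$v4") || return 1
    in_prefix "$addr" "$prefix" || { echo "$addr is outside $prefix" >&2; return 1; }
    printf '%s\n' "$addr"
}

main() {
    [ -n "${common_name:-}" ] && [ -n "${ifconfig_pool_remote_ip:-}" ] \
        || { echo "Missing environment variable." >&2; return 1; }
    . "$VARS_FILE"                      # provides $prefix (and $prefixlen)
    ipv6=$(resolve_client_ipv6 "$common_name" "$prefix" \
           "$ifconfig_pool_remote_ip" "${ifconfig_pool_remote_ip6:-}") || return 1
    case "${script_type:-}" in
        client-connect)    /sbin/ip -6 neigh add proxy "$ipv6" dev "$UPLINK" ;;
        client-disconnect) /sbin/ip -6 neigh del proxy "$ipv6" dev "$UPLINK" ;;
        *) echo "unexpected script_type '${script_type:-}'" >&2; return 1 ;;
    esac
}

# Only act when OpenVPN is calling us; sourcing the file otherwise does nothing.
if [ -n "${script_type:-}" ]; then
    main "$@"
fi
```

To use it, point both client-connect and client-disconnect in server.conf at this one file (still through sudo) and extend the sudoers env_keep list with script_type and ifconfig_pool_remote_ip6, otherwise sudo strips them and the hook refuses every client.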

As seen in the server config, openvpn will run as the user vpn, so we need to create that user

# useradd vpn

and allow this user to run our two scripts as root via sudo by adding the following to /etc/sudoers (do not edit it by hand in a plain editor; use visudo, which checks the file's syntax before saving). Since this rule turns those scripts into a path to root, the scripts and the /etc/openvpn/variables file they source must be owned by root and not writable by the vpn user:

```
Defaults:vpn env_keep += "ifconfig_pool_remote_ip common_name"
vpn ALL=NOPASSWD: /etc/openvpn/server-clientconnect.sh
vpn ALL=NOPASSWD: /etc/openvpn/server-clientdisconnect.sh
```

Now we enable IPv6 forwarding and NDP (Neighbor Discovery Protocol) proxying. With proxy_ndp the server answers neighbor solicitations on its uplink for the addresses our scripts register, so the hoster's router delivers traffic for the VPN clients to the server, which forwards it into the tunnel; this is what makes the clients reachable from the Internet at their own addresses. Add to /etc/sysctl.conf (or to a separate file in /etc/sysctl.d/, as you prefer) the lines:

```
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.proxy_ndp=1
```

and apply them with
```
# sysctl -p
```

Fixed addresses for a particular machine are set by creating a file in /etc/openvpn/ccd named after that host (the name must match the Common Name used when the machine's certificate was issued); let it be abyrvalg-laptop:

/etc/openvpn/ccd/abyrvalg-laptop
```
ifconfig-push 10.18.0.101 255.255.255.0
ifconfig-ipv6-push 2001:NNNN:NNNN:NNNN:80::1001/112 2001:NNNN:NNNN:NNNN:80::1
```

The first IPv6 address is the one issued to the host; the second is its gateway, i.e. the server's own address on tap0 (with server-ipv6 the server takes the first address of the /112).

The server is ready; now the config for the client:

abyrvalg-laptop.conf
```
# Client mode
client
# TAP device, must match the server's dev tap0
dev tap
# UDP, as on the server
proto udp
# Address/Port of VPN server
remote SERVER_IP 8149
# Don't bind to a local port/address
nobind
# Don't re-read keys or re-create the tap device on restart
persist-key
persist-tun
# User/Group (uncomment to drop privileges after start)
;user nobody
;group nobody
# Remote peer must present a certificate issued for a server
remote-cert-tls server
# Older check for the same thing (nsCertType extension); it was removed in
# OpenVPN 2.5, so drop this line on newer clients
ns-cert-type server
# Enable compression (must match the server)
comp-lzo
ca ca.crt
cert abyrvalg-laptop.crt
key abyrvalg-laptop.key
sndbuf 0
rcvbuf 0
```

Now let's start the server and the client by hand for a test. I assume the server config and certificate files are in /etc/openvpn on the server, the client config and its certificates are in /etc/openvpn on the client, the server config is named server.conf and the client config ipv6.conf.

On the server:

```
# cd /etc/openvpn
# openvpn ./server.conf
```

on the client:

```
# cd /etc/openvpn
# openvpn ./ipv6.conf
```

If everything is done correctly, then on the client the command ip -6 addr show dev tap0 will show something like

```
48: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 100
    inet6 2001:NNNN:NNNN:NNNN:80::1001/112 scope global
```


and ping6 -c 4 ipv6.google.com will show:

```
PING ipv6.google.com(lr-in-x8a.1e100.net) 56 data bytes
64 bytes from lr-in-x8a.1e100.net: icmp_seq=1 ttl=46 time=110 ms
64 bytes from lr-in-x8a.1e100.net: icmp_seq=2 ttl=46 time=113 ms
64 bytes from lr-in-x8a.1e100.net: icmp_seq=3 ttl=46 time=110 ms
64 bytes from lr-in-x8a.1e100.net: icmp_seq=4 ttl=46 time=110 ms

--- ipv6.google.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3001ms
rtt min/avg/max/mdev = 110.586/111.367/113.285/1.183 ms
```

Voila! We now have proper IPv6 on the laptop or desktop, without tunnel brokers.

To start openvpn at boot, use your distribution's usual tools; they differ from one distribution to another.

The configuration and scripts here are based on another article, which also shows examples of key generation for OpenVPN if you have not generated keys before. Unlike that article, I use udp rather than tcp, and tap rather than tun devices.

Source: https://habr.com/ru/post/321486/
