Difference between revisions of "OpenBSD OpenVPN IPv6 Tunneling"

From WTFwiki
Jump to navigation Jump to search
(IPv6 via OpenVPN via tap(4) on OpenBSD)
(No difference)

Revision as of 18:07, 20 January 2011

Assumptions

  • The "office" end has an external address of 1.2.3.4, an internal IPv4 subnet, 10.10.10.1/24, and an IPv6 subnet,2001:DB8::1/32.
  • Let's assume that the "home" end has an external address of 5.6.7.8, an internal IPv4 subnet, 10.20.20.1/24, and no existing IPv6 address prefixes.
  • There is an existing, valid, internet connection at both locations, and valid routing between the two.
  • OpenVPN is installed on both ends (the same version, we'll call it 2.1rc15 because I successfully tested the configuration below on this one).

If all of the above assumptions hold, then we can begin.. First: we'll need to setup an interface on
both ends of the link, lets use "tun0" as the example. We're going to be operating in Layer 2
tunneling mode, rather than the default for tun(4) devices, which is Layer 3 tunneling, or Point-to-Point
mode. This allows the tun(4) device to operate as though it was an ethernet card, for instance.
It isn't, but let's pretend.

Allocations

  • We'll allocate 10.30.30.0/30 as a peering subnet between the two endpoints.
  • We'll allocate 2001:DB8:FFFF:FFFF::/64 as a peering subnet between the two endpoints.
  • We'll allocate 2001:DB8:1:1::/64 as the routed subnet for "home".

Configuration Files

Office end '/etc/openvpn/openvpn.conf'

 dev tun0
 dev-type tap
 up /etc/openvpn/scripts/office-to-home.up
 secret /etc/openvpn/keys/office-to-home.key
 daemon
 port 1194
 user _openvpn
 group _openvpn
 comp-lzo
 ping 15
 verb 3
 persist-tun
 persist-key
 script-security 2
 log-append /var/log/openvpn-office-to-home.log

Office end '/etc/openvpn/scripts/office-to-home.up'

 #!/bin/sh

 ifconfig tun0 link0 up
 ifconfig tun0 inet 10.30.30.1 netmask 255.255.255.252
 ifconfig tun0 inet6 alias 2001:db8:ffff:ffff::1 prefixlen 64

Home end '/etc/openvpn/home-to-office.conf'

 dev tun0
 dev-type tap
 remote 1.2.3.4
 up /etc/openvpn/scripts/home-to-office.up
 secret /etc/openvpn/keys/home-to-office.key
 daemon
 port 1194
 user _openvpn
 group _openvpn
 comp-lzo
 ping 15
 ping-restart 45
 verb 3
 persist-tun
 persist-key
 script-security 2
 log-append /var/log/openvpn-home-to-office.log

Home '/etc/openvpn/scripts/home-to-office.up'

 #!/bin/sh

 ifconfig tun0 link0 up
 ifconfig tun0 inet 10.30.30.2 netmask 255.255.255.252
 ifconfig tun0 inet6 alias 2001:DB8:FFFF:FFFF::2 prefixlen 64

Other

I'll go ahead and assume that you can find another resource to teach you how to setup static keying
or valid certificates. Maybe I'll do another post on it someday, but probably not. That's well
documented elsewhere. So are the other unexplained options in the openvpn configs above. There is
also a shortcut variable passed to the openvpn 'up' script for the device name, but I can't remember
what it is, so if you care, go googlin'.

From the above, you should be able to fire up OpenVPN like this:

 office# /usr/local/sbin/openvpn --config /etc/openvpn/office-to-home.conf
 home# /usr/local/sbin/openvpn --config /etc/openvpn/home-to-office.conf

To troubleshoot, look at your /var/log/openvpn-....log files, check your firewall, etc etc. Once you
can ping the endpoints from eachother, you should be at a point to setup some static routes to make
this all work.

 office# route add 10.20.20.0/24 10.30.30.2
 office# route add -inet6 2001:db8:1:1:: -prefixlen 64 2001:db8:ffff:ffff::2
 home# route add 10.10.10.0/24 10.30.30.1
 home# route add -inet6 default 2001:db8:ffff:ffff::1

If you can confirm that the static routing works, then add it to the appropriate /etc/openvpn/scripts/*.up
file, and restart OpenVPN to check its validity. Rinse and repeat as necessary!