OpenBSD OpenVPN IPv6 Tunneling
IPv6 via OpenVPN via tap(4) on OpenBSD
Revision as of 18:07, 20 January 2011
Assumptions
- The "office" end has an external address of 1.2.3.4, an internal IPv4 subnet, 10.10.10.1/24, and an IPv6 subnet, 2001:DB8::1/32.
- The "home" end has an external address of 5.6.7.8, an internal IPv4 subnet, 10.20.20.1/24, and no existing IPv6 address prefixes.
- There is an existing, valid, internet connection at both locations, and valid routing between the two.
- OpenVPN is installed on both ends (the same version, we'll call it 2.1rc15 because I successfully tested the configuration below on this one).
If all of the above assumptions hold, then we can begin. First, we'll need to set up an interface on
both ends of the link; let's use "tun0" as the example. We're going to be operating in Layer 2
tunneling mode, rather than the default for tun(4) devices, which is Layer 3 tunneling, or point-to-point
mode. This allows the tun(4) device to operate as though it were an Ethernet card, for instance.
It isn't, but let's pretend.
Allocations
- We'll allocate 10.30.30.0/30 as a peering subnet between the two endpoints.
- We'll allocate 2001:DB8:FFFF:FFFF::/64 as a peering subnet between the two endpoints.
- We'll allocate 2001:DB8:1:1::/64 as the routed subnet for "home".
Configuration Files
Office end '/etc/openvpn/openvpn.conf'
dev tun0
dev-type tap
up /etc/openvpn/scripts/office-to-home.up
secret /etc/openvpn/keys/office-to-home.key
daemon
port 1194
user _openvpn
group _openvpn
comp-lzo
ping 15
verb 3
persist-tun
persist-key
script-security 2
log-append /var/log/openvpn-office-to-home.log
Office end '/etc/openvpn/scripts/office-to-home.up'
#!/bin/sh
ifconfig tun0 link0 up
ifconfig tun0 inet 10.30.30.1 netmask 255.255.255.252
ifconfig tun0 inet6 alias 2001:db8:ffff:ffff::1 prefixlen 64
Home end '/etc/openvpn/home-to-office.conf'
dev tun0
dev-type tap
remote 1.2.3.4
up /etc/openvpn/scripts/home-to-office.up
secret /etc/openvpn/keys/home-to-office.key
daemon
port 1194
user _openvpn
group _openvpn
comp-lzo
ping 15
ping-restart 45
verb 3
persist-tun
persist-key
script-security 2
log-append /var/log/openvpn-home-to-office.log
Home '/etc/openvpn/scripts/home-to-office.up'
#!/bin/sh
ifconfig tun0 link0 up
ifconfig tun0 inet 10.30.30.2 netmask 255.255.255.252
ifconfig tun0 inet6 alias 2001:db8:ffff:ffff::2 prefixlen 64
Other
I'll go ahead and assume that you can find another resource to teach you how to set up static keying
or valid certificates. Maybe I'll do another post on it someday, but probably not. That's well
documented elsewhere. So are the other unexplained options in the openvpn configs above. There is
also a shortcut variable passed to the openvpn 'up' script for the device name, but I can't remember
what it is, so if you care, go googlin'.
From the above, you should be able to fire up OpenVPN like this:
office# /usr/local/sbin/openvpn --config /etc/openvpn/office-to-home.conf
home# /usr/local/sbin/openvpn --config /etc/openvpn/home-to-office.conf
To troubleshoot, look at your /var/log/openvpn-....log files, check your firewall, etc. Once you
can ping the endpoints from each other, you should be at a point to set up some static routes to make
this all work.
office# route add 10.20.20.0/24 10.30.30.2
office# route add -inet6 2001:db8:1:1:: -prefixlen 64 2001:db8:ffff:ffff::2
home# route add 10.10.10.0/24 10.30.30.1
home# route add -inet6 default 2001:db8:ffff:ffff::1
If you can confirm that the static routing works, then add it to the appropriate /etc/openvpn/scripts/*.up
file and restart OpenVPN to check that the script still brings everything up on its own. Rinse and repeat as necessary!
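Here is the "add the routes to the .up script" step carried through, as an added example rather than a script from the page: one 'up' script that does the interface setup from the two .up scripts above and also adds the static routes that were entered by hand, so a restart of OpenVPN brings the whole path up. It is meant to be installed under both file names from the page (/etc/openvpn/scripts/office-to-home.up and /etc/openvpn/scripts/home-to-office.up, or one file and a symlink) and picks office or home from its own file name. The addresses and routes are the page's; the DRYRUN switch and the role_for helper are additions of mine. It relies on two things OpenVPN does: the 'up' script gets the device name as its first argument, and it runs before the daemon drops to user _openvpn, which is why ifconfig and route have the privileges they need here.

```shell
#!/bin/sh
# Added example (not the page's original script): one 'up' script for both
# ends of the office<->home tap tunnel.  Interface setup and static routes
# come from the page; the role (office or home) is taken from the file name
# this script is installed as.  OpenVPN passes the device name as $1 and runs
# this before switching to user _openvpn.
set -eu

# Execute a command, or with DRYRUN=1 only print it (lets you inspect the
# generated commands without root, and is what the checks below use).
run() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# Office end: 10.30.30.1 / 2001:db8:ffff:ffff::1 on the peering link, then a
# route to the home IPv4 LAN and to the /64 handed to home, via the home peer.
office_up() {
    dev=$1
    run ifconfig "$dev" link0 up
    run ifconfig "$dev" inet 10.30.30.1 netmask 255.255.255.252
    run ifconfig "$dev" inet6 alias 2001:db8:ffff:ffff::1 prefixlen 64
    run route add 10.20.20.0/24 10.30.30.2
    run route add -inet6 2001:db8:1:1:: -prefixlen 64 2001:db8:ffff:ffff::2
}

# Home end: 10.30.30.2 / 2001:db8:ffff:ffff::2 on the peering link, then a
# route to the office IPv4 LAN and an IPv6 default route through the office.
home_up() {
    dev=$1
    run ifconfig "$dev" link0 up
    run ifconfig "$dev" inet 10.30.30.2 netmask 255.255.255.252
    run ifconfig "$dev" inet6 alias 2001:db8:ffff:ffff::2 prefixlen 64
    run route add 10.10.10.0/24 10.30.30.1
    run route add -inet6 default 2001:db8:ffff:ffff::1
}

# Map a script path to a role by its file name (office-to-home.up -> office,
# home-to-office.up -> home); fails for anything else so a misnamed copy
# never configures the wrong side.
role_for() {
    case "${1##*/}" in
        office-*) echo office ;;
        home-*)   echo home ;;
        *)        return 1 ;;
    esac
}

main() {
    dev=${1:-tun0}          # $1 is the device name OpenVPN hands to 'up'
    role=$(role_for "$0") || { echo "$0: cannot tell office from home by file name" >&2; exit 1; }
    "${role}_up" "$dev"
}

# OpenVPN always passes arguments to 'up'; run by hand with none, the file
# only defines the functions above (handy for sourcing and checking).
if [ $# -gt 0 ]; then
    main "$@"
fi
```

To see what it would do on a given end without touching anything, run `DRYRUN=1 sh /etc/openvpn/scripts/home-to-office.up tun0`; the commands are printed with a leading "+" instead of being executed.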