OpenBSD OpenVPN IPv6 Tunneling - Revision history
Source: http://wtf.hijacked.us/wiki/index.php?title=OpenBSD_OpenVPN_IPv6_Tunneling (MediaWiki 1.35.0; history feed retrieved 2024-03-29)

Revisions, all by Jontow:
* 2011-01-20 23:07: new page, "IPv6 via OpenVPN via tap(4) on OpenBSD"
* 2011-01-20 23:15: "add link to blog entry" (adds the "Elsewhere..." section below)
* 2013-01-05 02:52: "2 revisions" (no change to the text)

== Elsewhere... ==

'''See my corresponding blog entry about this topic at: [http://jontow.hijacked.us/article/332/tunneling-ipv6-with-openvpn-on-openbsd http://jontow.hijacked.us/article/332/tunneling-ipv6-with-openvpn-on-openbsd]'''

<div>== Assumptions ==

* The "office" end has an external address of 1.2.3.4, an internal IPv4 subnet, 10.10.10.0/24, and an IPv6 allocation, 2001:db8::/32.
* The "home" end has an external address of 5.6.7.8, an internal IPv4 subnet, 10.20.20.0/24, and no existing IPv6 prefix.
* There is an existing, working internet connection at both locations, with valid routing between the two.
* OpenVPN is installed on both ends, at the same version; the configuration below was tested on 2.1rc15.

If all of the above assumptions hold, we can begin. First we need an interface on both ends of the link; "tun0" is used as the example. The tunnel runs in Layer 2 (Ethernet) mode rather than the default for tun(4) devices, which is Layer 3, point-to-point mode. On the OpenBSD releases this was written for, setting the "link0" flag on a tun(4) interface switches it into Layer 2 mode, and "dev-type tap" in the OpenVPN config tells OpenVPN to treat the device as a TAP interface even though it is named tun0. The device then behaves as though it were an Ethernet card. It isn't, but let's pretend. (OpenBSD 5.9 and later ship a separate tap(4) driver for Layer 2 tunnels; on those releases use a tap interface, e.g. "dev tap0", instead of tun0 with link0.)

== Allocations ==

* We'll allocate 10.30.30.0/30 as a peering subnet between the two endpoints.
* We'll allocate 2001:db8:ffff:ffff::/64 as a peering subnet between the two endpoints.
* We'll allocate 2001:db8:1:1::/64 as the routed subnet for "home".

== Configuration Files ==

=== Office end '/etc/openvpn/office-to-home.conf' ===

# tun0 runs in Layer 2 (link0) mode, so tell OpenVPN to treat it as a TAP device
dev tun0
dev-type tap
# runs (as root, before the privilege drop) once the device is open; assigns addresses
up /etc/openvpn/scripts/office-to-home.up
# static pre-shared key: the file must be identical on both ends and readable by root only
secret /etc/openvpn/keys/office-to-home.key
daemon
port 1194
# drop privileges after startup; persist-tun/persist-key keep the device and key across restarts
user _openvpn
group _openvpn
comp-lzo
ping 15
verb 3
persist-tun
persist-key
# level 2 is required for the 'up' script to be executed at all
script-security 2
log-append /var/log/openvpn-office-to-home.log

=== Office end '/etc/openvpn/scripts/office-to-home.up' ===

#!/bin/sh

# link0 switches tun(4) into Layer 2 (Ethernet) mode
ifconfig tun0 link0 up
# office side of the IPv4 and IPv6 peering subnets
ifconfig tun0 inet 10.30.30.1 netmask 255.255.255.252
ifconfig tun0 inet6 alias 2001:db8:ffff:ffff::1 prefixlen 64

=== Home end '/etc/openvpn/home-to-office.conf' ===

dev tun0
dev-type tap
# the office end's external address; the office has no 'remote' and simply listens
remote 1.2.3.4
up /etc/openvpn/scripts/home-to-office.up
# must be the same key file as the office end's office-to-home.key
secret /etc/openvpn/keys/home-to-office.key
daemon
port 1194
user _openvpn
group _openvpn
comp-lzo
ping 15
# restart the tunnel after 45 seconds without a ping from the peer
ping-restart 45
verb 3
persist-tun
persist-key
script-security 2
log-append /var/log/openvpn-home-to-office.log

=== Home end '/etc/openvpn/scripts/home-to-office.up' ===

#!/bin/sh

# link0 switches tun(4) into Layer 2 (Ethernet) mode
ifconfig tun0 link0 up
# home side of the IPv4 and IPv6 peering subnets
ifconfig tun0 inet 10.30.30.2 netmask 255.255.255.252
ifconfig tun0 inet6 alias 2001:db8:ffff:ffff::2 prefixlen 64

== Other ==

Setting up static keying or valid certificates is well documented elsewhere, so it is not covered here. For the static-key mode used above, "openvpn --genkey --secret /etc/openvpn/keys/office-to-home.key" creates the key on one end; the very same file must then be copied to the other end over a trusted channel and kept readable by root only. The other unexplained options in the configs above are covered in openvpn(8).

Two caveats worth knowing. The office end has no "remote" line, so it will answer any peer that speaks to UDP port 1194, and the shared key is the only authentication; protect the key files (mode 0600) and, where possible, restrict port 1194 to the home end's address in pf. And comp-lzo is kept above only because both ends must agree on it: compression over a VPN is now discouraged and newer OpenVPN releases deprecate the option, so it can simply be removed from both configs.

OpenVPN also passes the device name to the 'up' script as its first argument ($1), and exports it as the environment variable "dev", so the scripts above need not hard-code tun0.
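A pre-flight check for the static-key pair above, added here as an example rather than taken from the page: it compares, between the two config files, the options a static-key tunnel cannot negotiate (dev-type, proto, port, comp-lzo, cipher, auth), and verifies that the two copies of the key are byte-identical and carry no group or other read bits. It takes both configs and both key files as arguments; the function and script names are this example's own.

```shell
#!/bin/sh
# Added example (not the page's own code): pre-flight checks for a static-key
# site-to-site pair, run before starting either openvpn daemon. It confirms that
#   1. the options a static-key tunnel cannot negotiate (dev-type, proto, port,
#      comp-lzo, cipher, auth) are identical in the two configs, and
#   2. the two copies of the static key are byte-identical and not readable by
#      group or other (the key is the tunnel's only authentication).

# opt_value CONFIG OPTION: print OPTION's first argument, the bare option name
# for flag-style options such as comp-lzo, or "-" when the option is not set.
opt_value() {
    awk -v opt="$2" '
        $1 == opt { found = 1; v = ($2 == "" ? opt : $2) }
        END { print (found ? v : "-") }
    ' "$1"
}

# check_pair CONF_A CONF_B: 0 when every must-match option agrees, 1 otherwise;
# each mismatch is reported on stderr so all of them show up in one run.
check_pair() {
    rc=0
    for opt in dev-type proto port comp-lzo cipher auth; do
        va=$(opt_value "$1" "$opt")
        vb=$(opt_value "$2" "$opt")
        if [ "$va" != "$vb" ]; then
            echo "mismatch: $opt is '$va' in $1 but '$vb' in $2" >&2
            rc=1
        fi
    done
    return $rc
}

# check_keys KEY_A KEY_B: 0 when the files are identical and neither has a
# group or other read bit set (i.e. mode 0600 or stricter).
check_keys() {
    if ! cmp -s "$1" "$2"; then
        echo "static key files differ: $1 $2" >&2
        return 1
    fi
    loose=$(find "$1" "$2" \( -perm -040 -o -perm -004 \) -print)
    if [ -n "$loose" ]; then
        echo "key readable by group/other (want mode 0600):" $loose >&2
        return 1
    fi
    return 0
}

# preflight CONF_A CONF_B KEY_A KEY_B: both checks, short-circuiting on failure.
preflight() {
    check_pair "$1" "$2" && check_keys "$3" "$4"
}

# Usage when run directly, with both ends' files copied onto one host:
#   sh preflight.sh office-to-home.conf home-to-office.conf office-to-home.key home-to-office.key
if [ $# -eq 4 ]; then
    preflight "$@"
fi
```

Run it once with both ends' files side by side before the first "openvpn --config"; a comp-lzo, dev-type or port mismatch otherwise only surfaces as decryption or decompression errors in the log, long after the daemons are up.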

From the above, you should be able to fire up OpenVPN like this:

office# /usr/local/sbin/openvpn --config /etc/openvpn/office-to-home.conf

home# /usr/local/sbin/openvpn --config /etc/openvpn/home-to-office.conf

To troubleshoot, look at your /var/log/openvpn-*.log files, check your firewall (pf must pass UDP port 1194 on the external interface and traffic on tun0), and so on. Once you can ping each endpoint from the other (10.30.30.1 and 10.30.30.2, and 2001:db8:ffff:ffff::1 and ::2), you are ready to set up the static routes that make this all work. Both hosts also need forwarding enabled, or they will not pass packets between tun0 and the LAN: "sysctl net.inet.ip.forwarding=1 net.inet6.ip6.forwarding=1", persisted in /etc/sysctl.conf.

office# route add 10.20.20.0/24 10.30.30.2
office# route add -inet6 2001:db8:1:1:: -prefixlen 64 2001:db8:ffff:ffff::2

home# route add 10.10.10.0/24 10.30.30.1
home# route add -inet6 default 2001:db8:ffff:ffff::1

The home end additionally needs an address from 2001:db8:1:1::/64 on its LAN interface before hosts there can use the routed prefix.

If you can confirm that the static routing works, add the route commands to the appropriate /etc/openvpn/scripts/*.up file and restart OpenVPN to check that they are applied at startup. Rinse and repeat as necessary!</div>
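The finished 'up' script that the last step describes, written once for both ends; this is an added example, not the page's own scripts. It relies on two things the page does not use: OpenVPN passes the device name as the script's first argument, so tun0 is not hard-coded, and each config is assumed to carry a "setenv END office" or "setenv END home" line so the script knows which end it is running on (setenv is OpenVPN's option for exporting a variable to scripts). OpenVPN runs the script as root before the --user/--group drop, which is why ifconfig and route succeed. Setting DRYRUN=1 prints the commands instead of executing them, so the result can be reviewed without root.

```shell
#!/bin/sh
# Added example (not the page's own script): one 'up' script serving both ends.
# OpenVPN invokes --up as:
#   script tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip [init|restart]
# so the device name arrives in $1 (OpenVPN also exports it as $dev).
# Assumption (not on the page): each config has 'setenv END office' or
# 'setenv END home', so $END tells the script which end it is running on.
# Assumption: DRYRUN=1 prints the commands instead of executing them.

# run CMD...: execute, or print when DRYRUN is set.
run() {
    if [ -n "${DRYRUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# configure_end DEV END: Layer 2 mode, the peering addresses from the
# Allocations section, then the static routes toward the other end.
configure_end() {
    dev=$1
    end=$2
    case $end in
    office)
        run ifconfig "$dev" link0 up
        run ifconfig "$dev" inet 10.30.30.1 netmask 255.255.255.252
        run ifconfig "$dev" inet6 alias 2001:db8:ffff:ffff::1 prefixlen 64
        # home's IPv4 LAN and its routed /64 sit behind the home peer address
        run route add 10.20.20.0/24 10.30.30.2
        run route add -inet6 2001:db8:1:1:: -prefixlen 64 2001:db8:ffff:ffff::2
        ;;
    home)
        run ifconfig "$dev" link0 up
        run ifconfig "$dev" inet 10.30.30.2 netmask 255.255.255.252
        run ifconfig "$dev" inet6 alias 2001:db8:ffff:ffff::2 prefixlen 64
        # office's IPv4 LAN via the office peer; all IPv6 leaves through the tunnel
        run route add 10.10.10.0/24 10.30.30.1
        run route add -inet6 default 2001:db8:ffff:ffff::1
        ;;
    *)
        echo "$0: END must be 'office' or 'home', not '$end'" >&2
        return 1
        ;;
    esac
}

# When OpenVPN runs this script, $END comes from setenv and $1 is the device.
if [ -n "${END:-}" ]; then
    configure_end "$1" "$END"
fi
```

Install the same file as both /etc/openvpn/scripts/office-to-home.up and home-to-office.up (or point both "up" lines at one copy); only the setenv line in each config differs. Since the routes reference the peer addresses assigned a few lines earlier, keeping addresses and routes in one place avoids the two drifting apart.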