
Re-routing a Tunnelbroker IPv6 tunnel over an IPv4 OpenVPN link?

Started by pghe, August 18, 2015, 08:53:48 AM


pghe

I have configured two machines

remote
  eth0   11.22.33.44
         2600:3c01::...:XXX:1/64
  dummy0 10.30.7.1
  tun1   10.254.254.1

and

local
  eth0   55.66.77.88
  tun1   10.254.254.2
  eth1   172.30.11.100

I've established an IPv4 OpenVPN tunnel from local (client) to remote (server), and selectively route traffic to/from machines on the local LAN through it.

The remote has full, native IPv6 connectivity.

The local, and the LAN behind it, are fully IPv4 & IPv6 dual-stacked, but the ISP blocks all protocol 41 tunnel traffic.

I.e., I can't establish an HE Tunnelbroker IPv6 tunnel through that ISP.

I want to circumvent the blocking ISP, and establish an HE Tunnelbroker tunnel from the 'local' machine, over the OpenVPN tunnel.

I can easily create a Tunnelbroker tunnel. There are a couple of approaches to setting it up ...

IIUC, the HE tunnel's 'sit' interface can be set up either on the 'remote' or the 'local', with either the remote's or the local's eth0's IPv4 address as the tunnel client endpoint.

My 1st inclination is to set up 'sit' on the remote, using the remote's eth0 IPv4 as client endpoint. Whether and where to set up a radvd instance, or a DHCP-PD server, for local/LAN IPv6 configuration I'm not sure yet. Or do I need to set up a routing platform -- Quagga? -- to get this working?

In this case -- "forwarding" a Tunnelbroker tunnel over an OpenVPN link, what's the/a recommended setup?



scottlpz

I'm actually attempting to accomplish something very similar. Not unlike your situation, all of my IPv4 traffic is routed through an OpenVPN tunnel; I'm currently utilizing a packet filtering script to control what does and does not get routed through the VPN. However, there are several differences: I'm only working with one machine and I'm using one of HE's 6in4 tunnels. The problem I'm running into is that, because the remote OpenVPN server doesn't support IPv6, I am unable to utilize IPv6 at all.

Initially I looked into tinkering with iptables, specifically the NAT table, but I think I'm barking up the wrong tree. It looks like the solution to this issue is to create a tunnel between the OpenVPN connection and the 6in4 tunnel. I believe this is possible using PPTP or L2TP/IPSec, but honestly this is all way over my head.

Dpal

OpenVPN server has an IPv4 white address. Clients can connect from any network.

0. Get from HE additional networks on your ipv6 tunnel:

IPv6 Tunnel Endpoints
Server IPv4 Address:   x.x.x.x
Server IPv6 Address:   xxxxx:xxx:xxxx:xxxx::xxx/64
Client IPv4 Address:   y.y.y.y
Client IPv6 Address:   xxxxx:xxxxx:xxxx:xxxx::xxx/64

Routed IPv6 Prefixes
Routed /64:            2222:aaaa:bbbb:cccc::/64
Routed /48:            1111:aaaa:bbbb::/48


network plan:
INTERNET<------OpenvpnServer[2222:aaaa:bbbb:cccc::1]<----openvpn-via-ipv4------[2222:aaaa:bbbb:cccc::101] client1 ------- LAN [1111:aaaa:bbbb:1::]
                                                                              <----openvpn-via-ipv4------[2222:aaaa:bbbb:cccc::102] client2 ------- LAN [1111:aaaa:bbbb:2::]



1. Setup openvpn server:

/etc/network/interfaces

# ... (other stanzas here)
auto eth0
iface eth0 inet static
  address y.y.y.y
  netmask mmmmmm
  gateway mmmmmm

# HE 6in4 tunnel: the server's eth0 address y.y.y.y is the tunnel client endpoint
auto he-ipv6
iface he-ipv6 inet6 v4tunnel
        address xxxxx:xxxxx:xxxx:xxxx::xxx
        netmask 64
        endpoint x.x.x.x
        local y.y.y.y
        ttl 255
        gateway xxxxx:xxx:xxxx:xxxx::xxx


/etc/openvpn/server.conf

port 1194
proto udp
# <------ STRONGLY USE TAP DEVICE (for ipv6 support)
dev tap0

ca keys/ca.crt
cert keys/server.crt
key keys/server.key
crl-verify /etc/openvpn/keys/crl.pem

dh keys/dh1024.pem
server 192.168.200.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
client-to-client
keepalive 10 120
comp-lzo

user root
group root

persist-key
persist-tun

status openvpn-status.log

log         openvpn.log
verb 3

script-security 3 system
# the up script below is /etc/openvpn/server.up
up      /etc/openvpn/server.up


/etc/openvpn/ccd/client1

ifconfig-push 192.168.200.101 255.255.255.0


/etc/openvpn/ccd/client2

ifconfig-push 192.168.200.102 255.255.255.0


/etc/openvpn/server.up

#!/bin/sh

# setting up ipv6 address for tap device
/sbin/ip -6 addr add 2222:aaaa:bbbb:cccc::1/64 dev tap0

# route to ipv6 network 1 via client1
/sbin/ip -6 route add 1111:aaaa:bbbb:1::/64 via 2222:aaaa:bbbb:cccc::101 dev tap0
# route to ipv6 network 2 via client2
/sbin/ip -6 route add 1111:aaaa:bbbb:2::/64 via 2222:aaaa:bbbb:cccc::102 dev tap0

##### add some ip6tables firewalling if needed #####
####################################################

#enable forwarding
/sbin/sysctl -w net.ipv6.conf.all.forwarding=1
exit 0



2. Setup client1

/etc/network/interfaces

# ... (other stanzas here)

# this is a LAN part

allow-hotplug eth1
iface eth1 inet static
    address 10.0.1.1
    netmask 255.255.255.0
   
iface eth1 inet6 static
    address             1111:aaaa:bbbb:1::1
    netmask             64
    autoconf            0
    dad-attempts        0
    accept_ra           0
    post-up /sbin/sysctl -w net.ipv6.conf.all.forwarding=1


/etc/openvpn/client.conf

client
dev tap0
proto udp

remote my.openvpnserver.great 1194

resolv-retry infinite
nobind
persist-key
persist-tun

ca   keys/ca.crt
cert keys/client1.crt
key  keys/client1.key
ns-cert-type server

comp-lzo
verb 3
log /var/log/openvpn-client.log

script-security 3 system
up      /etc/openvpn/client.up
down    /etc/openvpn/client.down


/etc/openvpn/client.up

#!/bin/bash

# Remember the current IPv4 default gateway ("via a.b.c.d") so client.down can restore it
DEFGW=$(ip route | grep '^default' | cut -d ' ' -f 2,3)
echo -n "$DEFGW" > /etc/openvpn/defgw
# Keep the OpenVPN server itself reachable through the ISP, not through the tunnel
/sbin/ip route add my.openvpnserver.great $DEFGW

# Not needed if we don't want IPv4 to go via our OpenVPN
/sbin/ip route del default
/sbin/ip route add default via 192.168.200.1
/sbin/ip route flush cache
/sbin/iptables -I FORWARD -i tap0 -o eth1 -j ACCEPT
/sbin/iptables -I FORWARD -i eth1 -o tap0 -j ACCEPT
/sbin/iptables -t nat -I POSTROUTING -o tap0 -j MASQUERADE
/sbin/iptables -P FORWARD DROP
/sbin/sysctl -w net.ipv4.ip_forward=1

### IPV6 TUNING FOR TAP0 ####
# Static addressing only: ignore any router advertisements seen on the tap link
/sbin/sysctl -w net.ipv6.conf.tap0.accept_ra=0
/sbin/ip -6 addr add 2222:aaaa:bbbb:cccc::101/64 dev tap0
/sbin/ip -6 route add default via 2222:aaaa:bbbb:cccc::1 dev tap0

exit 0


/etc/openvpn/client.down

#!/bin/bash

DEFGW=$(cat /etc/openvpn/defgw)

# Restore the original IPv4 default route and remove the host route to the server
/sbin/ip route del default
/sbin/ip route add default $DEFGW
/sbin/ip route del my.openvpnserver.great $DEFGW
/sbin/ip route flush cache
rm /etc/openvpn/defgw

# disabling ipv4 over openvpn
/sbin/iptables -D FORWARD -i tap0 -o eth1 -j ACCEPT
/sbin/iptables -D FORWARD -i eth1 -o tap0 -j ACCEPT
/sbin/iptables -t nat -D POSTROUTING -o tap0 -j MASQUERADE
/sbin/iptables -P FORWARD DROP

exit 0


Now we set up dnsmasq for our LAN

/etc/dnsmasq.conf

interface=eth1
dhcp-range=10.0.1.100,10.0.1.200,1h
dhcp-range=1111:aaaa:bbbb:1::1000,1111:aaaa:bbbb:1::2000,slaac
enable-ra


Same for client2 (with the 1111:aaaa:bbbb:2:: network) and so on.

You mean this?
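A stateful IPv6 firewall for client1's LAN, filling in the "add some ip6tables firewalling if needed" gap in the setup above: once the server routes the /48 to the clients, every LAN host is reachable from the IPv6 Internet through tap0 unless the client router filters it. This is an added example, not Dpal's configuration; it assumes Dpal's interface names (eth1 for the LAN, tap0 for the VPN) and routed prefix, and emits ip6tables-restore syntax so the rules can be reviewed before they are applied. The same stateful pattern would also tighten the IPv4 side, where client.up accepts everything arriving from tap0 into eth1.

```shell
#!/bin/sh
# Added example, not from the thread: stateful ip6tables ruleset for a client in
# Dpal's layout. The OpenVPN server forwards the routed /48 unfiltered, so every
# host on the LAN behind eth1 is reachable from the IPv6 Internet through tap0
# unless this router filters it. Interface names and prefix are Dpal's; pass
# your own as arguments.

# Print an ip6tables-restore ruleset.
# $1 = LAN interface, $2 = VPN interface, $3 = routed prefix assigned to the LAN
lan_ip6_ruleset() {
    lan_if=$1; vpn_if=$2; lan_prefix=$3
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections opened from the LAN or from this router
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ICMPv6 carries PMTUD and neighbour discovery; IPv6 breaks without it
-A FORWARD -p icmpv6 -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
-A INPUT -i lo -j ACCEPT
# LAN hosts may leave via the VPN only with a source inside our routed prefix,
# so a misconfigured or hostile host cannot spoof other prefixes via the server
-A FORWARD -i $lan_if -o $vpn_if -s $lan_prefix -j ACCEPT
# Services this router offers to the LAN: DNS and DHCPv6 from dnsmasq
-A INPUT -i $lan_if -p udp --dport 53 -j ACCEPT
-A INPUT -i $lan_if -p tcp --dport 53 -j ACCEPT
-A INPUT -i $lan_if -p udp --dport 547 -j ACCEPT
# Unsolicited traffic arriving on $vpn_if for the LAN falls to the FORWARD DROP policy
COMMIT
EOF
}

# Count rules in a ruleset (stdin) that match on a given input interface
count_rules_for() {
    grep -c -e "-i $1 " || true
}

# Apply only when asked explicitly; otherwise print the ruleset for review
if [ "${1:-}" = "--apply" ]; then
    lan_ip6_ruleset eth1 tap0 1111:aaaa:bbbb:1::/64 | ip6tables-restore
else
    lan_ip6_ruleset eth1 tap0 1111:aaaa:bbbb:1::/64
fi
```

For client2 the same script is called with its own prefix (1111:aaaa:bbbb:2::/64); hosts inside the LAN still initiate connections normally because the conntrack rule admits the replies.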