
Re-routing a Tunnelbroker IPv6 tunnel over an IPv4 OpenVPN link?

Started by pghe, August 18, 2015, 08:53:48 AM



I have configured two machines




I've established an IPv4 OpenVPN tunnel from local (client) to remote (server), and selectively route traffic to/from machines on the local LAN through it.

The remote has full, native IPv6 connectivity.

The local, and the LAN behind it, are fully IPv4 & IPv6 dual-stacked, but the ISP blocks all protocol 41 tunnel traffic.

I.e., I can't establish an HE Tunnelbroker IPv6 tunnel through that ISP.

I want to circumvent the blocking ISP, and establish an HE Tunnelbroker tunnel from the 'local' machine, over the OpenVPN tunnel.

I can easily create a Tunnelbroker tunnel.  There are a couple of approaches to setting it up ...

IIUC, the HE tunnel's 'sit' interface can be set up either on the 'remote' or the 'local', with either the remote's or the local's eth0 IPv4 address as the tunnel client endpoint.

My 1st inclination is to set up 'sit' on the remote, using the remote's eth0 IPv4 as client endpoint.  Whether and where to set up a radvd instance, or a DHCP-PD server, for local/LAN IPv6 configuration I'm not sure yet. Or do I need to set up a routing platform -- Quagga? -- to get this working?

In this case -- "forwarding" a Tunnelbroker tunnel over an OpenVPN link, what's the/a recommended setup?


I'm actually attempting to accomplish something very similar. Not unlike your situation, all of my IPv4 traffic is routed through an OpenVPN tunnel; I'm currently utilizing a packet filtering script to control what does and does not get routed through the VPN. However, there are several differences: I'm only working with one machine and I'm using one of HE's 6in4 tunnels. The problem I'm running into is that, because the remote OpenVPN server doesn't support IPv6, I am unable to utilize IPv6 at all.

Initially I looked into tinkering with iptables, specifically the NAT table, but I think I'm barking up the wrong tree. It looks like the solution to this issue is to create a tunnel between the OpenVPN connection and the 6in4 tunnel. I believe this is possible using PPTP or L2TP/IPSec, but honestly this is all way over my head.


The OpenVPN server has a public IPv4 address. Clients can connect from any network.

0. Get additional networks from HE on your IPv6 tunnel:

IPv6 Tunnel Endpoints
Server IPv4 Address:     x.x.x.x
Server IPv6 Address:     xxxxx:xxx:xxxx:xxxx::xxx/64
Client IPv4 Address:       y.y.y.y
Client IPv6 Address:       xxxxx:xxxxx:xxxx:xxxx::xxx/64

Routed IPv6 Prefixes
Routed /64:            2222:aaaa:bbbb:cccc::/64
Routed /48:            1111:aaaa:bbbb::/48

network plan:
INTERNET<------OpenvpnServer[2222:aaaa:bbbb:cccc::1]<----openvpn-via-ipv4------[2222:aaaa:bbbb:cccc::101] client1 ------- LAN [1111:aaaa:bbbb:1::]
                                                                              <----openvpn-via-ipv4------[2222:aaaa:bbbb:cccc::102] client2 ------- LAN [1111:aaaa:bbbb:2::]

1. Setup openvpn server:


auto eth0
iface eth0
  address y.y.y.y
  netmask mmmmmm
  gateway mmmmmm

auto he-ipv6
iface he-ipv6 inet6 v4tunnel
        address xxxxx:xxxxx:xxxx:xxxx::xxx
        netmask 64
        endpoint x.x.x.x
        local y.y.y.y
        ttl 255
        gateway xxxxx:xxx:xxxx:xxxx::xxx


port 1194
proto udp
dev tap0 # <------ STRONGLY recommended: use a TAP device (for IPv6 support)

ca keys/ca.crt
cert keys/server.crt
key keys/server.key 
crl-verify /etc/openvpn/keys/crl.pem

dh keys/dh1024.pem
ifconfig-pool-persist ipp.txt
client-config-dir ccd
keepalive 10 120

user root
group root


status openvpn-status.log

log         openvpn.log
verb 3

script-security 3 system
up      ./up-server.sh


up-server.sh:

# setting up ipv6 address for tap device
/sbin/ip -6 addr add 2222:aaaa:bbbb:cccc::1/64 dev tap0

# route to ipv6 network 1 via client1
/sbin/ip -6 route add 1111:aaaa:bbbb:1::/64 via 2222:aaaa:bbbb:cccc::101 dev tap0
# route to ipv6 network 2 via client2
/sbin/ip -6 route add 1111:aaaa:bbbb:2::/64 via 2222:aaaa:bbbb:cccc::102 dev tap0

##### add some ip6tables firewalling if needed #####

#enable forwarding
/sbin/sysctl -w net.ipv6.conf.all.forwarding=1
exit 0

2. Setup client1



# this is a LAN part

allow-hotplug eth1
iface eth1 inet static
iface eth1 inet6 static
    address             1111:aaaa:bbbb:1::1
    netmask             64
    autoconf            0
    dad-attempts        0
    accept_ra           0
    post-up /sbin/sysctl -w net.ipv6.conf.all.forwarding=1


dev tap0
proto udp

remote my.openvpnserver.great 1194

resolv-retry infinite

ca   keys/ca.crt
cert keys/client1.crt
key  keys/client1.key
ns-cert-type server

verb 3
log /var/log/openvpn-client.log

script-security 3 system
up      /etc/openvpn/client.up
down    /etc/openvpn/client.down

/etc/openvpn/client.up:

DEFGW=`ip route | grep default | cut -d ' ' -f 2,3`
echo -n $DEFGW > /etc/openvpn/defgw
/sbin/ip route add my.openvpnserver.great $DEFGW

# not needed if we don't want IPv4 traffic to go via our OpenVPN
/sbin/ip route del default
/sbin/ip route add default via <OPENVPN_SERVER_TAP_IPV4>   # placeholder: the server's tap0 IPv4 address, not given in the post
/sbin/ip route flush cache
/sbin/iptables -I FORWARD -i tap0 -o eth1 -j ACCEPT
/sbin/iptables -I FORWARD -i eth1 -o tap0 -j ACCEPT
/sbin/iptables -t nat -I POSTROUTING -o tap0 -j MASQUERADE
/sbin/iptables -P FORWARD DROP
/sbin/sysctl -w net.ipv4.ip_forward=1

/sbin/sysctl -w net.ipv6.conf.tap0.accept_ra=0
/sbin/ip -6 addr add 2222:aaaa:bbbb:cccc::101/64 dev tap0
/sbin/ip -6 route add default via 2222:aaaa:bbbb:cccc::1 dev tap0

exit 0

/etc/openvpn/client.down:

DEFGW=`cat /etc/openvpn/defgw`

/sbin/ip route del default
/sbin/ip route add default $DEFGW
/sbin/ip route flush cache
rm /etc/openvpn/defgw

# disabling ipv4 over openvpn
/sbin/iptables -D FORWARD -i tap0 -o eth1 -j ACCEPT
/sbin/iptables -D FORWARD -i eth1 -o tap0 -j ACCEPT
/sbin/iptables -t nat -D POSTROUTING -o tap0 -j MASQUERADE
/sbin/iptables -P FORWARD DROP

exit 0

Now we set up dnsmasq for our LAN:


dhcp-range=1111:aaaa:bbbb:1::1000, 1111:aaaa:bbbb:1::2000, slaac

The same for client2 (with the 1111:aaaa:bbbb:2:: network), and so on.
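As an added example (not code from this thread or from any poster), the following POSIX shell script derives from the addressing plan above the per-client routes the server's up script adds by hand, and fills the "add some ip6tables firewalling if needed" placeholder with a minimal stateful forward policy. It assumes the convention shown in the plan: client N has transit address 2222:aaaa:bbbb:cccc::(100+N) on tap0 and is the next hop for 1111:aaaa:bbbb:N::/64. The interface name he-ipv6 is taken from the server's interfaces file; the "apply" mode and the CLIENTS variable are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): derive the server-side IPv6 routes and a
# minimal stateful forward policy for the OpenVPN server from the plan above.
# Assumed convention (as in the plan): client N sits at ${TRANSIT}::<100+N> on
# tap0 and is the next hop for ${LAN48}:N::/64.  The number is emitted as
# printed decimal digits, which are valid hex groups (::101, ::102, ...).
TRANSIT="2222:aaaa:bbbb:cccc"   # routed /64 reused as the OpenVPN transit network
LAN48="1111:aaaa:bbbb"          # routed /48, one /64 per client LAN
TAP="tap0"                      # OpenVPN TAP device on the server
HE_IF="he-ipv6"                 # the server's 6in4 interface from its interfaces file

# server_routes N: print the "ip -6 route add" commands for clients 1..N.
server_routes() {
  n=1
  while [ "$n" -le "$1" ]; do
    printf '/sbin/ip -6 route add %s:%d::/64 via %s::%d dev %s\n' \
      "$LAN48" "$n" "$TRANSIT" $((100 + n)) "$TAP"
    n=$((n + 1))
  done
}

# server_fw_rules: print ip6tables rules for the "add some ip6tables firewalling"
# placeholder.  Client LANs may open connections outward through the HE tunnel;
# only replies, related traffic and ICMPv6 (needed for PMTU discovery and ND)
# are forwarded back in; everything else that would be forwarded is dropped.
server_fw_rules() {
  cat <<EOF
/sbin/ip6tables -P FORWARD DROP
/sbin/ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A FORWARD -p icmpv6 -j ACCEPT
/sbin/ip6tables -A FORWARD -i $TAP -s $LAN48::/48 -o $HE_IF -j ACCEPT
EOF
}

# Default: print the commands (dry run).  "apply" pipes them to sh; run that as
# root from up-server.sh.  CLIENTS selects how many client entries to generate.
case "${1:-print}" in
  apply) { server_routes "${CLIENTS:-2}"; server_fw_rules; } | sh ;;
  *)     server_routes "${CLIENTS:-2}"; server_fw_rules ;;
esac
```

Run without arguments to review the generated commands; `CLIENTS=2 sh gen-server.sh apply` (as root, e.g. from up-server.sh, which runs once per tunnel start) installs them. With this policy the hosts on the client LANs are not reachable from the Internet unless a rule is opened for them; the ICMPv6 rule can be narrowed to the types listed in RFC 4890 if a tighter policy is wanted.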

You mean this?