IPV6 over OpenVPN tunnel
This post is a fast tutorial on how I created my own IPV6 tunnel over OpenVPN.
I have a Xen VPS with VR.org – 256 MB RAM, 10 GB disk space, 200GB data transfer/month and Debian Squeeze installed, with IPV6 connectivity. This is perfect for my needs.
I am not going to go into the details of how to install and configure OpenVPN over Debian – for that, refer to this article.
Once you have your OpenVPN server up and running, here is how to get IPV6 working:
Server side modifications
1. Edit your OpenVPN server configuration and change dev tun to dev tap – yes we will use the tap device to get IPv6 working.
Also add the following line as the very first line of the configuration:
script-security 3 system
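This line allows OpenVPN to execute user-defined scripts. Level 2 is already enough for that; level 3 additionally lets OpenVPN pass passwords to scripts through environment variables, which none of the scripts below use.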
2. Add the following lines to the end of the server configuration:
client-connect /etc/openvpn/client-connect.sh
client-disconnect /etc/openvpn/client-disconnect.sh
These two scripts build/destroy the IPv6 tunnel each time a client connects/disconnects.
Here is the content of client-connect.sh
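#!/bin/bash
# Run by OpenVPN on client-connect; $dev is the tap device name set by OpenVPN.
BASERANGE="2a00:dd80:003d:000c"
ifconfig "$dev" up
# Server end of the tunnel
ifconfig "$dev" add ${BASERANGE}:1001::1/64
# Answer Neighbor Discovery on eth0 for the client end of the tunnel
ip -6 neigh add proxy ${BASERANGE}:1001::2 dev eth0
exit 0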
My host assigns me IPV6 addresses from the 2a00:dd80:003d:000c::/64 block. Hence, I use
2a00:dd80:003d:000c as the BASERANGE. Modify this value as per what your host has assigned you.
Each time a client connects to OpenVPN, this script assigns the address 2a00:dd80:003d:000c:1001::1 as the IPV6 address of the tap0 interface of the server.
The last line sets up Neighbor Discovery for our tunnel. I have added the IPv6 address of the client side tap0 connection as the proxy address. Read all about IPv6 Neighbor Discovery…
Here is the content of client-disconnect.sh
#!/bin/bash
BASERANGE="2a00:dd80:003d:000c"
# Remove the address that client-connect.sh added (note the :1001: part)
/sbin/ip -6 addr del ${BASERANGE}:1001::1/64 dev "$dev"
exit 0
This just deletes the IPv6 tunnel address of the server, when the client disconnects. Modify the value of BASERANGE as appropriate.
3. Make the scripts executable:
chmod 700 /etc/openvpn/client-connect.sh
chmod 700 /etc/openvpn/client-disconnect.sh
4. Add the following entries to /etc/rc.local (You can also modify the appropriate sysctls in /etc/sysctl.conf)
echo 1 >/proc/sys/net/ipv6/conf/all/proxy_ndp
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
/etc/init.d/firewall stop && /etc/init.d/firewall start
These entries activate Neighbor Discovery and Forwarding. I have also added a firewall.
5. Create /etc/init.d/firewall and put in the following content:
#!/bin/sh
# description: Firewall
IPT=/sbin/iptables
IPT6=/sbin/ip6tables
case "$1" in
start)
$IPT -F INPUT
$IPT -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -i eth0 -p icmp -j ACCEPT
$IPT -A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT
$IPT -A INPUT -i tap+ -j ACCEPT
$IPT -A FORWARD -i tap+ -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t nat -F POSTROUTING
$IPT -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
$IPT -A INPUT -i eth0 -j DROP
$IPT6 -F INPUT
$IPT6 -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT6 -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
$IPT6 -A INPUT -i eth0 -p icmpv6 -j ACCEPT
$IPT6 -A FORWARD -s 2a00:dd80:003d:000c::/64 -i tap0 -o eth0 -j ACCEPT
$IPT6 -A INPUT -i eth0 -j DROP
exit 0
;;
stop)
$IPT -F
$IPT6 -F
exit 0
;;
*)
echo "Usage: /etc/init.d/firewall {start|stop}"
exit 1
;;
esac
Modify the IPv6 prefix (2a00:dd80:003d:000c::/64) in the ip6tables FORWARD rule as appropriate.
6. Run /etc/rc.local and start the firewall:
sh /etc/rc.local
This completes the server side modifications.
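The ip6tables rules above leave the FORWARD chain at its existing policy (ACCEPT by default), so the tunnel client's global IPv6 address stays reachable from the Internet through eth0. As an added example (not part of the original post), the function below prints a stateful FORWARD rule set for the same prefix; the name fw6_forward_rules and the APPLY and IPT6 variables are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the original post: stateful IPv6 FORWARD rules
# for the routed tunnel prefix. Prints the commands; APPLY=1 runs them.

# fw6_forward_rules PREFIX TAP_IF WAN_IF   (hypothetical helper)
fw6_forward_rules() {
    prefix=$1 tap_if=$2 wan_if=$3
    ipt6=${IPT6:-/sbin/ip6tables}

    # Accept only hex digits, colons and a slash: the value ends up in
    # commands that run as root.
    case $prefix in
        ''|*[!0-9A-Fa-f:/]*) echo "bad prefix: $prefix" >&2; return 1 ;;
        *:*/*) ;;
        *) echo "bad prefix: $prefix" >&2; return 1 ;;
    esac
    # Same strictness for interface names ("tap+" wildcards are allowed).
    for ifname in "$tap_if" "$wan_if"; do
        case $ifname in
            ''|*[!A-Za-z0-9_.+-]*)
                echo "bad interface: $ifname" >&2; return 1 ;;
        esac
    done

    # Dry-run by default so the rule set can be reviewed first.
    run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

    run "$ipt6" -F FORWARD
    # Default-deny: new connections from the Internet to tunnel clients
    # are dropped unless a rule below accepts them.
    run "$ipt6" -P FORWARD DROP
    # Replies to connections the client opened, plus related ICMPv6 errors.
    run "$ipt6" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Outbound traffic from the tunnel, only with a source inside the prefix.
    run "$ipt6" -A FORWARD -i "$tap_if" -o "$wan_if" -s "$prefix" -j ACCEPT
}

# Review:  fw6_forward_rules "2a00:dd80:3d:c::/64" tap0 eth0
# Apply:   APPLY=1 fw6_forward_rules "2a00:dd80:3d:c::/64" tap0 eth0
```

This only touches the IPv6 FORWARD chain; the INPUT rules from /etc/init.d/firewall are unaffected.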
Client side modifications
1. Edit your OpenVPN client configuration and change dev tun to dev tap – yes we will use the tap device to get IPv6 working.
Also add the following line as the very first line of the configuration:
script-security 3 system
This line allows OpenVPN to execute user-defined scripts.
2. Add the following as the last lines of your client configuration:
# create the ipv6 tunnel
up /etc/openvpn/up.sh
down /etc/openvpn/down.sh
# need this so when the client disconnects it tells the server
explicit-exit-notify
The up and down scripts build/destroy the IPV6 client end points of the client tap0 connection each time a client connects/disconnects to or from the OpenVPN server.
Here is the content of up.sh
#!/bin/bash
IPV6BASE="2a00:dd80:3d:c"
ifconfig $dev up
ifconfig $dev add ${IPV6BASE}:1001::2/64
ip -6 route add default via ${IPV6BASE}:1001::1
exit 0
The script assigns the IPV6 address 2a00:dd80:3d:c:1001::2 as the client IPV6 address and sets the default IPV6 route through the server.
Modify IPV6BASE to be the same as BASERANGE in the server configuration.
Here is the content of down.sh
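#!/bin/bash
IPV6BASE="2a00:dd80:3d:c"
# Remove the default route and address that up.sh added (note the :1001: part),
# while the link is still up
/sbin/ip -6 route del default via ${IPV6BASE}:1001::1
/sbin/ip -6 addr del ${IPV6BASE}:1001::2/64 dev "$dev"
/sbin/ip link set dev "$dev" down
exit 0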
This just deletes the IPV6 address of the client and tears down the IPV6 route when the client disconnects from the server.
Modify IPV6BASE to be the same as BASERANGE in the server configuration.
3. Make these scripts executable:
chmod 700 /etc/openvpn/up.sh
chmod 700 /etc/openvpn/down.sh
4. Optionally, modify /etc/resolv.conf and add Google’s IPV6 nameservers for DNS resolution:
nameserver 2001:4860:4860::8888
nameserver 2001:4860:4860::8844
Connect and Enjoy
Restart openvpn on the server and then connect to it from the client. You should be connected.
Visit test-ipv6.com to see that your IPV6 connectivity over OpenVPN is working.
Just for information, here are my OpenVPN server and client configurations.
Enjoy.
Written by Michael R.M. David