Adding IPv6 support

Support for IPv6 addresses is relatively new in OpenVPN. As IPv6 addresses are now being used more and more by companies and Internet Service Providers, this recipe provides a setup for using IPv6 for tunnel endpoints as well as using it inside the tunnel.

Getting ready

This recipe is a continuation of the previous one. Install OpenVPN 2.3.9 or higher on two computers. Make sure the computers are connected over a network. Set up the client and server certificates using the previous recipe. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.9 and the client was running Fedora 20 Linux and OpenVPN 2.3.9. Keep the configuration file, basic-udp-server.conf, from the previous recipe at hand as well as the client configuration file, basic-udp-client.conf.

How to do it...

  1. Modify the server configuration file, basic-udp-server.conf, by adding a line:

        server-ipv6 2001:db8:100::0/112

     Then save it as example2-4-server.conf.

  2. Start the server:

        [root@server]# openvpn --config example2-4-server.conf
        [...]
        do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=1
        /sbin/ip link set dev tun0 up mtu 1500
        /sbin/ip addr add dev tun0 10.200.0.1/24 broadcast 10.200.0.255
        /sbin/ip -6 addr add 2001:db8:100::1/112 dev tun0
        [...]
    
  3. Start the client using the configuration file from the previous recipe:

        [root@client]# openvpn --config basic-udp-client.conf
        [...]
        [openvpnserver] Peer Connection Initiated with [AF_INET]openvpnserver:1194
        TUN/TAP device tun0 opened
        do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=1
        /usr/sbin/ip link set dev tun0 up mtu 1500
        /usr/sbin/ip addr add dev tun0 10.200.0.2/24 broadcast 10.200.0.255
        /usr/sbin/ip -6 addr add 2001:db8:100::1000/112 dev tun0
        Initialization Sequence Completed

     The do_ifconfig line with tt->ipv6=1 and the ip -6 addr add line show that OpenVPN has configured an IPv6 address on the tunnel interface.

  4. Verify that we can reach the server using the ping6 command:

        [client]$ ping6 -c 4 2001:db8:100::1
        PING 2001:db8:100::1(2001:db8:100::1) 56 data bytes
        64 bytes from 2001:db8:100::1: icmp_seq=1 ttl=64 time=9.01 ms
        64 bytes from 2001:db8:100::1: icmp_seq=2 ttl=64 time=10.8 ms
        64 bytes from 2001:db8:100::1: icmp_seq=3 ttl=64 time=9.42 ms
        64 bytes from 2001:db8:100::1: icmp_seq=4 ttl=64 time=8.36 ms
        --- 2001:db8:100::1 ping statistics ---
        4 packets transmitted, 4 received, 0% packet loss, time 3004ms
        rtt min/avg/max/mdev = 8.364/9.409/10.832/0.904 ms
    

How it works...

IPv6 support in OpenVPN works almost exactly like IPv4. The addressing format is different and most options need an extra -ipv6 suffix.

There's more...

There are a couple of useful tricks to keep in mind when using client configuration files. Some of these tricks are explained here.

IPv6 endpoints

If the server openvpnserver.example.com resolves to an IPv6 address and the client has a valid IPv6 address, then the connection can be automatically established using IPv6. This is achieved by changing the proto udp line in both client and server configurations to proto udp6. It is then also possible to specify an IPv6 address for the server in the client configuration, using the following directive:

remote 2001:db8:120:e120:225:90ff:fec0:3ed1

Note that even with proto udp6 in the server configuration file, IPv4 clients can still connect.

IPv6-only setup

Even with OpenVPN 2.4, it is not yet possible to set up an IPv6-only VPN. You must always supply a (bogus) IPv4 address range for the VPN IP space. However, with OpenVPN 2.4, it is possible to set up an OpenVPN server that will accept requests only from IPv6-enabled clients. A new flag for the bind directive was added for this:

proto udp6 
bind ipv6only 
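
The following is an added example, not part of the original recipe or of OpenVPN itself: a small audit script that reads a server configuration and reports the IPv6 tunnel prefix, whether an IPv4 range is still present, and whether the transport accepts IPv4 clients, covering both the IPv6 endpoints and the IPv6-only setup described above. The sample configuration is constructed (its IPv4 range is inferred from the 10.200.0.1/24 address in the server log), and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: the IPv4 range is inferred from 10.200.0.1/24 in the server log.
SAMPLE_SERVER_CONF = """\
proto udp
port 1194
dev tun
server 10.200.0.0 255.255.255.0
server-ipv6 2001:db8:100::0/112   # line added in step 1
"""

def parse_directives(text):
    """Map each directive to its argument lists; a token starting with '#' or ';' begins a comment."""
    directives = {}
    for line in text.splitlines():
        tokens = []
        for tok in line.split():
            if tok[0] in "#;":
                break
            tokens.append(tok)
        if tokens:
            directives.setdefault(tokens[0], []).append(tokens[1:])
    return directives

def audit_ipv6(text):
    """Summarise the tunnel and transport IPv6 settings of a server config."""
    d = parse_directives(text)
    report = {"tunnel_v6": None, "server_v6_addr": None,
              "transport": "ipv4-only", "findings": []}
    for args in d.get("server-ipv6", []):
        try:
            net = ipaddress.IPv6Network(args[0], strict=True)
            report["tunnel_v6"] = str(net)
            report["server_v6_addr"] = str(net[1])  # ::1, as seen in the server log
        except (IndexError, ValueError) as exc:
            report["findings"].append(f"bad server-ipv6 argument: {exc}")
    if "server-ipv6" in d and "server" not in d:
        report["findings"].append("no IPv4 'server' range; one is still required")
    proto_args = d.get("proto", [["udp"]])[-1]
    proto = proto_args[0] if proto_args else "udp"  # OpenVPN defaults to udp
    v6only = any("ipv6only" in args for args in d.get("bind", []))
    if "6" in proto:
        report["transport"] = "ipv6-only" if v6only else "dual-stack"
        if not v6only:
            report["findings"].append("IPv4 clients can still connect (no 'bind ipv6only')")
    elif v6only:
        report["findings"].append("'bind ipv6only' without an IPv6 proto")
    return report

if __name__ == "__main__":
    print(audit_ipv6(SAMPLE_SERVER_CONF))
```

Run it against a copy of example2-4-server.conf to confirm which address families the listener accepts before exposing the server.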