For the final recipe of this chapter, we will show how to integrate IPv6 settings into TAP-style networks. TAP-style networks have been able to carry IPv6 traffic for longer than TUN-style networks, because a TAP-style network provides an Ethernet-like layer that can transport almost any network protocol, including IPv6, even when OpenVPN itself knows nothing about the addresses in use. In OpenVPN 2.3, IPv6 support was extended so that an OpenVPN server can assign IPv6 addresses to connecting clients from a pool; the addresses are pushed over the OpenVPN control channel in the same way as IPv4 addresses are, so no DHCPv6 is involved. In this recipe, we will show how to do that.
Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, both the server computer and the client computer were running CentOS 6 Linux and OpenVPN 2.3.10. Keep the server configuration file example3-1-server.conf and the client configuration file example3-1-client.conf from the first recipe of this chapter at hand.
We use the following network layout: the VPN is the TAP-style network 192.168.99.0/24 from the first recipe of this chapter, to which the server adds the IPv6 prefix 2001:db8:99::/112. The server takes 2001:db8:99::1 on its tap0 interface and hands out client addresses from this prefix, starting at 2001:db8:99::1000.

Modify the server configuration file example3-1-server.conf by adding a line:
server-ipv6 2001:db8:99::0/112
Save it as example3-9-server.conf and start the server:
[root@server]# openvpn --config example3-9-server.conf
Next, start the client:
[root@client1]# openvpn --config example3-1-client.conf --suppress-timestamps
OpenVPN 2.3.10 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jan 4 2016
library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.03
Control Channel Authentication: using '/etc/openvpn/cookbook/ta.key' as a OpenVPN static key file
UDPv4 link local: [undef]
UDPv4 link remote: [AF_INET]openvpnserver:1194
[openvpnserver] Peer Connection Initiated with [AF_INET]openvpnserver:1194
TUN/TAP device tap0 opened
do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=1
/sbin/ip link set dev tap0 up mtu 1500
/sbin/ip addr add dev tap0 192.168.99.2/24 broadcast 192.168.99.255
/sbin/ip -6 addr add 2001:db8:99::1000/112 dev tap0
Initialization Sequence Completed
Note that we have suppressed timestamps in the log output using the command-line directive --suppress-timestamps.
Verify that IPv6 traffic flows through the tunnel by pinging the server's VPN address from the client with the ping6 command:
[client]$ ping6 -c 4 2001:db8:99::1
PING 2001:db8:99::1(2001:db8:99::1) 56 data bytes
64 bytes from 2001:db8:99::1: icmp_seq=1 ttl=64 time=0.620 ms
64 bytes from 2001:db8:99::1: icmp_seq=2 ttl=64 time=0.630 ms
64 bytes from 2001:db8:99::1: icmp_seq=3 ttl=64 time=0.631 ms
64 bytes from 2001:db8:99::1: icmp_seq=4 ttl=64 time=0.627 ms

--- 2001:db8:99::1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.620/0.627/0.631/0.004 ms
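The configuration step above, written as a small script. This is an added example and is not part of the cookbook or of OpenVPN itself: it copies example3-1-server.conf to example3-9-server.conf and appends the server-ipv6 line, but first applies the two checks that OpenVPN 2.3 makes when it starts, namely that a server directive is present (server-ipv6 is only accepted together with server) and that the prefix length lies between /64 and /112. The file names, the prefix and the TAP check come from this recipe; the function names and the exact messages are assumptions.

```shell
#!/bin/sh
# Added example, not from the cookbook: build example3-9-server.conf from
# example3-1-server.conf by appending a server-ipv6 line, with the sanity
# checks OpenVPN 2.3 itself applies at start-up (assumed from its option
# parser: --server-ipv6 needs --server, and the prefix must be /64 to /112).

# valid_server_ipv6 PREFIX: 0 if PREFIX is <ipv6>/<bits> with 64 <= bits <= 112.
valid_server_ipv6() {
    case $1 in
        *:*/*) ;;                  # must contain a colon (IPv6) and a prefix length
        *) return 1 ;;
    esac
    bits=${1##*/}
    case $bits in
        ''|*[!0-9]*) return 1 ;;   # non-numeric prefix length
    esac
    [ "$bits" -ge 64 ] && [ "$bits" -le 112 ]
}

# add_server_ipv6 SRC DST PREFIX: copy SRC to DST and append "server-ipv6 PREFIX"
# unless DST already has one. Prints the number of server-ipv6 lines in DST,
# so a second run on its own output still prints 1 instead of duplicating the line.
add_server_ipv6() {
    src=$1; dst=$2; prefix=$3
    if ! valid_server_ipv6 "$prefix"; then
        echo "refusing: '$prefix' is not an IPv6 prefix between /64 and /112" >&2
        return 1
    fi
    # OpenVPN rejects server-ipv6 unless the IPv4 server directive is present
    if ! grep -Eq '^server[[:space:]]' "$src"; then
        echo "refusing: $src has no 'server' line; server-ipv6 needs it" >&2
        return 1
    fi
    grep -Eq '^dev[[:space:]]+tap' "$src" || echo "warning: $src is not a TAP config" >&2
    cp "$src" "$dst"
    grep -Eq '^server-ipv6[[:space:]]' "$dst" || printf 'server-ipv6 %s\n' "$prefix" >> "$dst"
    grep -Ec '^server-ipv6[[:space:]]' "$dst"
}
```

Source the file and run add_server_ipv6 example3-1-server.conf example3-9-server.conf 2001:db8:99::0/112; it prints 1 when exactly one server-ipv6 line ended up in the new file, refuses a /120 prefix or an IPv4 network, and can be re-run on its own output without adding a second line.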
IPv6 support for TAP-style networks is nearly identical to IPv6 support for TUN-style networks. By adding a single line to the server configuration file, we provide IPv6 addresses to the connecting VPN clients:
server-ipv6 2001:db8:99::0/112
The server takes the first address of the prefix, 2001:db8:99::1, for its own tap interface, and client addresses are taken from a pool inside the same prefix, which is why the client log above shows 2001:db8:99::1000 being configured on tap0. Note that server-ipv6 only works alongside the IPv4 server directive; it does not replace it.
The same directives ending in -ipv6 that apply to TUN-based setups (ifconfig-ipv6, ifconfig-ipv6-pool, ifconfig-ipv6-push, route-ipv6, and push "route-ipv6 ...") also apply to TAP-style networks.
The firewall rules for IPv6 traffic are slightly different from the firewall rules for IPv4 traffic: they live in a separate table managed with ip6tables, and IPv6 depends on ICMPv6 for neighbour discovery (the counterpart of ARP on a TAP link), so a ruleset that blocks all ICMPv6 breaks connectivity even when the unicast rules are correct. Also, with TAP-style networks, it is often useful to allow all incoming and outgoing traffic on the tap+ adapter range. This can be especially helpful when debugging a non-working setup:
# iptables -I INPUT -i tap+ -j ACCEPT
# iptables -I OUTPUT -o tap+ -j ACCEPT
# ip6tables -I INPUT -i tap+ -j ACCEPT
# ip6tables -I OUTPUT -o tap+ -j ACCEPT
# iptables -I FORWARD -i tap+ -j ACCEPT
# iptables -I FORWARD -o tap+ -j ACCEPT
# ip6tables -I FORWARD -i tap+ -j ACCEPT
# ip6tables -I FORWARD -o tap+ -j ACCEPT
Note that such rules should be used for debugging purposes only. They are inserted (-I) at the top of each chain, so they take precedence over any rules already in place, and they open the FORWARD chain as well, which lets every VPN client route to whatever the server can reach. Remove them, or replace them with rules restricted to the VPN prefix, before putting the server into production.
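As an added example that is not from the cookbook, here is the production counterpart of the debugging rules above: an ip6tables ruleset for the server's tap interface that accepts only traffic from the 2001:db8:99::/112 prefix this recipe hands out, while still letting neighbour discovery through, plus a check that the blanket tap+ rules have been removed. The interface name tap0, the choice to drop all FORWARD traffic, and the sample ip6tables -S lines used for the check are assumptions; the rules are printed rather than executed so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the cookbook: ip6tables rules for the VPN server's
# tap interface that accept only the prefix OpenVPN hands out (this recipe's
# 2001:db8:99::/112), instead of the tap+ accept-everything debugging rules.
# Assumed: interface tap0, no IPv6 routing between VPN clients and the LAN.

# gen_vpn6_rules IFACE PREFIX: print the rules (review them, then pipe to sh).
gen_vpn6_rules() {
    iface=$1; prefix=$2
    cat <<EOF
# Neighbour discovery (ICMPv6 types 135/136) replaces ARP on a TAP link. It is
# sent from link-local (fe80::) or unspecified (::) sources, never from the VPN
# prefix, so these rules must not carry -s $prefix or nothing will resolve.
ip6tables -A INPUT  -i $iface -p icmpv6 --icmpv6-type neighbour-solicitation  -j ACCEPT
ip6tables -A INPUT  -i $iface -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
ip6tables -A OUTPUT -o $iface -p icmpv6 --icmpv6-type neighbour-solicitation  -j ACCEPT
ip6tables -A OUTPUT -o $iface -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
# Only addresses from the pool may talk to the server through the tunnel;
# this covers ping6 from clients as well as TCP/UDP services on the server.
ip6tables -A INPUT  -i $iface -s $prefix -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -o $iface -d $prefix -j ACCEPT
# Everything else arriving on $iface (spoofed sources, stray router
# advertisements) is logged at a bounded rate, then dropped.
ip6tables -A INPUT  -i $iface -m limit --limit 5/min -j LOG --log-prefix "vpn6-drop: "
ip6tables -A INPUT  -i $iface -j DROP
# Clients may not use the server as an IPv6 router; add explicit FORWARD
# rules for the LAN prefix if you do want that.
ip6tables -A FORWARD -i $iface -j DROP
ip6tables -A FORWARD -o $iface -j DROP
EOF
}

# has_debug_rules: read "ip6tables -S" (or "iptables -S") output on stdin and
# succeed if the blanket tap+ ACCEPT rules from a debugging session are still
# loaded. Use: ip6tables -S | has_debug_rules && echo "debug rules still loaded"
has_debug_rules() {
    grep -Eq -- '-(i|o) tap\+ -j ACCEPT'
}
```

Run gen_vpn6_rules tap0 2001:db8:99::/112 to see the rules, and gen_vpn6_rules tap0 2001:db8:99::/112 | sh to apply them as root. The neighbour discovery rules deliberately have no source restriction: restricting them to the VPN prefix is the most common way an otherwise correct IPv6 ruleset ends up with a tunnel that pings nothing.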