In this recipe, we extend the complete site-to-site network recipe to include support for IPv6.
Install OpenVPN 2.3.9 or higher on two computers. Make sure the computers are connected over a network. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.9 and the client was running Fedora 22 Linux and OpenVPN 2.3.10. We'll use the secret.key file from the OpenVPN secret keys recipe here.
We will use the following network layout:
Create the server configuration file:

```
dev tun
proto udp
local openvpnserver.example.com
lport 1194
remote openvpnclient.example.com
rport 1194
secret secret.key 0
ifconfig 10.200.0.1 10.200.0.2
route 192.168.4.0 255.255.255.0
tun-ipv6
ifconfig-ipv6 2001:db8:100::1 2001:db8:100::2
user nobody
group nobody # use "group nogroup" on some distros
persist-tun
persist-key
keepalive 10 60
ping-timer-rem
verb 3
daemon
log-append /tmp/openvpn.log
```

Save it as example1-9-server.conf.
Next, create the client configuration file:

```
dev tun
proto udp
local openvpnclient.example.com
lport 1194
remote openvpnserver.example.com
rport 1194
secret secret.key 1
ifconfig 10.200.0.2 10.200.0.1
route 172.31.32.0 255.255.255.0
tun-ipv6
ifconfig-ipv6 2001:db8:100::2 2001:db8:100::1
user nobody
group nobody # use "group nogroup" on some distros
persist-tun
persist-key
keepalive 10 60
ping-timer-rem
verb 3
```

Save it as example1-9-client.conf.
Start the server:

```
[root@server]# openvpn --config example1-9-server.conf
```

This is the code for the client end:

```
[root@client]# openvpn --config example1-9-client.conf
```
Now our site-to-site tunnel is established. We can verify the IPv6 part of it by pinging the server's tunnel address from the client:

```
[client]$ ping6 -c 4 2001:db8:100::1
PING 2001:db8:100::1(2001:db8:100::1) 56 data bytes
64 bytes from 2001:db8:100::1: icmp_seq=1 ttl=64 time=7.43 ms
64 bytes from 2001:db8:100::1: icmp_seq=2 ttl=64 time=7.54 ms
64 bytes from 2001:db8:100::1: icmp_seq=3 ttl=64 time=7.77 ms
64 bytes from 2001:db8:100::1: icmp_seq=4 ttl=64 time=7.42 ms

--- 2001:db8:100::1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 7.425/7.546/7.778/0.177 ms
```
Both client and server configuration files are very similar to the ones from the Complete site-to-site setup recipe, with the addition of the following two lines:
```
tun-ipv6
ifconfig-ipv6 2001:db8:100::2 2001:db8:100::1
```
This enables IPv6 support alongside the default IPv4 support. Also, in the client configuration, the options daemon and log-append are not present, hence all of the OpenVPN output is sent to the screen and the process keeps running in the foreground.
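The two static-key configuration files have to be mirror images of each other: the local and remote addresses of ifconfig and ifconfig-ipv6 swap places, the key directions are 0 and 1, and tun-ipv6 must be present on both ends, otherwise the tunnel comes up without IPv6 or does not pass traffic at all. The following shell script is an added example, not part of the recipe or of OpenVPN, that cross-checks such a pair before the tunnel is started; the write_sample_pair function and the file names it writes are constructed for the demonstration and modelled on the two files above.

```shell
#!/bin/sh
# Added example, not from the recipe: cross-check a static-key site-to-site
# config pair. Each side's "ifconfig"/"ifconfig-ipv6" pair must mirror the
# other side's, "secret" must use key direction 0 on one end and 1 on the
# other, and "tun-ipv6" must be present in both files.

# pair_of OPTION FILE: print the two address arguments of OPTION (first match).
pair_of() { awk -v o="$1" '$1 == o { print $2, $3; exit }' "$2"; }

# check_pair SERVER_CONF CLIENT_CONF: return 0 when consistent, 1 otherwise.
check_pair() {
  srv="$1"; cli="$2"; rc=0
  for opt in ifconfig ifconfig-ipv6; do
    set -- $(pair_of "$opt" "$srv"); s_loc="$1"; s_rem="$2"
    set -- $(pair_of "$opt" "$cli"); c_loc="$1"; c_rem="$2"
    if [ -z "$s_loc" ] || [ -z "$c_loc" ]; then
      echo "FAIL: $opt missing on one side"; rc=1
    elif [ "$s_loc" != "$c_rem" ] || [ "$s_rem" != "$c_loc" ]; then
      echo "FAIL: $opt not mirrored ($s_loc/$s_rem vs $c_loc/$c_rem)"; rc=1
    fi
  done
  for f in "$srv" "$cli"; do
    grep -q '^tun-ipv6' "$f" || { echo "FAIL: tun-ipv6 missing in $f"; rc=1; }
  done
  dirs=$(awk '$1 == "secret" { print $3 }' "$srv" "$cli" | tr -d '\n')
  case "$dirs" in
    01|10) ;;
    *) echo "FAIL: secret key directions must be 0 and 1 (got '$dirs')"; rc=1 ;;
  esac
  return $rc
}

# write_sample_pair DIR: constructed files modelled on example1-9-{server,client}.conf,
# plus a bad client that copied the server's IPv6 addresses instead of swapping them.
write_sample_pair() {
  printf '%s\n' 'dev tun' 'secret secret.key 0' 'ifconfig 10.200.0.1 10.200.0.2' \
    'tun-ipv6' 'ifconfig-ipv6 2001:db8:100::1 2001:db8:100::2' > "$1/server.conf"
  printf '%s\n' 'dev tun' 'secret secret.key 1' 'ifconfig 10.200.0.2 10.200.0.1' \
    'tun-ipv6' 'ifconfig-ipv6 2001:db8:100::2 2001:db8:100::1' > "$1/client.conf"
  printf '%s\n' 'dev tun' 'secret secret.key 1' 'ifconfig 10.200.0.2 10.200.0.1' \
    'tun-ipv6' 'ifconfig-ipv6 2001:db8:100::1 2001:db8:100::2' > "$1/bad-client.conf"
}

# Demo: the good pair passes, the mis-copied client is rejected.
d=$(mktemp -d)
write_sample_pair "$d"
check_pair "$d/server.conf" "$d/client.conf" && echo "pair OK"
check_pair "$d/server.conf" "$d/bad-client.conf" || echo "bad pair rejected as expected"
rm -rf "$d"
```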
Let's talk a bit about log file errors and the IPv6-only tunnel.
If we take a closer look at the client-side connection output, we will see a few error messages after pressing Ctrl + C, most notably the following:

```
RTNETLINK answers: operation not permitted
```
This is a side-effect when you use the user nobody option to protect an OpenVPN setup, and it often confuses new users. What happens is this:

1. OpenVPN starts as root, opens the appropriate tun device, and sets the right IPv4 and IPv6 addresses on this tun interface.
2. For extra security, OpenVPN then switches to nobody, dropping all the privileges associated with root.
3. When OpenVPN terminates (in our case, by pressing Ctrl + C), it closes the access to the tun device and tries to remove the IPv4 and IPv6 addresses assigned to that device. At this point, the error messages appear, as nobody is not allowed to perform these operations.
4. Upon termination of the OpenVPN process, the Linux kernel closes the tun device and all the configuration settings are removed.
In this case, these error messages are harmless, but in general, one should pay close attention to the warning and error messages that are printed by OpenVPN.
- The recipe Complete site-to-site setup, earlier in this chapter, in which an IPv4-only site-to-site setup is explained in detail.
- The last recipe of Chapter 6, Troubleshooting OpenVPN - Configurations, which explains how to interpret the OpenVPN log files in detail.