Redirecting the IPv6 default gateway

With the advent of IPv6 networks, it is becoming increasingly important to be able to set up a VPN that secures both IPv4 and IPv6 traffic. If only IPv4 traffic is sent over the VPN tunnel, a dual-stack client still reaches IPv6-enabled hosts over its native IPv6 connection, bypassing the tunnel entirely; since most operating systems prefer IPv6 over IPv4 when both are available, this is a real leak rather than a corner case. In this recipe, we will set up OpenVPN to secure all IPv6 traffic as well. Support for this was added in OpenVPN 2.4.

Getting ready

The network layout used in this recipe is the same as in the Server-side routing recipe.

This recipe uses the PKI files created in the first recipe of this chapter. Install OpenVPN 2.4 or higher on two computers. Make sure the computers are connected over a network. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.4 and the client was running Fedora 20 Linux and OpenVPN 2.4. For the server, keep the IPv6 configuration file, example2-4-server.conf, from the Adding IPv6 support recipe at hand. For the client, keep the configuration file, basic-udp-client.conf, from the Server-side routing recipe at hand.

How to do it...

  1. Create the server configuration file by adding a line to the example2-4-server.conf file:
            push "redirect-gateway ipv6 !ipv4" 
    

    Save it as example2-8-server.conf.

  2. Start the server:
           [root@server]# openvpn --config example2-8-server.conf
    
  3. In another server terminal, enable IPv6 forwarding. Note that this is a separate sysctl from net.ipv4.ip_forward, and that sysctl -w does not survive a reboot; add the setting to /etc/sysctl.conf to make it permanent:
           [root@server]# sysctl -w net.ipv6.conf.all.forwarding=1
    
  4. Start the client:
          [root@client]# openvpn --config basic-udp-client.conf
    [...]
    add_route_ipv6(::/3 -> 2001:db8:100::1 metric -1) dev tun1
    add_route_ipv6(2000::/4 -> 2001:db8:100::1 metric -1) dev tun1
    add_route_ipv6(3000::/4 -> 2001:db8:100::1 metric -1) dev tun1
    add_route_ipv6(fc00::/7 -> 2001:db8:100::1 metric -1) dev tun1
    Initialization Sequence Completed
    

How it works...

When the client connects to the OpenVPN server, a special redirect statement is pushed out by the server to the OpenVPN client:

push "redirect-gateway ipv6 !ipv4" 

The configuration flag ipv6 tells the OpenVPN client to redirect all of the IPv6 traffic over the tunnel. Rather than replacing the client's existing default route, it adds four more specific routes to the client operating system, exactly the ones shown in the client log above:

::/3 
2000::/4 
3000::/4 
fc00::/7 

Together, 2000::/4 and 3000::/4 cover the whole 2000::/3 global unicast range that is currently allocated, ::/3 covers the (mostly reserved) space below 2000::, and fc00::/7 covers unique local addresses. Because these routes are more specific than the ::/0 default route, they take precedence while the original default route is left in place; this is the IPv6 counterpart of the 0.0.0.0/1 and 128.0.0.0/1 routes that the def1 variant of redirect-gateway installs for IPv4. Link-local (fe80::/10) and multicast (ff00::/8) traffic is not covered and stays on the local link. This effectively redirects all of the IPv6 traffic over the VPN tunnel.

The second flag, !ipv4, tells the OpenVPN client not to redirect IPv4 traffic; without it, redirect-gateway ipv6 redirects both IPv4 and IPv6. It was added to this example to demonstrate that it is also possible to redirect IPv6 traffic only.

There's more...

It is possible to achieve almost the same behavior by adding the following lines to the server configuration file:

push "route-ipv6 2000::/4" 
push "route-ipv6 3000::/4" 
push "route-ipv6 fc00::/7" 

This is supported in OpenVPN 2.3 as well. However, there is a very important caveat: if the client connects to the OpenVPN server over IPv6, the server's own address falls inside one of these prefixes (every global unicast address is in 2000::/4 or 3000::/4), so the encrypted traffic to the server is also routed into the tunnel and the tunnel collapses on itself. The ipv6 flag introduced in OpenVPN 2.4 overcomes this problem: as redirect-gateway already does for IPv4, it keeps a more specific host route for the server's address via the client's original IPv6 gateway, so the tunnel endpoint remains reachable outside the tunnel.
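The following shell script is an added example and is not part of the book or of OpenVPN itself. It checks, from the output of ip -6 route show on the client, whether the four redirect prefixes described under How it works are really routed over the tun device, and whether the VPN server (when reached over IPv6) has the bypassing host route that the caveat above depends on. The two route tables embedded in the script are constructed samples; apart from the tunnel gateway 2001:db8:100::1 from the recipe, the interface names and addresses in them are assumptions.

```shell
#!/bin/sh
# Added example (not from the book): verify on an OpenVPN client that the
# IPv6 redirect is in place, working from the text of `ip -6 route show`.
# The route tables below are constructed samples; every address except the
# tunnel gateway 2001:db8:100::1 used in the recipe is an assumption.

# The four prefixes OpenVPN 2.4 installs for "redirect-gateway ipv6",
# matching the add_route_ipv6 lines in the client log above.
REDIRECT_PREFIXES="::/3 2000::/4 3000::/4 fc00::/7"

# check_ipv6_redirect ROUTES
# Returns 0 when every redirect prefix is routed over a tun device,
# otherwise prints the prefixes that still leak and returns 1.
check_ipv6_redirect() {
    routes="$1"
    missing=""
    for p in $REDIRECT_PREFIXES; do
        if ! printf '%s\n' "$routes" | grep -q "^$p .*dev tun"; then
            missing="$missing $p"
        fi
    done
    if [ -n "$missing" ]; then
        echo "IPv6 prefixes not routed via tun:$missing" >&2
        return 1
    fi
    return 0
}

# check_server_host_route ROUTES SERVER_ADDR
# When the VPN server itself is reached over IPv6, its address must have a
# host route that bypasses the tunnel, because any global unicast address
# falls inside 2000::/4 or 3000::/4. Returns 0 if such a route exists, 1 if
# the only path to the server would be through the tunnel.
check_server_host_route() {
    routes="$1"
    server="$2"
    printf '%s\n' "$routes" | grep "^$server " | grep -qv "dev tun"
}

# Constructed sample: client table after "redirect-gateway ipv6", with the
# server at 2001:db8:2::10 (assumed) reached over IPv6 and the host route
# OpenVPN adds for it via the pre-VPN gateway 2001:db8:1::1 (assumed).
GOOD_ROUTES='2001:db8:2::10 via 2001:db8:1::1 dev eth0 metric 1024 pref medium
::/3 via 2001:db8:100::1 dev tun1 metric 1024 pref medium
2000::/4 via 2001:db8:100::1 dev tun1 metric 1024 pref medium
3000::/4 via 2001:db8:100::1 dev tun1 metric 1024 pref medium
fc00::/7 via 2001:db8:100::1 dev tun1 metric 1024 pref medium
2001:db8:100::/64 dev tun1 proto kernel metric 256 pref medium
2001:db8:1::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via 2001:db8:1::1 dev eth0 metric 1024 pref medium'

# Constructed sample: only the three "push route-ipv6" lines from the
# section above were used, so there is no ::/3 route and no host route
# for the server.
LEAKY_ROUTES='2000::/4 via 2001:db8:100::1 dev tun1 metric 1024 pref medium
3000::/4 via 2001:db8:100::1 dev tun1 metric 1024 pref medium
fc00::/7 via 2001:db8:100::1 dev tun1 metric 1024 pref medium
2001:db8:100::/64 dev tun1 proto kernel metric 256 pref medium
2001:db8:1::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via 2001:db8:1::1 dev eth0 metric 1024 pref medium'

# On a real client run:  check_ipv6_redirect "$(ip -6 route show)"
# and, if you connect to the server over IPv6:
#   check_server_host_route "$(ip -6 route show)" <server IPv6 address>
check_ipv6_redirect "$GOOD_ROUTES" && echo "good table: IPv6 redirect in place"
check_ipv6_redirect "$LEAKY_ROUTES" || echo "leaky table: ::/3 not covered"
check_server_host_route "$LEAKY_ROUTES" 2001:db8:2::10 || echo "leaky table: server endpoint would be routed into the tunnel"
```

The checks deliberately match on the prefix at the start of the line and on "dev tun", so a route that exists but points at the physical interface is reported as a leak, which is exactly the failure you want to catch after a client reconnect or a routing-daemon restart on the client.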
