Integrating IPv6 into TAP-style networks

For the final recipe of this chapter, we will show how to integrate IPv6 settings into TAP-style networks. TAP-style networks have had support for IPv6 traffic longer than TUN-style networks, as a TAP-style network provides an Ethernet-like layer. This layer is capable of transporting almost any kind of network protocol, including IPv6. In OpenVPN 2.3, better IPv6 support was added so that an OpenVPN server could provide a DHCP pool with IPv6 addresses. In this recipe, we will show just how to do that.

Getting ready

Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, both the server computer and the client computer were running CentOS 6 Linux and OpenVPN 2.3.10. For the server, keep the configuration file example3-1-server.conf from the first recipe of this chapter at hand. For the client, keep the client configuration file example3-1-client.conf from the first recipe of this chapter at hand.

We use the following network layout:

How to do it...

  1. Modify the server configuration file, example3-1-server.conf, by adding a line:
    server-ipv6 2001:db8:99::0/112
    
  2. Save it as example3-9-server.conf.
  3. Start the server:
    [root@server]# openvpn --config example3-9-server.conf
    
  4. Start the client:
    [root@client1]# openvpn --config example3-1-client.conf --suppress-timestamps
    OpenVPN 2.3.10 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jan  4 2016
    library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.03
    Control Channel Authentication: using '/etc/openvpn/cookbook/ta.key' as a OpenVPN static key file
    UDPv4 link local: [undef]
    UDPv4 link remote: [AF_INET]openvpnserver:1194
    [openvpnserver] Peer Connection Initiated with [AF_INET]openvpnserver:1194
    TUN/TAP device tap0 opened
    do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=1
    /sbin/ip link set dev tap0 up mtu 1500
    /sbin/ip addr add dev tap0 192.168.99.2/24 broadcast 192.168.99.255
    /sbin/ip -6 addr add 2001:db8:99::1000/112 dev tap0
    Initialization Sequence Completed
    

    Note that we have suppressed timestamps in the log file using the command-line directive --suppress-timestamps.

  5. After the VPN is established, verify that we can reach the server using the ping6 command:
    [client]$ ping6 -c 4 2001:db8:99::1
    PING 2001:db8:99::1(2001:db8:99::1) 56 data bytes
    64 bytes from 2001:db8:99::1: icmp_seq=1 ttl=64 time=0.620 ms
    64 bytes from 2001:db8:99::1: icmp_seq=2 ttl=64 time=0.630 ms
    64 bytes from 2001:db8:99::1: icmp_seq=3 ttl=64 time=0.631 ms
    64 bytes from 2001:db8:99::1: icmp_seq=4 ttl=64 time=0.627 ms
    --- 2001:db8:99::1 ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3000ms
    rtt min/avg/max/mdev = 0.620/0.627/0.631/0.004 ms
    

How it works...

IPv6 support for TAP-style networks is nearly identical to IPv6 support for TUN-style networks. By adding a single line to the server configuration file, we provide IPv6 addresses to the connecting VPN clients:

server-ipv6 2001:db8:99::0/112 

The same directives, ending in -ipv6, which apply to TUN-based setups, also apply to TAP-style networks.

There's more...

The firewall rules for IPv6 traffic are slightly different from the firewall rules for IPv4 traffic. Also, with TAP-style networks, it is often useful to allow all incoming and outgoing traffic on the tap+ adapter range. This can be especially helpful when debugging a non-working setup:

# iptables -I INPUT -i tap+ -j ACCEPT
# iptables -I OUTPUT -o tap+ -j ACCEPT
# ip6tables -I INPUT -i tap+ -j ACCEPT
# ip6tables -I OUTPUT -o tap+ -j ACCEPT
# iptables -I FORWARD -i tap+ -j ACCEPT
# iptables -I FORWARD -o tap+ -j ACCEPT
# ip6tables -I FORWARD -i tap+ -j ACCEPT
# ip6tables -I FORWARD -o tap+ -j ACCEPT

Note that such rules should be used for debugging purposes only.
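
Once debugging is finished, it is worth confirming that none of these blanket rules were left behind. The following is an added example, not part of the original recipe: it scans a rule listing in the format printed by `iptables -S` or `ip6tables -S` and reports every rule that accepts all traffic on tap+ with no further match. The function names and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the recipe): find the debug-only blanket ACCEPT
# rules on tap+ in a rule listing read from stdin.
# Input format: one rule per line, as printed by `iptables -S` / `ip6tables -S`.

# Print every rule that accepts all traffic on tap+ with no other match.
# Rules with extra matches (-p, -m state, a specific tapN, ...) are ignored.
find_debug_tap_rules() {
    awk '
        NF == 6 && $1 == "-A" &&
        ($2 == "INPUT" || $2 == "OUTPUT" || $2 == "FORWARD") &&
        ($3 == "-i" || $3 == "-o") && $4 == "tap+" &&
        $5 == "-j" && $6 == "ACCEPT"
    '
}

# Print only the number of such rules.
count_debug_tap_rules() {
    find_debug_tap_rules | wc -l | tr -d ' '
}

# Constructed sample listing: three debug rules mixed with narrower rules.
SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i tap+ -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i tap+ -p ipv6-icmp -j ACCEPT
-A FORWARD -i tap+ -j ACCEPT
-A FORWARD -o tap+ -j ACCEPT
-A FORWARD -i tap0 -o eth0 -m state --state NEW -j ACCEPT'

# Demo on the constructed sample: prints the three blanket rules.
printf '%s\n' "$SAMPLE_RULES" | find_debug_tap_rules

# On a live host (as root), audit both address families in one pass:
#   { iptables -S; ip6tables -S; } | find_debug_tap_rules
```

Each reported rule can be deleted with the same command that inserted it, using -D in place of -I.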

See also

  • The Adding IPv6 support recipe from Chapter 2, Client-server IP-only Networks, in which IPv6 support is added to a very similar TUN-style setup