IPv6 over openvpn server
Shadow Hawkins on Monday, 01 August 2011 02:04:07
I got this working on my own. The situation is an IPv6/IPv4 LAN with openvpn in server mode, which supports IPv4 only. Openvpn server mode allows a number of laptops (running Fedora linux) to securely connect to the home server from anywhere in the world (tested in Ecuador and Israel). The key to bringing IPv6 as well is 6in4 protocol 41. The openvpn server uses private net 192.168.110.0/24, and the LAN has public IPv6 2001:db8:1234:8888::/64.
My first thought was to assign the sit2 tunnel 2002:c0a8:6e00::/40, and let 6to4 automatically forward packets to the proper IPv4 node. This works - but of course the IPs are effectively private. I then assigned a /80 public net in 2001:db8:1234:8888:6e00::/72 to each node, and routed through the 2002:c0a8:6e00::/40 net. That worked for talking IPv6 through the private net, but when a node tried to ping out globally, it would use the 2002:c0a8 IP from the tunnel, which is of course not reachable. I *think* this could be fixed by assigning a global IP as the primary for the tunnel (which would be used for outgoing packets?) and the 2002:c0a8 IP as the secondary. I haven't tested this yet. Here is what I *did* do and test:
/etc/sysconfig/ifcfg-sit2:
--------------------------
DEVICE=sit2
IPV6INIT=yes
IPV6_MTU=1384
IPV6TUNNELIPV4=any
IPV6TUNNELIPV4LOCAL=192.168.110.1
#IPV6ADDR=2002:c0a8:6e01::1/40
IPV6ADDR=2001:db8:1234:8888:6e01::1/72
/etc/sysconfig/route6-sit2:
---------------------------
2001:db8:1234:8888:6e0a::/80 via ::192.168.110.10 dev sit2
2001:db8:1234:8888:6e1a::/80 via ::192.168.110.26 dev sit2
2001:db8:1234:8888:6e2e::/80 via ::192.168.110.46 dev sit2
and so on ... a lot more trouble than the 6to4 solution. I think the routes could be added by a client up script on the openvpn server, but I just added the ones I needed statically. The private IPs are permanently assigned to nodes by SSL certificate.
On the client nodes, the config looks like this:
/etc/sysconfig/ifcfg-sit1:
--------------------------
DEVICE=sit1
IPV6INIT=yes
IPV6_MTU=1384
#
# For static tunnels
IPV6TUNNELIPV4=192.168.110.1
IPV6TUNNELIPV4LOCAL=192.168.110.10
IPV6ADDR=2001:db8:1234:8888:6e0a::1/80
/etc/sysconfig/route6-sit1:
---------------------------
default dev sit1
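
The post above suggests the server-side routes could be added by a script instead of statically. The following is an added example, not part of the original post or the poster's code: it derives each client's /80 route from its VPN IPv4 address using the thread's addressing plan, and validates the address first because such a hook runs as root. The function names, the DRY_RUN switch, and the use of OpenVPN's --client-connect hook with $ifconfig_pool_remote_ip are assumptions.

```shell
#!/bin/sh
# Added example, constructed from the thread's addressing plan.
V6_BASE="2001:db8:1234:8888"   # LAN /64 from the post
V4_NET="192.168.110"           # openvpn private net from the post
TUN_DEV="sit2"                 # server-side sit device from the post

# Print "<prefix>/80 via ::<ipv4> dev sit2" for one client VPN address.
# Returns 1 for anything that is not a client host in 192.168.110.0/24.
client_route() {
    addr=$1
    case $addr in
        ''|*[!0-9.]*) return 1 ;;       # digits and dots only
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr                        # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] && [ "$1.$2.$3.$4" = "$addr" ] || return 1
    [ "$1.$2.$3" = "$V4_NET" ] || return 1
    case $4 in                          # no leading zeros: printf would read octal
        [1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    # .1 is the server's own tunnel endpoint, .255 is broadcast
    [ "$4" -ge 2 ] && [ "$4" -le 254 ] || return 1
    # Third and fourth octets form one hex group: 110.10 -> 6e0a
    printf '%s:%02x%02x::/80 via ::%s dev %s\n' "$V6_BASE" "$3" "$4" "$addr" "$TUN_DEV"
}

# Print (DRY_RUN=1, the default here) or install the route for one client.
apply_route() {
    route=$(client_route "$1") || { echo "rejected address: $1" >&2; return 1; }
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "ip -6 route replace $route"
    else
        ip -6 route replace $route      # unquoted on purpose: validated words only
    fi
}

# Assumed wiring: as an OpenVPN --client-connect hook the assigned address
# arrives in $ifconfig_pool_remote_ip; a non-zero exit refuses the client.
if [ -n "${ifconfig_pool_remote_ip:-}" ]; then
    apply_route "$ifconfig_pool_remote_ip" || exit 1
fi
```

Run with DRY_RUN=0 only on the openvpn server itself; the default prints the command so the mapping can be checked first.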
IPv6 over openvpn server - youtube slow (interesting problem)
Shadow Hawkins on Wednesday, 03 August 2011 20:09:44
Interesting problem. The routable IPv6 subnet I provided for the openvpn clients is part of a sixxs subnet. Outgoing packets hit my home linux router, and enter the internet through the 6to4 gateway. Response packets go to the sixxs tunnel at the office, and then over the VPN and home. This works, but throughput to youtube.com is *very* slow (still works though).
Using a 6to4 IP on the local LAN works much better. But I can't route to a 6to4 over openvpn server - anytime you push a 6to4 IP through a sit interface, it gets routed to the IPv4 IP. Although *maybe* it would work if the 6to4 IP was the primary IP on the client sit interface (will try when I get a chance).
IPv6 over openvpn server - youtube slow (interesting problem)
Shadow Hawkins on Thursday, 04 August 2011 03:31:20
Ok, so I discovered youtube uses the same logic as sixxs website, and connections from 2002::/16 are rejected causing the browser to immediately retry as IPv4. When I make the primary IPv6 addr a 2001::, then youtube is slow even on the LAN. I tried changing the route so that the return path is symmetrical (going over the tunnel both ways) - but youtube is just as slow. Perhaps the tunnel can't handle video - or perhaps youtube's IPv6 servers just aren't up to snuff.
I see there is a thread about youtube slow in the applications section. But wouldn't it be nice if you could add sites that don't work well to an IPv6 blacklist, instead of turning off IPv6 altogether?