Setting up a tunnel server
Carmen Sandiego on Sunday, 20 April 2008 17:32:03
Hi,
I recently ordered a dedicated server from OVH, and they assign all their servers a /64 IPv6 subnet. I'd like to use this connection for my home v6 traffic, so I need a tunnel through IPv4.
Right now I'm using OpenVPN for the tunneling, but this doesn't work very well and doesn't seem to be very stable, as sometimes packets are lost, and the configuration isn't very comfortable either.
Is it possible to get the software SixXS uses for tunnel hosting so I can use it to provide my own tunnel? And if not, can you recommend ways to set up such a tunnel?
I hope you can help me,
Christoph :)
Setting up a tunnel server
Shadow Hawkins on Sunday, 20 April 2008 18:55:34
Hi Christoph,
What's the issue with OpenVPN? Works flawlessly here using tap devices.
Nevertheless, I guess you could use simple IPv6-in-IPv4 tunnels, e.g.
ip tunnel add sit1 mode sit remote $remote_ipv4 local $local_ipv4
Just issue this on both client and server, and you can use the tunnel as if it were a regular NIC.
ip link set sit1 up
ip addr add ...
ip r add ...
Hope I could help.
Cheers,
Timo
Setting up a tunnel server
Carmen Sandiego on Sunday, 20 April 2008 19:36:28
Will this work if the client is located behind a NAT router?
Setting up a tunnel server
Shadow Hawkins on Sunday, 20 April 2008 20:22:39
I don't think so.
Anyway, I use OpenVPN for my setup, which includes servers in different data centers and my NAT box at home. It works great. I really can't understand your issues. Have you had a look at tinc, though?
Setting up a tunnel server
Carmen Sandiego on Sunday, 20 April 2008 20:47:40
Okay, I'll describe the topology a little so you can advise me how to set up OpenVPN :)
The tunnel server should be hosted on a server in a datacenter in France. A /64 net is routed to this server, but it doesn't send the packets directly to the MAC address of the server; instead it sends a neighbor solicitation to ask for the MAC address of the client.
I want to connect multiple endpoints to this server and route a subnet of my /64 net to each of those endpoints. The endpoints have IPv4 access to the server and are behind NAT routers with dynamic IPv4 addresses.
What I tried is setting the server up this way:
dev tun
tun-ipv6
ping 15
ping-restart 45
ping-timer-rem
verb 4
up /etc/upscript
And the up-script looks like this:
#!/bin/sh
# OpenVPN passes the device name and the tun MTU as the first two arguments of the up script
INTERFACE=$1
TUN_MTU=$2
ip link set ${INTERFACE} up
ip link set mtu ${TUN_MTU} dev ${INTERFACE}
ip -6 addr add 2001:41d0:1:ae76:ff::1/112 dev ${INTERFACE}
ip -6 addr add fe80::ff:1/64 dev ${INTERFACE}
(without the subnet routing for now)
Now I connect with two clients as ..ff:2 and ..ff:3; both can ping ..ff:1, but they can't ping each other, so OpenVPN or the tunnel driver doesn't forward the packets within the same subnet to the other clients.
Furthermore, I need to activate proxy_ndp and add every single client with `ip -6 neigh add proxy <addr> dev eth0` on the server so it answers the neighbor solicitation with its own address.
Any ideas on how to set this up?
Christoph
Setting up a tunnel server
Shadow Hawkins on Sunday, 20 April 2008 21:03:51
All right,
As mentioned before, I use tap devices with my OpenVPN setup. They route Ethernet packets rather than IP packets, which adds a little overhead but works really well.
So, my OpenVPN config contains "dev tap0". The rest should be trivial.
The up-script looks like this:
#
#
# IPv6
sysctl -w net.ipv6.conf.all.forwarding=1
ip link set tap0 up
#
# Add IPs for routing
ip addr add {IPv6-Tunnel-Server-Gateway-IP} dev tap0
And the routing should work :-)
BTW: Please make sure that all interfaces have link-local addresses assigned, or neighbor solicitation won't work properly.
Setting up a tunnel server
Shadow Hawkins on Sunday, 20 April 2008 21:09:17
Sorry, I forgot to mention that you still need the subnet routing, of course.
Setting up a tunnel server
Shadow Hawkins on Monday, 21 April 2008 12:07:25
See the client-to-client option of OpenVPN.
Setting up a tunnel server
Carmen Sandiego on Monday, 21 April 2008 13:34:23
The client-to-client option requires mode server, which forbids tun-ipv6. Does it work with tap?
Or how do I set up OpenVPN in mode server?
Setting up a tunnel server
Carmen Sandiego on Monday, 21 April 2008 23:23:14
Okay, thanks so far.
I am now running the OpenVPN server in mode server with a tap interface and individual TLS keys for each client. They can all ping each other, and the routing works just fine.
Now the last problem is that the ISP the server uses is not sending packets for my /64 net directly to the server; instead it sends a neighbor solicitation to ask for the HW address of the client. So if I want to route a subnet of my /64, let's say a /80, my server has to answer all solicitations for that net. I could force Linux to reply for single addresses using proxy_ndp=1 and `ip -6 neigh add proxy <addr> dev eth0`, but I don't know how to set this up for whole subnets.
Help is very welcome :)
Setting up a tunnel server
Shadow Hawkins on Tuesday, 22 April 2008 14:53:24
Ah, now I see.
"so if a want to route a subnet of my /64, lets say a /80,"
There is no such thing as a /80 subnet.
/64 is ONE subnet. You can't subdivide it into smaller subnets.
The lower 64 bits of an IPv6 address are the "host ID".
It should not be divided into net/host...
The upper 64 bits are for subnetting. To be more specific: bits 48-64 are for subnetting. The rest is off limits.
You probably think that the ISP assigned you millions of addresses to use. That is wrong. They assigned you ONE (sub)net. That's it. Maybe you can request more, and they'll assign you some.
Setting up a tunnel server
Shadow Hawkins on Tuesday, 22 April 2008 14:57:32
I checked www.ovh.com and it says that they assign a /56 prefix.
Which package exactly do you have?
Setting up a tunnel server
Carmen Sandiego on Tuesday, 22 April 2008 22:22:08
Yes, you're right, the website says that they give a /56, but in fact you only get a /64 embedded in this /56 :(
And on subnets smaller than /64: I thought a subnet has to be at least a /64 to allow autoconfiguration (EUI-64), but smaller subnets are possible without autoconfiguration. Why shouldn't it be possible to divide a /64 into multiple /80s and use DHCPv6 to give the clients addresses, for example?
Greetings,
Christoph
Setting up a tunnel server
Shadow Hawkins on Wednesday, 23 April 2008 12:02:58
The site says "Each server has IPv6 /56 Blocs or 4,722,366,482,869,645,213,696 fixed IP addresses (or 4 700 billions of billions) to use."
Complain about false advertising. (Ask first, maybe there is just a misunderstanding).
About your idea:
RFC 4291* says in paragraph "2.5.4. Global Unicast Addresses":
All Global Unicast addresses other than those that start with binary
000 have a 64-bit interface ID field (i.e., n + m = 64), formatted as
described in Section 2.5.1. Global Unicast addresses that start with
binary 000 have no such constraint on the size or structure of the
interface ID field.
So no, you can't chop it up for subnetting.
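The prefix arithmetic behind this argument, worked through with Python's ipaddress module as an added example (not part of the thread): the /64 from Christoph's up-script, the /56 OVH advertises around it and the 256 /64 subnets it holds, and why a /80 cannot carry an EUI-64 interface ID. The MAC address is a constructed sample.

```python
import ipaddress

# The /64 that OVH actually routes to the server, taken from the up-script in this thread.
ROUTED_64 = ipaddress.IPv6Network("2001:41d0:1:ae76::/64")


def enclosing_prefix(net, prefixlen):
    """Return the prefix of the given length that contains `net` (e.g. the /56 OVH advertises)."""
    return net.supernet(new_prefix=prefixlen)


def subnets_of(net, new_prefix):
    """All subnets of `net` with the given length; cutting a /56 into /64s uses bits 56..64."""
    return list(net.subnets(new_prefix=new_prefix))


def slaac_possible(net):
    """Stateless autoconfiguration (EUI-64) needs a full 64-bit interface ID, i.e. exactly a /64."""
    return net.prefixlen == 64


def eui64_interface_id(mac):
    """Modified EUI-64 from a 48-bit MAC: flip the universal/local bit, insert ff:fe in the middle."""
    octets = bytearray(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    octets[0] ^= 0x02
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return int.from_bytes(iid, "big")


def slaac_address(net, mac):
    """Address a host would autoconfigure on `net`; refuses prefixes that leave no 64-bit host ID."""
    if not slaac_possible(net):
        raise ValueError(f"{net} leaves only {128 - net.prefixlen} bits for the interface ID")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


if __name__ == "__main__":
    advertised_56 = enclosing_prefix(ROUTED_64, 56)
    print(f"advertised block: {advertised_56}, holding {len(subnets_of(advertised_56, 64))} /64 subnets")
    sample_mac = "00:11:22:33:44:55"  # constructed sample MAC, not from the thread
    print(f"SLAAC address on the routed /64: {slaac_address(ROUTED_64, sample_mac)}")
    for sub in subnets_of(ROUTED_64, 80)[:2]:
        try:
            slaac_address(sub, sample_mac)
        except ValueError as err:
            print(f"{sub}: {err}")
```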
Setting up a tunnel server
Shadow Hawkins on Wednesday, 23 April 2008 12:04:06
Forgot the footnote:
* http://tools.ietf.org/html/rfc4291#section-2.5.4