IPv6 tinc routing example

From SixXS Wiki

This article is adapted from an article that User:MAL1-SIXXS posted to http://www.tinc-vpn.org/examples/ipv6-network.

Scenario Parameters

  1. IPv6 is provided via a native or tunnel-brokered service at a main site. If you need a tunnel, refer to Wikipedia's list of IPv6 tunnel brokers.
  2. The IPv6 allocation given is 2001:db8:beef::/48, using a tunnel from 2001:db8:dead:beef::1 to 2001:db8:dead:beef::2.
  3. All the tinc connections share a subnet of 2001:db8:beef:0::/64, and their addresses are tied to 2001:db8:beef:(subnet #)::/64 allocations. For example, "routerc" will listen on tinc at 2001:db8:beef::3, will have a LAN address of 2001:db8:beef:3::1, and a subnet of 2001:db8:beef:3::/64.
  4. All the routers & servers using tinc connect over the IPv4 Internet, using WAN addresses based on 192.0.2.0/24. "routerc" uses 192.0.2.3.
  5. "routera" is a Linux server that manages the #1 subnet, and makes the connection to the IPv6 Internet.
  6. All other routers are assumed to be Linux-based, for their TUN/TAP support of bridged Ethernet.

Configuration Files

  • On Debian/Ubuntu systems, an entry in "/etc/network/interfaces" can be used to statically assign the ::1 address for the local LAN.
    iface eth1 inet6 static
         address 2001:db8:beef:1::1
         netmask 64
         mtu 1280
  • On non-Debian/Ubuntu systems, a line can be put in a boot script, such as "ip -6 addr add 2001:db8:beef:1::1/64 dev eth1".
  • IPv6 forwarding needs to be enabled: put "echo 1 > /proc/sys/net/ipv6/conf/all/forwarding" in a boot script, or "net.ipv6.conf.all.forwarding = 1" in "/etc/sysctl.conf".
  • This setup uses tinc's "switch" mode: subnets are not assigned in the host files; only Address (for ConnectTo targets only) and the key are required in host files.
  • It is assumed that the config files go into something like "/etc/tinc/link" and "/etc/tinc/nets.boot" has an entry for "link".

"routera" master-router

tinc.conf

    Name = routera
    Device=/dev/net/tun
    TCPOnly = yes
    PMTU = 1280
    PMTUDiscovery = yes
    Mode = switch
    Interface = vpn6

tinc-up

    #!/bin/sh
    #Enable tinc
    ip -6 link set vpn6 up mtu 1280 txqueuelen 1000
    ip -6 addr add 2001:db8:beef::1/64 dev vpn6
    ip -6 route add 2001:db8:beef::/48 dev vpn6
    #Static routing table
    ip -6 route add 2001:db8:beef:2::/64 via 2001:db8:beef::2
    ip -6 route add 2001:db8:beef:3::/64 via 2001:db8:beef::3
    ip -6 route add 2001:db8:beef:4::/64 via 2001:db8:beef::4

tinc-down

    #!/bin/sh
    #Static routing table
    ip -6 route del 2001:db8:beef:2::/64 via 2001:db8:beef::2
    ip -6 route del 2001:db8:beef:3::/64 via 2001:db8:beef::3
    ip -6 route del 2001:db8:beef:4::/64 via 2001:db8:beef::4
    #Disable tinc
    ip -6 route del 2001:db8:beef::/48 dev vpn6
    ip -6 addr del 2001:db8:beef::1/64 dev vpn6
    ip -6 link set vpn6 down
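
A consistency check for tinc-up/tinc-down pairs like the ones above, as an added example (not part of the original article or of tinc): it parses the "ip -6" route and address lines, validates every address, and reports anything tinc-up adds that tinc-down never removes. The function names and the sample scripts, including the deliberately malformed next hop, are constructed for illustration.

```python
import ipaddress
import re

# Matches "ip -6 route|addr add|del <target> [via <next-hop>]" lines.
CMD = re.compile(r"^\s*ip\s+-6\s+(route|addr)\s+(add|del)\s+(\S+)(?:\s+via\s+(\S+))?")

def parse(script):
    """Return ({action: set of (kind, target, via)}, [problems]) for one script."""
    entries, problems = {"add": set(), "del": set()}, []
    for line in script.splitlines():
        m = CMD.match(line)
        if not m:
            continue  # comments, "ip -6 link set ..." and other lines are ignored
        kind, action, target, via = m.groups()
        try:
            # Normalise so that equivalent spellings of an address compare equal.
            if target != "default":
                target = str(ipaddress.ip_interface(target))
            if via:
                via = str(ipaddress.IPv6Address(via))
        except ValueError as exc:
            problems.append(f"invalid address in '{line.strip()}': {exc}")
            continue
        entries[action].add((kind, target, via))
    return entries, problems

def check_pair(up, down):
    """Every route/address added by tinc-up must be deleted by tinc-down."""
    up_entries, problems = parse(up)
    down_entries, down_problems = parse(down)
    problems += down_problems
    for entry in sorted(up_entries["add"] - down_entries["del"], key=str):
        problems.append(f"added in tinc-up but never deleted in tinc-down: {entry}")
    return problems

# Constructed sample: one address and one route in the style of the routera
# scripts, with a deliberately malformed next hop (":::2") in tinc-down.
SAMPLE_UP = """#!/bin/sh
ip -6 addr add 2001:db8:beef::1/64 dev vpn6
ip -6 route add 2001:db8:beef:2::/64 via 2001:db8:beef::2
"""
SAMPLE_DOWN = """#!/bin/sh
ip -6 route del 2001:db8:beef:2::/64 via 2001:db8:beef:::2
ip -6 addr del 2001:db8:beef::1/64 dev vpn6
"""

if __name__ == "__main__":
    for problem in check_pair(SAMPLE_UP, SAMPLE_DOWN):
        print(problem)
```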

"routerb" client-router

tinc.conf

    Name=routerb
    Device=/dev/net/tun
    TCPOnly = yes
    PMTU = 1280
    PMTUDiscovery = yes
    Mode = switch
    Interface = vpn6
    ConnectTo = routera

tinc-up

    #!/bin/sh
    ip -6 link set vpn6 up mtu 1280
    ip -6 addr add 2001:db8:beef::2/64 dev vpn6
    ip -6 route add default via 2001:db8:beef::1

tinc-down

    #!/bin/sh
    ip -6 route del default via 2001:db8:beef::1
    ip -6 addr del 2001:db8:beef::2/64 dev vpn6
    ip -6 link set vpn6 down

Stateless autoconfiguration of the LAN

You can use radvd or Quagga to perform stateless address autoconfiguration on your LAN. If you use Quagga, don't forget to enable the zebra daemon.

zebra.conf

    ipv6 forwarding
    !
    interface eth1
     no ipv6 nd suppress-ra
     ipv6 address 2001:db8:beef:1::1/64
     ipv6 nd prefix 2001:db8:beef:1::/64
     ipv6 nd ra-interval 10
    !
    interface vpn6
    !
    interface lo
