Providing ipv6 through openvpn part 2: Routing additional subnets

Consider the following situation:

+-------------------------------------+
| Local office network, private ipv4  |
|                                     |
| gateway with only ipv4 access       |
+---+---------------------------------+
    |
 Internet (ipv4)
    |
+---+---------------------------------+
|Hosted server with openvpn and ipv6  |
+-------------------------------------+

Using the openvpn setup from the previous post, it is possible to assign ipv6 addresses to the gateway of a local office network where ipv6 is not readily available.  If additional ipv6 subnets are available, these can be assigned to the office network behind this gateway and routed to the internet through OpenVPN. This post describes the extra settings needed to do that.

Routing extra subnets through openvpn

In the previous section, ipv6 subnet 2001:db8:f00:1::/64 is used for assigning openvpn clients an ipv6 address. Now, another subnet is needed in order to provide ipv6 addresses to the computers on the the network behind the office gateway. For the local network of the client in this example, the 2001:db8:f00:dada::/64 subnet is used.

First, a list of what is needed:

  • Ipv6 firewalling on the office gateway to protect unsafe devices on the office network from the evil internet
  • Configuring an ipv6 address on the new subnet for the office gateway
  • Configuring the OpenVPN server to route extra ipv6 subnets
  • Setting up ipv6 autoconfiguration on the office gateway to provide ipv6 to the local office network
  • Configuring the office gateway to route ipv6 packets between office and the OpenVPN server

Firewalling the local office network

As a first step, ipv6 firewalling is needed to make sure devices on the local network do not accidentally become accessible through ipv6 from all of internet. We can do this simply with the following commands:

ipt6tables -P FORWARD DROP
ip6tables -A FORWARD -s 2001:db8:f00:dada::/64 -d ::/0 -m comment --comment "allow outgoing traffic from local ipv6 range" -j ACCEPT
ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -m comment --comment "Accept established" -j ACCEPT
ip6tables -A INPUT -i eth0 -j ACCEPT

The first line disables ipv6 forwarding by default. The second line allows packets from the internal network to reach the internet. The third line allows the answers to those packets to be forwarded. Finally, we allow the local network connected to interface et0 to access this server. Of course, the firewalling from part 1 should already be in place.

The nice thing about ipv6 is that every device on the local office can have a real, routable address. The firewalling rules we just created, disallowed hosts on internet to connect directly to the devices on the local net. If we want to e.g. make the office’s airconditioner, with ip address 2001:db8:f00:dada::c01d, accessible from the internet, inserting the following rule makes that possible:

ip6tables -A FORWARD -d 2001:db8:f00:dada::c01d/64 -m comment --comment "let internet conrtol airco" -j ACCEPT

Use with care!

Configuring the OpenVPN server

Now that basic ipv6 firewalling is in place, it is time to configure the OpenVPN server. The following is added to OpenVPN server configuration:

route-ipv6 2001:db8:f00:dada::/64
client-config-dir ccd

The first line instructs the OpenVPN server to route packets for the office client network. The second line indicates, that the directory “/etc/openvpn/ccd” contains client-specific configuration options for each client. If the certificate of the client has a cn of “client”, the file “/etc/openvpn/ccd/client” should contain:

iroute-ipv6 2001:db8:f00:dada::/64

This configuration option instructs OpenVPN to route ipv6 traffic for 2001:db8:f00:dada::/64 trough the connection with “client”.

Configuring the office gateway to route ipv6 traffic for the local net

The OpenVPN server is now configured for routing the ipv6 subnet 2001:db8:f00:dada::/64 through the connection with “client”. The next step is configuring the office gateway for “client” to route the packets for this subnet to the local office network. The first step is to allow ipv6 forwarding in the Linux kernel. This is done by executing:

sysctl sys.net.ipv6.conf.all.forwarding=1

Adding the following line to /etc/sysctl.conf makes the change persistent across reboots:

net.ipv6.conf.all.forwarding=1

The next step is configuring ipv6 autoconfiguration on the local office network. That way, devices on the local office can automatically setup working ipv6 settings. This is done with radvd. First create /etc/radvd.conf:

# file: /etc/radvd.conf
interface eth0
{ 
  AdvSendAdvert on; 
  prefix 2001:db8:f00:dada::/64 
  {
    AdvOnLink on;
    AdvAutonomous on;
  }; 
};

Now, radvd can be installed, and the local office network instantly has working autoconfiguration for ipv6:

apt-get install radvd

After installing radvd, the office network on eth0 has ipv6 access!

If you have any questions, contact us. Have fun and… be careful!