SixXS::Sunset 2017-06-06

Direct IPv6 subnet peering using tunnels
[de] Shadow Hawkins on Tuesday, 12 June 2007 20:47:03
With a number of people I run an "extranet" just for fun and privacy. We are using OpenVPN tunnels to build a mesh. OpenVPN runs in static key mode with dynamic IP addresses on both ends of each tunnel. Each peer finds the other by using dynamic DNS entries. Addresses for the connected networks are assigned out of 10/8 and dynamically routed using BGP (Quagga). So we have a little NAT-free world. I would like to introduce IPv6 into this network. My idea is: I announce my IPv6 prefix to my peers, they announce theirs and the traffic is routed through the existing tunnels instead of the IPv6 upstream. This saves latency and ensures privacy (by encrypting the traffic). Here is the problem: IPv6 support in OpenVPN is nonexistent. I have tried a 6in4 tunnel over the OpenVPN link (oh no! IPv6 over IPv4 over IPv4), but the results are disappointing. At least Linux seems to have no concept of an IPv6 point-to-point link, so I have to use a /64 for every link. The link detection in the bgpd also has issues. Any suggestions? Does someone have a working IPv6 setup like this?
[pl] Shadow Hawkins on Tuesday, 12 June 2007 21:55:09
"We" have made something like what you want to do. We are using it for testing/learning. But "we" are not using openvpn. AFAIK you have to make a PtP (IPv4) link over openvpn and then run normal IPv6 inside. This is what "we" look like, done our way: http://its-hb.de/poldi/ FYI: http://openvpn.net/faq.html
[de] Shadow Hawkins on Tuesday, 12 June 2007 23:42:32
I built ipv6 tunnels using openvpn without a problem. From my config:

------/etc/openvpn/client.peername.conf-------
remote insert-ipv4-addr-from-peer
dev tun
tun-ipv6
tun-mtu 1280
ifconfig 10.142.100.2 10.142.100.1 #perhaps it works without ipv4?
secret client.peername.key
up /etc/openvpn/client.peername.up
-------

-------/etc/openvpn/client.peername.up-------
#!/bin/bash
INTERFACE=$1; shift;
TUN_MTU=$1; shift;
UDP_MTU=$1; shift;
LOCAL_IP=$1; shift;
REMOTE_IP=$1; shift;
MODUS=$1; shift;
ip link set ${INTERFACE} up
ip link set mtu ${TUN_MTU} dev ${INTERFACE}
ip -6 addr add TUNNEL-V6ADDR-THIS-SIDE dev ${INTERFACE}
ip -6 route add TUNNEL-V6ADDR-REMOTE-SIDE dev ${INTERFACE}
exit 0
-------------
[de] Shadow Hawkins on Thursday, 14 June 2007 22:36:50
So we have a little NAT-free world.
cool :)
Here is the problem: IPv6 support in OpenVPN is nonexistent.
As armin mentioned, you could use tun-ipv6 tunnels. tun-ipv6 tunnels can't carry IPv4, so you would need them in addition to the existing tunnels. Alternatively, you could use tap tunnels. They don't tunnel IPv4 or IPv6 but ethernet, so they're independent from IPv4 or IPv6, but add a further, small overhead. Also, I'm not sure how you'd want to configure them exactly to follow your current configuration.
I have tried a 6in4 tunnel over the OpenVPN link (oh no! IPv6
over IPv4 over IPv4), but the results are disappointing. At least
Linux seems to have no concept of a IPv6 point-to-point link,
so I have to use a /64 for every link.
Which tools+kernels do you use? Using the ip command from the iproute2 package, you should be able to do something like this: (<tdev> is the tunnel's interface name, <dev> is the device the tunnel is running over, not sure whether it's required)

Create the tunnel:
# ip tunnel add <tdev> mode sit local 10.0.0.1 remote 10.0.0.2 dev <dev>

Add our address(es): (can be used multiple times)
# ip -6 addr add 2001:1::1/128 dev <tdev>

Add a route to our peer: (can also be used multiple times)
# ip -6 route add 2001:2::1/128 dev <tdev>

Alternatively, add our address(es) along with a subnet:
# ip -6 addr add 2001:1::1/64 dev <tdev>

Add routes: (can also be used as often as needed)
First case:
# ip -6 route add 2001:10::/48 via 2001:2::1
Second case:
# ip -6 route add 2001:10::/48 via 2001:1::2

Show addresses:
ip addr
ip -4 addr
ip -6 addr

Show routes:
ip -6 route show
The link detection in the
bgpd has also issues.
I can't comment on this, as I've never used bgpd.
Any suggestions? Have someone a working IPv6 setup like this?
I'm using tunnels as described above, though over normal ethernet connections, but I don't think that this should matter. Regards, Milan
[de] Shadow Hawkins on Tuesday, 19 June 2007 08:25:51
As armin mentioned, you could use tun-ipv6 tunnels. tun-ipv6 tunnels can't
carry IPv4, so you would need them in addition to the existing tunnels.
They carry IPv4 and IPv6. I use it for my notebook to connect to the campus network over a public WLAN. I have IPv6 and IPv4 going through this tunnel. Works fine.
[de] Shadow Hawkins on Wednesday, 20 June 2007 18:51:21
Problem solved. On Linux it is necessary to assign IPv6 link-local addresses to the tunnel interfaces manually. On FreeBSD this happens automatically. Without addresses of course there is no IPv6 traffic possible. (Isn't this an IPv6 standard violation?) I have done this via zebra (from Quagga). It abstracts IP configuration from proprietary OS tools and unifies it over different Unix variants.
interface tun1
 ipv6 address fe80::c000:0201/64
interface tun2
 ipv6 address fe80::c000:0201/64
(...)
(and so on) The bgpd then needs to know on what interface his peer resides. Sample configuration:
router bgp 64512
 router-id 192.0.2.1
 neighbor 192.0.2.2 remote-as 64513
 neighbor 192.0.2.2 interface tun1
 neighbor 192.0.2.3 remote-as 64514
 neighbor 192.0.2.3 interface tun2
 (...)
 address-family ipv6
 network 2001:.../48
 neighbor 192.0.2.2 activate
 neighbor 192.0.2.3 activate
 (...)
 exit-address-family
192.0.2.* are sample addresses for the OpenVPN tunnels. Together with --tun-ipv6 on OpenVPN IPv6 Routing works fine now. Thanks for your replies.
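
The fix described in the post above, as an added example that is not part of the original thread or the poster's own tooling: it generates the zebra interface stanzas and checks `ip -o -6 addr show` output for tunnel interfaces that still lack a link-local address. It assumes the link-local address embeds the router's IPv4 address (the post's fe80::c000:0201 equals 192.0.2.1 in hex, though the poster does not state that derivation); the function names and the sample output are constructed.

```sh
#!/bin/sh
# Added example; function names and sample data are constructed.

# Embed an IPv4 address in the low 32 bits of fe80::/64
# (assumed convention: 192.0.2.1 -> fe80::c000:0201).
v4_to_linklocal() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|0?*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    printf 'fe80::%04x:%04x\n' $(( $1 * 256 + $2 )) $(( $3 * 256 + $4 ))
}

# Print one zebra.conf stanza per tunnel interface: zebra_stanzas IPV4 IF...
zebra_stanzas() {
    ll=$(v4_to_linklocal "$1") || return 1
    shift
    for ifc in "$@"; do
        printf 'interface %s\n ipv6 address %s/64\n' "$ifc" "$ll"
    done
}

# Read `ip -o -6 addr show` output on stdin; print each named interface
# that has no link-local (scope link) address.
missing_linklocal() {
    awk -v want="$*" '
        $3 == "inet6" && /scope link/ { have[$2] = 1 }
        END {
            n = split(want, w, " ")
            for (i = 1; i <= n; i++) if (!(w[i] in have)) print w[i]
        }'
}

# Constructed sample of `ip -o -6 addr show`: tun2 only has a global address.
SAMPLE_IP_OUTPUT='1: lo    inet6 ::1/128 scope host \       valid_lft forever preferred_lft forever
5: tun1    inet6 fe80::c000:201/64 scope link \       valid_lft forever preferred_lft forever
6: tun2    inet6 2001:db8:1::1/64 scope global \       valid_lft forever preferred_lft forever'

zebra_stanzas 192.0.2.1 tun1 tun2
printf '%s\n' "$SAMPLE_IP_OUTPUT" | missing_linklocal tun1 tun2 tun3
```

On a live router, pipe the real `ip -o -6 addr show` output into `missing_linklocal` with the list of tunnel interfaces that bgpd references.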
[de] Shadow Hawkins on Saturday, 07 July 2007 23:54:50
We're running about the same thing - see http://spaceboyz.net/ or http://wiki.diac24.net/DIAC24/Topology (Wiki quite empty due to a server relocation) - using OpenVPN, GRE-Tunnels (with own dynamic update tool :) and other tunnels for v4 & v6 with BGP. The ppl at http://www.nap-ix.net/ do the same (v4 only) Go and visit #spaceboyz @ irc.spaceboyz.net (port 9999 for ssl) if interested..
[si] Shadow Hawkins on Sunday, 23 March 2008 17:21:47
(yes, it is a late reply) Or you could simply use TAP mode, which supports every protocol in existence ;) (that is every protocol, that works on ethernet) Regards, David


Static Sunset Edition of SixXS
©2001-2017 SixXS - IPv6 Deployment & Tunnel Broker