Aiccu/Installing on OpenWRT

From SixXS Wiki


Main topic page: Aiccu.

It is possible to maintain a dynamic AYIYA tunnel using the Aiccu client on an OpenWRT router. The subnet can then be announced on the LAN, giving IPv6 connectivity to all compatible connected devices.


For this walkthrough we assume you have a basic install of OpenWRT Kamikaze and know how to connect to it using ssh, and are familiar with Linux directory traversal and vi.


Prerequisites

Out of the box, OpenWRT does not have any IPv6 utilities or kernel-level support for IPv6. This can easily be solved by installing the necessary packages.

To install the packages, execute the following commands on your OpenWRT-box:

opkg update
opkg install kmod-ipv6
opkg install kmod-ip6tables
opkg install ip6tables
opkg install ip
opkg install kmod-tun
opkg install aiccu
opkg install radvd
opkg install ntpclient

In order, the above packages are:

  • Kernel support for IPv6
  • Kernel support for iptables for IPv6 (Optional: Needed to create IPv6_Firewalling)
  • iptables for IPv6 (Optional: See above)
  • Utilities to manage the IP configuration
  • Kernel support for Virtual Network Interface devices (tun) to create tunnels
  • AICCU: Automatic IPv6 Connectivity Client Utility
  • Router IPv6 Advertisement Daemon (Optional, not needed if you do not have a subnet, or if you use static IPv6 addresses)
  • System clock requires synchronization for tunnel to stay up, so some ntp package is required. ntpclient is recommended.

If you run White Russian, be warned that that distribution contains an old aiccu and backports a broken one. If you want a working one for mipsel, you can get it here (see related blog post for more information).

In addition, the White Russian install-program is called ipkg instead of Kamikaze's opkg.

After installing the above packages:

reboot

Set Time

If your system clock is not synchronized to network time, the aiccu tunnel will collapse without notifying you. Also, ntpclient will not correct your time if it is not close to correct. So, first, correct the time by hand.

On another Linux box, you can type the following to get the date in the proper syntax:

date +%m%d%k%M%Y.%S

Then on OpenWRT, type the following, replacing the date string with the output from the above command (you may need to replace spaces where appropriate with zeros):

date -s mmddkkMMYYYY.SS

ntpclient should keep your clock synchronized from here on, but some report that it fails and hangs. Please post a solution.

Tunnel Configuration

White Russian

Edit /etc/aiccu.conf to include your login and what tunnel to bind to.

Sample Configuration:

# AICCU Configuration
#
# Login information (defaults: none)
username ABC1-SIXXS
password 1234
#
# Interface names to use (default: aiccu)
ipv6_interface sixxs
#
# The tunnel_id to use (default: none)
# (only required when there are multiple tunnels in the list)
tunnel_id T12345
#
# Be verbose? (default: false)
verbose false
#
# Daemonize? (default: true)
# Set to false if you want to see any output
# When true output goes to syslog
daemonize true
#
# Automatic Login and Tunnel activation?
automatic true
#
# Require TLS?
#
requiretls false
#
# PID File
pidfile /var/run/aiccu.pid
#
# Add a default route (default: true)
defaultroute true

Start aiccu and check the system logs for errors using the following.

aiccu start
logread

If aiccu is pleased it will show in the log something along the lines of

Jul 18 13:47:51 (none) local7.info syslog: Succesfully retrieved tunnel information for T12345
Jul 18 13:47:51 (none) local7.info syslog: AICCU running as PID 1234
Jul 18 13:47:52 (none) local7.info syslog: [AYIYA-start] : Anything in Anything (draft-02)
Jul 18 13:47:52 (none) local7.info syslog: [AYIYA-tun->tundev] : (Socket to TUN) started

Check that ipv6 is working by pinging sixxs.

ping6 sixxs.net


Kamikaze

Kamikaze uses /etc/config/aiccu for its configuration.

The first time you will have a file like:

config aiccu
       option username         'ABC1-SIXXS'
       option password         '1234'
       option protocol         
       option server           
       option interface        'sixxs'
       option tunnel_id        
       option requiretls       '0'
       option defaultroute     '1'
       option nat              '1'
       option heartbeat        '1'

Edit the file to your settings. Protocol is typically tic and server is tic.sixxs.net

At the command prompt, type:

/etc/init.d/aiccu start

The above command will start the aiccu client, using /etc/config/aiccu as the basis for its configuration. [The configuration is generated and stored in /tmp/run/aiccu-cfg######.conf. However, do not edit this file, since it is generated automatically by the /etc/init.d/aiccu script.]

You can verify that the tunnel started by executing:

logread

If aiccu is pleased it will show in the log something like:

Jul 18 13:47:51 (none) local7.info syslog: Succesfully retrieved tunnel information for T12345
Jul 18 13:47:51 (none) local7.info syslog: AICCU running as PID 1234

Check that ipv6 is working by pinging sixxs:

ping6 sixxs.net

The tunnel will start automatically at every reboot. However, sometimes the tunnel may start too early. Therefore, you should edit /etc/init.d/aiccu and change the line:

START=50

to

START=80

Subnet Configuration

Note that the IPv6 router does not need to be on the same device as your IPv4 router. Traffic will be routed by your SixXS IPv6 tunnel transparently through your IPv4 gateway. Therefore, your IPv6 router can be located behind your existing gateway and firewall. For this reason, pay attention to this new exposure of the inside of your network and to the configuration of your IPv6 traffic rules, since IPv6 traffic will not be handled by your existing IPv4 iptables rules. (See ip6tables)


Routing

To give connectivity to other hosts on your subnet, you first need to set the IPv6 address for your OpenWRT-box, which is now your router. We assume it has the postfix 1 for the examples below.

Edit /etc/config/network and add the following line under the correct interface:

option 'ip6addr' '<Subnet-Prefix>::1/64'

Here is part of an example config-file:

config 'interface' 'lan'
	option 'type' 'bridge'
	option 'ifname' 'eth0.0'
	option 'proto' 'static'
	option 'ipaddr' '192.168.10.1'
	option 'netmask' '255.255.255.0'
	option 'dns' '192.168.10.5'
	option 'defaultroute' '0'
	option 'peerdns' '0'
	option 'ip6addr' '2001:####:###::1/64'

Then you need to add / uncomment the following line at the bottom of /etc/sysctl.conf:

net.ipv6.conf.all.forwarding=1

Radvd

Radvd is how IPv6 advertises the existence of the router on your network. It accomplishes much of what DHCP does for IPv4. Without needing to be polled by devices, the radvd process advertises the IPv6 address of the router along with a prefix from which clients can self-generate their own IP assignments (originally by appending their MAC address, though that is no longer the only way.)

If you have been assigned a subnet such as a /48, you may be tempted to use it all for your network prefix, but take note that automatic address assignments by your network's client devices will only work if you advertise a /64 prefix, since they are trying to use their MAC address for the remaining 64 bits.

For details on the other radvd options, refer to the man page for radvd.conf.

White Russian

Edit /etc/radvd.conf to make radvd properly advertise the subnet.

(note br-lan, the configuration default is br0)

interface br-lan
{
       AdvSendAdvert on;
       prefix <Subnet-Prefix>::/64
       {
               AdvOnLink on;
               AdvAutonomous on;
       };
};

Kamikaze

Kamikaze ignores /etc/radvd.conf and instead uses /etc/config/radvd which lists options corresponding to those listed in the radvd.conf file shown above.

The /etc/config/radvd options list also includes the option ignore which needs to be set to zero for radvd to be enabled.

Finalize

Execute the following commands to configure these services to autostart after the next reboot of your router:

/etc/init.d/radvd enable
/etc/init.d/aiccu enable

Then restart the router one last time to make everything take effect.

reboot

If everything is working correctly, then restarting the network adapter of a connected device should result in it assigning itself an IPv6 address on your subnet. If this does not happen, unplug the router, count to 30 and plug it back in to make sure computers on the LAN are not caching old settings. Do not worry if your devices show a router address different from your subnet and beginning with FE80. This is a link local address which also works just fine for reaching your router. You get one of these also. As long as you also show an IP address on the new subnet, you can know that the router can direct external traffic to your device.

Post Setup

You can use the command ip6tables (iptables for IPv6) to set up IPv6 Firewalling.

For Kamikaze, the rules should go in /etc/firewall.user. Please note that the default kernel for OpenWRT does not support rt-matching, so you cannot block RH0 packets.
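
A minimal default-deny baseline for /etc/firewall.user, as an added example that is not part of the original page. It assumes the tunnel interface is named sixxs and the LAN bridge br-lan, as in the configurations above, and that your kernel provides IPv6 connection tracking for the state match; the function name and the IP6T and APPLY variables are hypothetical.

```shell
# Added example for /etc/firewall.user; not from the original page.
# Assumed names: tunnel interface "sixxs", LAN bridge "br-lan".
TUN_IF="${TUN_IF:-sixxs}"
LAN_IF="${LAN_IF:-br-lan}"
IP6T="${IP6T:-ip6tables}"

ipv6_firewall() {
    # Drop by default: nothing reaches the router or the LAN unless
    # a rule below allows it.
    $IP6T -P INPUT DROP
    $IP6T -P FORWARD DROP
    $IP6T -F INPUT
    $IP6T -F FORWARD

    # Replies to connections that were opened from the inside.
    # Assumption: the kernel has IPv6 connection tracking ("state" match).
    $IP6T -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IP6T -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # ICMPv6 carries neighbour discovery and path MTU discovery; IPv6
    # stops working without it, so it is accepted here.
    $IP6T -A INPUT -p ipv6-icmp -j ACCEPT
    $IP6T -A FORWARD -p ipv6-icmp -j ACCEPT

    # Loopback and the LAN may talk to the router ...
    $IP6T -A INPUT -i lo -j ACCEPT
    $IP6T -A INPUT -i "$LAN_IF" -j ACCEPT
    # ... and LAN hosts may open connections out through the tunnel.
    # No rule accepts new connections arriving on the tunnel interface.
    $IP6T -A FORWARD -i "$LAN_IF" -o "$TUN_IF" -j ACCEPT
}

# Hypothetical switch: set APPLY=1 above this block to load the rules.
if [ "${APPLY:-0}" = "1" ]; then
    ipv6_firewall
fi
```

With this ruleset, hosts on the LAN keep outbound IPv6 connectivity while unsolicited connections from the tunnel side are dropped, which covers the exposure described under Subnet Configuration.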

Troubleshooting

Installation brcm-2.4

When you follow the instructions above for installation, you will get the following error when installing aiccu:

  root # opkg install aiccu
  Collected errors:
   * Cannot find package aiccu.

In the current version of kamikaze 8.09.1 (aiccu_20070115-2.1_mipsel.ipk), there seems to be a dependency on a 2.6 kernel. (Cannot satisfy the following dependencies for aiccu: * kmod-sit *)

To get around this you can do the following:

  cd /tmp
  wget http://downloads.openwrt.org/kamikaze/8.09.1/brcm-2.4/packages/aiccu_20070115-2.1_mipsel.ipk 
  opkg -force-depends install aiccu_20070115-2.1_mipsel.ipk

You will get the following error message, which you can ignore:

  Collected errors:
   * Warning: Cannot satisfy the following dependencies for aiccu:
      *  kmod-sit * 

Then continue to follow the instructions above.

Running processes

Look at your running processes with ps. You should see aiccu, radvd, and ntpclient. If any of these are missing, either they were not started, or there is some reason they stopped. Find out why and fix.

If your tunnel is active, ifconfig will show an interface named aiccu:

aiccu     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet6 addr: 2001:.....
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1280  Metric:1
          ....

If you do not see it, try starting aiccu again. If this does not reappear in the ifconfig list, check logread for clues. Make sure your aiccu config file is correct.

Timing

If logread shows a message like:

May 31 12:15:29 OpenWrt local7.err syslog: The clock is off by 8577949 seconds, use NTP to sync it!
May 31 12:15:29 OpenWrt local7.err syslog: Couldn't retrieve first tunnel for the above reason, aborting

This means the tunnel started but due to your system clock being unsynchronized, it immediately collapsed. Make sure you set the clock approximately, manually, and that ntpclient is running properly.

If the number of seconds off is a near multiple of 3600, your error is in hours and is likely the result of an improperly set timezone. Change the TZ setting, then set your clock again to the current time and try again.
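
The checks from Running processes and Timing as a small script, added here as an example and not part of the original page. The function names and the 120-second tolerance for "near a multiple of 3600" are assumptions of this example.

```shell
# Added troubleshooting helper; not from the original page.
# Assumption: "near" a multiple of 3600 means within TOLERANCE seconds.
TOLERANCE=120

# Read `ps` output on stdin; print each expected daemon that is absent.
# Usage: ps | missing_daemons
missing_daemons() {
    ps_out=$(cat)
    for d in aiccu radvd ntpclient; do
        case "$ps_out" in
            *"$d"*) ;;
            *) echo "$d" ;;
        esac
    done
}

# Read `logread` output on stdin; print the most recent clock offset
# that aiccu reported, or nothing if there is no such message.
# Usage: logread | clock_offset
clock_offset() {
    sed -n 's/.*The clock is off by \([0-9][0-9]*\) seconds.*/\1/p' | tail -n 1
}

# Classify an offset in seconds: "timezone N" when it lies within
# TOLERANCE of N whole hours (check TZ), otherwise "clock SECONDS"
# (set the clock by hand, then let ntpclient keep it in sync).
classify_offset() {
    off=$1
    rem=$((off % 3600))
    if [ "$rem" -gt 1800 ]; then rem=$((3600 - rem)); fi
    if [ "$off" -ge 1800 ] && [ "$rem" -le "$TOLERANCE" ]; then
        echo "timezone $(( (off + 1800) / 3600 ))"
    else
        echo "clock $off"
    fi
}
```

For the log excerpt above, the offset of 8577949 seconds is 851 seconds away from the nearest whole hour, so it is classified as an unset clock and not as a timezone error.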

DNS

If you cannot successfully ping6 sixxs.net, try pinging the address numerically to assess whether this is just a DNS problem:

ping6 2001:838:1:1:210:dcff:fe20:7c7c


Routing

If you can ping6 www.sixxs.net from your router, and you can ping6 your router from your clients, but somehow the clients cannot ping6 www.sixxs.net, you appear to have an issue with your default route. Check out this forum post: OpenWRT Kamikaze routing problem (Some people solve the problem by ensuring that aiccu starts after radvd).

IPv6 Stack not found

Possibly from using a version of OpenWrt with Linux kernel 2.4 (e.g. brcm-2.4). Try brcm47xx if you can. Note that the kernel was held back for Broadcom because the wireless driver was not as stable in 2.6, so there is a tradeoff.
