Tunneling IPv6 Traffic Over OpenVPN

Author: Shawn Webb

Introduction

Current IPv6 tunnel brokers carry requirements that you might not be able to meet on the network you're using. For example, if you're using a public, open wireless network which you don't control and you want to create a 6in4 tunnel to he.net, you're met with difficulties. If ICMP is disabled on the WAN port of the network, you won't be able to connect. I've come up with a solution: use OpenVPN to tunnel your 6in4 tunnel. This article describes how to use OpenVPN 2.2 (which doesn't have IPv6 support in the tun device) to create a secure tunnel to enable IPv6 on a remote wireless network.

Basically, I'm at BSDCan right now. The University of Ottawa does not have an IPv6 network. I brought my wireless router and wanted IPv6. I'm piggy-backing off my IPv6 network at home, routing an IPv6 network here through my home network. Due to network restrictions at the University of Ottawa, I've come up with the following setup. It's not the most efficient setup, but it's guaranteed to work.

Prerequisites

  • pfSense 2.1-DEVELOPMENT (I'll just call it 2.1)
  • OpenVPN on both ends of the tunnel
  • FreeBSD on the client end of the tunnel

Production releases of pfSense do not support IPv6, yet; however, 2.1 does. If you're running a version of pfSense less than 2.1, you'll need to upgrade. If you're using a non-pfSense router/firewall, this article still applies to you, but you will need to modify the commands to fit your OS.

My Home Setup

My pfSense firewall is responsible for integrating with Hurricane Electric's (he.net) IPv6 network. The firewall is directly connected to the public Internet. The firewall serves a NATed LAN that has an IPv4 network of 192.168.2.0/24 and has the .1 IP assigned in that network. The IPv6 network assigned to the LAN is 2001:470:8142:2::/64. I have an OpenVPN instance running on my OpenIndiana server, which has an IPv4 address of 192.168.2.6 and an IPv6 address of 2001:470:8142:2::6. OpenVPN is configured to use tun devices and serve up the 10.8.0.0/24 network. The OpenVPN server is assigned an IPv4 address of 10.8.0.1. The 6in4 IPv6 tunnel between the VPN server and client has an IPv6 network of 2001:470:8142:3::/64. The firewall will have a 6in4 IPv6 address of 2001:470:8142:3::1 and the OpenVPN client will have a 6in4 address of 2001:470:8142:3::2. The wireless network will have an IPv6 network of 2001:470:8142:5::/64. Because OpenVPN is running on my OpenIndiana server, the firewall needs to know to route 10.8.0.0/24 packets through the server, so a static route is set to do that. Because IPv6 neighbor discovery packets for the 2001:470:8142:5::/64 network aren't routed through the OpenVPN tunnel, a static route is also set on the firewall to route 2001:470:8142:5::/64 packets through the OpenIndiana server. For purposes of this article, the OpenVPN client will be assigned the IPv4 address of 10.8.0.6. This might sound a bit confusing, but it works.

Nitty Gritty

So now we're going to just dive into the commands. There are a lot of commands to run (don't worry, I have this scripted and up on GitHub). If you're running OpenVPN straight on pfSense, you'll need to change some of these commands. Some of the commands you won't need at all. For the purposes of this article, we'll assume your setup is just the same as mine. If you can't figure out how to adapt the commands to your setup, feel free to contact me and I'd be glad to help.

Setting up the firewall:

  • Set up a new gateway. We'll tell pfSense that the OpenIndiana server is a gateway.
  • Set up a new static route to route 10.8.0.0/24 through the new gateway.
  • pfSense does not currently support setting up an IPv6 static route through the web interface. Log in to the firewall through ssh and add the route manually:
    • route add -inet6 2001:470:8142:5::/64 2001:470:8142:3::2
  • Add a new gif interface:
    • Parent interface: LAN
    • Remote address: 10.8.0.6
    • Tunnel local address: 2001:470:8142:3::1
    • Tunnel remote address: 2001:470:8142:3::2
  • Assign the gif interface to a new OPT interface:
    • No IPv4 address
    • IPv6 address: 2001:470:8142:3::1

Setting up the OpenVPN server

  • Push a route to 192.168.2.1 to the clients

Setting up the OpenVPN client

  • Start OpenVPN and connect to the server (OpenVPN setup is outside the scope of this article other than the pushed route above)
  • Create a new gif device:
    • ifconfig gif0 create
    • ifconfig gif0 tunnel 10.8.0.6 192.168.2.1
    • ifconfig gif0 inet6 2001:470:8142:3::2 2001:470:8142:3::1 prefixlen 64
  • Add the default IPv6 route:
    • route add -inet6 default 2001:470:8142:3::1
  • Set the LAN device for the wireless network to have an IP of 2001:470:8142:5::1/64:
    • ifconfig alc0 inet6 alias 2001:470:8142:5::1/64
  • Restart the IPv6 route advertising daemon:
    • /etc/rc.d/rtadvd restart
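The client-side steps above, collected into one re-runnable script. This is an added example, not the author's GitHub script: it uses the article's addresses as defaults, the variable names (VPN_LOCAL, LAN_IF and so on) are assumptions, and DRYRUN=1 prints each command instead of executing it so the plan can be checked without root.

```sh
#!/bin/sh
# Added example: FreeBSD client side of the 6in4-over-OpenVPN setup above.
# Not the author's script; addresses are the article's, variable names assumed.
VPN_LOCAL="${VPN_LOCAL:-10.8.0.6}"            # client's OpenVPN tun address
VPN_REMOTE="${VPN_REMOTE:-192.168.2.1}"       # home firewall LAN address (pushed route)
GIF_LOCAL6="${GIF_LOCAL6:-2001:470:8142:3::2}"
GIF_REMOTE6="${GIF_REMOTE6:-2001:470:8142:3::1}"
LAN_IF="${LAN_IF:-alc0}"                      # interface facing the wireless LAN
LAN_PREFIX="${LAN_PREFIX:-2001:470:8142:5::1/64}"
GIF_IF="${GIF_IF:-gif0}"

# Execute a command, or just print it when DRYRUN=1.
run() {
    if [ "${DRYRUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The gif tunnel's outer IPv4 source must be the VPN address, so refuse to
# build it until some interface (the OpenVPN tun) carries that address.
vpn_is_up() {
    ifconfig 2>/dev/null | grep -q "inet ${VPN_LOCAL} "
}

client_cmds() {
    # Destroy a stale gif interface (this also drops routes through it),
    # so the script is safe to re-run after OpenVPN reconnects.
    ifconfig "$GIF_IF" >/dev/null 2>&1 && run ifconfig "$GIF_IF" destroy
    run ifconfig "$GIF_IF" create
    run ifconfig "$GIF_IF" tunnel "$VPN_LOCAL" "$VPN_REMOTE"
    run ifconfig "$GIF_IF" inet6 "$GIF_LOCAL6" "$GIF_REMOTE6" prefixlen 64
    run route add -inet6 default "$GIF_REMOTE6"
    run ifconfig "$LAN_IF" inet6 alias "$LAN_PREFIX"
    run /etc/rc.d/rtadvd restart
}

main() {
    if [ "${DRYRUN:-0}" != "1" ] && ! vpn_is_up; then
        echo "no interface with ${VPN_LOCAL}; connect OpenVPN first" >&2
        return 1
    fi
    client_cmds
}

# Usage: sh ipv6-client.sh apply (as root) | sh ipv6-client.sh dryrun
case "${1:-}" in
    apply)  main ;;
    dryrun) DRYRUN=1 main ;;
esac
```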

Conclusion

Using the setup above, you'll have a full dual-stack IPv4 and IPv6 network on remote networks, tunneled through a VPN to your home network. I've automated the client side of this setup as a bash script. The script can be found on GitHub.

2 Comments

openvpn tap

I don't know how well this will translate to FreeBSD and pfSense, but I have tested this on a 'lesser' operating system. :) You could also use OpenVPN in tap mode. This creates a virtual Ethernet interface and OpenVPN passes Ethernet frames across the tunnel. You can then assign IPv4 and IPv6 addresses on top of this virtual Ethernet device. The difference in the size of transferred packets shouldn't be very different and it might give a more natural way of configuring IPv6 instead of configuring an IPv6-in-IPv4 tunnel. A lot of people knock on using OpenVPN in a tap mode but it occasionally serves a useful purpose.

Just a random thought.