之前我们已经给 VPS 配置好了 HE Tunnel Broker 提供的 IPv6 地址,但是这 2^80 个 IPv6 地址都放在服务器上有些太浪费了,为何不弄到家里电脑来,让家里电脑也可以使用 IPv6 呢?等着国内运营商提供 IPv6 恐怕得猴年马月了吧?
Google 了一下,使用 OpenVPN Tunnel 可以轻松完成这个工作,有两种方法:第一种是用 tap 模式建立网桥,服务器端运行 radvd 给客户端分配 IPv6 地址并作路由。第二种使用 sit 设备,不需要配置服务,但是需要客户端做相应的绑定。我选择第二种,主要是想将 OpenVPN 维持在 tun 模式。
基 本思路是根据给客户端分配的内部 IPv4 地址的最后一位(X)在服务器端(在 Debian / Ubuntu 测试通过)起一个 sitX 设备,并且绑定 2001:1111:2222:X::1 这个地址,同时客户端(我这里是 Mac OS X,Windows / Linux 也可以分别使用批处理 / Bash 脚本调用 ip 命令搞定) gif 设备绑定 2001:1111:2222:X::2,并将默认路由设置为 2001:1111:2222:X::1,从而实现 IPv6 通路。下面是简单的设置过程和脚本文件:
服务器端设置:
vi /etc/openvpn/server.conf
最后加入:
script-security 2
client-connect /etc/openvpn/client-connect.sh
client-disconnect /etc/openvpn/client-disconnect.sh
编辑客户连接脚本
vi /etc/openvpn/client-connect.sh
内容:
#!/bin/bash# This is a script that is run each time a remote client connects
# to this openvpn server.
# it will setup the ipv6 tunnel depending on the ip address that was
# given to the clientBASERANGE="2001:xxxx:xxxx"
# v6net is the last section of the ipv4 address that openvpn allocated
V6NET=$(echo ${ifconfig_pool_remote_ip} | awk -F. '{print $NF}')SITID="sit${V6NET}"# setup the sit between the local and remote openvpn addresses
sudo /sbin/ip tunnel add ${SITID} mode sit ttl 255 remote ${ifconfig_pool_remote_ip} local ${ifconfig_local}
sudo /sbin/ip link set dev ${SITID} up# config routing for the new network
sudo /sbin/ip -6 addr add ${BASERANGE}:${V6NET}::1/64 dev ${SITID}
sudo /sbin/ip -6 route add ${BASERANGE}:${V6NET}::/64 via ${BASERANGE}:${V6NET}::2 dev ${SITID} metric 1# log to syslog
echo "${script_type} client_ip:${trusted_ip} common_name:${common_name} local_ip:${ifconfig_local} \
remote_ip:${ifconfig_pool_remote_ip} sit:${SITID} ipv6net:${V6NET}" | /usr/bin/logger -t ovpn
客户断开脚本
vi /etc/openvpn/client-disconnect.sh
内容:
#!/bin/bash# This is a script that is run each time a remote client disconnects
# to this openvpn server.BASERANGE="2001:xxxx:xxxx"
# v6net is the last section of the ipv4 address that openvpn allocated
V6NET=$(echo ${ifconfig_pool_remote_ip} | awk -F. '{print $NF}')SITID="sit${V6NET}"sudo /sbin/ip -6 addr del ${BASERANGE}:${V6NET}::1/64 dev ${SITID}# remove the sit between the local and:qremote openvpn addresses
sudo /sbin/ip link set dev ${SITID} down
sudo /sbin/ip tunnel del ${SITID} mode sit ttl 255 remote ${ifconfig_pool_remote_ip} local ${ifconfig_local}# log to syslog
echo "${script_type} client_ip:${trusted_ip} common_name:${common_name} local_ip:${ifconfig_local} \
remote_ip:${ifconfig_pool_remote_ip} sit:${SITID} ipv6net:${V6NET} duration:${time_duration} \
received:${bytes_received} sent:${bytes_sent}" | /usr/bin/logger -t ovpn
开启 IPv6 包转发:
sudo vi /etc/sysctl.conf
设置
net.ipv6.conf.all.forwarding=1
之后
sudo sysctl -p
客户端,编辑 client.conf,加入
up ./up.sh
down ./down.sh
如果选中了 Set nameserver 的话,这时候 TunnelBlick 在连接时就会调用
--up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh
从而造成 up ./up.sh 失败,所以我们不选 Set nameserver,然后将那个脚本并入我们自己的脚本中
up.sh 内容:
#!/bin/bash -e
bash /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -dINTERFACE=$1; shift;
TUN_MTU=$1; shift;
UDP_MTU=$1; shift;
LOCAL_IP=$1; shift;
REMOTE_IP=$1; shift;
MODUS=$1; shift;#script that is run on the client when it creates a tunnel to the remote OpenVPN server
IPV6BASE=2001:xxxx:xxxxSERVER_IP=10.8.0.1V6NET=$(echo ${LOCAL_IP} | cut -d. -f4)GIFID="gif0"sudo /sbin/ifconfig ${GIFID} tunnel ${LOCAL_IP} ${SERVER_IP}
sudo /sbin/ifconfig ${GIFID} inet6 ${IPV6BASE}:${V6NET}::2/64
sudo /sbin/route delete -inet6 default
sudo /sbin/route add -inet6 default ${IPV6BASE}:${V6NET}::1exit 0
down.sh 内容
#!/bin/bash –e
INTERFACE=$1; shift;
TUN_MTU=$1; shift;
UDP_MTU=$1; shift;
LOCAL_IP=$1; shift;
REMOTE_IP=$1; shift;
MODUS=$1; shift;# script that is run on the client when it creates a tunnel to the remote OpenVPN server
IPV6BASE=2001:xxxx:xxxxSERVER_IP=10.8.0.1V6NET=$(echo ${LOCAL_IP} | cut -d. -f4)GIFID="gif0"sudo /sbin/route delete -inet6 default
sudo /sbin/ifconfig ${GIFID} inet6 ${IPV6BASE}:${V6NET}::2 -alias
sudo /sbin/ifconfig ${GIFID} deletetunnelbash /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d --up-restartexit 0
至此设置完毕,如果一切顺利的话以后再连接这个 OpenVPN 就可以在 gif0 上获取到 IPv6 地址了。
参考:Personal IPv6 Tunnel Broker with OpenVPN
-----------------------------------------------------------------
-----------------------------------------------------------------
This document details how I setup an ipv6 tunnel broker system with OpenVPN
Why I did itI have a Xen VM from Goscomb Technologies. As part of the package they also provide a /48 of ipv6 addresses for each VPS. This is good if you want to play with ipv6 to see how it works.
There are different methods to tunnel ipv6 packets over an ipv4 network. One of the easiest is to use the sit device to create a tunnel between two ipv4 systems. This method does have some problems though -
- Each end of the tunnel must have a static ipv4 address
- Each of the ipv4 endpoints must be reachable by the other - i.e. one end can not be a private ip address like 192.168.22.58
How do you provide a static ipv4 address when you live on the other side of the world, only have a private ip address and only have ADSL with a dynamic public ipv4 address.
The Open source OpenVPN Project is provided with most Linux distributions and can be easily installed. When I get a chance I will provide details on how I installed OpenVPN but in the mean time see your distribution for installation details. When OpenVPN is running it can provide static ipv4 addresses at each endpoint. If my public ipv4 address changes then OpenVPN will still maintain the tunnel ipv4 addresses. Just what we want.
Yes I know that OpenVPN has a tun-ipv6 device that can carry native ipv6 packets. The problem is you currently can not have a server with a tun-ipv6 device. It must be a tap device in bridge mode. I do not want to do this because it means changing the network configuration on my remote server which I do not have console access to. If anything goes wrong I could easily be locked out of my machine.
I received an email from Ian who mentioned that he was having some problems with this setup. It seems that not all providers configure ipv6 the same and he had to ser up Neighbor Discovery Proxy to get his system working.
Here is what he said -
One thing stopped it working. Packets from the internet were not making it back to my VM and from there back down the tunnel. A tcpdump on the VM revealed 'Neighbor Discovery Packets' for my machine being broadcast by the ISPs router. As soon as I added 'Neighbor Discovery Proxy' on my VM for the machine at my home end of the tunnel, it worked perfectly. It's similar to Proxy ARP in ipv4, I read about it here:
and added this to my server's client-connect.sh script:
# config Neighbor Discovery Proxy (like proxy ARP) # also requires 'echo 1 >/proc/sys/net/ipv6/conf/all/proxy_ndp' # e.g. in rc.local or using sysctl sudo /sbin/ip -6 neigh add proxy ${BASERANGE}:${V6NET}::2 dev eth0
Here is the server.conf file I have running on the Xen VM from Goscomb -
# Local IP address for the server to listen on. local 9.8.7.6 # set the port or use the standard 1194 port 56789 # udp is the recommended transport proto udp # there is a tun-ipv6 device but I want to use the tun device dev tun # the keys I generated during the OpenVPN install process ca /etc/openvpn/keys/ca.crt cert /etc/openvpn/keys/server.crt key /etc/openvpn/keys/server.key # This file should be kept secret dh /etc/openvpn/keys/dh2048.pem # the ip range that OpenVPN will use for its static ipv4 addresses server 10.18.0.0 255.255.255.0 tls-auth ta.key 0 # This file is secret comp-lzo max-clients 10 keepalive 18 83 user ovpn group nogroup persist-key persist-tun status openvpn-status.log verb 5 # I added these to setup and tear down the ipv6 tunnels when a client connects or disconnects. See below client-connect /etc/openvpn/client-connect.sh client-disconnect /etc/openvpn/client-disconnect.sh
client dev tun proto udp remote 9.8.7.6 56789 resolv-retry infinite nobind keepalive 27 79 user ovpn group nogroup persist-key persist-tun ca /etc/openvpn/keys/ca.crt cert /etc/openvpn/keys/client1.crt key /etc/openvpn/keys/client1.key ns-cert-type server tls-auth ta.key 1 comp-lzo verb 3 # create the ipv6 tunnel up /etc/openvpn/up.sh down /etc/openvpn/down.sh # need this so when the client disconnects it tells the server so the server can remove the ipv6 tunnel the client was using explicit-exit-notify
The range of ipv6 addresses you get from your provider will look something like 2001:f5a:53::/48
This means to get to a /64 for each remote client then we have to add some number to the above. Why not add the last octet from the ipv4 of the remote OpenVPN client.
For example
OpenVPN allocates the remote client an ipv4 address of 10.18.0.14 The ipv6 range is 2001:f5a:53::/48 We therefore allocate 2001::f5a:53:14::/64 to the remote client From this we use 2001::f5a:53:14::1 as the local end of the ipv6 tunnel and we use 2001::f5a:53:14::2 as the remote ipv6 address for the client Yes we waste the rest of the /64 of ipv6 addresses
This is the script we run on the server each time a client connects. OpenVPN is good because it provides various environment variables with information about the client that has connected. You will notice that the following script uses sudo. This is because the script runs as the same user that OpenVPN runs as so it will not have access to the /sbin/ip command. To get around this we need to add the following to the /etc/sudoers file. This will allow the ovpn user to run only the /sbin/ip command
ovpn ALL=(ALL) NOPASSWD: /sbin/ip
#!/bin/bash # This is a script that is run each time a remote client connects # to this openvpn server. # it will setup the ipv6 tunnel depending on the ip address that was # given to the client BASERANGE="2001:f5a:53" # v6net is the last section of the ipv4 address that openvpn allocated V6NET=$(echo ${ifconfig_pool_remote_ip} | awk -F. '{print $NF}') SITID="sit${V6NET}" # setup the sit between the local and remote openvpn addresses sudo /sbin/ip tunnel add ${SITID} mode sit ttl 255 remote ${ifconfig_pool_remote_ip} local ${ifconfig_local} sudo /sbin/ip link set dev ${SITID} up # config routing for the new network sudo /sbin/ip -6 addr add ${BASERANGE}:${V6NET}::1/64 dev ${SITID} sudo /sbin/ip -6 route add ${BASERANGE}:${V6NET}::/64 via ${BASERANGE}:${V6NET}::2 dev ${SITID} metric 1 # log to syslog echo "${script_type} client_ip:${trusted_ip} common_name:${common_name} local_ip:${ifconfig_local} \ remote_ip:${ifconfig_pool_remote_ip} sit:${SITID} ipv6net:${V6NET}" | /usr/bin/logger -t ovpn
#!/bin/bash # This is a script that is run each time a remote client disconnects # to this openvpn server. BASERANGE="2001:f5a:53" # v6net is the last section of the ipv4 address that openvpn allocated V6NET=$(echo ${ifconfig_pool_remote_ip} | awk -F. '{print $NF}') SITID="sit${V6NET}" sudo /sbin/ip -6 addr del ${BASERANGE}:${V6NET}::1/64 dev ${SITID} # remove the sit between the local and remote openvpn addresses sudo /sbin/ip link set dev ${SITID} down sudo /sbin/ip tunnel del ${SITID} mode sit ttl 255 remote ${ifconfig_pool_remote_ip} local ${ifconfig_local} # log to syslog echo "${script_type} client_ip:${trusted_ip} common_name:${common_name} local_ip:${ifconfig_local} \ remote_ip:${ifconfig_pool_remote_ip} sit:${SITID} ipv6net:${V6NET} duration:${time_duration} \ received:${bytes_received} sent:${bytes_sent}" | /usr/bin/logger -t ovpn
# allow forwarding of ipv6 packets echo "1" >/proc/sys/net/ipv6/conf/all/forwarding # openvpn tunnel will only accept ipv6-in-v4 packets iptables -A INPUT -i tun0 ! -p 41 -j REJECT --reject-with icmp-host-unreachable iptables -A OUTPUT -o tun0 ! -p 41 -j REJECT --reject-with icmp-host-unreachable
At the client end we also need to setup and remove the tunnel The up.sh script on the client
#!/bin/bash # script that is run on the client when it creates a tunnel to the remote OpenVPN server IPV6BASE=2001:f5a:53 V6NET=$(echo ${ifconfig_local} | awk -F. '{print $NF}') # NOTE!!! The following has a hard coded ipv4 address because I can not find a way for the client to find # out the server ipv4 end point of the OpenVPN tunnel /sbin/ip tunnel add sit1 mode sit ttl 255 remote 10.18.0.1 local ${ifconfig_local} /sbin/ip link set dev sit1 up /sbin/ip -6 addr add ${IPV6BASE}:${V6NET}::2/64 dev sit1 /sbin/ip route add ::/0 via ${IPV6BASE}:${V6NET}::1 exit 0
#!/bin/bash IPV6BASE=2001:f5a:53 V6NET=$(echo ${ifconfig_local} | awk -F. '{print $NF}') sudo /sbin/ip -6 addr del ${IPV6BASE}:${V6NET}:2/64 dev sit1 sudo /sbin/ip link set dev sit1 down sudo /sbin/ip tunnel del sit1 mode sit ttl 255 remote 10.18.0.1 local ${ifconfig_local} sudo /sbin/ip route del ::/0 via ${IPV6BASE}:${V6NET}:1 exit 0
And that is about that. Start OpenVPN on the server and connect from the clients and they should create devices like this on the client -
human@dave:~$ ifconfig tun0 tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet addr:10.18.0.6 P-t-P:10.18.0.5 Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 RX packets:1184 errors:0 dropped:0 overruns:0 frame:0 TX packets:1207 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:1244833 (1.2 MB) TX bytes:160282 (160.2 KB) human@dave:~$ ifconfig sit1 sit1 Link encap:IPv6-in-IPv4 inet6 addr: 2001:f5a:53:6::2/64 Scope:Global inet6 addr: fe80::a12:6/128 Scope:Link UP POINTOPOINT RUNNING NOARP MTU:1480 Metric:1 RX packets:1184 errors:0 dropped:0 overruns:0 frame:0 TX packets:1207 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:1221153 (1.2 MB) TX bytes:136142 (136.1 KB)
sit6 Link encap:IPv6-in-IPv4 inet6 addr: 2001:f5a:53:6::1/64 Scope:Global inet6 addr: fe80::a12:1/128 Scope:Link UP POINTOPOINT RUNNING NOARP MTU:1480 Metric:1 RX packets:544 errors:0 dropped:0 overruns:0 frame:0 TX packets:485 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:74953 (73.1 KB) TX bytes:432683 (422.5 KB) tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet addr:10.18.0.1 P-t-P:10.18.0.2 Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 RX packets:97712 errors:0 dropped:0 overruns:0 frame:0 TX packets:93189 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:10047601 (9.5 MB) TX bytes:71844638 (68.5 MB)
Now you can surf the web 128 bits at a time - Have Fun.
from http://www.zagbot.com/openvpn_ipv6_tunnel.html
from http://www.zagbot.com/openvpn_ipv6_tunnel.html
No comments:
Post a Comment