
@stek29
Last active December 11, 2018 00:40

This Gist provides examples of handing out global IPv6 addresses to clients inside an OpenVPN tunnel.

If you have a /48 subnet, which is most likely a routed prefix, see https://community.openvpn.net/openvpn/wiki/IPv6
If you have a /64 subnet, which is most likely a link prefix, see the openvpn-link64-v6-over-v4.md file.
If you have some other configuration (e.g. just a /124; DigitalOcean, I'm looking at you), or just want to use the weirdest config ever, see openvpn-nat6.md (which is yet to be created).

All configurations I've tested work great on Windows, Linux, iOS and Android. For macOS, either use Viscosity (paid), or see Tunnelblick/Tunnelblick#452 for Tunnelblick.

The following covers the /64 link-prefix case. The server has a link (not routed) IPv6 prefix, with address 2a01:cafe:babe:dead::1/64 on interface eth0.

First, run the OpenVPN road warrior installer (https://github.com/Nyr/openvpn-install).

Additions to OpenVPN conf:

# Google Public DNS
push "dhcp-option DNS6 2001:4860:4860::8888"
push "dhcp-option DNS6 2001:4860:4860::8844"

# IPv6 addresses given to clients
server-ipv6 2a01:cafe:babe:dead:80::/112

# Some of these are probably redundant *shrug*
push "redirect-gateway-ipv6 def1 bypass-dhcp-ipv6"
push "route-ipv6 2000::/3"
push "redirect-gateway ipv6"

# without script-security 2, OpenVPN won't run the learn-address shell script
script-security 2
learn-address /etc/openvpn/ndp-proxy-setup.sh

The /etc/openvpn/ndp-proxy-setup.sh script (don't forget to chmod +x it):

#!/bin/bash

# logger "ndp script: (euid:$EUID) $0 $@"

# OpenVPN runs this hook as nobody; re-exec ourselves as root through sudo.
if [[ "$EUID" -ne 0 ]]; then
    # To avoid waiting for a password prompt, use sudo's askpass feature:
    # with /bin/false as askpass, a missing NOPASSWD rule fails fast instead of hanging.
    SUDO_ASKPASS=/bin/false sudo -A "$0" "$@"
    exit $?
fi

# learn-address calls us as: <add|update|delete> <address> [common-name]
action="$1"
addr="$2"
pubif="eth0"    # public interface that carries the /64

if [[ "${addr//:/}" == "$addr" ]]
then
    # no colon, so not an IPv6 address: IPv4 leases need no NDP proxy
    exit 0
fi

# Make the kernel answer neighbor solicitations for the client's address on the
# public interface, so the upstream router delivers its traffic to this host.
case "$action" in
    add)
        ip -6 neigh add proxy "${addr}" dev "${pubif}"
        ;;
    update)
        ip -6 neigh replace proxy "${addr}" dev "${pubif}"
        ;;
    delete)
        ip -6 neigh del proxy "${addr}" dev "${pubif}"
        ;;
esac

Since OpenVPN runs as nobody:nogroup, add to the sudoers file (edit it with visudo):

nobody ALL=NOPASSWD: /etc/openvpn/ndp-proxy-setup.sh
Defaults!/etc/openvpn/ndp-proxy-setup.sh !requiretty

Add to (or uncomment in) /etc/sysctl.conf:

net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.proxy_ndp=1

(Run sysctl -p to apply.)
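As an added example (not the gist's own code), here is a stricter variant of the learn-address hook. The sudoers rule above lets the nobody user run the script with any arguments, so the script itself is the only place that can limit which addresses end up as NDP proxy entries on eth0. This version expands the IPv6 address, checks that it lies inside the server-ipv6 pool, and only then builds the ip -6 neigh command; the prefix check works for any prefix length (/64, /112, /124, ...), which goes beyond the gist's single /112 case. It assumes it already runs as root (keep the gist's sudo re-exec in front of it if you want that), and POOL, PUBIF and the function names are my own choices, with POOL set to the gist's pool.

```shell
#!/bin/sh
# Added example, not the gist's own code: a learn-address hook that refuses to
# proxy any address outside the client pool. Assumes it already runs as root.
POOL="2a01:cafe:babe:dead:80::/112"   # the gist's server-ipv6 pool (assumed)
PUBIF="eth0"                          # the gist's public interface (assumed)

# expand_ipv6 ADDR: print the address as 32 hex digits, or nothing if malformed.
expand_ipv6() {
    printf '%s\n' "$1" | awk '
    function pad(g) {
        if (g !~ /^[0-9a-f]+$/ || length(g) > 4) { bad = 1; return "" }
        while (length(g) < 4) g = "0" g
        return g
    }
    {
        addr = tolower($0)
        if (addr !~ /^[0-9a-f:]+$/) { print ""; exit }
        idx = index(addr, "::")
        if (idx > 0) {
            head = substr(addr, 1, idx - 1); tail = substr(addr, idx + 2)
            if (index(tail, "::") > 0) { print ""; exit }   # a second "::" is illegal
        } else { head = addr; tail = "" }
        nh = split(head, h, ":"); nt = split(tail, t, ":")
        if ((idx == 0 && nh != 8) || (idx > 0 && nh + nt > 7)) { print ""; exit }
        out = ""
        for (i = 1; i <= nh; i++) out = out pad(h[i])
        for (i = 0; i < 8 - nh - nt; i++) out = out "0000"   # groups elided by "::"
        for (i = 1; i <= nt; i++) out = out pad(t[i])
        print (bad ? "" : out)
    }'
}

# in_prefix ADDR PREFIX/LEN: succeed only if ADDR lies inside PREFIX/LEN.
# Compares whole hex digits first, then the leftover bits of a non-nibble-aligned length.
in_prefix() {
    case "$2" in */*) ;; *) return 1 ;; esac
    len="${2#*/}"
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    a=$(expand_ipv6 "$1"); p=$(expand_ipv6 "${2%/*}")
    [ -n "$a" ] && [ -n "$p" ] || return 1
    printf '%s %s %s\n' "$a" "$p" "$len" | awk '{
        if ($3 > 128) exit 1
        full = int($3 / 4); rest = $3 % 4
        if (substr($1, 1, full) != substr($2, 1, full)) exit 1
        if (rest > 0) {
            hex = "0123456789abcdef"
            da = index(hex, substr($1, full + 1, 1)) - 1
            dp = index(hex, substr($2, full + 1, 1)) - 1
            if (int(da / 2 ^ (4 - rest)) != int(dp / 2 ^ (4 - rest))) exit 1
        }
        exit 0
    }'
}

# ndp_proxy_cmd ACTION ADDR: print the ip(8) command to run, print nothing for
# IPv4 leases (which need no NDP proxy), and fail for anything else.
ndp_proxy_cmd() {
    case "$1" in
        add)    verb="add" ;;
        update) verb="replace" ;;
        delete) verb="del" ;;
        *)      return 1 ;;
    esac
    case "$2" in *:*) ;; *) return 0 ;; esac        # no colon: IPv4, ignore
    in_prefix "$2" "$POOL" || return 1
    printf 'ip -6 neigh %s proxy %s dev %s\n' "$verb" "$2" "$PUBIF"
}

# Hook entry point: OpenVPN calls us as <action> <address> [common-name].
if [ "$#" -ge 2 ]; then
    if cmd=$(ndp_proxy_cmd "$1" "$2"); then
        [ -n "$cmd" ] && exec $cmd                  # arguments validated above, so splitting is safe
        exit 0
    fi
    logger -t ndp-proxy "refused learn-address request: $1 $2"
    exit 1                                          # non-zero so the refusal shows in OpenVPN's log
fi
```

Point learn-address at this file instead of the gist's script (the sudoers and sysctl settings stay the same). Any address that is not inside POOL, including the server's own 2a01:cafe:babe:dead::1, is refused and logged rather than proxied, so a stray or forged hook invocation cannot add proxy entries for the rest of the /64.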
