
IPv4 to IPv6 Tunnel

Client ──IPv4──→ Server ──IPv4/IPv6──→ Ziel
Client ←──IPv4── Server ←──IPv4/IPv6── Ziel

(Der Client erreicht den Server nur über IPv4; der Server spricht mit dem Ziel über IPv4 – per NAT – oder über IPv6 mit einer öffentlichen Adresse aus dem eigenen /64.)

Voraussetzungen

  • IPv6-/64-Subnetz, das auf dem öffentlichen Interface (eth0) des Servers liegt; daraus wird unten ein /112 an die Clients verteilt und per NDP-Proxy bekannt gemacht. Ist das /64 stattdessen an den Server geroutet, ist der NDP-Proxy nicht nötig.
  • LXC/KVM/Dedicated Server mit Kernel Version 3.2+
  • TUN/TAP-Gerät (/dev/net/tun) im Container bzw. der VM verfügbar

OpenVPN installieren

sudo apt-get install openvpn

Setup

Konfiguration des OpenVPN Servers

/etc/openvpn/server.conf

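#############################################
# @AUTHOR: Gurkengewuerz <admin@gurkengewuerz.de>
# @REVIEW: 21.02.2017
# @DESCRIPTION: Dual-Stack OpenVPN Tunnel
#
# Server side of the tunnel: IPv4 clients get a private 10.8.0.0/24 address
# that is NATed on eth0, plus a public IPv6 address out of a /112 that is
# published on eth0 via NDP proxy (see the learn-address hook).
#
# IPTABLES (NAT only the VPN pool, not every forwarded packet leaving eth0):
#   iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# IPv6 is routed, not NATed: clients are directly reachable from the
# Internet unless ip6tables FORWARD rules restrict it.
#
# Links:
# https://www.uninformativ.de/blog/postings/2015-03-24/0/POSTING-de.html
# https://forums.openvpn.net/viewtopic.php?t=23226
#
#############################################

port 1194

# NOTE(review): OpenVPN keeps a single proto value, so with two lines the
# later one wins. What "udp" vs "udp6" means also changed between 2.3
# (udp = IPv4 only) and 2.4 (udp = dual-stack) — check `openvpn --version`
# and keep the line that matches it.
proto udp
proto udp6

dev tun
# IPv6 inside the tunnel. Since OpenVPN 2.4 this is implied by server-ipv6
# (the lines are accepted but deprecated); 2.3 still needs them.
tun-ipv6
push tun-ipv6

ca ca.crt
cert server.crt
key server.key  # This file should be kept secret (root:root, mode 0600)

dh dh4096.pem

# Optional hardening: HMAC-sign the control channel with a pre-shared key so
# packets without the key are dropped before the TLS handshake. The same key
# is needed on every client (`tls-auth ta.key 1`); enable both sides together.
#   openvpn --genkey --secret ta.key
;tls-auth ta.key 0

# SECURITY: clients may talk to each other inside OpenVPN; this traffic does
# not pass the host's FORWARD chain. Remove if clients should be isolated.
client-to-client

# Client Configs
# Per-client overrides (fixed addresses), one file per certificate common
# name — see the ccd section on this page. Absolute path, because a relative
# one depends on the daemon's working directory.
client-config-dir /etc/openvpn/ccd
# Uncomment to refuse clients that have no ccd file:
;ccd-exclusive

# Required to run the learn-address hook. The hook must be executable and
# runs with the daemon's privileges — root here, since no user/group
# directive drops them; `ip neigh` needs CAP_NET_ADMIN, so dropping
# privileges would require a sudo rule or capability for that command.
script-security 2
learn-address /etc/openvpn/learn-address

server 10.8.0.0 255.255.255.0

# The server's own IPv6 address, taken from your /64 (e. g. 2a01:2a6:360:2356::8);
# the /112 around it is handed out to the clients.
server-ipv6 <public ip>/112

# Send all client IPv6 traffic through the tunnel. route-ipv6 ::/0 is the
# OpenVPN 2.3 way; the "ipv6" flag of redirect-gateway below needs 2.4+
# clients. Keeping both is harmless (review: confirm against your clients).
push "route-ipv6 ::/0"

# Resolvers pushed to the clients (Google Public DNS). Replace with your
# own resolvers if DNS queries should not leave your network.
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

push "dhcp-option DNS6 2001:4860:4860::8888"
push "dhcp-option DNS6 2001:4860:4860::8844"

push "redirect-gateway ipv6 def1 bypass-dhcp"

persist-key
persist-tun

keepalive 10 120

# Must match the client's cipher line. AES-128-CBC still works, but with
# 2.4+ on both ends prefer an AEAD cipher (AES-256-GCM, negotiated via
# ncp-ciphers) — change both configs together.
cipher AES-128-CBC
# SECURITY: compression inside a VPN enables VORACLE-style attacks when
# attacker-controlled data is compressed together with secrets. Kept only
# because the client config on this page enables it too; disable on both sides.
comp-lzo

# Connected clients and their addresses; relative to the working directory.
status openvpn-status.log

verb 4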

Zusatzkonfiguration

/etc/openvpn/learn-address # neue Datei – anschließend ausführbar machen: chmod 755 /etc/openvpn/learn-address (OpenVPN startet das Skript direkt)

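#!/bin/bash
# OpenVPN learn-address hook: publish each client's IPv6 address on the
# public interface as an NDP proxy entry so the upstream router can reach it.
#
# OpenVPN invokes it as:
#   learn-address <add|update|delete> <address>[/<netbits>] [<common-name>]
# On add/update a non-zero exit status makes OpenVPN reject the address, so
# the result of `ip neigh replace` is deliberately passed back to OpenVPN.
# Needs `script-security 2` and runs with the daemon's privileges (root in
# the server.conf on this page); `ip neigh` requires CAP_NET_ADMIN.

action="$1"
addr="$2"
# Public (upstream) interface. Override without editing the script via
# `setenv PUBIF <interface>` in server.conf.
pubif="${PUBIF:-eth0}"

# IPv4 addresses contain no colon: nothing to proxy, IPv4 is NATed.
if [[ "$addr" != *:* ]]; then
    exit 0
fi

# Routed prefixes (iroute-ipv6, passed as address/netbits) cannot be covered
# by one neighbour proxy entry, and `ip neigh` rejects the /netbits form.
# Accept them so the route is not refused; reaching such a prefix from the
# outside needs a real route or an NDP proxy daemon instead.
if [[ "$addr" == */* ]]; then
    exit 0
fi

case "$action" in
    add|update)
        ip neigh replace proxy "$addr" dev "$pubif"
        exit $?
        ;;
    delete)
        ip neigh del proxy "$addr" dev "$pubif"
        # A missing entry on delete is harmless; never fail OpenVPN for it.
        exit 0
        ;;
esac

exit 0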

Fixe Adressen für Clients

/etc/openvpn/ccd/<client-name> – <client-name> ist der Common Name des Client-Zertifikats; die Datei wird nur gelesen, wenn in server.conf `client-config-dir` aktiv (nicht auskommentiert) ist.

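# Fixed IPv4 address for this client.
# NOTE(review): the "address netmask" form is only correct with
# `topology subnet` in server.conf. The server.conf on this page sets no
# topology, so OpenVPN uses its default net30 and reads the second argument
# as the peer address instead — set `topology subnet` on the server (and
# check the address does not collide with the dynamic pool).
ifconfig-push 10.8.0.101 255.255.255.0

# ifconfig-ipv6-push <client ip>/<bits> <server ip>
# The client address must lie inside the server-ipv6 /112 and use the same
# prefix length; the second argument is the server's server-ipv6 address and
# takes no prefix length. 2001:db8::/32 is a documentation prefix — replace it.
# NOTE(review): static addresses are not reserved out of the dynamic pool;
# confirm they do not overlap with addresses OpenVPN hands out.
ifconfig-ipv6-push 2001:db8:702:1000::2/112 2001:db8:702:1000::1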

iptables / ip6tables

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

IP Forwarding und NDP-Proxy (**die Originalseite nennt dafür Kernel 3.2+, vgl. Voraussetzungen**)

/etc/sysctl.conf – danach mit `sysctl -p` laden (oder neu starten)

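# Forward IPv4 between tun0 and eth0 (clients are NATed on eth0).
# The "all" key already applies to every interface; the per-interface keys
# are kept for explicitness.
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.eth0.forwarding = 1
# tun0 only exists while OpenVPN runs, so `sysctl -p` at boot reports this
# key as missing; harmless, the "all" key covers it.
net.ipv4.conf.tun0.forwarding = 1
net.ipv4.ip_forward = 1

# Forward IPv6 and answer neighbour solicitations for the proxied client
# addresses that the learn-address hook adds with `ip neigh ... proxy`.
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.proxy_ndp = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.lo.forwarding = 1
net.ipv6.conf.eth0.forwarding = 1
net.ipv6.conf.tun0.forwarding = 1

# NOTE(review): with forwarding=1 the kernel ignores Router Advertisements on
# eth0 unless accept_ra=2. If the server learns its IPv6 default route via RA,
# add `net.ipv6.conf.eth0.accept_ra = 2` or configure the route statically.

# The *.mc_forwarding keys of the original listing were dropped: they are
# read-only in /proc/sys (set by a multicast routing daemon) and only make
# `sysctl -p` print permission errors. Multicast routing is not used here.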

Client

##############################################
# Sample client-side OpenVPN 2.0 config file  #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
#                                            #
# Client side of the dual-stack tunnel on    #
# this page. Every directive with a          #
# counterpart in server.conf (proto, cipher, #
# comp-lzo, tls-auth) must match the server. #
# The file embeds the client's private key   #
# (see <key> at the end), so keep it         #
# readable by its owner only (chmod 600).    #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# IPv6 inside the tunnel; implied (and deprecated) since OpenVPN 2.4,
# still required for 2.3 clients.
tun-ipv6

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
# "udp" reaches the server over IPv4, which is what a client
# without its own public IPv4/IPv6 connectivity needs here.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
# Replace with your own server's name/address.
remote vpn.mc8051.de 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
# Recommended on Linux clients (together with persist-key/persist-tun
# below); keep commented out for Windows.
;user nobody
;group nogroup

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
# Commented out because the CA, certificate and key are
# embedded inline at the end of this file.
;ca ca.crt
;cert client.crt
;key client.key

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
#
# NOTE(review): ns-cert-type is deprecated (2.4) and removed in OpenVPN 2.5,
# where this line makes the client refuse to start. The replacement is
# `remote-cert-tls server`, which checks keyUsage/extendedKeyUsage
# (serverAuth) instead; easy-rsa server certificates normally carry these,
# but verify with `openssl x509 -text -in server.crt` before switching.
ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
# Enable together with `tls-auth ta.key 0` on the server; for an inline
# key use a <tls-auth> block plus `key-direction 1`.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
# With 2.4+ on both ends an AEAD cipher (AES-256-GCM) is preferable;
# change server and client together.
cipher AES-128-CBC

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
# SECURITY: compression inside a VPN enables VORACLE-style attacks;
# disable it on both sides if possible.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20


# Inline CA certificate, client certificate and client private key. The
# "# ..." lines are placeholders — paste the full PEM blocks. The CA block
# holds the CA that signed the server certificate, not the server certificate.
<ca>
-----BEGIN CERTIFICATE-----
# server
-----END CERTIFICATE-----
</ca>
<cert>
# client.cert
</cert>
<key>
-----BEGIN PRIVATE KEY-----
# client
-----END PRIVATE KEY-----
</key>

Download: openvpn_ds-lite.zip
