ipv6 VPN advanced
In this article, we will set up a VPN with a public IPv6 address.

Assume you have already set up a tinyfecVPN connection:
```
#server side
./tinyvpn -s -l 0.0.0.0:30000 --sub-net 10.0.2.0 --tun-dev tun100
#client side (the port must match the server's -l port)
./tinyvpn_mips24kc_be -c -r 44.55.66.77:30000 --sub-net 10.0.2.0 --tun-dev tun100
```
A bandwagonhost VPS is used as an example. Though a bandwagonhost VPS gives you a `/64` block, it only allows you to use 3 individual IPv6 addresses. Nevertheless, we only need 2 to get it to work. It may not work with other VPS providers.

The ifconfig output before we start:
```
venet0    Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:127.0.0.1 P-t-P:127.0.0.1 Bcast:0.0.0.0 Mask:255.255.255.255
          inet6 addr: 2607:8700:aabb:ccdd::/128 Scope:Global
          UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
          RX packets:730020 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1180760 errors:0 dropped:330 overruns

tun100    Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.0.2.1 P-t-P:10.0.2.2 Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
          RX packets:145461 errors:0 dropped:0 overruns:0 frame:0
          TX packets:215513 errors:0 dropped:0 overruns:0 carrier:0
```
Configure two IP addresses on the VPS's web control page:

```
#this should be the default one, you'd better not change it
2607:8700:aabb:ccdd::
#this is the new one you assigned
2607:8700:aabb:ccdd::2
```

Reboot to let the change take effect.

Now the ifconfig output:
```
venet0    Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:127.0.0.1 P-t-P:127.0.0.1 Bcast:0.0.0.0 Mask:255.255.255.255
          inet6 addr: 2607:8700:aabb:ccdd::/128 Scope:Global
          inet6 addr: 2607:8700:aabb:ccdd::2/128 Scope:Global
          UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
          RX packets:730020 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1180760 errors:0 dropped:330 overruns
```
Delete one IP address from the default interface, because we want to use it for our VPN client:

```
ip addr del 2607:8700:aabb:ccdd::2/128 dev venet0
```

The new ifconfig output (it changed back, as if no new IP had been assigned):
```
venet0    Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:127.0.0.1 P-t-P:127.0.0.1 Bcast:0.0.0.0 Mask:255.255.255.255
          inet6 addr: 2607:8700:aabb:ccdd::/128 Scope:Global
          UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
          RX packets:730020 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1180760 errors:0 dropped:330 overruns
```
```
#server side
# 2607:8700:aabb:ccdd::10 is just any unused IP in the /64 block; it doesn't need to be configured in the web control page, and it doesn't need to be routable/accessible
ip -6 addr add 2607:8700:aabb:ccdd::10/64 dev tun100
sysctl -w net.ipv6.conf.all.forwarding=1
#client side
ip -6 addr add 2607:8700:aabb:ccdd::2/64 dev tun100
ip -6 route add default via 2607:8700:aabb:ccdd::10
```
Done. Now the client 2607:8700:aabb:ccdd::2 is reachable publicly.

The ifconfig output now:
```
venet0    Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:127.0.0.1 P-t-P:127.0.0.1 Bcast:0.0.0.0 Mask:255.255.255.255
          inet6 addr: 2607:8700:aabb:ccdd::/128 Scope:Global
          UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
          RX packets:730020 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1180760 errors:0 dropped:330 overruns

tun100    Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.0.2.1 P-t-P:10.0.2.2 Mask:255.255.255.255
          inet6 addr: 2607:8700:aabb:ccdd::10/64 Scope:Global
          UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
          RX packets:145461 errors:0 dropped:0 overruns:0 frame:0
          TX packets:215513 errors:0 dropped:0 overruns:0 carrier:0
```
Vultr assigns a `/64` block to your default interface by default. You can use any address in the `/64` block without needing the web control page, but you have to use an NDP proxy to make a newly assigned address routable. (By contrast, bandwagonhost's new IP is assigned via the web control page and becomes routable as soon as you assign it; bandwagonhost only allows 3 individual IPv6 addresses instead of a whole block.)

The ifconfig output:
```
eth0      Link encap:Ethernet HWaddr 12:00:00:34:56:78
          inet addr:44.55.66.77 Bcast:44.55.66.255 Mask:255.255.254.0
          inet6 addr: 2001:19f0:aabb:ccdd:5400:ff:fe61:f22c/64 Scope:Global
          inet6 addr: fe80::5400:ff:fe61:f22c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

tun100    Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.0.2.1 P-t-P:10.0.2.2 Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
          RX packets:145461 errors:0 dropped:0 overruns:0 frame:0
          TX packets:215513 errors:0 dropped:0 overruns:0 carrier:0
```
```
#server side
ip -6 addr add 2001:19f0:aabb:ccdd::10/120 dev tun100 # use /120 here, to avoid messing up the route table
sysctl -w net.ipv6.conf.all.forwarding=1
sysctl -w net.ipv6.conf.all.proxy_ndp=1
ip -6 neigh add proxy 2001:19f0:aabb:ccdd::2 dev eth0 # it's eth0 here, the default network interface
#client side
ip -6 addr add 2001:19f0:aabb:ccdd::2/120 dev tun100
ip -6 route add default via 2001:19f0:aabb:ccdd::10
```
Done. The ifconfig output now:
```
eth0      Link encap:Ethernet HWaddr 12:00:00:34:56:78
          inet addr:44.55.66.77 Bcast:44.55.66.255 Mask:255.255.254.0
          inet6 addr: 2001:19f0:aabb:ccdd:5400:ff:fe61:f22c/64 Scope:Global
          inet6 addr: fe80::5400:ff:fe61:f22c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

tun100    Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.0.2.1 P-t-P:10.0.2.2 Mask:255.255.255.255
          inet6 addr: 2001:19f0:aabb:ccdd::10/120 Scope:Global
          UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
```
The configuration in this article is well tested; it should work and be stable. But since I am not an expert in IPv6, this article may not be the "right way"/"best way" of setting up an IPv6 VPN; it's only a workable way.
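
Both procedures above leave the client's address reachable from the whole IPv6 Internet through the server's forwarding path, with no NAT in front of it. As an added example (not part of the original article or the tinyfecVPN project), this script prints a default-deny `ip6tables` FORWARD rule set for the server; the function name `gen_forward_rules`, the chain name `TUNFWD` and the published port are assumptions.

```shell
#!/bin/sh
# Added example: default-deny filter for what the VPN server forwards between
# its uplink and the tunnel. It only prints ip6tables commands for review;
# pipe the output to "sh" as root on the server to apply them.
# Assumed names: gen_forward_rules, chain TUNFWD, the sample published port.

# usage: gen_forward_rules CLIENT_ADDR TUN_DEV WAN_DEV [TCP_PORT ...]
gen_forward_rules() {
    client=$1 tun=$2 wan=$3
    shift 3
    case $client in
        *:*) ;;   # crude sanity check: an IPv6 literal contains a colon
        *) echo "not an IPv6 address: $client" >&2; return 1 ;;
    esac
    echo "ip6tables -N TUNFWD"
    echo "ip6tables -A FORWARD -i $wan -o $tun -j TUNFWD"
    echo "ip6tables -A FORWARD -i $tun -o $wan -j TUNFWD"
    # Egress filter: the tunnel may only source the address routed to it.
    echo "ip6tables -A TUNFWD -i $tun ! -s $client -j DROP"
    # Replies belonging to connections that are already tracked.
    echo "ip6tables -A TUNFWD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Connections the client opens itself.
    echo "ip6tables -A TUNFWD -i $tun -j ACCEPT"
    # ICMPv6 errors (needed for path MTU discovery) and ping towards the client.
    for t in destination-unreachable packet-too-big time-exceeded \
             parameter-problem echo-request; do
        echo "ip6tables -A TUNFWD -o $tun -d $client -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
    done
    # TCP services deliberately published on the client, if any.
    for port in "$@"; do
        echo "ip6tables -A TUNFWD -o $tun -d $client -p tcp --dport $port -j ACCEPT"
    done
    # Everything else crossing the tunnel in either direction is dropped.
    echo "ip6tables -A TUNFWD -j DROP"
}

# bandwagonhost layout from this page: client ::2 behind tun100, uplink venet0;
# only SSH on the client is published (sample choice).
gen_forward_rules 2607:8700:aabb:ccdd::2 tun100 venet0 22
```

For the Vultr layout, call it with `2001:19f0:aabb:ccdd::2 tun100 eth0` instead.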