Support for IPv6 in client

Got a problem with Viscosity or need help? Ask here!

sveihan

Posts: 5
Joined: Sat Feb 20, 2010 7:56 am

Post by sveihan » Sat Feb 20, 2010 8:06 am
Hi

Is it possible to add a feature to enable IPv6 in the configuration?

Now I have to run these commands to get/route IPv6:
sudo ip6config start-v6 tap0
sudo sysctl -w net.inet6.ip6.accept_rtadv=1

tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 121.34.207.201 netmask 0xfffffc00 broadcast 128.39.207.255
inet6 fe80::40d:cff:fe52:4e18%tap0 prefixlen 64 scopeid 0x9
inet6 2001:400:1700:3b:40d:cff:fe52:4e18 prefixlen 64 autoconf
ether 06:0d:0c:52:4e:20

I can use a script, but it would have been nice to have this in the configuration window.
(road warrior setup)

http://www.whatismyipv6.net
Your IP is 2001:400:1700:3b:40d:cff:fe52:4e18

http://www.whatismyip.com
Your IP Address Is: 121.34.207.201

Svein
Last edited by sveihan on Mon Mar 01, 2010 8:49 pm, edited 2 times in total.

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Wed Feb 24, 2010 7:29 pm
Hi Svein,

Yep, IPv6 support is already in version 1.1 of Viscosity, which we hope to have out in beta shortly.

We're also currently working on a re-design of the Details window, however it is a little further off.

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

existenz

Posts: 4
Joined: Mon Oct 19, 2009 11:11 pm

Post by existenz » Sat Feb 27, 2010 10:55 pm
Hi Svein,

Could you post here the configuration you use on the server side? My tap0 interface always refuses to get a 'public' IPv6 address from my server-side network.

On my road warrior:
tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 192.168.168.50 netmask 0xffffff00 broadcast 192.168.168.255
	inet6 fe80::38e4:69ff:fee1:526e%tap0 prefixlen 64 scopeid 0x9 
	ether 3a:e4:69:e1:52:6e 
	open (pid 6851)
On my Linux server:
br0       Link encap:Ethernet  HWaddr 00:1c:c0:d8:c3:fd  
          inet addr:192.168.168.100  Bcast:192.168.168.255  Mask:255.255.255.0
          inet6 addr: 2a01:XXX:YYY:ZZZ:21c:c0ff:fed8:c3fd/64 Scope:Global
          inet6 addr: fe80::21c:c0ff:fed8:c3fd/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14404 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9515 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:10683608 (10.6 MB)  TX bytes:1379801 (1.3 MB)

tap0      Link encap:Ethernet  HWaddr aa:bd:49:04:6c:2c  
          inet6 addr: fe80::a8bd:49ff:fe04:6c2c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1165 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1023 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:258149 (258.1 KB)  TX bytes:503710 (503.7 KB)

Thank you.

sveihan

Posts: 5
Joined: Sat Feb 20, 2010 7:56 am

Post by sveihan » Sun Feb 28, 2010 2:14 am
Hi

I have written a howto in Norwegian for our OpenVPN setup.
If you are interested, I can translate it into English.

I'm using the OpenVPN server for distributing IPv4 and the router (Cisco 6509) for IPv6.
Authentication: username/password (Radius-plugin/AD)
Firewall script for IPv4/IPv6
Only public IPs (no NAT)
Routing everything through the tunnel.
OS: A minimal installation of Centos 5.4

Svein

existenz

Posts: 4
Joined: Mon Oct 19, 2009 11:11 pm

Post by existenz » Mon Mar 01, 2010 12:17 am
If you are interested I can translate it into english.
I would love it!

sveihan

Posts: 5
Joined: Sat Feb 20, 2010 7:56 am

Post by sveihan » Mon Mar 01, 2010 10:04 pm
Here it is :-)

My OpenVPN (SSL) setup

GOAL
* Bridge our office network to road warriors.
* Support for IPv4 and IPv6 (in the tunnel)
* Forward all traffic through the VPN tunnel.
(Access to all services behind the FW)
* Authentication using username/password (AD-Radius)
* Distribute IPv4 from openvpn-dhcp and IPv6 from the router.

My Network:
Clients: 121.34.204.0/22 - 2001:400:1700:3B::0/64
Servers: 121.34.108.0/24 - 2001:400:1700:32::0/64

Requirements:
* A minimal Linux installation (I'm using CentOS-5.4-i386)
* Tip: Deactivate the firewall now...
** [root@openvpn ~]# system-config-securitylevel-tui
** SELinux-> Deactivate....
* Exclude an IP range from your DHCP to use for OpenVPN users:
** MS-DHCP-range: 121.34.204.0/22
** I'm excluding: 121.34.207.200 - 121.34.207.254
* Configure your network router to distribute IPv6 on your vlan:
** (I'm using a Cisco 6509)
** Here is some of the config...:
*** Create a pool for IPv6:
**** ipv6 dhcp pool MSpool
**** dns-server 2001:400:1700:32::A
**** domain-name hive.no
*** Enable IPv6 on the interface
**** interface Vlan200
**** description MS-Klients
**** ipv6 address 2001:400:1700:3B::1/64
**** ipv6 enable
**** ipv6 dhcp server MADpool
* A server with 2 NICs
** Using eth0 for the internet connection:
**** 121.34.108.52/24 (Static)
**** 2001:400:1700:32::34/64 (Static)
** Using eth1 for vlan(200) promiscuous mode (br0 => tap0/eth1)
* Open port 443 on your central firewall for 121.34.108.52

Configuration for eth0:
[root@openvpn ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=none
BROADCAST=121.34.108.255
HWADDR=00:50:56:9e:2a:2a
IPADDR=121.34.108.52
IPV6ADDR=2001:400:1700:32::34/64
IPV6_DEFAULTGW=2001:400:1700:32::1
IPV6INIT=yes
IPV6_AUTOCONF=no
NETMASK=255.255.255.0
NETWORK=121.34.108.0
ONBOOT=yes
GATEWAY=121.34.108.1
TYPE=Ethernet

Configuration for eth1:
[root@openvpn ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
BOOTPROTO=none
ONBOOT=no
HWADDR=00:50:56:9e:63:4d

[root@openvpn ~]# cat /etc/resolv.conf
search hive.no
nameserver 2001:400:1700:32::A
nameserver 2001:400:1700:32::B
nameserver 121.34.108.10
nameserver 121.34.108.11

Test:
[root@openvpn ~]# ping6 ipv6.google.com
PING ipv6.google.com(2a00:1450:8001::68) 56 data bytes
64 bytes from 2a00:1450:8001::68: icmp_seq=0 ttl=51 time=50.2 ms
64 bytes from 2a00:1450:8001::68: icmp_seq=1 ttl=51 time=50.3 ms
[root@openvpn ~]# ping http://www.google.com
PING http://www.l.google.com (66.102.13.147) 56(84) bytes of data.
64 bytes from ez-in-f147.1e100.net (66.102.13.147): icmp_seq=1 ttl=53 time=40.2 ms
64 bytes from ez-in-f147.1e100.net (66.102.13.147): icmp_seq=2 ttl=53 time=40.0 ms


1: Install OpenVPN
We are creating our own RPM, so we need some dependencies:

* OpenSSL (YUM):
[root@openvpn ~]# yum install openssl openssl-devel

* rpm-build (YUM) For creating the RPM:
[root@openvpn ~]# yum install rpm-build

* gcc for compiling (YUM):
[root@openvpn ~]# yum install gcc

* pam-devel for authentication (YUM):
[root@openvpn ~]# yum install pam-devel

* Download the source code (http://openvpn.net):
[root@openvpn ~]# cd
[root@openvpn ~]# wget http://openvpn.net/release/openvpn-2.1.1.tar.gz

* Now we are ready to create the RPM:
[root@openvpn ~]# rpmbuild -tb openvpn-2.1.1.tar.gz --define 'without_lzo 1' --define 'with_pkcs11 0'
(The package is created here:/usr/src/redhat/RPMS/i386/openvpn-2.1_rc4-1.i386.rpm)

* Install OpenVPN:
[root@openvpn ~]# rpm -ivh /usr/src/redhat/RPMS/i386/openvpn-2.1.1-1.i386.rpm


2: Configure a bridge for OpenVPN:

* Traffic pattern:
121.34.108.52:443(eth0) <-> tap0(virt) <=> br0 <=> eth1 <-> lan(v200)..

* We need to install bridge-utils(YUM)..
[root@openvpn ~]# yum install bridge-utils

* Create a script for starting/stopping the bridge + tap0:
[root@openvpn ~]# mkdir scripts
[root@openvpn ~]# cd scripts/
[root@openvpn scripts]# vim bridge-start
#!/bin/bash
openvpn --mktun --dev tap0
ifconfig tap0 down
ifconfig eth1 down
brctl addbr br0
brctl addif br0 eth1
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
ifconfig eth1 0.0.0.0 promisc up
ifconfig br0 0.0.0.0 up

[root@openvpn scripts]# vim bridge-stop
#!/bin/bash
ifconfig br0 down
brctl delbr br0
ifconfig eth1 down
openvpn --rmtun --dev tap0

* Make them executable:
[root@openvpn scripts]# chmod +x bridge-st*

* Important: Remember to set ifcfg-eth1 from dhcp to none... or (BOOTPROTO=static)
[root@openvpn ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth1


3. Configure OpenVPN

* Create the CA and generate some certificates:
[root@openvpn scripts]# cp -R /usr/share/doc/openvpn-2.1.1/easy-rsa /etc/openvpn/
[root@openvpn scripts]# cd /etc/openvpn/easy-rsa/2.0/
[root@openvpn 2.0]# vim ./vars
#change these to your...:
export KEY_COUNTRY="NO"
export KEY_PROVINCE="Vestfold"
export KEY_CITY="Tonsberg"
export KEY_ORG="Hogskolen i Vestfold"
export KEY_EMAIL="[email protected]"

[root@openvpn 2.0]# . ./vars
[root@openvpn 2.0]# ./clean-all
[root@openvpn 2.0]# ./build-ca (choose defaults..)
[root@openvpn 2.0]# ./build-key-server openvpn.hive.no

Create a user certificate and sign it:
[root@openvpn 2.0]# ./build-key svein

Generate DH parameters:
[root@openvpn 2.0]# ./build-dh

* Copy the server-cert/key and ca-cert
[root@openvpn 2.0]# cd keys/
[root@openvpn keys]# cp openvpn.hive.no.crt openvpn.hive.no.key ca.crt dh1024.pem /etc/openvpn/

* Create server.conf:
[root@openvpn keys]# cd /etc/openvpn/
[root@openvpn openvpn]# vim server.conf
local 121.34.108.52
port 443
proto tcp-server
dev tap0
server-bridge 121.34.204.1 255.255.252.0 121.34.207.200 121.34.207.254
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DOMAIN hive.no"
push "dhcp-option DNS 121.34.108.10"
push "dhcp-option DNS 121.34.108.11"
client-to-client
keepalive 10 120
reneg-sec 1800
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/openvpn.hive.no.crt
key /etc/openvpn/openvpn.hive.no.key
dh /etc/openvpn/dh1024.pem
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 1

[root@openvpn openvpn]# mkdir /var/log/openvpn

4: Then we are ready to test what we have done...:

* Testing on a WIN7 machine:
Download: http://openvpn.net/release/openvpn-2.1.1-install.exe
Install the client.

* Copy the files to your windows-machine(WinSCP?).
svein.crt, svein.key and ca.crt (from here: /etc/openvpn/easy-rsa/2.0/keys)
Download to this location:
Win7 32bit: C:\Programfiler\OpenVPN\config
Win7 64bit: C:\Programfiler (x86)\OpenVPN\config

* Create a client-config in the same folder: openvpn.ovpn
client
dev tap
proto tcp-client
remote 121.34.108.52 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert svein.crt
key svein.key
verb 1

* Start the server for testing:
[root@openvpn openvpn]# cd /etc/openvpn/
[root@openvpn openvpn]# /root/scripts/bridge-start
[root@openvpn openvpn]# openvpn --config ./server.conf

* Start the Windows client and right-click the icon -> Connect
Now you should be able to log on and have contact with services behind the
company firewall (and the internet).


Check that your traffic is routed through the tunnel:
http://www.whatismyipv6.net/ IPv6 in this range: 2001:400:1700:3b:X:X:X:X
http://www.whatismyip.com/ IPv4 in this range: 121.34.207.200 - 254

* Not working? hmmm... Go back and check....


3: Working? YES: Now it's time to configure the AD-radius authentication:

* The AD-Radius configuration is not described here..

* Stop everything..:
Stop the Windows client by right-clicking the icon -> Disconnect
Stop OpenVPN..: Ctrl+C
Stop Bridge: [root@openvpn openvpn]# /root/scripts/bridge-stop

* PAM to RADIUS authentication module, pam_radius
[root@openvpn openvpn]# cd
Download from: http://www.freeradius.org/pam_radius_auth/
[root@openvpn ~]# wget ftp://ftp.freeradius.org/pub/radius/pam ... .17.tar.gz
[root@openvpn ~]# tar -zxvf pam_radius-1.3.17.tar.gz
[root@openvpn ~]# cd pam_radius-1.3.17

* Compile and copy the module:
[root@openvpn pam_radius-1.3.17]# make
[root@openvpn pam_radius-1.3.17]# cp pam_radius_auth.so /lib/security/

* Create conf-file for the module.
[root@openvpn pam_radius-1.3.17]# cd /etc/
[root@openvpn etc]# mkdir raddb
[root@openvpn etc]# vim raddb/server
#Server:port shared secret
121.34.108.15:1812 jailbird 1
[root@openvpn etc]# cd /etc/pam.d/
[root@openvpn pam.d]# vim openvpn
#%PAM-1.0
auth sufficient pam_radius_auth.so
account sufficient pam_permit.so
session sufficient pam_permit.so

* We need a plugin, find it:
[root@openvpn pam.d]# updatedb
[root@openvpn pam.d]# locate openvpn-auth-pam.so
/usr/share/openvpn/plugin/lib/openvpn-auth-pam.so

* PAM authentication in the OpenVPN config(Add):
[root@openvpn pam.d]# cd /etc/openvpn/
[root@openvpn openvpn]# vim server.conf
.........................
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so openvpn
username-as-common-name
client-cert-not-required


* Now you can start OpenVPN again for testing:
[root@openvpn openvpn]# /root/scripts/bridge-start
[root@openvpn openvpn]# openvpn --config ./server.conf

* Add changes to the Windows-client-config:
Add to: C:\Programfiler (x86)\OpenVPN\config\openvpn.ovpn:
......................
auth-user-pass

Remove your reference to (ex): svein.crt and svein.key
from openvpn.ovpn since it's no longer required(client-cert-not-required)

* Start the Windows client and right-click the icon -> Connect
Type your AD username/password

* Not working? hmmm... Go back and check....

Working? YES: Let's finalize the server:

4: Configure OpenVPN to run as a daemon:
* Stop the server:
Stop OpenVPN..: Ctrl+C
Stop Bridge: [root@openvpn openvpn]# /root/scripts/bridge-stop

* Create symbolic links to your scripts so they will run automatically:
[root@openvpn openvpn]# ln -s /root/scripts/bridge-start /etc/openvpn/openvpn-startup
[root@openvpn openvpn]# ln -s /root/scripts/bridge-stop /etc/openvpn/openvpn-shutdown

Enable at boot:
[root@openvpn openvpn]# chkconfig --list openvpn
openvpn 0:av 1:av 2:av 3:på 4:på 5:på 6:av

Start the OpenVPN daemon:
[root@openvpn openvpn]# /etc/init.d/openvpn start


5: Firewall:
* Verify that the firewall is enabled at boot:
[root@openvpn openvpn]# chkconfig --list iptables
iptables 0:av 1:av 2:på 3:på 4:på 5:på 6:av
[root@openvpn openvpn]# chkconfig --list ip6tables
ip6tables 0:av 1:av 2:på 3:på 4:på 5:på 6:av

* Customize the firewall with a script:
[root@openvpn openvpn]# cd
[root@openvpn ~]# cd scripts/
[root@openvpn scripts]# vim firewall.sh
#!/bin/bash
#
# Remove all rules
iptables -F
ip6tables -F
#
# Set default policies for INPUT, FORWARD and OUTPUT chains
#
iptables -P INPUT DROP
ip6tables -P INPUT DROP
iptables -P FORWARD DROP
ip6tables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
ip6tables -P OUTPUT ACCEPT
#
# localhost
iptables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
#
# Let the packets fly over the bridge...
iptables -A INPUT -i tap0 -j ACCEPT
ip6tables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
ip6tables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT
ip6tables -A FORWARD -i br0 -j ACCEPT
#
# Accept packets belonging to established and related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
#
# Ports and ICMP
#
# PING
iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -m ipv6-icmp --icmpv6-type echo-request -j ACCEPT
#
# IPv6 neighbor discovery and PMTU messages are not matched by the
# ESTABLISHED,RELATED rule above; the static IPv6 address on eth0 needs
# them to resolve its gateway once the INPUT policy is DROP.
ip6tables -A INPUT -p ipv6-icmp -m ipv6-icmp --icmpv6-type neighbour-solicitation -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -m ipv6-icmp --icmpv6-type neighbour-advertisement -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -m ipv6-icmp --icmpv6-type router-advertisement -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -m ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
#
# port 443 (OpenVPN)
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
ip6tables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
#
# Save the firewall
#
/sbin/service iptables save
/sbin/service ip6tables save
#
# Show current rules
#
iptables -L -v
ip6tables -L -v


[root@openvpn scripts]# chmod +x ./firewall.sh
[root@openvpn scripts]# ./firewall.sh

6: Test again...
* Reboot the server and verify that everything is working...

Svein Hansen
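Svein's server.conf and openvpn.ovpn, fed through a small audit script. This is an added example written for this page, not Svein's code and not part of OpenVPN or Viscosity; the two configs are constructed copies of the ones posted above (server.conf as it stands after the PAM step), the finding texts are mine, and the permission demo uses temporary files as stand-ins for /etc/raddb/server. It flags the directives a reviewer would question in this setup: client-cert-not-required (certificate verification is off, so the RADIUS password is the only thing between a client and the bridged LAN), no tls-auth on the control channel, 1024-bit DH parameters, no remote-cert-tls/ns-cert-type on the client, and it sanity-checks that the server-bridge pool lies inside the /22.

```python
"""Audit OpenVPN 2.x configs for weak settings and check secret file modes.

Added example for this page. SERVER_CONF and CLIENT_CONF are constructed
copies of the tutorial's server.conf and openvpn.ovpn.
"""
import ipaddress
import os
import shlex
import stat
import tempfile

SERVER_CONF = """\
local 121.34.108.52
port 443
proto tcp-server
dev tap0
server-bridge 121.34.204.1 255.255.252.0 121.34.207.200 121.34.207.254
push "redirect-gateway def1 bypass-dhcp"
ca /etc/openvpn/ca.crt
cert /etc/openvpn/openvpn.hive.no.crt
key /etc/openvpn/openvpn.hive.no.key
dh /etc/openvpn/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so openvpn
username-as-common-name
client-cert-not-required
verb 1
"""

CLIENT_CONF = """\
client
dev tap
proto tcp-client
remote 121.34.108.52 443
ca ca.crt
auth-user-pass
verb 1
"""


def parse(text):
    """Map each directive to the list of argument lists it appears with."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # OpenVPN comment lines
            continue
        parts = shlex.split(line)            # keeps quoted push args together
        conf.setdefault(parts[0], []).append(parts[1:])
    return conf


def audit_server(text):
    """Return a list of findings for a server config."""
    conf = parse(text)
    findings = []
    if "client-cert-not-required" in conf:
        findings.append("client-cert-not-required: client certificates are not "
                        "verified, so a username/password alone grants access")
    if "tls-auth" not in conf and "tls-crypt" not in conf:
        findings.append("no tls-auth/tls-crypt: the control channel has no HMAC "
                        "pre-authentication against unauthenticated peers")
    for (path,) in conf.get("dh", []):
        if "1024" in os.path.basename(path):
            findings.append(f"dh {path}: 1024-bit DH parameters are too small")
    for args in conf.get("server-bridge", []):
        if len(args) == 4:                   # gateway netmask pool-start pool-end
            gw, mask, start, end = args
            net = ipaddress.IPv4Network(f"{gw}/{mask}", strict=False)
            lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
            if not (lo <= hi and lo in net and hi in net):
                findings.append("server-bridge: client pool is outside the bridged subnet")
    return findings


def audit_client(text):
    """Return a list of findings for a client config."""
    conf = parse(text)
    findings = []
    if "remote-cert-tls" not in conf and "ns-cert-type" not in conf:
        findings.append("no remote-cert-tls/ns-cert-type: any certificate signed by "
                        "the CA, a client's included, would be accepted as the server")
    if "auth-user-pass" in conf and "auth-nocache" not in conf:
        findings.append("auth-user-pass without auth-nocache: credentials stay cached in memory")
    return findings


def secret_file_exposed(path):
    """True if group or others have any permission bit on a key/secret file."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def demo_secret_perms():
    """Constructed stand-ins for /etc/raddb/server; returns (exposed@0644, exposed@0600)."""
    results = []
    for mode in (0o644, 0o600):
        fd, path = tempfile.mkstemp()
        os.write(fd, b"121.34.108.15:1812 EXAMPLE_SECRET 1\n")  # placeholder secret
        os.close(fd)
        os.chmod(path, mode)
        results.append(secret_file_exposed(path))
        os.unlink(path)
    return tuple(results)


if __name__ == "__main__":
    for name, result in (("server.conf", audit_server(SERVER_CONF)),
                         ("openvpn.ovpn", audit_client(CLIENT_CONF))):
        print(name)
        for finding in result:
            print("  -", finding)
    print("raddb/server exposed at (0644, 0600):", demo_secret_perms())
```

Run it with python3 and it lists three server findings and two client findings for the configs as posted; the pool check passes because 121.34.207.200-254 sits inside 121.34.204.0/22. The same `secret_file_exposed` check is worth running against /etc/raddb/server and the server .key before starting the daemon, since both are read by root only and should be mode 0600.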

existenz

Posts: 4
Joined: Mon Oct 19, 2009 11:11 pm

Post by existenz » Thu Mar 04, 2010 3:07 am
Hi Svein,

Thank you for this great tutorial.

It almost works on my configuration. I mean there is still a problem with IPv6 router solicitation packets: I always have to wait for my IPv6 router (which is an ADSL box) to send a router advertisement to get my public IPv6 on the client tap side. This kind of packet is emitted every 200 seconds by the router.
For an unknown reason, OS X does not send a router solicitation packet when I launch the IPv6 service on the tap device (sudo ip6config start-v6 tap0).
Did you expect some issue like that?

thx