Changes between Version 4 and Version 5 of IPv6


Timestamp: 03/11/14 14:58:36 (10 years ago)
Author: michele
Comment: add alternative setup that requires one IPv6 netblock only

  • IPv6

    v4 v5  
    1818
    1919* An existing and functional OpenVPN configuration (use the official howto if you don't yet have this.)
    20 * A routed IPv6 network block that will reach the host configured as the OpenVPN server
    2120* Both client and server must support IPv6; most modern systems these-days include this support already
     21
     22Additionally:
     23
     24* **Recommended** A routed IPv6 network block that will reach the host configured as the OpenVPN server
     25* alternatively, check section "Splitting a single routable IPv6 netblock" below
     26
    2227
    2328=== Details: IPv6 routed block ===
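
Review bot: The new bullet at v5 line 25 ("alternatively, check section ... below") points readers to the split-netblock setup without the caveat that section itself carries. This list is where a reader chooses between the two options, so it should say here that the split uses prefixes longer than /64 and might break some network features. The bullet also starts lowercase while its siblings are capitalised, and under "Additionally:" it is not obvious that the two bullets are either/or; a "**Alternatively**" marker parallel to "**Recommended**" would make that clear.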
     
    7883push "route-ipv6 2000::/3"
    7984}}}
     85
     86
     87== Splitting a single routable IPv6 netblock ==
     88
     89Otherwise, there is a way out. Typically /64 IPv6 netblocks are assigned, leaving a large address space. For an OpenVPN setup, this address space can be broken in 2, /65-prefix parts, the first being assigned to the physical network interface, and the second to the VPN. **Warning** operating netblocks smaller than /64 might break some network features.
     90
     91**Avoid** this setup if you are using any of:
     92
     93* SLAAC. If you are using SLAAC and have no way around, ask your ISP for permission to use static address assignment on your VPN server.
     94* IPv6 Multicast - RFC3306
     95* Cryptographically Generated Address - CGA - RFC3972
     96* NAT64 - RFC6052
     97* IPv6-to-IPv6 Network Prefix Translation - NPTv6 - RFC6296
     98* Identifier-Locator Network Protocol - ILNP - RFC6741
     99* Multihoming Shim Protocol for IPv6 - shim6 - RFC5533
     100
     101See this [http://tools.ietf.org/html/draft-carpenter-6man-why64-00 Internet Draft] for details.
     102
     103=== Split netblock configuration ===
     104
     105Get the original IPv6 netblock on your OpenVPN server; let's assume it's
     106{{{
     1072001:db8:123::/64
     108}}}
     109
     1101. check that your NIC uses no addresses in the upper /65 block (in this case, addresses greater than 2001:db8:123:8000::/65). If you do, you can't use this setup until you eliminate those.
     1111. re-assign the new restricted netblock – lower part. The command for this depends on your OS. For example, in **FreeBSD**:
     112{{{
     113### check this on your OS!
     114# ifconfig igb0 inet6 2001:db8:123::/64 -alias
     115# ifconfig igb0 inet6 2001:db8:123::/65
     116###
     117### re-assign the other aliases previously set under the /64 block
     118# ifconfig igb0 inet6 2001:db8:123::dead/128 alias
     119# ifconfig igb0 inet6 2001:db8:123::ea:beef/128 alias
     120# ...
     121}}}
     1221. assign the higher part of the restricted netblock to OpenVPN. Add
     123{{{
     124# add this line
     125server-ipv6 2001:db8:123:8000::/65
     126}}}
     1271. restart the VPN
     128
     129You can do this also if your assigned IPv6 netblock is already shorter than /64, e.g. /112 . Just perform the same steps and compute the base address of the upper subnet: the lower starts with the last bit in the netmask set to 0, the upper starts with it set to 1.
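
Review bot: Step 1 (v5 line 110) gives the boundary as "addresses greater than 2001:db8:123:8000::/65", but the upper half includes 2001:db8:123:8000:: itself, so the check should read "at or above 2001:db8:123:8000::", written as an address rather than with a prefix length. In the closing paragraph (line 129), "already shorter than /64, e.g. /112" has the direction reversed: a /112 is a longer prefix and a smaller block, and "the last bit in the netmask" would be clearer as the first bit after the original prefix length. Step 3 (line 122) says "Add" without naming where the server-ipv6 line goes, and in the FreeBSD block the "#" root prompt is hard to tell apart from the "###" comment lines, so mark which lines are commands. The first ifconfig command removes the /64 address before the /65 one is assigned, which deserves a sentence for anyone administering the host over that address.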