Re: Tunnelling IPv4 over IPv6 for GitHub access?

From: Michael Gmelin <freebsd_at_grem.de>
Date: Tue, 3 Nov 2015 10:32:53 +0100
On Mon, 2 Nov 2015 19:29:39 -0800
Craig Rodrigues <rodrigc_at_FreeBSD.org> wrote:

> On Mon, Nov 2, 2015 at 3:50 PM, Michael Gmelin <freebsd_at_grem.de>
> wrote:
> >
> >
> >
> > On Mon, 2 Nov 2015 14:04:18 -0800
> >
> > ikvjwd.com once offered a service using haproxy, you can find their
> > configuration here:
> >
> >
> https://github.com/rcsheets/ikvjwd/commit/58979dcaf42fbbd9203067a6ba4629ba01469120
> >
> 
> We were using ikvjwd.com, but that service did not seem to be very
> reliable.
> 
> 
> >
> > Another way to tunnel all IPv4 traffic is set up an OpenVPN server
> > on a dual stack machine and route your client IPv4 traffic over it
> > (that approach is actually very easy to accomplish, stable and will
> > work with any service).
> >
> 
> Can you point me to some docs for how to do this?  This could work
> for me.
> 
> I have two separate networks that are connected:
> 
> +--------------+           +--------------+
> |              |           |              |
> |              |           |              |
> |    Dual      +---------> |   IPv6       |
> |    stack     |           |   only       |
> |              |           |              |
> +--------------+           +--------------+
> 
> 
> My machine is in the IPv6 only network, but it has access to
> a dual stack network.  I still need to run my stuff which accesses
> GitHub in the IPv6 only network.

Basic guide for a point to point connection (this assumes that the
client machine on your IPv6 only network still has an IPv4 stack in
the kernel - also, if all you want is proxying one website [github
http], setting up a proxy might make more sense):

Install and enable openvpn on both machines:

pkg install openvpn
sysrc openvpn_enable=YES

Example config side A (client):

Fixed tunnel interface in rc.conf (so you can use tun8 in firewall
rules):

cloned_interfaces="tun8"
ifconfig_tun8="inet 10.10.10.1 10.10.10.2"

/usr/local/etc/openvpn.conf:

tls-client
dev tun8
verb 3
remote hostnameOrIpv6AddressToConnectTo 1294
proto udp6
ca   /usr/local/etc/openvpn/ca.crt
cert /usr/local/etc/openvpn/client.crt
key  /usr/local/etc/openvpn/client.key
tls-auth /usr/local/etc/openvpn/ta.key 1

ifconfig 10.10.10.1 10.10.10.2

# add IPv4 networks you want to route over the tunnel
# you can also use static routes in rc.conf instead
# or push the routes from the server side:
route 141.1.1.0 255.255.255.0

keepalive 10 60
ping-timer-rem
user nobody
group nobody
persist-key
persist-tun
daemon

tun-mtu-extra 6

Example server side B (dual stack in your case):

Fixed tunnel interface in rc.conf (so you can use tun8 in firewall
rules):

cloned_interfaces="tun8"
ifconfig_tun8="inet 10.10.10.2 10.10.10.1"

/usr/local/etc/openvpn.conf:
tls-server
dev tun8
verb 3
local IpV6AddressToListenTo
port 1294
proto udp6
ca   /usr/local/etc/openvpn/ca.crt
cert /usr/local/etc/openvpn/server.crt
key  /usr/local/etc/openvpn/server.key
dh   /usr/local/etc/openvpn/dh4096.pem
tls-auth /usr/local/etc/openvpn/ta.key 0

ifconfig 10.10.10.2 10.10.10.1
# routes to send the other direction (optional)
# ...

keepalive 10 60
ping-timer-rem
user nobody
group nobody
persist-key
persist-tun
daemon

tun-mtu-extra 6
tun-mtu-extra was required in my setup, you might not need it.

tls-auth is optional (it allows openvpn to hide, which you probably
won't need on your local network).

If you don't want to create a set of certificates and/or security is
secondary, you can save yourself the work of creating all the
certificates and replace it with a static shared secret. In this case
ca cert key can be removed and replaced with "secret filename".
filename is generated using "openvpn --genkey --secret filename".

You then need some firewall rule to NAT the traffic that comes over the
tunnel on the server side.

If you have multiple clients, it's better to switch to an address pool
(e.g. server 10.8.0.0 255.255.255.0). In that case I would recommend to
push all relevant routes to the client (push "route ip netmask" in the
server config) and not bother to use a fixed tunnel interface on
the client side (so no entry in rc.conf and change "tun8" to "tun" in
the client configuration).

It's really not as complicated as my description makes it look like :p

You can find plenty of examples on openvpn.net, including a long
example configuration that details all options:
https://openvpn.net/index.php/open-source/documentation/howto.html#examples

There are plenty of howtos out there. I've been using this for a few
years now to circumvent a broken DS-LITE gateway outbound and allow
IPv4 connectivity inbound, it's stable and performs well.

- Michael
-- 
Michael Gmelin
Received on Tue Nov 03 2015 - 08:39:40 UTC
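Added example (not part of the mail above, and not OpenVPN's own tooling): a small POSIX sh script that generates the client and server configurations for the point-to-point setup described in the thread, using the static shared-secret variant the mail mentions, and checks that the two sides actually mirror each other (same port and protocol, swapped ifconfig endpoints) before they are deployed. It also emits the server-side NAT rule the mail says is needed, written for pf. The server address 2001:db8::1, the external interface em0, the key path and the pf choice are assumptions; the port, tunnel addresses, tun8 and 141.1.1.0/24 are taken from the mail.

```shell
#!/bin/sh
# Added example: build a matching OpenVPN point-to-point config pair and
# sanity-check it. Assumed values (not from the mail): the server's IPv6
# address, the external interface em0, the static key path, and pf as the
# firewall. Static-key mode ("secret") replaces ca/cert/key/tls-auth.

SERVER_V6="2001:db8::1"   # assumed; replace with the dual-stack host's address
PORT=1294
CLIENT_TUN_IP=10.10.10.1
SERVER_TUN_IP=10.10.10.2
TUN_IF=tun8
ROUTE_NET="141.1.1.0 255.255.255.0"      # IPv4 network routed over the tunnel
SECRET=/usr/local/etc/openvpn/static.key # assumed; make with: openvpn --genkey --secret "$SECRET"
EXT_IF=em0                               # assumed external interface on the server

# Options shared by both sides, as in the mail's two example configs.
common_opts() {
    cat <<EOF
dev $TUN_IF
verb 3
proto udp6
secret $SECRET
keepalive 10 60
ping-timer-rem
user nobody
group nobody
persist-key
persist-tun
daemon
tun-mtu-extra 6
EOF
}

# Client (side A, on the IPv6-only network).
gen_client_conf() {
    cat <<EOF
remote $SERVER_V6 $PORT
ifconfig $CLIENT_TUN_IP $SERVER_TUN_IP
route $ROUTE_NET
EOF
    common_opts
}

# Server (side B, dual stack).
gen_server_conf() {
    cat <<EOF
local $SERVER_V6
port $PORT
ifconfig $SERVER_TUN_IP $CLIENT_TUN_IP
EOF
    common_opts
}

# conf_get KEY: print the value of directive KEY from a config read on stdin.
conf_get() {
    awk -v key="$1" '$1 == key { $1 = ""; sub(/^ /, ""); print; exit }'
}

# check_pair CLIENT_FILE SERVER_FILE: exit 0 if both sides agree on port and
# protocol and the ifconfig endpoints are mirrored, 1 (with a reason) otherwise.
check_pair() {
    c_port=$(conf_get remote < "$1" | awk '{ print $2 }')
    s_port=$(conf_get port < "$2")
    c_proto=$(conf_get proto < "$1")
    s_proto=$(conf_get proto < "$2")
    c_if=$(conf_get ifconfig < "$1")
    s_if_rev=$(conf_get ifconfig < "$2" | awk '{ print $2, $1 }')
    [ "$c_port" = "$s_port" ]   || { echo "port mismatch: $c_port vs $s_port"; return 1; }
    [ "$c_proto" = "$s_proto" ] || { echo "proto mismatch: $c_proto vs $s_proto"; return 1; }
    [ "$c_if" = "$s_if_rev" ]   || { echo "ifconfig endpoints not mirrored"; return 1; }
    return 0
}

# server_pf_nat_rule NET/MASK: pf.conf line that NATs tunnel traffic out of
# the server's external interface. The server also needs IPv4 forwarding on
# (gateway_enable="YES" in rc.conf).
server_pf_nat_rule() {
    printf 'nat on %s inet from %s to any -> (%s)\n' "$EXT_IF" "$1" "$EXT_IF"
}

# Typical use on each host:
#   gen_client_conf > /usr/local/etc/openvpn.conf   (side A)
#   gen_server_conf > /usr/local/etc/openvpn.conf   (side B)
#   server_pf_nat_rule 10.10.10.0/24 >> /etc/pf.conf (side B)
```

The check catches the two mistakes that most often leave a point-to-point tunnel silently dead: a port or protocol that differs between the sides, and ifconfig endpoints that were copied rather than swapped.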
