On Mon, 2 Nov 2015 19:29:39 -0800
Craig Rodrigues <rodrigc_at_FreeBSD.org> wrote:

> On Mon, Nov 2, 2015 at 3:50 PM, Michael Gmelin <freebsd_at_grem.de>
> wrote:
>
> > > On Mon, 2 Nov 2015 14:04:18 -0800
> >
> > ikvjwd.com once offered a service using haproxy, you can find their
> > configuration here:
> >
> > https://github.com/rcsheets/ikvjwd/commit/58979dcaf42fbbd9203067a6ba4629ba01469120
>
> We were using ikvjwd.com, but that service did not seem to be very
> reliable.
>
> > Another way to tunnel all IPv4 traffic is set up an OpenVPN server
> > on a dual stack machine and route your client IPv4 traffic over it
> > (that approach is actually very easy to accomplish, stable and will
> > work with any service).
>
> Can you point me to some docs for how to do this? This could work
> for me.
>
> I have two separate networks that are connected:
>
> +--------------+          +--------------+
> |              |          |              |
> |              |          |              |
> | Dual         +--------->| IPv6         |
> | stack        |          | only         |
> |              |          |              |
> +--------------+          +--------------+
>
> My machine is in the IPv6 only network, but it has access to
> a dual stack network. I still need to run my stuff which accesses
> GitHub in the IPv6 only network.
Basic guide for a point to point connection (this assumes that the client machine on your IPv6 only network still has an IPv4 stack in the kernel - also, if all you want is proxying one website [github http], setting up a proxy might make more sense):

Install and enable openvpn on both machines:

  pkg install openvpn
  sysrc openvpn_enable=YES

Example config side A (client):

Fixed tunnel interface in rc.conf (so you can use tun8 in firewall rules):

  cloned_interfaces="tun8"
  ifconfig_tun8="inet 10.10.10.1 10.10.10.2"

/usr/local/etc/openvpn.conf:

  tls-client
  dev tun8
  verb 3
  remote hostnameOrIpv6AddressToConnectTo 1294
  proto udp6
  ca /usr/local/etc/openvpn/ca.crt
  cert /usr/local/etc/openvpn/client.crt
  key /usr/local/etc/openvpn/client.key
  tls-auth /usr/local/etc/openvpn/ta.key 1
  ifconfig 10.10.10.1 10.10.10.2
  # add IPv4 networks you want to route over the tunnel
  # you can also use static routes in rc.conf instead
  # or push the routes from the server side:
  route 141.1.1.0 255.255.255.0
  keepalive 10 60
  ping-timer-rem
  user nobody
  group nobody
  persist-key
  persist-tun
  daemon
  tun-mtu-extra 6

Example server side B (dual stack in your case):

Fixed tunnel interface in rc.conf (so you can use tun8 in firewall rules):

  cloned_interfaces="tun8"
  ifconfig_tun8="inet 10.10.10.2 10.10.10.1"

/usr/local/etc/openvpn.conf:

  tls-server
  dev tun8
  verb 3
  local IpV6AddressToListenTo
  port 1294
  proto udp6
  ca /usr/local/etc/openvpn/ca.crt
  cert /usr/local/etc/openvpn/server.crt
  key /usr/local/etc/openvpn/server.key
  dh /usr/local/etc/openvpn/dh4096.pem
  tls-auth /usr/local/etc/openvpn/ta.key 0
  ifconfig 10.10.10.2 10.10.10.1
  # routes to send the other direction (optional)
  # ...
  keepalive 10 60
  ping-timer-rem
  user nobody
  group nobody
  persist-key
  persist-tun
  daemon
  tun-mtu-extra 6

tun-mtu-extra was required in my setup, you might not need it. tls-auth is optional (it allows openvpn to hide, which you probably won't need on your local network).
If you don't want to create a set of certificates and/or security is secondary, you can save yourself the work of creating all the certificates and replace it with a static shared secret. In this case ca, cert and key can be removed and replaced with "secret filename". filename is generated using "openvpn --genkey --secret filename".

You then need some firewall rule to NAT the traffic that comes over the tunnel on the server side.

If you have multiple clients, it's better to switch to an address pool (e.g. server 10.8.0.0 255.255.255.0). In that case I would recommend pushing all relevant routes to the client (push "route ip netmask" in the server config) and not bothering to use a fixed tunnel interface on the client side (so no entry in rc.conf and change "tun8" to "tun" in the client configuration).

It's really not as complicated as my description makes it look :p

You can find plenty of examples on openvpn.net, including a long example configuration that details all options:

https://openvpn.net/index.php/open-source/documentation/howto.html#examples

There are plenty of howtos out there. I've been using this for a few years now to circumvent a broken DS-LITE gateway outbound and allow IPv4 connectivity inbound, it's stable and performs well.

- Michael

--
Michael Gmelin

Received on Tue Nov 03 2015 - 08:39:40 UTC
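The post above lists a client/server config pair and notes that the two sides have to agree (mirrored ifconfig addresses, matching port and proto, opposite tls-auth key directions), that a static "secret" is the weaker alternative to certificates, and that the server side needs a NAT rule for tunnel traffic. The following is an added example, not code from the post or from the OpenVPN project: a small checker that parses two such configs, reports inconsistencies and missing hardening, and derives the pf NAT rule for the server. The sample configs are constructed to mirror the ones in the post (trimmed to the directives the checks look at); the external interface name "em0" is a placeholder, and pf is an assumption since the post does not say which firewall is in use.

```python
"""Consistency/hardening check for an OpenVPN point-to-point config pair.

Added example, not part of the original post. Sample configs below are
constructed; "em0" is a placeholder external interface; pf is assumed."""

import ipaddress

# Constructed: the client (side A) config from the post, trimmed.
CLIENT_CONF = """\
tls-client
dev tun8
remote hostnameOrIpv6AddressToConnectTo 1294
proto udp6
ca /usr/local/etc/openvpn/ca.crt
cert /usr/local/etc/openvpn/client.crt
key /usr/local/etc/openvpn/client.key
tls-auth /usr/local/etc/openvpn/ta.key 1
ifconfig 10.10.10.1 10.10.10.2
route 141.1.1.0 255.255.255.0   # IPv4 network routed over the tunnel
user nobody
group nobody
"""

# Constructed: the server (side B) config from the post, trimmed.
SERVER_CONF = """\
tls-server
dev tun8
local IpV6AddressToListenTo
port 1294
proto udp6
ca /usr/local/etc/openvpn/ca.crt
cert /usr/local/etc/openvpn/server.crt
key /usr/local/etc/openvpn/server.key
dh /usr/local/etc/openvpn/dh4096.pem
tls-auth /usr/local/etc/openvpn/ta.key 0
ifconfig 10.10.10.2 10.10.10.1
user nobody
group nobody
"""

# Constructed: the "security is secondary" static-secret variant, with two
# deliberate mistakes (no privilege drop, wrong port) for the checker to catch.
WEAK_CLIENT_CONF = """\
dev tun
remote hostnameOrIpv6AddressToConnectTo 1194
proto udp6
secret /usr/local/etc/openvpn/static.key
ifconfig 10.10.10.1 10.10.10.2
"""


def parse_openvpn_conf(text):
    """Map directive -> list of argument lists (directives such as 'route'
    may repeat). '#' comments, ';' comment lines and blank lines are dropped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        conf.setdefault(parts[0], []).append(parts[1:])
    return conf


def check_pair(client, server):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    for name, c in (("client", client), ("server", server)):
        if "secret" in c:
            findings.append(f"{name}: static 'secret' mode (no forward secrecy, no per-peer identity)")
        elif not {"ca", "cert", "key"} <= set(c):
            findings.append(f"{name}: neither TLS material (ca/cert/key) nor 'secret' configured")
        if "user" not in c or "group" not in c:
            findings.append(f"{name}: does not drop privileges (user/group)")
    if client.get("proto") != server.get("proto"):
        findings.append("proto differs between client and server")
    remote = client.get("remote", [[]])[0]       # 'remote host port'
    port = server.get("port", [[]])[0]           # 'port N'
    if len(remote) >= 2 and port and remote[1] != port[0]:
        findings.append(f"client connects to port {remote[1]} but server listens on {port[0]}")
    ci = client.get("ifconfig", [[]])[0]         # 'ifconfig local remote' must mirror
    si = server.get("ifconfig", [[]])[0]
    if len(ci) == 2 and len(si) == 2 and (ci[0], ci[1]) != (si[1], si[0]):
        findings.append(f"ifconfig not mirrored: client {ci} vs server {si}")
    ct = client.get("tls-auth", [[]])[0]         # key direction: 1 on one side, 0 on the other
    st = server.get("tls-auth", [[]])[0]
    if len(ct) == 2 and len(st) == 2 and {ct[1], st[1]} != {"0", "1"}:
        findings.append("tls-auth key direction must be 0 on one side and 1 on the other")
    return findings


def pf_nat_rule(server, ext_if):
    """pf NAT rule (assumed firewall) for traffic arriving over the tunnel:
    the peer address for a p2p 'ifconfig' setup, the whole pool for 'server'."""
    if "server" in server:
        net, mask = server["server"][0][:2]
        src = str(ipaddress.ip_network(f"{net}/{mask}", strict=False))
    else:
        src = server["ifconfig"][0][1]           # remote (client) end of the link
    return f"nat on {ext_if} from {src} to any -> ({ext_if})"


if __name__ == "__main__":
    srv = parse_openvpn_conf(SERVER_CONF)
    for label, text in (("post's client", CLIENT_CONF), ("weak client", WEAK_CLIENT_CONF)):
        print(label, check_pair(parse_openvpn_conf(text), srv) or "OK")
    print(pf_nat_rule(srv, "em0"))
```

Run against the post's pair the checker reports nothing; against the static-secret variant it flags the secret mode, the missing user/group drop and the port mismatch. Swapping the server to the pool form from the post (server 10.8.0.0 255.255.255.0) makes the NAT rule cover 10.8.0.0/24 instead of the single peer address.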
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:00 UTC