Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Save more on your purchases now! discount-offer-chevron-icon
Savings automatically calculated. No voucher code required.
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
OpenVPN Cookbook

You're reading from   OpenVPN Cookbook Get the most out of OpenVPN by exploring it's advanced features.

Arrow left icon
Product type Paperback
Published in Feb 2017
Publisher
ISBN-13 9781786463128
Length 400 pages
Edition 2nd Edition
Languages
Tools
Concepts
Arrow right icon
Author (1):
Arrow left icon
Jan Just Keijser Jan Just Keijser
Author Profile Icon Jan Just Keijser
Jan Just Keijser
Arrow right icon
View More author details
Toc

Table of Contents (11) Chapters Close

Preface 1. Point-to-Point Networks 2. Client-server IP-only Networks FREE CHAPTER 3. Client-server Ethernet-style Networks 4. PKI, Certificates, and OpenSSL 5. Scripting and Plugins 6. Troubleshooting OpenVPN - Configurations 7. Troubleshooting OpenVPN - Routing 8. Performance Tuning 9. OS Integration 10. Advanced Configuration

Using IPv6

In this recipe, we extend the complete site-to-site network recipe to include support for IPv6.

Getting ready

Install OpenVPN 2.3.9 or higher on two computers. Make sure the computers are connected over a network. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.9 and the client was running Fedora 22 Linux and OpenVPN 2.3.10. We'll use the secret.key file from the OpenVPN secret keys recipe here.

We will use the following network layout:

Getting ready

How to do it...

  1. Create the server configuration file:
            dev tun 
            proto udp 
            local  openvpnserver.example.com 
            lport  1194 
            remote openvpnclient.example.com 
            rport  1194 
     
            secret secret.key 0 
            ifconfig 10.200.0.1 10.200.0.2 
            route 192.168.4.0 255.255.255.0 
     
            tun-ipv6 
            ifconfig-ipv6 2001:db8:100::1 2001:db8:100::2 
     
            user  nobody 
            group nobody  # use "group nogroup" on some distros 
            persist-tun 
            persist-key 
            keepalive 10 60 
            ping-timer-rem 
     
            verb 3 
            daemon 
            log-append /tmp/openvpn.log 
    
  2. Save it as example1-9-server.conf.
  3. On the client side, create the configuration file:
            dev tun 
            proto udp 
            local  openvpnclient.example.com 
            lport  1194 
            remote openvpnserver.example.com 
            rport  1194 
     
            secret secret.key 1 
            ifconfig 10.200.0.2 10.200.0.1 
            route 172.31.32.0 255.255.255.0 
     
            tun-ipv6 
            ifconfig-ipv6 2001:db8:100::2 2001:db8:100::1 
     
            user  nobody 
            group nobody  # use "group nogroup" on some distros 
            persist-tun 
            persist-key 
            keepalive 10 60 
            ping-timer-rem 
     
            verb 3 
    
  4. Save it as example1-9-client.conf.
  5. Then start the tunnel on both ends The following is for the server end:
              [root@server]# openvpn --config example1-9-server.conf
    

    This is the code for the client end:

              [root@client]# openvpn --config example1-9-client.conf
    

    Now our site-to-site tunnel is established.

  6. After the connection comes up, the machines on the LANs behind both end points can be reached over the OpenVPN tunnel. Notice that the client OpenVPN session is running in the foreground.
  7. Next, ping the IPv6 address of the server endpoint to verify that IPv6 traffic over the tunnel is working:
             [client]$ ping6 -c 4 2001:db8:100::1
             PING 2001:db8:100::1(2001:db8:100::1) 56 data bytes
             64 bytes from 2001:db8:100::1: icmp_seq=1 ttl=64 time=7.43 ms
             64 bytes from 2001:db8:100::1: icmp_seq=2 ttl=64 time=7.54 ms
             64 bytes from 2001:db8:100::1: icmp_seq=3 ttl=64 time=7.77 ms
             64 bytes from 2001:db8:100::1: icmp_seq=4 ttl=64 time=7.42 ms
             --- 2001:db8:100::1 ping statistics ---
             4 packets transmitted, 4 received, 0% packet loss, time 3005ms
             rtt min/avg/max/mdev = 7.425/7.546/7.778/0.177 ms
    
  8. Finally, abort the client-side session by pressing Ctrl + C. The following screenshot lists the full client-side log:
    How to do it...

How it works...

Both client and server configuration files are very similar to the ones from the Complete site-to-site setup recipe, with the addition of the following two lines:

tun-ipv6 
ifconfig-ipv6 2001:db8:100::2 2001:db8:100::1 

This enables IPv6 support, next to the default IPv4 support.

Also, in the client configuration, the options daemon and log-append are not present, hence all of the OpenVPN output is sent to the screen and the process continues running in the foreground.

There's more...

Let's talk a bit about log file errors and the IPv6-only tunnel.

Log file errors

If we take a closer look at the client-side connection output, we will see a few error messages after pressing Ctrl +  C , most notably the following:

RTNETLINK answers: operation not permitted 

This is a side-effect when you use the user nobody option to protect an OpenVPN setup, and it often confuses new users. What happens is this:

OpenVPN starts as root, opens the appropriate tun device, and sets the right IPv4 and IPv6 addresses on this tun interface.

For extra security, OpenVPN then switches to nobody, dropping all the privileges associated with root.

When OpenVPN terminates (in our case, by pressing  Ctrl +  C ), it closes the access to the tun device and tries to remove the IPv4 and IPv6 addresses assigned to that device. At this point, the error messages appear, as nobody is not allowed to perform these operations.

Upon termination of the OpenVPN process, the Linux kernel closes the tun device and all the configuration settings are removed.

In this case, these error messages are harmless, but in general, one should pay close attention to the warning and error messages that are printed by OpenVPN.

IPv6-only tunnel

With OpenVPN 2.3, the IPv6-only tunnel is required to always enable IPv4 support. From OpenVPN 2.4 on, it is possible to set up an IPv6-only connection.

See also

The recipe Complete site-to-site setup, earlier in this chapter, in which an IPv4-only site-to-site setup is explained in detail.

The last recipe of Chapter 6, Troubleshooting OpenVPN - Configurations, which explains how to interpret the OpenVPN log files in detail.

lock icon The rest of the chapter is locked
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime