How to use bridged environment with TAP and IPv6.

correajl
OpenVpn Newbie
Posts: 2
Joined: Tue Apr 17, 2018 2:36 pm

How to use bridged environment with TAP and IPv6.

Post by correajl » Tue Apr 17, 2018 3:16 pm

I would like some help to configure a server that uses a bridged environment and IPv6. I have the IPv4 environment working. Let me describe my needs.

I have some internal networks with some clients. I need that when these clients connect from the Internet to the VPN server they enter the same network that they use when they are physically here. The reason is that they should be submitted to the same firewall rules, so I can't use one network for all VPN clients.

I did this using IPv4 and it is apparently working well. Each client has a certificate and a different configuration file. I'll have one server for each subnet and each client will connect to the right server.

Server Config
# IPv4 configuration
local 10.129.128.200
port 1194
proto udp
dev tap-nti-udp
ca nti/nti-ca.crt
cert nti/nti-server.crt
key nti/nti-server.key # This file should be kept secret
dh nti/nti-dh2048.pem
ifconfig-pool-persist nti/nti-ipp.txt
server-bridge 10.129.32.254 255.255.255.0 10.129.32.230 10.129.32.250
push "dhcp-option DOMAIN mydomain"
push "dhcp-option DNS A.B.C.D"
push "redirect-gateway def1"
client-to-client
keepalive 10 120
tls-auth nti/nti-ta.key 0
key-direction 0
cipher AES-128-CBC
auth SHA256
comp-lzo
max-clients 20
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/nti-udp-openvpn-status.log
log-append /var/log/openvpn/nti-udp-openvpn.log
verb 3
crl-verify nti/nti-crl.pem


On the server I have:

interface 1: with 10.129.128.200 address that receives the clients connections
interface 2: the tap-nti-udp interface; this interface is on a bridge with interface 3
interface 3: connects to one internal network (10.129.32.0/24) called nti

The directive

server-bridge 10.129.32.254 255.255.255.0 10.129.32.230 10.129.32.250
tells clients that 10.129.32.254 is the gateway and they will get addresses from 10.129.32.230 to 10.129.32.250 (they are reserved).

Then,

push "redirect-gateway def1"
makes all client traffic go through 10.129.32.254. Since there is a bridge between the tap interface and the 10.129.32.0/24 network, it is as if the client were inside the network.

Well, I need to do the same configuration using IPv6.

I can create the tap interface, the bridge, use --local with an IPv6 address, etc. But how can I configure the server like I did with IPv4 but using IPv6, mainly with these directives:

Server Config
#
server-bridge 10.129.32.254 255.255.255.0 10.129.32.230 10.129.32.250
push "redirect-gateway def1"


It would be something like:

Server Config
#
server-bridge 2001:DB8::1 64 2001:DB8::2 2001:DB8::100
push "redirect-gateway ipv6"


I've tested a lot of IPv6 directives but without success. How can I combine the IPv6 configuration to set up this scenario?

From the man page:

IPv6 Related Options
The following options exist to support IPv6 tunneling in peer-to-peer and client-server mode. All options are modeled after their IPv4 counterparts, so more detailed explanations given there apply here as well (except for --topology, which has no effect on IPv6).

--ifconfig-ipv6 ipv6addr/bits ipv6remote
configure IPv6 address ipv6addr/bits on the ``tun'' device. The second parameter is used as route target for --route-ipv6 if no gateway is specified.

--route-ipv6 ipv6addr/bits [gateway] [metric]
setup IPv6 routing in the system to send the specified IPv6 network into OpenVPN's ``tun''. The gateway parameter is only used for IPv6 routes across ``tap'' devices, and if missing, the ``ipv6remote'' field from --ifconfig-ipv6 is used.

--server-ipv6 ipv6addr/bits
convenience-function to enable a number of IPv6 related options at once, namely --ifconfig-ipv6, --ifconfig-ipv6-pool and --push tun-ipv6. Is only accepted if ``--mode server'' or ``--server'' is set. Pushing of the --tun-ipv6 directive is done for older clients which require an explicit ``--tun-ipv6'' in their configuration.

--ifconfig-ipv6-pool ipv6addr/bits
Specify an IPv6 address pool for dynamic assignment to clients. The pool starts at ipv6addr and matches the offset determined from the start of the IPv4 pool.

--ifconfig-ipv6-push ipv6addr/bits ipv6remote
for ccd/ per-client static IPv6 interface configuration, see --client-config-dir and --ifconfig-push for more details.

--iroute-ipv6 ipv6addr/bits
for ccd/ per-client static IPv6 route configuration, see --iroute for more details how to setup and use this, and how --iroute and --route interact.

Thank you!!
:)
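The --ifconfig-ipv6-pool rule quoted above from the man page (the IPv6 pool address is the pool base plus the client's offset from the start of the IPv4 pool) is easy to misjudge when reviewing a config, so here is an added Python check, not code from this thread or from OpenVPN, that applies the rule to the pool directives Adambean posts later in the thread and verifies that the resulting pool stays inside the server's prefix and never overlaps the server's own address. The config text is constructed from that later post; the arithmetic is taken literally from the man page wording.

```python
import ipaddress

# Constructed from the server config posted later in this thread,
# reduced to the directives the pool rule depends on.
SERVER_CONFIG = """
ifconfig 172.24.128.254 255.255.255.0
ifconfig-pool 172.24.128.1 172.24.128.253
ifconfig-ipv6 fd32:8cf5:1dfb:ec4e:ffff:ffff:ffff:ffff/64 fd32:8cf5:1dfb:ec4e:ffff:ffff:ffff:ffff
ifconfig-ipv6-pool fd32:8cf5:1dfb:ec4e::/64
"""

POOL_DIRECTIVES = ("ifconfig-pool", "ifconfig-ipv6", "ifconfig-ipv6-pool")


def parse_pools(config):
    """Map each pool-related directive to its argument list (last one wins)."""
    found = {}
    for line in config.splitlines():
        parts = line.split("#", 1)[0].split()   # drop trailing comments
        if parts and parts[0] in POOL_DIRECTIVES:
            found[parts[0]] = parts[1:]
    return found


def ipv6_for_ipv4(config, client_v4):
    """Man page rule: IPv6 pool address = pool base + the client's offset from
    the start of the IPv4 pool. Raises if the client falls outside either pool."""
    d = parse_pools(config)
    v4_start, v4_end = (ipaddress.IPv4Address(a) for a in d["ifconfig-pool"])
    client = ipaddress.IPv4Address(client_v4)
    if not v4_start <= client <= v4_end:
        raise ValueError(f"{client} is outside the IPv4 pool")
    v6_base = ipaddress.IPv6Interface(d["ifconfig-ipv6-pool"][0])
    v6 = v6_base.ip + (int(client) - int(v4_start))
    if v6 not in v6_base.network:                # IPv4 pool larger than the IPv6 prefix
        raise ValueError(f"offset for {client} runs past {v6_base.network}")
    return v6


def check_pools(config):
    """Two sanity checks a bridged/IPv6 server config should pass before deployment."""
    d = parse_pools(config)
    server = ipaddress.IPv6Interface(d["ifconfig-ipv6"][0])
    v4_start, v4_end = d["ifconfig-pool"]
    first, last = ipv6_for_ipv4(config, v4_start), ipv6_for_ipv4(config, v4_end)
    return {
        # the whole pool must lie in the prefix the server interface is configured with
        "pool_in_server_prefix": first in server.network and last in server.network,
        # the server's own address must never be handed out to a client
        "server_outside_pool": not (first <= server.ip <= last),
    }
```

The 172.24.128.2 / fd32:8cf5:1dfb:ec4e::1 pair reported for the Windows client later in the thread is exactly what the rule predicts.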

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: How to use bridged environment with TAP and IPv6.

Post by TinCanTech » Tue Apr 17, 2018 4:40 pm

Some useful info:
https://community.openvpn.net/openvpn/wiki/IPv6

correajl
OpenVpn Newbie
Posts: 2
Joined: Tue Apr 17, 2018 2:36 pm

Re: How to use bridged environment with TAP and IPv6.

Post by correajl » Tue Apr 17, 2018 5:59 pm

TinCanTech wrote:
Tue Apr 17, 2018 4:40 pm
Some useful info:
https://community.openvpn.net/openvpn/wiki/IPv6
Thank you for the answer. I've read this guide and it explains a routed setup. I'm looking for just the 'other way', using a bridge, layer 2.

At the top of this guide we can see "a bridged (dev tap) setup is not recommended in general, and users doing so are presumably advanced enough to know what they're doing."

As I mentioned, the setup is OK for IPv4. I think I know what "I'm trying to do" :) So, I hope to find some help from the forum guys to do the same with IPv6, i.e. how to use the IPv6 options to do the same setup.

:)

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: How to use bridged environment with TAP and IPv6.

Post by TinCanTech » Wed Apr 18, 2018 12:24 am

correajl wrote:
Tue Apr 17, 2018 5:59 pm
At the top of this guide we can see "a bridged (dev tap) setup is not recommended in general, and users doing so are presumably advanced enough to know what they're doing."
Yeah .. I have never tried it with IPv6 ..

You could be the first !

Adambean
OpenVpn Newbie
Posts: 1
Joined: Sat Apr 18, 2020 11:39 am

Re: How to use bridged environment with TAP and IPv6.

Post by Adambean » Sat Apr 18, 2020 12:33 pm

Hi correajl,

Just checking in if you ever got this working? I think I'm just about there working this out.

I think the only difference between us is that I intend to use a "road warrior" scenario, whereby the OpenVPN clients do not route all their external traffic through the VPN tunnel. (Used for remote access to a specific network only.) That shouldn't matter in this case though, as our problem is at a lower level.

(Using replacements "example.com", "800.800.800.x", and "2a02:zzzz:zzzz:1:" in place of my public FQDNs and IP address blocks.)

IPv4 overview:

Subnets:
  • "172.24.128.0/24" is a private subnet VLAN for OpenVPN clients.
  • "172.24.64.0/24" is a private subnet VLAN for anything physical at the remote network.
  • "800.800.800.x/28" is a public subnet (allocated by my ISP) VLAN for anything physical at the remote network, servers mostly.
Endpoints:
  • "172.24.128.254" is the private IP address on which the primary router resides to route OpenVPN client traffic to/from other VLANs.
  • "800.800.800.94" is the public IP address for the primary router at the remote network, also where the OpenVPN server resides.
IPv6 overview:

Subnets:
  • "fd32:8cf5:1dfb:ec4e::/64" is a private subnet VLAN for OpenVPN clients.
  • "2a02:zzzz:zzzz:1::/64" is a public subnet VLAN for anything physical at the remote network.
Endpoints:
  • "fd32:8cf5:1dfb:ec4e:ffff:ffff:ffff:ffff" is the private IP address on which the primary router resides to route OpenVPN client traffic to/from other VLANs.
  • "2a02:zzzz:zzzz:1:ffff:ffff:ffff:ffff" is the public IP address for the primary router at the remote network, also where the OpenVPN server resides.
OpenVPN configurations:
Server Config

port 1194
proto udp6
dev tap0
sndbuf 0
rcvbuf 0
persist-key
persist-tun
keepalive 20 120
explicit-exit-notify 1

ifconfig-pool-persist ipp.txt
status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 3

user ovpn
group ovpn

ca /etc/ssl/certs/example.com_CA.pem
cert /etc/ssl/certs/router.example.com.crt
key /etc/ssl/private/router.example.com.pem
dh /etc/openvpn/server/dhp4096.pem

keysize 256
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
ncp-ciphers AES-256-GCM
cipher AES-256-GCM

mode server
tls-server

topology subnet
ifconfig 172.24.128.254 255.255.255.0
ifconfig-pool 172.24.128.1 172.24.128.253
ifconfig-ipv6 fd32:8cf5:1dfb:ec4e:ffff:ffff:ffff:ffff/64 fd32:8cf5:1dfb:ec4e:ffff:ffff:ffff:ffff
ifconfig-ipv6-pool fd32:8cf5:1dfb:ec4e::/64

push "topology subnet"
push "tun-ipv6"

push "route 172.24.64.0 255.255.255.0 172.24.128.254"
push "route 800.800.800.80 255.255.255.240 172.24.128.254"
push "route 800.800.800.94 255.255.255.255 net_gateway"

push "route-ipv6 2a02:zzzz:zzzz:1::/64 fd32:8cf5:1dfb:ec4e:ffff:ffff:ffff:ffff"
#push "route-ipv6 2a02:zzzz:zzzz:1:ffff:ffff:ffff:ffff net_gateway"

push "dhcp-option DNS 2a02:zzzz:zzzz:1:ffff:ffff:ffff:ffff"
push "dhcp-option DNS 800.800.800.94"
push "dhcp-option DNS 172.24.64.254"
push "dhcp-option WINS 172.24.64.1"
push "dhcp-option WINS 172.24.64.2"


Client Config

client
dev tap
dev-node OpenVPN
proto udp6
remote router.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
cryptoapicert "THUMB:xxxx"
ca "C:/Users/Adam Reece/Files/Certificates/example.com Clients CA.pem"
remote-cert-tls server
cipher AES-256-GCM
auth SHA512
verb 3


IPCONFIG /ALL and ROUTE PRINT outputs on the client (Windows):

NB: "172.29.10.0/24" and "2a02:xxxx:xxxx:1::/64" are the network of the Windows client at a remote location, with "172.29.10.254" and "2a02:xxxx:xxxx:1:ffff:ffff:ffff:ffff" as its default gateway.

Ethernet adapter OpenVPN:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : 00-FF-B3-B9-77-FF
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : fd32:8cf5:1dfb:ec4e::1(Preferred)
   Link-local IPv6 Address . . . . . : fe80::a5fd:c006:8efc:8833%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.24.128.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 18 April 2020 13:10:32
   Lease Expires . . . . . . . . . . : 18 April 2021 13:10:32
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 172.24.128.0
   DHCPv6 IAID . . . . . . . . . . . : 570490803
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1E-E7-05-90-D0-17-C2-8B-8F-0C
   DNS Servers . . . . . . . . . . . : 2a02:zzzz:zzzz:1:ffff:ffff:ffff:ffff
                                       800.800.800.94
                                       172.24.64.254
   Primary WINS Server . . . . . . . : 172.24.64.1
   Secondary WINS Server . . . . . . : 172.24.64.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    172.29.10.254    172.29.10.125     25
   800.800.800.80  255.255.255.240   172.24.128.254     172.24.128.2    281
   800.800.800.94  255.255.255.255    172.29.10.254    172.29.10.125    281
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      172.24.64.0    255.255.255.0   172.24.128.254     172.24.128.2    281
     172.24.128.0    255.255.255.0         On-link      172.24.128.2    281
     172.24.128.2  255.255.255.255         On-link      172.24.128.2    281
   172.24.128.255  255.255.255.255         On-link      172.24.128.2    281
      172.29.10.0    255.255.255.0         On-link     172.29.10.125    281
    172.29.10.125  255.255.255.255         On-link     172.29.10.125    281
    172.29.10.255  255.255.255.255         On-link     172.29.10.125    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link      192.168.56.1    281
        224.0.0.0        240.0.0.0         On-link     172.29.10.125    281
        224.0.0.0        240.0.0.0         On-link      172.24.128.2    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link      192.168.56.1    281
  255.255.255.255  255.255.255.255         On-link     172.29.10.125    281
  255.255.255.255  255.255.255.255         On-link      172.24.128.2    281
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 20     41 ::/0                     fe80::21d:aaff:fee5:d1c8
  1    331 ::1/128                  On-link
 20    281 2a02:xxxx:xxxx:1::125/128
                                    On-link
 13    281 2a02:zzzz:zzzz:1::/64    fd32:8cf5:1dfb:ec4e:ffff:ffff:ffff:ffff
 20     26 2a02:zzzz:zzzz:1:ffff:ffff:ffff:ffff/128
                                    fe80::21d:aaff:fee5:d1c8
 13     25 fd32:8cf5:1dfb:ec4e::/64 fd32:8cf5:1dfb:ec4e::1
 13    281 fd32:8cf5:1dfb:ec4e::1/128
                                    On-link
 16    281 fe80::/64                On-link
 20    281 fe80::/64                On-link
 13    281 fe80::/64                On-link
 20    281 fe80::859f:dc89:2a1a:743f/128
                                    On-link
 13    281 fe80::a5fd:c006:8efc:8833/128
                                    On-link
 16    281 fe80::c984:ff80:960f:251a/128
                                    On-link
  1    331 ff00::/8                 On-link
 16    281 ff00::/8                 On-link
 20    281 ff00::/8                 On-link
 13    281 ff00::/8                 On-link
===========================================================================
Results:

Both:

Clients at remote networks seem to be assigned both an IPv4 and an IPv6 address correctly, with routing working as intended. Their external traffic to the rest of the Internet is not routed through the OpenVPN tunnel, as intended.

IPv4:

OpenVPN clients are correctly given an IP address in the "172.24.128.0/24" subnet.
Routes are correctly pushed to the client so that traffic to/from "172.24.64.0/24" and "800.800.800.x/28" is tunnelled through the OpenVPN link using "172.24.128.254" as a gateway, with the exception of traffic to/from the primary router itself on "800.800.800.94".

IPv6:

OpenVPN clients are correctly given an IP address in the "fd32:8cf5:1dfb:ec4e::/64" subnet.
Routes are correctly pushed to the client so that traffic to/from "2a02:zzzz:zzzz:1::/64" is tunnelled through the OpenVPN link using "fd32:8cf5:1dfb:ec4e:ffff:ffff:ffff:ffff" as a gateway, with the exception of traffic to/from the primary router itself on "2a02:zzzz:zzzz:1:ffff:ffff:ffff:ffff". -- I'm not sure how though, as pushing a "route-ipv6" through "net_gateway" is not available on IPv6. (This causes a config error.)



Hope this helps. :)
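The "I'm not sure how" above is answered by the client's own IPv6 route table: the /128 entry for the router's address sits on interface 20 via the LAN's link-local gateway and wins over the /64 via the tunnel on interface 13 by longest prefix, so that one host is reached outside the tunnel even though no net_gateway route could be pushed. The following Python script is an added example, not code from this thread, that parses a constructed copy of that route table (the "2a02:zzzz:zzzz:1::" placeholder is replaced by the documentation prefix 2001:db8:cccc:1:: so the addresses parse, and the wrapped rows are kept as ROUTE PRINT emits them) and runs the host's longest-prefix lookup over it.

```python
import ipaddress

# Constructed from the IPv6 "route print" output above. "2a02:zzzz:zzzz:1::"
# is replaced by the documentation prefix 2001:db8:cccc:1:: so it parses;
# Windows wraps long destinations and puts the gateway on the next line.
ROUTE_PRINT_V6 = """\
 If Metric Network Destination      Gateway
 20     41 ::/0                     fe80::21d:aaff:fee5:d1c8
  1    331 ::1/128                  On-link
 13    281 2001:db8:cccc:1::/64     fd32:8cf5:1dfb:ec4e:ffff:ffff:ffff:ffff
 20     26 2001:db8:cccc:1:ffff:ffff:ffff:ffff/128
                                    fe80::21d:aaff:fee5:d1c8
 13     25 fd32:8cf5:1dfb:ec4e::/64 fd32:8cf5:1dfb:ec4e::1
 13    281 fd32:8cf5:1dfb:ec4e::1/128
                                    On-link
"""


def parse_routes(text):
    """Parse ROUTE PRINT IPv6 rows into (ifindex, metric, network, gateway) tuples."""
    routes, pending = [], None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "If":          # blank or header line
            continue
        if pending is not None:                       # continuation line: gateway only
            routes.append(pending + (tokens[0],))
            pending = None
            continue
        ifindex, metric = int(tokens[0]), int(tokens[1])
        net = ipaddress.IPv6Network(tokens[2])
        if len(tokens) == 4:
            routes.append((ifindex, metric, net, tokens[3]))
        else:                                         # gateway wrapped onto next line
            pending = (ifindex, metric, net)
    return routes


def lookup(routes, destination):
    """Longest-prefix match; the lowest metric breaks ties, as the host does."""
    addr = ipaddress.IPv6Address(destination)
    matches = [r for r in routes if addr in r[2]]
    best = max(matches, key=lambda r: (r[2].prefixlen, -r[1]))
    return best[0], best[3]                           # (interface index, gateway)


ROUTES = parse_routes(ROUTE_PRINT_V6)
```

Interface 13 is the TAP adapter and interface 20 the physical NIC in the table above, so a lookup returning 20 for the router's address means that traffic never enters the tunnel.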
