IPv6 routing over OpenVPN

Turns out it is was not quite so easy to use my hosted server as an IPv6 gateway. It is doable though it is a multi step process.

I ended up asking bit in here, so the following is a summary of what I have learned during the process.

To get a routable subnet I went to Hurricane Electric and got myself a routed /48 subnet from Hurricane Electric. Visit https://tunnelbroker.net for more information about how to obtain your own subnet.

They will provide a IPv6 routed over IPv4 tunnel and also tell you what you should add to you /etc/interfaces.

My IPv6 addresses on the tunnel link is on the form: 2001:470:xxxx:xxx::/64. Therefore the following lines should be added to /etc/interfaces:

auto he-ipv6
iface he-ipv6 inet6 v4tunnel
    address 2001:470:xxxx:xxx::2
    netmask 64
    endpoint <ipv4 address Tunnelbroker side> 
    local <public ipv4 address your side>
    ttl 255
    gateway 2001:470:xxxx:xxx::1

But due to my server already have a public IPv6 address, it will cause some issues that we will have to mitigate before I can ping anything from the Tunnelbroker subnet.

#Enter policy based routing.

The idea is that the server decides which outbound link it should for IPv6 traffic depending on source IPv6 address.

The rules are pretty simple.

• If traffic originates from the server itself then use the default gateway.
• If traffic originates from my /48 subnet then use the IPv6 over IPv4 link.

This means you need two routing tables. The default routing table (called: main) and your own table (I called mine mynet6).

First add an entry for custom routing table:

echo 100     mynet6 > /etc/iproute2/rt_tables

For agument sake lets say I am assigned the subnet 2001:db8:cafe::/48.

I made a script that is called by OpenVPN when VPN link is up, since my /48 subnet resides only on my VPN link. The script goes a bit like this:

# Reset IPv6 routing table.
ip -6 rule flush

# Add default IPv6 rules again - since they gets deleted by the initial rule 
# flush command.
ip -6 rule add priority 32766 from all table main

# Reset Tunnelbroker routing table (table name: "mynet6").
ip -6 route flush table mynet6

# All traffic from my /48 subnet should be added to Tunnelbroker routing table
ip -6 rule add priority 32000 from 2001:DB8:CAFE::/48 table mynet6

# Add routeable VPN subnets to Tunnelbroker routing table
ip -6 rule add from 2001:DB8:CAFE::/48 table he-ipv6

# Remember to add a rule that if no machine does not respond to a 
# packet address in my /48, then we should return unreachable. 
# Else the package will be forwarded by default out through the 
# Hurricane Electric connection.

#(From the Internet)
ip -6 route add unreachable 2001:DB8:CAFE::/48

#(From my /48 subnet)
ip -6 route add unreachable 2001:DB8:CAFE::/48 table mynet6

# Any traffic that originates from VPN has to be forwarded via Tunnelbroker 
# routing table using the tunnelbroker link (link name: he-ipv6).
ip -6 route add default via 2001:470:xxxx:xxx::1 dev he-ipv6 table mynet6

#Verification of configuration

You can verify your routing setup with the command:

ip -6 rule show

It should contain something like:

0:      from all lookup local
32000:  from 2001:db8:cafe::/48 lookup mynet6
32766:  from all lookup main

The routing table for Tunnelbroker link can be found with:

ip -6 route show table mynet6

And it should output something like:

unreachable 2001:db8:cafe::/48 dev lo  metric 1024  error -113 pref medium
default via 2001:470:xxxx:xxx::1 dev he-ipv6  metric 1024  pref medium

You default routing table is found here:

ip -6 route show table main

And it should have among others the lines:

unreachable 2001:db8:cafe::/48 dev lo  metric 1024  error -113 pref medium
default via XXXX:XXXX:XXXX::1 dev eth0  metric 1024  pref medium

That should take of what the server have todo when it recieve traffic from the /48 subnet. How you assign the /48 subnet your to own network is an entire different chapter, that I am not going cover here. :-)