# Beispiel-Listings fuer die Nutzung von IPv6 via OpenVPN

# (c) Copyright 2005 Hartmut Goebel

# Listing 1: Server-Konfiguration

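# OpenVPN server side: point-to-point TLS mode, IPv6 carried inside the tunnel.
tls-server
dev tun       # routed tunnel (no ethernet framing)
tun-ipv6      # let tun carry IPv6 (not needed from OpenVPN 2.4 on, which always does)

# When tunnelling through SSH or an HTTP proxy use TCP instead of UDP:
;proto tcp-server
;port 443

# Addresses and routes are configured by this script.  OpenVPN runs --up as
# root before it drops to the user below; OpenVPN >= 2.1 refuses to run any
# external script unless script-security is raised.
script-security 2
up /etc/openvpn/server.up

# Drop privileges once the tunnel is initialised.
user openvpn
group openvpn
# persist-key keeps the private key in memory and persist-tun keeps the tun
# device open, so a SIGUSR1 / ping-restart works without the root rights
# that re-reading the key or reopening /dev/net/tun would need.
persist-key
persist-tun

# SSL/TLS material and Diffie-Hellman parameters.
# Every client is authenticated by a certificate from this CA; whoever holds
# the CA key can mint clients, so keep that key off the VPN gateway.
ca   /etc/openvpn/cacert.pem
cert /etc/openvpn/OpenVPN_Server-cert.pem
key  /etc/openvpn/OpenVPN_Server-key.pem
# 1024-bit DH groups are considered breakable (Logjam); use at least 2048:
#   openssl dhparam -out /etc/openvpn/dh2048.pem 2048
dh   /etc/openvpn/dh2048.pem

# Data-channel cipher; must match the client.  OpenVPN >= 2.4 negotiates
# AES-256-GCM between 2.4+ peers and only falls back to this value.
# To harden the control channel consider 'auth SHA256' and a 'tls-auth'
# key -- both need the matching setting on the client side as well.
cipher AES-128-CBC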



# Listing 2: Server-Up-Skript

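#!/bin/bash
# server.up for OpenVPN (Listing 2).
#
# Run by OpenVPN as root ("up /etc/openvpn/server.up") once the tun device
# exists and before privileges are dropped.  OpenVPN passes the tun device
# name as $1 and the tun MTU as $2; the further arguments it supplies
# (link MTU, ifconfig addresses, init/restart) are ignored here.
# A non-zero exit makes OpenVPN abort the tunnel, which is what we want:
# a half-configured tunnel is worse than none.

set -eu

# IDs of the single-host clients we serve; each gets its own /124 transfer
# net 2001:0db8:feed:f1ff::<ID>0/124 where we are ...<ID>1 and the client
# is ...<ID>2 (see client.up).
VPN_RemoteClients=(98 99)

INTERFACE=${1:?tun device name missing (argument 1)}
TUN_MTU=${2:?tun MTU missing (argument 2)}
# remaining arguments are ignored

ip link set dev "$INTERFACE" mtu "$TUN_MTU" up

# 'replace' instead of 'add' keeps this idempotent if the script runs twice
# (e.g. an up/restart cycle without persist-tun).
for client_id in "${VPN_RemoteClients[@]}"; do
    global_addr="2001:0db8:feed:f1ff::${client_id}1/124"
    link_local="fe80:f1ff::${client_id}1/124"

    # link-local address
    ip -6 addr replace "$link_local"  dev "$INTERFACE"
    # point-to-point (transfer net) address
    ip -6 addr replace "$global_addr" dev "$INTERFACE"
done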


# Listing 3: Client-Konfiguration

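# OpenVPN client side; mirrors the server listing.
tls-client
dev tun       # routed tunnel
tun-ipv6      # not needed from OpenVPN 2.4 on
nobind        # no fixed local port

# VPN gateway at the office
remote gate.example.com 1194

# Tunnelling through SSH or an HTTP proxy (TCP; the server must then run tcp-server):
;remote gate.example.com 443
;proto tcp-client
;connect-retry 30  # seconds (tcp-client only, default: 5)
;http-proxy 192.168.1.80 8080
;http-proxy-retry

# Only accept a peer that presents a *server* certificate.  Without this any
# client certificate signed by the same CA can impersonate the gateway.
# The server certificate must carry the TLS Web Server extension (e.g.
# easy-rsa build-key-server); OpenVPN 2.0 spells this 'ns-cert-type server'.
remote-cert-tls server

# Interface and routes are set by this script.  OpenVPN >= 2.1 needs
# script-security 2 to run it at all.
script-security 2
up /etc/openvpn/client.up
# Run the up script only after the connection to the peer exists
# (up-delay is a flag and takes no argument).
up-delay

# Drop privileges
user openvpn
group openvpn
# persist-key alone does not survive a restart after the privilege drop: the
# tun device must be kept open as well, since the unprivileged process can
# neither re-read the key nor reopen /dev/net/tun.
persist-key
persist-tun

cipher AES-128-CBC   # must match the server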



# Listing 4: Client-Up-Skript

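#!/bin/bash
# client.up for OpenVPN (Listing 4).
# (c) Copyright 2005 Hartmut Goebel
#
# Run by OpenVPN as root ("up /etc/openvpn/client.up") once the tun device
# exists.  $1 is the tun device name and $2 the tun MTU; the further
# arguments OpenVPN supplies (link MTU, ifconfig addresses, init/restart)
# are ignored.  A non-zero exit makes OpenVPN abort the connection.

set -eu

# ID of this single-host client.  It must be listed in VPN_RemoteClients of
# the server's server.up, which holds the ...<ID>1 end of the same /124.
ClientId=99

INTERFACE=${1:?tun device name missing (argument 1)}
TUN_MTU=${2:?tun MTU missing (argument 2)}
# remaining arguments are ignored

ip link set dev "$INTERFACE" mtu "$TUN_MTU" up

HomeNet=2001:0db8:feed:0100::/64                   # network behind the server
MyIPAddr="2001:0db8:feed:f1ff::${ClientId}2/124"  # our end of the transfer net
LinkLocalAddr="fe80:f1ff::${ClientId}2/124"

# 'replace' keeps address and route commands idempotent if the script runs twice.
# link-local address
ip -6 addr replace "$LinkLocalAddr" dev "$INTERFACE"
# point-to-point (transfer net) address
ip -6 addr replace "$MyIPAddr"      dev "$INTERFACE"

# Route to the network on the server side.  Only the home /64 goes through
# the tunnel; all other IPv6 traffic keeps using the local uplink.
ip -6 route replace "$HomeNet" dev "$INTERFACE" metric 5
# If needed, send all IPv6 traffic through the tunnel instead:
#ip -6 route replace default dev "$INTERFACE" metric 5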


# Listing 5: Interface-Konfiguration

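# -*- mode: sh -*-
# /etc/sysconfig/network-scripts/ifcfg-eth0
# Extensions (c) Copyright 2005 Hartmut Goebel
#
# This file is *sourced* by the distribution's ifup scripts (as root), so it
# has to stay plain POSIX sh, must not 'exit' and must not change shell
# options.  It selects a static IPv4 configuration when the laptop appears to
# be at a known customer site and falls back to DHCP everywhere else.
DEVICE=eth0
ONBOOT=yes
MII_NOT_SUPPORTED=no
USERCTL=no
METRIC=10
# DHCP parameters
DHCP_CLIENT=dhclient
NEEDHOSTNAME=no
PEERDNS=yes
PEERYP=no
PEERNTPD=no

# enable IPv6
IPV6INIT=yes
IPV6ADDR=2001:0db8:feed:0100::21/64
IPV6ADDR_SECONDARIES=""

BOOTPROTO=
if ! ip link show "$DEVICE" | grep -qw UP ; then
    # bring the link up so that arping can probe the gateway
    ip link set "$DEVICE" up
elif ip -4 addr show "$DEVICE" | grep -q 'inet ' ; then
    # interface already has an IPv4 address (ifup re-run)
    BOOTPROTO=none
fi

# __FindNet ADDRESS NETMASK GATEWAY
# Test whether ADDRESS/NETMASK is the right static configuration for the
# network we are attached to and, if so, select it: BOOTPROTO=static and
# IPADDR/NETMASK/GATEWAY are set.  IPADDR etc. are only touched when the
# candidate is chosen, so a rejected candidate cannot leak into ifup.
# Does nothing once a configuration has been chosen.  With BOOTPROTO=none
# (interface already configured) it only checks whether ADDRESS is present;
# otherwise it ARP-probes GATEWAY.
#
# Security note: the probe is an unauthenticated ARP exchange.  Any host on
# the current LAN that answers for GATEWAY's IP makes us adopt that site's
# static address, so nothing trust-related (firewall rules, routes to
# internal services) may be derived from which branch was taken here.
__FindNet () {
    if [ -n "$BOOTPROTO" ] && [ "$BOOTPROTO" != none ]; then
        return 0
    fi
    if [ "$BOOTPROTO" = none ]; then
        # Exact address only: '.' would be a regex wildcard, and a plain
        # substring match lets 192.168.1.1 match 192.168.1.156.
        if ip -4 addr show "$DEVICE" | grep -qF -- "inet $1/"; then
            BOOTPROTO=static
            IPADDR=$1
            NETMASK=$2
            GATEWAY=$3
        fi
    else
        # iputils 'arping -D' exits 1 when a reply arrives (gateway is on
        # this LAN) and 0 when nobody answers.  Any other status means the
        # probe itself failed (no such interface, missing binary, ...) and
        # must not be read as "gateway reachable".
        arping -D -q -c 2 -w 3 -I "$DEVICE" "$3"
        rc=$?
        if [ "$rc" -eq 1 ]; then
            BOOTPROTO=static
            IPADDR=$1
            NETMASK=$2
            GATEWAY=$3
        fi
    fi
}

# customer 1, site 1
__FindNet 192.168.1.156 255.255.255.128 192.168.1.1
# customer 1, site 2
__FindNet 192.168.2.17 255.255.255.0  192.168.2.1
# customer 2
__FindNet 10.44.17.238 255.255.255.0 10.44.17.2

# default: DHCP
if [ -z "$BOOTPROTO" ] ; then
    BOOTPROTO=dhcp
fi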


#########################
#########################

# Beispiel einer flexiblen Konfiguration


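#!/bin/bash
# server.up for OpenVPN (flexible variant).
# (c) Copyright 2005 Hartmut Goebel
#
# Configures the server end of the IPv6 transfer networks for every subnet
# client and single-host client listed in /etc/sysconfig/firma_local.
# OpenVPN calls it as root with $1 = tun device and $2 = tun MTU; further
# arguments are ignored.  Any error aborts the tunnel start (set -e).

set -eu

INTERFACE=${1:?tun device name missing (argument 1)}
TUN_MTU=${2:?tun MTU missing (argument 2)}
# remaining arguments are ignored

ip link set dev "$INTERFACE" mtu "$TUN_MTU" up

# Provides LOCAL_IPv6_Prefix, LOCAL_IPv6_VPN_RemoteSubnets and
# LOCAL_IPv6_VPN_RemoteClients.  With set -e/-u a missing file or prefix
# stops the script instead of producing half-built addresses.
source /etc/sysconfig/firma_local
: "${LOCAL_IPv6_Prefix:?not set in /etc/sysconfig/firma_local}"

# iamServerSubnet NETID
# Server end for a client with a whole /64 (PREFIX:NETID00::/64) behind it:
# link-local fe80::f1NETID:1, transfer address PREFIX:f100::f1NETID:1/122 and
# a route for the remote /64 through the tunnel.  iamSubnetClient in the
# client's client.up must use the same transfer-net scheme (it takes the :2).
iamServerSubnet() {
    local there_net_id=$1
    local there_net="${LOCAL_IPv6_Prefix}:${there_net_id}00::/64"
    local p2p_net="${LOCAL_IPv6_Prefix}:f100"
    local here="${p2p_net}::f1${there_net_id}:1/122"

    # 'replace' keeps this idempotent if the script is run a second time
    ip -6 addr replace "fe80::f1${there_net_id}:1/64" dev "$INTERFACE"
    ip -6 addr replace "$here" dev "$INTERFACE"
    # subnet behind the client
    ip -6 route replace "$there_net" dev "$INTERFACE"
}

# iamServerSingleHost CLIENTID
# Server end for a single host: PREFIX:f1ff::CLIENTID1/124 plus the matching
# link-local fe80:f1ff::CLIENTID1/124 (the client takes ...CLIENTID2).
iamServerSingleHost() {
    local client_id=$1
    local p2p_net="${LOCAL_IPv6_Prefix}:f1ff"
    local here="${p2p_net}::${client_id}1/124"
    local link_local="${here/$p2p_net/fe80:f1ff}"

    ip -6 addr replace "$link_local" dev "$INTERFACE"
    ip -6 addr replace "$here"       dev "$INTERFACE"
}

# The lists are space separated; word splitting is intended.
for id in ${LOCAL_IPv6_VPN_RemoteSubnets:-}; do
    iamServerSubnet "$id"
done
for id in ${LOCAL_IPv6_VPN_RemoteClients:-}; do
    iamServerSingleHost "$id"
done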

#########################

# /etc/sysconfig/firma_local für Server-Seite

# Site prefix (global /48); the up scripts append the net ids below to it.
LOCAL_IPv6_Prefix="2001:0db8:feed"

# Net id of the network on this (server) side: PREFIX:0100::/64
LOCAL_IPv6_VPN_HereNetId="01"
# Net ids of the /64s behind the subnet clients (space separated)
LOCAL_IPv6_VPN_RemoteSubnets="02 03"
# Ids of the single-host clients (space separated)
LOCAL_IPv6_VPN_RemoteClients="98 99"

# Net id of the transfer networks.  Informational only: the server.up and
# client.up shown here hard-code f100/f1ff and do not read this variable.
LOCAL_IPv6_VPN_TransferNetId="f1"

#########################

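#!/bin/bash
# client.up for OpenVPN (flexible variant).
# (c) Copyright 2005 Hartmut Goebel
#
# Configures this end of the IPv6 transfer network and the route to the home
# network, as a subnet client (LOCAL_IPv6_VPN_HereNetId set) and/or a
# single-host client (LOCAL_IPv6_VPN_HereClientId set).  Settings come from
# /etc/sysconfig/firma_local, the same file name as on the server side.
# OpenVPN calls it as root with $1 = tun device and $2 = tun MTU; further
# arguments are ignored.  Any error aborts the connection (set -e).

set -eu

INTERFACE=${1:?tun device name missing (argument 1)}
TUN_MTU=${2:?tun MTU missing (argument 2)}
# remaining arguments are ignored

source /etc/sysconfig/firma_local
: "${LOCAL_IPv6_Prefix:?not set in /etc/sysconfig/firma_local}"

# iamSubnetClient HERENETID HOMENETID
# We have a whole /64 (PREFIX:HERENETID00::/64) behind us.  Transfer net and
# link-local address mirror iamServerSubnet in server.up: the server owns
# PREFIX:f100::f1HERENETID:1 and fe80::f1HERENETID:1, we take the :2
# addresses, and the route to the home /64 points at the server's transfer
# address.
iamSubnetClient() {
    local here_net_id=$1
    local home_net_id=$2
    local home_net="${LOCAL_IPv6_Prefix}:${home_net_id}00::/64"
    local p2p_net="${LOCAL_IPv6_Prefix}:f100"
    local peer="${p2p_net}::f1${here_net_id}:1"
    local here="${p2p_net}::f1${here_net_id}:2/122"

    # 'replace' keeps this idempotent if the script is run a second time
    ip -6 addr replace "$here" dev "$INTERFACE"
    # link-local address
    ip -6 addr replace "fe80::f1${here_net_id}:2/64" dev "$INTERFACE"

    ip -6 route replace "$home_net" via "$peer" dev "$INTERFACE" metric 5
    # If needed, send all IPv6 traffic through the tunnel instead:
    #ip -6 route replace default via "$peer" dev "$INTERFACE" metric 5
}

# iamSingleClient CLIENTID HOMENETID
# Single host: PREFIX:f1ff::CLIENTID2/124 and fe80:f1ff::CLIENTID2/124,
# matching iamServerSingleHost in server.up, which owns the ...CLIENTID1 end.
iamSingleClient() {
    local client_id=$1
    local home_net_id=$2
    local home_net="${LOCAL_IPv6_Prefix}:${home_net_id}00::/64"
    local p2p_net="${LOCAL_IPv6_Prefix}:f1ff"
    local here="${p2p_net}::${client_id}2/124"
    local link_local="${here/$p2p_net/fe80:f1ff}"

    # link-local address
    ip -6 addr replace "$link_local" dev "$INTERFACE"
    # point-to-point (transfer net) address
    ip -6 addr replace "$here"       dev "$INTERFACE"

    # network on the server side
    ip -6 route replace "$home_net" dev "$INTERFACE" metric 5
    #ip -6 route replace default dev "$INTERFACE" metric 5
}

ip link set dev "$INTERFACE" mtu "$TUN_MTU" up

if [ -n "${LOCAL_IPv6_VPN_HereNetId:-}" ]; then
    iamSubnetClient "$LOCAL_IPv6_VPN_HereNetId" \
                    "${LOCAL_IPv6_VPN_HomeNetId:?not set in /etc/sysconfig/firma_local}"
fi

if [ -n "${LOCAL_IPv6_VPN_HereClientId:-}" ]; then
    iamSingleClient "$LOCAL_IPv6_VPN_HereClientId" \
                    "${LOCAL_IPv6_VPN_HomeNetId:?not set in /etc/sysconfig/firma_local}"
fi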

#########################

# /etc/sysconfig/firma_local für Client-Seite

# Site prefix (global /48); the up scripts append the net ids below to it.
LOCAL_IPv6_Prefix="2001:0db8:feed"

# Net id of the network on the server side: PREFIX:0100::/64
LOCAL_IPv6_VPN_HomeNetId="01"
# For a subnet client: net id of the /64 behind this host
#LOCAL_IPv6_VPN_HereNetId="03"
# For a single-host client: this host's id (must be listed on the server)
LOCAL_IPv6_VPN_HereClientId="99"

# Net id of the transfer networks.  Informational only: the up scripts
# shown here hard-code f100/f1ff and do not read this variable.
LOCAL_IPv6_VPN_TransferNetId="f1"

#########################

# Server-Konfiguration

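# OpenVPN server, TCP variant (for use behind an SSH port forward or proxy).
proto tcp-server
tls-server

dev tun       # routed tunnel
tun-ipv6      # not needed from OpenVPN 2.4 on
# OpenVPN >= 2.1 needs script-security 2 to run the up script at all.
script-security 2
up /etc/openvpn/server.up

# Must match the client.  'none' disables data-channel encryption entirely:
# with the SSH setup only the client<->SSH-server leg is protected, and if
# the SSH server is not this host the forwarded leg to it crosses the LAN in
# clear.  Keep a real cipher unless the whole path is trusted.
cipher AES-128-CBC

# Drop privileges
user openvpn
group openvpn
# Keep key and tun device across restarts: the unprivileged process can
# neither re-read the key nor reopen /dev/net/tun.
persist-key
persist-tun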

#########################

# Client-Konfiguration

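# OpenVPN client, TCP variant (through an SSH port forward or HTTP proxy).
nobind
proto tcp-client        # default: udp

tls-client
connect-retry 30        # seconds (tcp-client only, default: 5)

dev tun                 # routed tunnel
tun-ipv6                # not needed from OpenVPN 2.4 on

# Proxy options.  Further options (authentication, retry, timeout,
# HTTP version, ...): see the manpage.
;http-proxy-retry       # retry on connection failures
;http-proxy 62.156.190.36 8080 # TSI Koeln

# Only accept a peer presenting a *server* certificate; otherwise any client
# certificate from the same CA could pose as the gateway.  The server cert
# needs the TLS Web Server extension; OpenVPN 2.0 spells this option
# 'ns-cert-type server'.
remote-cert-tls server

script-security 2       # needed on OpenVPN >= 2.1 for the up script
up /etc/openvpn/client.up
# set up interface and routes only after the connection is established
# (up-delay is a flag and takes no argument)
up-delay

# Hostname/IP and port of the server.  With the SSH forward this is the
# local end of the LocalForward, so the port must be the one LocalForward
# listens on.
remote localhost 51194
;remote mail.dyn.goebel-consult.de 51194

# Must match the server.  'none' turns off data-channel encryption: the
# payload is then protected only on the client<->SSH-server leg and travels
# in clear from the SSH server onwards to the OpenVPN host.
cipher AES-128-CBC

# Drop privileges
user openvpn
group openvpn
# Keep key and tun device across restarts after the privilege drop:
persist-key
persist-tun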

#########################

# SSH-Konfiguration

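# ssh_config entry that carries the OpenVPN TCP session to the office:
# "ssh -N office", then OpenVPN connects to localhost:<forwarded port>.
Host office
  # customer 1: through the site's HTTP proxy (CONNECT to port 443)
  #ProxyCommand /usr/local/bin/ssh_connect -H 192.168.1.80:8080 %h 443
  # customer 2
  #ProxyCommand /usr/local/bin/ssh_connect -H 10.44.1.80:8080 %h %p
  # The gateway is reached under changing addresses/proxies, so the host key
  # is pinned under a fixed alias instead of the IP.  known_hosts must hold
  # the key for "server-internal.example.com"; verify its fingerprint out of
  # band on first connect -- this is the only thing authenticating the gateway.
  CheckHostIP no
  HostKeyAlias server-internal.example.com
  Hostname gate.example.com
  # TCPKeepAlive is the current name of the old KeepAlive option; the
  # ServerAlive probes are what actually detects a dead tunnel.
  TCPKeepAlive yes
  ServerAliveInterval 30
  ServerAliveCountMax 3
  # Fail instead of staying connected without the forward, so OpenVPN does
  # not keep retrying a port nobody listens on.
  ExitOnForwardFailure yes
  # Bind to loopback only.  The local port must match the
  # 'remote localhost <port>' line of the OpenVPN client config.  The leg
  # from gate.example.com to 192.168.1.10 is outside SSH's protection.
  LocalForward 127.0.0.1:1194 192.168.1.10:1194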

#########################

# Interface-Konfiguration

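# -*- mode: sh -*-
# /etc/sysconfig/network-scripts/ifcfg-eth0
#
# This file is *sourced* by the distribution's ifup scripts (as root), so it
# has to stay plain POSIX sh, must not 'exit' and must not change shell
# options.  It selects a static IPv4 configuration when the laptop appears to
# be at a known customer site and falls back to DHCP everywhere else; the
# IPv6 address is derived from the site prefix in /etc/sysconfig/firma_local.
DEVICE=eth0
ONBOOT=yes
MII_NOT_SUPPORTED=no
USERCTL=no
METRIC=10
# DHCP parameters
DHCP_CLIENT=dhclient
NEEDHOSTNAME=no
PEERDNS=yes
PEERYP=no
PEERNTPD=no

BOOTPROTO=
if ! ip link show "$DEVICE" | grep -qw UP ; then
    # bring the link up so that arping can probe the gateway
    ip link set "$DEVICE" up
elif ip -4 addr show "$DEVICE" | grep -q 'inet ' ; then
    # interface already has an IPv4 address (ifup re-run)
    BOOTPROTO=none
fi

# __FindNet ADDRESS NETMASK GATEWAY
# Test whether ADDRESS/NETMASK is the right static configuration for the
# network we are attached to and, if so, select it: BOOTPROTO=static and
# IPADDR/NETMASK/GATEWAY are set.  IPADDR etc. are only touched when the
# candidate is chosen, so a rejected candidate cannot leak into ifup.
# Does nothing once a configuration has been chosen.  With BOOTPROTO=none
# (interface already configured) it only checks whether ADDRESS is present;
# otherwise it ARP-probes GATEWAY.
#
# Security note: the probe is an unauthenticated ARP exchange.  Any host on
# the current LAN that answers for GATEWAY's IP makes us adopt that site's
# static address, so nothing trust-related (firewall rules, routes to
# internal services) may be derived from which branch was taken here.
__FindNet () {
    if [ -n "$BOOTPROTO" ] && [ "$BOOTPROTO" != none ]; then
        return 0
    fi
    if [ "$BOOTPROTO" = none ]; then
        # Exact address only: '.' would be a regex wildcard, and a plain
        # substring match lets 192.168.1.1 match 192.168.1.156.
        if ip -4 addr show "$DEVICE" | grep -qF -- "inet $1/"; then
            BOOTPROTO=static
            IPADDR=$1
            NETMASK=$2
            GATEWAY=$3
        fi
    else
        # iputils 'arping -D' exits 1 when a reply arrives (gateway is on
        # this LAN) and 0 when nobody answers.  Any other status means the
        # probe itself failed (no such interface, missing binary, ...) and
        # must not be read as "gateway reachable".
        arping -q -c 2 -w 3 -D -I "$DEVICE" "$3"
        rc=$?
        if [ "$rc" -eq 1 ]; then
            BOOTPROTO=static
            IPADDR=$1
            NETMASK=$2
            GATEWAY=$3
        fi
    fi
}

# customer 1, site 1
__FindNet 192.168.1.156 255.255.255.128 192.168.1.1
# customer 1, site 2
__FindNet 192.168.2.17 255.255.255.0  192.168.2.1
# customer 2
__FindNet 10.44.17.238 255.255.255.0 10.44.17.2

# default: DHCP
if [ -z "$BOOTPROTO" ] ; then
    BOOTPROTO=dhcp
fi

# IPv6: the site prefix comes from the shared settings file.
if [ -r /etc/sysconfig/firma_local ]; then
    . /etc/sysconfig/firma_local
fi
if [ -n "${LOCAL_IPv6_Prefix:-}" ]; then
    IPV6INIT=yes
    IPV6ADDR=$LOCAL_IPv6_Prefix:0100::21/64
else
    # Without the prefix IPV6ADDR would be malformed (":0100::21/64");
    # leave IPv6 off rather than hand ifup garbage.
    IPV6INIT=no
fi
# NOTE(review): a /48 on a host address puts the whole /48 on-link for eth0;
# verify that /64 is not what was meant here.
IPV6ADDR_SECONDARIES="2001:db8:babe:1234::42/48
                      2001:db8:dead:8765::111/48"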
