VPN with tinc and IPv6 (Using OpenWrt Routers)

The vpn software tinc has full support for IPv6 according to its projects' web site.

Here are the features in short:

  • Encryption, authentication and compression
  • Automatic full mesh routing
  • Easily expand your VPN
  • Ability to bridge ethernet segments (check this)
  • Runs on many operating systems and supports IPv6

Installing tinc

On OpenWrt Routers:

opkg update
opkg install tinc

On Ubuntu / Debian:

sudo apt-get update && sudo apt-get install tinc

On Mac OS X using Homebrew (you also need TunTap for OS X):

brew update && brew install tinc

Set Up Your tinc Configuration

OK, so let's start setting up our own 'private' IPv6 network which is also able to reach the outside using one of the tinc vpn routers.

The tinc server / clients can be any OS / device (such as a Debian GNU/Linux machine or an OpenWrt router) which is really nice. In my test setup, the computer routing the IPv6 traffic to the outside world using a SIXXS AYIYA tunnel was an Ubuntu machine (running SIXXS's client software aiccu). On a different (IPv4 connected) site I set up an OpenWrt router to connect to the tinc server and also advertising the IPv6 network prefix on the local network. I mostly followed the guide "Example: IPv6 Networking" where you can find an illustration of the topology.

Enable IPv6 Routing

First, make sure, you have IPv6 forwarding enabled on any router involved in your setup:

echo "1" >/proc/sys/net/ipv6/conf/all/forwarding
# and permanently set this flag in `/etc/sysctl.conf`:
echo "net.ipv6.conf.all.forwarding = 1" | tee -a /etc/sysctl.conf

On Ubuntu/Debian:

echo "1" | sudo tee /proc/sys/net/ipv6/conf/all/forwarding
echo "net.ipv6.conf.all.forwarding = 1" | sudo tee -a /etc/sysctl.conf

Create the tinc Network

First create a network profile for tinc (here I name it ipv6net):

sudo mkdir /etc/tinc/ipv6net
sudo mkdir /etc/tinc/ipv6net/hosts

In this folder /etc/tinc/ipv6net you should create a couple of files.

The network Gateway Router (Server)

tinc.conf

# A unique name for every node of the tinc VPN:
Name = tincleader
Mode = switch
#Interface = ipv6net
PrivateKeyFile = /etc/tinc/ipv6net/rsa_key.priv

tinc-up on the server:

#!/bin/sh
#Enable tinc
ip -6 link set $INTERFACE up mtu 1280 txqueuelen 1000
ip -6 addr add 2001:db8:beef::1/64 dev $INTERFACE
ip -6 route add 2001:db8:beef::/48 dev $INTERFACE
#Static routing table
ip -6 route add 2001:db8:beef:2::/64 via 2001:db8:beef::2
ip -6 route add 2001:db8:beef:3::/64 via 2001:db8:beef::3
ip -6 route add 2001:db8:beef:4::/64 via 2001:db8:beef::4

tinc-down:

#!/bin/sh
#Static routing table
ip -6 route del 2001:db8:beef:2::/64 via 2001:db8:beef:::2
ip -6 route del 2001:db8:beef:3::/64 via 2001:db8:beef:::3
ip -6 route del 2001:db8:beef:4::/64 via 2001:db8:beef:::4
#Disable tinc
ip -6 route del 2001:db8:beef::/48 dev $INTERFACE
ip -6 addr del 2001:db8:beef::1/64 dev $INTERFACE
ip -6 link set $INTERFACE down

Create the certificate on the server:

tincd -n ipv6net -K
The network Clients

Place the following three files (tinc.conf, tinc-up and tinc-down) in the folder /etc/tinc/ipv6net on the client.

tinc.conf on the clients:

Name=somenode
Mode = switch
ConnectTo = tincleader
#Interface = ipv6net
PrivateKeyFile = /etc/tinc/ipv6net/rsa_key.priv

tinc-up:

#!/bin/sh
ip -6 link set $INTERFACE up mtu 1280
ip -6 addr add 2001:db8:beef::2/64 dev $INTERFACE
ip -6 route add default via 2001:db8:beef::1

tinc-down:

#!/bin/sh
ip -6 route del default via 2001:db8:beef::1
ip -6 addr del 2001:db8:beef::2/64 dev $INTERFACE
ip -6 link set $INTERFACE down

Also create a certificate on the clients:

tincd -n ipv6net -K
A Road Warrior Setup for a Mac OS X Client

tinc.conf on the clients:

Name=philip_roadwarrior
Mode = switch
ConnectTo = tincleader
PrivateKeyFile=/usr/local/etc/tinc/ipv6net/rsa_key.priv
# ↓ needs:   sudo kextload /Library/Extensions/tap.kext
Device = /dev/tap0

tinc-up:

#!/bin/sh
set -x
LOCAL_IPV6_ADDR=2001:db8:beef::ff00
IPV6_ROUTER=2001:db8:beef::1

ifconfig $INTERFACE up mtu 1280
# prefixlen has to be 48 for road worriers (satellite stations):
ifconfig $INTERFACE inet6 $LOCAL_IPV6_ADDR prefixlen 48
route -n add -inet6 default $IPV6_ROUTER

tinc-down:

#!/bin/sh
set -x
LOCAL_IPV6_ADDR=2001:db8:beef::ff00
IPV6_ROUTER=2001:db8:beef::1

route -n delete -inet6 default $IPV6_ROUTER
ifconfig $INTERFACE down
# prefixlen has to be 48 for road worriers (satellite stations):
ifconfig $INTERFACE inet6 $LOCAL_IPV6_ADDR prefixlen 48 delete

Exchange Public Keys

In order to allow the tinc network to connect you have to set up the hosts:

Creating the keys creates the file /etc/tinc/ipv6net/hosts/NAME on each tinc node. Copy this file from the clients to the tinc master server and then

Startup Scripts for tinc

Starting tinc for debug purposes
sudo tincd -n ipv6net -D

which will send the log to stdout (can be changed by adding --logfile=tmp.log). You can then kill tincd using

sudo tincd -n ipv6net -k
Ubuntu / Debian

Just add a line containing the name of your tinc network to the nets.boot file:

echo "ipv6net" >> /etc/tinc/nets.boot
If you're setting tinc up on an OpenWrt machine

Create the configuration files just as you would on any other machine in /etc/tinc/ipv6net/ (you have to create the folder first).

Replace the default /etc/config/tinc by this much simpler one:

config tinc-net ipv6net
        option enabled 1

        ## Daemon Configuration (cmd arguments)
        option log /tmp/log/tinc.ipv6net.log
        option debug 3

Assigning an IP from the local network to your internal network adapter on your routers

On OpenWrt:

config 'interface' 'lan'
        # ...
        option 'ip6addr' '2001:db8:beef:1::1/64'

Setting up the Linux IPv6 Router Advertisement Daemon (radvd)

On Ubuntu / Debian machines
sudo apt-get install radvd

Sample /etc/radvd.conf:

#  the interface where radvd should send advertisements
interface eth0
{
    AdvSendAdvert on;
    AdvManagedFlag off;
    AdvOtherConfigFlag off;
    #  your local subnet (depending on which site you are configuring):
    prefix 2001:db8:beef:1::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
    };
};

Check /usr/share/doc/radvd/examples/ for further information on the configuration file.

Restart radvd using sudo /etc/init.d/radvd restart.

On OpenWrt devices

On OpenWrt devices, install radvd using opkg update && opkg install radvd and change the configuration file /etc/config/radvd:

config interface
    option interface    'lan'
    option AdvSendAdvert    1
    option AdvManagedFlag   0
    option AdvOtherConfigFlag 0
    list client     ''
    option ignore       0

config prefix
    option interface    'lan'
    list prefix     '2001:db8:beef:1::/64'
    option AdvOnLink    1
    option AdvAutonomous    1
    option AdvRouterAddr    0
    option ignore       0

Enable and run radvd using /etc/init.d/radvd enable and /etc/init.d/radvd start.

More Configuration Options

See Main configuration variables in the tinc manual.

KeyExpire = 1200
PingInterval = 30

For the hosts:

Compression = 10
Cipher = blowfish
PMTU = 1514
IndirectData = yes
Port = 655

Resources

Comments