IPv6 snack; access for residential LAN via tunnel service

Originally posted Mar 22, 2012 12:46 PM by Antti Uitto [updated Mar 23, 2012 6:17 AM]

My previous experiences with the SixXS service have been very positive, but this time I used Freenet6 for no other reason than to try out another one. And like SixXS, this one seems to be well done. Setup was easy, with two minor hiccups (I will elaborate on them later in the text).

This site has a little LAN with IPv4 Internet access through many-to-one NAT via a wireless router. My plan was to use the old desktop machine and install VirtualBox on it. Then I would create a new virtual host with Ubuntu Server as its OS and use this as my IPv6 router.

Steps taken

  1. Installed Ubuntu server (new virtual host)
  2. Enabled routing for IPv6
  3. Installed Gogo-client gogoc.
  4. Modified gogoc’s configuration
  5. Connected and pinged around
  6. Wrote ip6tables firewall rules
  7. Made things persist over reboots


Ubuntu Server

I installed Ubuntu Server to be my router. Nothing special here: bridged networking to the host system's eth0, an SSH server, and a static IPv4 address from our private network.

Routing IPv6

Because this machine is going to act as the IPv6 router for the other machines in the LAN, I enabled IPv6 forwarding by editing the file

/etc/sysctl.conf, uncommenting
net.ipv6.conf.all.forwarding=1

I then applied this change by rebooting the host.

You can also apply it without a reboot by running
sudo /sbin/sysctl -q -p

Gogo-client

On the Ubuntu router:
sudo apt-get install gogoc

Gogo-client’s configuration

The config file for gogoc is at
/etc/gogoc/gogoc.conf

userid=MyUserName
passwd=MyPasswd
auth_method=any
host_type=router
prefixlen=56
if_prefix=eth0
tunnel_mode=v6udpv4

if_prefix is the interface on which I want my prefix to be advertised, i.e. the interface facing the LAN with the client computers.

tunnel_mode: the mode I chose (v6udpv4) is the one meant for hosts that are unfortunate enough to connect from behind NAT.

Connecting to IPv6 Internet

After modifying the gogoc config file, I attempted to connect. Here was a minor issue. I could make the connection work if I changed the config to use an anonymous connection. Connecting authenticated would not work. After wondering about it for a while I found out (by running the client in the foreground) that while attempting an authenticated connection the client's script was asking a Yes/No question about whether or not I want to accept a server's key. I accepted it once, and after that running the client in the background produced a working connection.

Run the Gogo client with
sudo gogoc

Then check that you have a new tunnel interface with an IPv6 address, and a globally valid-looking IPv6 address on your LAN interface:
ifconfig

Sometimes connecting seems to take a while. Be patient, and if you lose faith, check the log to see what is going on:

tail -F /var/log/gogoc/gogoc.log

You can increase logging verbosity by adjusting values in gogoc.conf.

Since I got connected after a few tries, I was then able to ping and trace around:

ping6 ipv6.google.com
traceroute6 ipv6.google.com

ip6tables firewall

Here is my ip6tables firewall config.

Save it, for example, to /home/admin/firewall6 and apply it with
sudo ip6tables-restore < /home/admin/firewall6

user@host:~$ cat /home/admin/firewall6

# Generated by ip6tables-save v1.4.10 on Thu Mar 22 17:55:32 2012
*filter
:INPUT DROP [7697:530851]
:FORWARD DROP [53871:37157829]
:OUTPUT ACCEPT [8129:2157811]
#
# == INPUT =====
#
# Allow anything on the local link
-A INPUT -i lo -j ACCEPT
#
# Allow Link-Local addresses
-A INPUT -s fe80::/10 -j ACCEPT
#
# Allow multicast
-A INPUT -d ff00::/8 -j ACCEPT
#
# Allow ICMPv6 everywhere
-I INPUT -p icmpv6 -j ACCEPT
#
# Allow established
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Allow SSH
-I INPUT -p tcp --dport 22 -j ACCEPT
#
# Log
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "ip6tables input denied: " --log-level 7
#
# == FORWARD =====
#
-A FORWARD -m state --state NEW -i eth0 -o tun -s <my_ipv6_prefix>/56 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow SSH and ICMPv6 to be forwarded
-A FORWARD -p tcp --dport 22 -j ACCEPT
-I FORWARD -p icmpv6 -j ACCEPT
#
# Log
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "ip6tables forwarding denied: " --log-level 7
COMMIT
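Two things about the ruleset above are worth a second look before copying it: the real prefix has to be pasted in by hand, and the FORWARD rule for TCP port 22 lets any address on the IPv6 Internet reach the SSH port on every host behind the router, not just the router itself. The script below is an added example, not the post's own firewall file. It generates the same ruleset in ip6tables-save format from the prefix and interface names, checks that the prefix looks like a /56 before putting it into a rule, and forwards SSH only to one explicitly named LAN host (or to none). Like the post it assumes eth0 faces the LAN and gogoc's tunnel interface is called tun; 2001:db8:1234:5600::/56 and ::10 are constructed documentation addresses, not a real allocation.

```shell
#!/bin/sh
# Added example, not the post's own firewall file: build the ip6tables-restore
# input for the tunnel router from parameters so the prefix is typed once and
# checked first. Assumptions (not from the post): LAN interface eth0, gogoc
# tunnel interface "tun", a /56 delegation; 2001:db8:1234:5600::/56 is a
# constructed documentation prefix used only for the usage line and tests.

# valid_prefix56 PREFIX -> 0 if PREFIX looks like <hex groups with colons>/56.
# A rough shape check, not a full IPv6 parser: enough to catch a forgotten
# placeholder or a /48 pasted in by mistake.
valid_prefix56() {
    case "$1" in
        */56) ;;
        *) return 1 ;;
    esac
    vp_addr=${1%/56}
    case "$vp_addr" in
        ''|*[!0-9a-fA-F:]*|*:::*) return 1 ;;   # empty, non-hex, or ":::"
        *:*) return 0 ;;                          # at least one colon
        *) return 1 ;;
    esac
}

# gen_firewall6 PREFIX LAN_IF TUN_IF [SSH_HOST]
# Prints the ruleset. Compared with the post's file: NEW forwarded flows must
# come from our prefix on the LAN side and leave via the tunnel; SSH is
# forwarded only to SSH_HOST when one is given, never to every LAN host.
gen_firewall6() {
    prefix=$1; lan=$2; tun=$3; ssh_host=$4
    if ! valid_prefix56 "$prefix"; then
        echo "gen_firewall6: '$prefix' does not look like an IPv6 /56 prefix" >&2
        return 1
    fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# == INPUT =====
-A INPUT -i lo -j ACCEPT
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -d ff00::/8 -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "ip6tables input denied: " --log-level 7
# == FORWARD =====
-A FORWARD -p icmpv6 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state NEW -i $lan -o $tun -s $prefix -j ACCEPT
EOF
    if [ -n "$ssh_host" ]; then
        # Inbound SSH from the tunnel to exactly one LAN host
        echo "-A FORWARD -i $tun -o $lan -p tcp -d $ssh_host --dport 22 -j ACCEPT"
    fi
    cat <<EOF
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "ip6tables forwarding denied: " --log-level 7
COMMIT
EOF
}

# Usage: sh gen_firewall6.sh 2001:db8:1234:5600::/56 eth0 tun [2001:db8:1234:5600::10] > /home/admin/firewall6
if [ $# -ge 3 ]; then
    gen_firewall6 "$@"
fi
```

Redirect the output to the file you feed to ip6tables-restore, as in the post; running the generator never touches the live firewall. The ICMPv6 rules are kept wide open on purpose: neighbour discovery and path MTU discovery do not work without them.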

Things in rc.local

In order to make my connection come up and the firewall rules be applied after a reboot, I put these in /etc/rc.local:

mkdir /var/run/gogoc &&
gogoc &&
ip6tables-restore < /home/admin/firewall6

That mkdir command is there because of the second issue I experienced.

Every time I rebooted my host, gogoc would not connect because of the missing directory

/var/run/gogoc

This is my quick and very dirty fix for that. You may want to try whether you get it rolling without such a ridiculous trick.
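The three-command chain in rc.local has two quiet failure modes. If mkdir fails because the directory already exists (say, when the script is re-run by hand), the && chain stops and neither gogoc nor the firewall is touched. And when it does run, gogoc goes to the background and starts negotiating the tunnel before ip6tables-restore has loaded the ruleset, so for a moment the tunnel can be up with the default ACCEPT policies. The script below is an added example, not the post's rc.local: it loads the ruleset first, uses mkdir -p so an existing directory is not an error, and only starts gogoc when the ruleset actually loaded. The command names are variables, defaulting to the real binaries, so the ordering can be checked without root; /home/admin/firewall6 and /var/run/gogoc are the paths from the post.

```shell
#!/bin/sh
# Added example, not the post's rc.local: bring the tunnel up fail-closed.
# Order: ruleset -> run directory -> gogoc. If the ruleset is missing or
# fails to load, gogoc is not started at all.
# RULES and RUNDIR are the post's paths; the two command variables default to
# the real binaries and can be overridden (e.g. with shell functions) to dry-run.
RULES=${RULES:-/home/admin/firewall6}
RUNDIR=${RUNDIR:-/var/run/gogoc}
IP6TABLES_RESTORE=${IP6TABLES_RESTORE:-ip6tables-restore}
GOGOC=${GOGOC:-gogoc}
STEPS=""   # which steps completed, so a failure is easy to place

# start_v6_tunnel -> 0 when everything came up, 1 otherwise (tunnel not started)
start_v6_tunnel() {
    STEPS=""
    if [ ! -r "$RULES" ]; then
        echo "start_v6_tunnel: ruleset $RULES not readable; not starting tunnel" >&2
        return 1
    fi
    # Firewall first: the tunnel must never come up under the default policies.
    if ! $IP6TABLES_RESTORE < "$RULES"; then
        echo "start_v6_tunnel: ruleset failed to load; not starting tunnel" >&2
        return 1
    fi
    STEPS="${STEPS}firewall "
    # -p: an already existing directory is fine, unlike plain mkdir in the post.
    if ! mkdir -p "$RUNDIR"; then
        echo "start_v6_tunnel: cannot create $RUNDIR" >&2
        return 1
    fi
    STEPS="${STEPS}rundir "
    if ! $GOGOC; then
        echo "start_v6_tunnel: gogoc failed to start" >&2
        return 1
    fi
    STEPS="${STEPS}gogoc"
    return 0
}

# From /etc/rc.local (hypothetical path for this script): sh /home/admin/v6up.sh run
if [ "${1:-}" = "run" ]; then
    start_v6_tunnel
fi
```

Because rc.local ignores the exit status, the messages on stderr are what tell you the tunnel was deliberately left down; with the post's gogoc.log alongside them, a boot where the ruleset did not load is easy to tell apart from one where the tunnel negotiation simply took its time.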

Conclusion

Everything now works the way I was hoping. Client computers can access Internet hosts over both IPv4 and IPv6. The configuration on my Linux router persists over reboots. For now, client computers use only an IPv4-based name server.

Sources
http://gogonet.gogo6.com/page/freenet6-ipv6-services
http://www.chronos-tachyon.net/reference/debian-ipv6-and-hurricane-electric
http://www.sixxs.net/wiki/IPv6_Firewalling
