OpenWRT IPv6: Setting up a tunnel with AICCU
Source: https://www.sixxs.net/wiki/Aiccu/Installing_on_OpenWRT
Main topic page: Aiccu.
It is possible to maintain a dynamic AYIYA tunnel using the AICCU client on an OpenWRT router. The subnet can then be announced on the LAN, giving IPv6 connectivity to all compatible connected devices.
For this walkthrough we assume you have a basic install of OpenWRT Kamikaze and know how to connect to it using ssh, navigate the Linux directory tree and use vi.
Prerequisites
You may expect issues with OpenWRT Attitude Adjustment (12.09): the configuration files are missing and the startup scripts are still under discussion.
Possible alternatives are to stay with your working OpenWRT release and wait, to build your own workaround, or to use the current version Barrier Breaker 14.07.
All versions before Barrier Breaker 14.07
Out of the box, OpenWRT does not have any IPv6 utilities or kernel level support for IPv6. This can easily be solved by installing the necessary packages.
To install the packages, execute the following commands on your OpenWRT-box:
opkg update
opkg install kmod-ipv6
opkg install kmod-ip6tables
opkg install ip6tables
opkg install ip
opkg install kmod-tun
opkg install aiccu
opkg install radvd
opkg install ntpclient
In order, the above packages are:
- Kernel support for IPv6
- Kernel support for iptables for IPv6 (Optional: needed for IPv6 firewalling)
- iptables for IPv6 (Optional: See above)
- Utilities to manage the IP configuration
- Kernel support for Virtual Network Interface devices (tun) to create tunnels
- AICCU: Automatic IPv6 Connectivity Client Utility
- Router IPv6 Advertisement Daemon (Optional: not needed if you do not have a subnet, or if you use static IPv6 addresses)
- System clock requires synchronization for tunnel to stay up, so some ntp package is required. ntpclient is recommended.
If you run White Russian, be warned that that distribution ships an old aiccu and backports a broken one. If you want a working one for mipsel, you can get it here (see the related blog post for more information).
In addition, the White Russian package manager is called ipkg instead of Kamikaze's opkg.
After installing the above packages:
reboot
Barrier Breaker 14.07 and later
Barrier Breaker and newer versions have native IPv6 support; only one package (aiccu) needs to be installed (see below for the instructions).
- Native IPv6 support (DHCPv6, an RA and DHCPv6 server, and an IPv6 firewall) is installed and configured by default.
- Transition technologies like 6in4, 6rd, 6to4 or ds-lite can be installed using the packages of the same names.
- For WebUI support install the package luci-proto-ipv6.
Set Time
If your system clock is not synchronized to network time, AICCU will exit with an error message (see syslog or 'logread') because the time is too far off compared to the TIC server. Also, ntpclient will not correct your time if it is not already close to correct.
Instead install 'rdate' and use that; it sets the clock directly instead of slewing it slowly.
Use the following before starting AICCU to force the time to be set (and thus also to wait for network connectivity):
NTPSERVER=0.pool.ntp.org
# retry until the network is up and rdate has set the clock
while : ; do
    rdate ${NTPSERVER}
    [ $? = 0 ] && break
    sleep 5
done
'ntpdate' can also be used, but that might fail setting the clock when the offset to the real time is too large, hence why 'rdate' is preferred.
Tunnel Configuration
White Russian
Edit /etc/aiccu.conf to include your login and the tunnel to bind to. The file holds your TIC password in clear text, so keep it readable by root only.
Sample Configuration:
# AICCU Configuration
#
# Login information (defaults: none)
username ABC1-SIXXS
password 1234
#
# Interface names to use (default: aiccu)
ipv6_interface sixxs
#
# The tunnel_id to use (default: none)
# (only required when there are multiple tunnels in the list)
tunnel_id T12345
#
# Be verbose? (default: false)
verbose false
#
# Daemonize? (default: true)
# Set to false if you want to see any output
# When true output goes to syslog
daemonize true
#
# Automatic Login and Tunnel activation?
automatic true
#
# Require TLS?
# requiretls false
#
# PID File
pidfile /var/run/aiccu.pid
#
# Add a default route (default: true)
defaultroute true
Start aiccu and check the system logs for errors using the following.
aiccu start
logread
If aiccu is pleased it will show in the log something along the lines of
Jul 18 13:47:51 (none) local7.info syslog: Succesfully retrieved tunnel information for T12345
Jul 18 13:47:51 (none) local7.info syslog: AICCU running as PID 1234
Jul 18 13:47:52 (none) local7.info syslog: [AYIYA-start] : Anything in Anything (draft-02)
Jul 18 13:47:52 (none) local7.info syslog: [AYIYA-tun->tundev] : (Socket to TUN) started
Check that ipv6 is working by pinging sixxs.
ping6 sixxs.net
ping6 2001:XXXX:XXXX:XXXX::1    # the tunnel server (PoP side)
ping6 2001:XXXX:XXXX:XXXX::2    # your endpoint, the wrt54g router
Note: do not reuse these addresses for the router's LAN configuration; for that you need addresses from a subnet, which is separate from the tunnel you have just set up.
Kamikaze
Kamikaze uses /etc/config/aiccu for its configuration.
The first time you will have a file like:
config aiccu
	option username 'ABC1-SIXXS'
	option password '1234'
	option protocol
	option server
	option interface 'sixxs'
	option tunnel_id
	option requiretls '0'
	option defaultroute '1'
	option nat '1'
	option heartbeat '1'
Edit the file to your settings. Protocol is typically tic and server is tic.sixxs.net
In the command prompt, type:
/etc/init.d/aiccu start
The above command starts the aiccu client using /etc/config/aiccu as the basis for its configuration. (The generated configuration is stored in /tmp/run/aiccu-cfg######.conf; do not edit this file, since it is regenerated automatically by the /etc/init.d/aiccu script.)
You can verify that the tunnel started by executing:
logread
If aiccu is pleased it will show in the log something like:
Jul 18 13:47:51 (none) local7.info syslog: Succesfully retrieved tunnel information for T12345
Jul 18 13:47:51 (none) local7.info syslog: AICCU running as PID 1234
Check that ipv6 is working by pinging sixxs:
ping6 sixxs.net
ping6 2001:XXXX:XXXX:XXXX::1
ping6 2001:XXXX:XXXX:XXXX::2
The tunnel will start automatically at every reboot, however, sometimes the tunnel may start too early. Therefore, you should edit /etc/init.d/aiccu and change the line:
START=50
to
START=80
Backfire
Backfire also uses /etc/config/aiccu for its configuration. After you install aiccu, edit the file to set your username and password. The default protocol is tic and the default server is tic.sixxs.net, so you can leave these blank. Set the interface to sixxs.0 in order to simplify the firewall setup (see below).
This is how your /etc/config/aiccu file should look like:
config aiccu
	option username 'ABC1-SIXXS'
	option password '1234'
	option protocol
	option server
	option interface 'sixxs.0'
	option tunnel_id
	option requiretls '0'
	option defaultroute '1'
	option nat '1'
	option heartbeat '1'
After editing the file, type in the command prompt:
/etc/init.d/aiccu start
The above command starts the aiccu client using /etc/config/aiccu as the basis for its configuration. (The generated configuration is stored in /tmp/run/aiccu-cfg######.conf; do not edit this file, since it is regenerated automatically by the /etc/init.d/aiccu script.)
You can verify that the tunnel started by executing:
logread
If aiccu is pleased it will show in the log something like:
Jul 18 13:47:51 (none) local7.info syslog: Succesfully retrieved tunnel information for T12345
Jul 18 13:47:51 (none) local7.info syslog: AICCU running as PID 1234
Check that ipv6 is working by pinging sixxs:
ping6 sixxs.net
ping6 2001:XXXX:XXXX:XXXX::1
ping6 2001:XXXX:XXXX:XXXX::2
The tunnel will start automatically at every reboot. In Backfire, aiccu is correctly started after radvd, so there is no need to change the START parameter in /etc/init.d/aiccu.
Barrier Breaker
As of Barrier Breaker (14.07) RC1, AICCU is now integrated with netifd. This release of OpenWRT also sports native IPv6 support, so no extra software is needed for IPv6.
Install software dependencies:
opkg update
opkg install aiccu
Edit the 'wan6' section in /etc/config/network to read as follows, filling the appropriate information from your tunnel information:
config interface 'wan6'
	# mandatory settings
	option proto 'aiccu'
	option username ' SIXXS user name/tunnelID '
	option password ' TIC tunnel password '
	# optional settings (but you should set these, comment out using #)
	option tunnelid ' ID of SIXXS tunnel '
	option ip6prefix ' routed subnet prefix '
	option requiretls 'true'    # false disables encryption for the authentication, that is a security risk
	# optional
	#option server ' IP address or FQDN of TIC server '
	#option ip6addr ' IP of this host on routed subnet '
	#option heartbeat ' makebeats? 1 or 0 '
	#option sourcerouting ' 1 or 0 '
	#option defaultroute ' 1 or 0 '
	#option verbose ' 1 or 0 '
Tell netifd to reload the configuration file:
/etc/init.d/network reload
Verify with logread that AICCU has been started and finally ping sixxs to check the connection.
ping6 sixxs.net
AICCU fails at boot
Due to DNS and time issues AICCU may fail to start at boot; see OpenWrt ticket #17744.
The following patch to /lib/netifd/proto/aiccu.sh adds a workaround that can be applied until the issue has been fixed.
--- lib/netifd/proto/aiccu.sh 2014-08-08 12:20:06.000000000 +0200 +++ /lib/netifd/proto/aiccu.sh 2014-09-21 11:59:53.000000000 +0200 @@ -43,6 +43,16 @@ echo "daemonize true" >> "$CFGFILE" echo "pidfile $PIDFILE" >> "$CFGFILE" +# work-around for https://dev.openwrt.org/ticket/17744 + NTPSERVER=pool.ntp.org + + local try=0 + local max=10 + while [ $((++try)) -le $max ]; do + ntpd -qn -p pool.ntp.org >/dev/null 2>&1 && break + sleep 6 + done +# end of work-around + aiccu start "$CFGFILE" [ "$?" -ne 0 ] && {
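Review bot: the NTPSERVER variable introduced by this hunk is never used; the ntpd line hard-codes pool.ntp.org, so anyone following the advice below to switch to a closer pool has to edit two places and will likely miss one. Use `ntpd -qn -p "$NTPSERVER"` instead. Also, when all $max attempts fail the loop falls through silently into `aiccu start`, which then aborts with the clock-offset error; a `logger -t aiccu "NTP sync failed after $max attempts"` before falling through would make the actual cause visible in logread.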
If the time still differs after this, you may need to try another NTP pool.
Check the pools at NTP.org.
Change pool.ntp.org to another one, e.g. 0.br.pool.ntp.org.
Bleeding edge / trunk / Chaos Calmer
Chaos Calmer is the current development version, also called Bleeding Edge or trunk. Look at the instructions for Barrier Breaker or configure everything with the luci webinterface.
You need the following packages:
luci luci-proto-ipv6 aiccu
Then you can change the interface wan6 from dhcp to aiccu/sixxs and enter your login data.
Subnet Configuration
Note that the IPv6 router does not need to be the same device as your IPv4 router. Tunnel traffic is carried inside IPv4 packets, so it passes through your existing IPv4 gateway and NAT transparently, and the IPv6 router can sit inside your existing gateway and firewall. The flip side is that every host on the subnet becomes reachable from the IPv6 internet through the tunnel, bypassing your IPv4 iptables rules entirely: pay attention to this new exposure of the inside of your network and configure ip6tables rules for it. (See ip6tables)
Routing (all versions up to 12.09)
Note: you need to use addresses from a subnet and enable it before you can use radvd, and it is not the same as the tunnel. Each tunnel has a separate /64 (or /48 if you have requested it) called the "default routed subnet". You can use this prefix and give your router the address <Subnet-Prefix>::1/64, which is a reasonable choice.
To give connectivity to other hosts on your subnet, you first need to set the IPv6 address of your OpenWRT box, which is now your router. We assume it has the host part ::1 in the examples below.
Edit /etc/config/network and add the following line under the correct interface:
option 'ip6addr' '<Subnet-Prefix>::1/64'
Here is part of an example config-file:
config 'interface' 'lan'
	option 'type' 'bridge'
	option 'ifname' 'eth0.0'
	option 'proto' 'static'
	option 'ipaddr' '192.168.10.1'
	option 'netmask' '255.255.255.0'
	option 'dns' '192.168.10.5'
	option 'defaultroute' '0'
	option 'peerdns' '0'
	option 'ip6addr' '2001:####:###::1/64'
Then you need to add / uncomment the following line at the bottom of /etc/sysctl.conf:
net.ipv6.conf.all.forwarding=1
Radvd
Radvd is how IPv6 advertises the existence of the router on your network. It accomplishes much of what DHCP does for IPv4. Without needing to be polled by devices, the radvd process advertises the IPv6 address of the router along with a prefix from which clients can self-generate their own IP assignments (originally by appending their MAC address, though that is no longer the only way.)
If you have been assigned a subnet such as a /48, you may be tempted to advertise all of it as your network prefix, but note that automatic address assignment on your clients only works if you advertise a /64 prefix, because the interface identifier (originally derived from the MAC address) takes up the remaining 64 bits.
For details on the other radvd options, refer to the man page for radvd.conf.
White Russian
Edit /etc/radvd.conf to make radvd properly advertise the subnet.
(note br-lan, the configuration default is br0)
interface br-lan
{
	AdvSendAdvert on;
	prefix <Subnet-Prefix>::/64
	{
		AdvOnLink on;
		AdvAutonomous on;
	};
};
Kamikaze and Backfire
Kamikaze and Backfire use /etc/config/radvd, which lists options corresponding to those listed in the radvd.conf file shown above. Your interface and prefix section should look like this:
config interface
	option interface 'lan'
	option AdvSendAdvert 1
	option AdvManagedFlag 0
	option AdvOtherConfigFlag 0
	list client ''
	option ignore 0

config prefix
	option interface 'lan'
	# If not specified, a non-link-local prefix of the interface is used
	list prefix '<Subnet-Prefix>::/64'
	option AdvOnLink 1
	option AdvAutonomous 1
	option AdvRouterAddr 0
	option ignore 0
Make sure to set the ignore option to zero to enable radvd and set your prefix.
Finalize
Execute the following commands to configure these services to autostart after the next reboot of your router:
/etc/init.d/radvd enable
/etc/init.d/aiccu enable
Then restart the router one last time to make everything take effect.
reboot
If everything is working correctly, then restarting the network adapter of a connected device should result in it assigning itself an IPv6 address on your subnet. If this does not happen, unplug the router, count to 30 and plug it back in to make sure computers on the LAN are not caching old settings. Do not worry if your devices show a router address different from your subnet and beginning with FE80. This is a link local address which also works just fine for reaching your router. You get one of these also. As long as you also show an IP address on the new subnet, you can know that the router can direct external traffic to your device.
Routing (Barrier Breaker 14.07 and later)
Note: you need to use addresses from a routed subnet and enable it before you can use odhcpd, and it is not the same as the tunnel. Each tunnel has a separate /64 (or /48 if you have requested it) called the "default routed subnet". You can use this prefix and give your router the address <Subnet-Prefix>::1/64, which is a reasonable choice. Note 2: radvd is no longer used in Barrier Breaker 14.07.
The subnet prefix has to be set in /etc/config/network for the tunnel device (see the instructions for tunnel setup):
config interface 'wan6'    # (if you followed the example from above)
	...
	option ip6prefix '2001:xxxx:xxxx:xxxx::1/64'
	...
Be sure to use the routed prefix, not the tunnel prefix (sometimes only 1 character is different!). Afterwards, enable prefix delegation for your lan interface:
config interface lan
	option proto static
	option ip6assign 64
	...
This assigns a /64 from every available public prefix (including the routed one from the tunnel and, by default, also a ULA prefix that can be used for local routing). Do not use option ip6addr! See this page for more options: Downstream configuration for LAN-Interfaces - OpenWRT Wiki
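The "routed prefix, not the tunnel prefix" mistake above (and the note further down that only ::1 and ::2 of the tunnel /64 are routed) is easy to make by eye because the two prefixes often differ in a single character. The following is an added example, not from the SixXS wiki and not part of OpenWrt or AICCU: it normalises both addresses (expands "::", zero-pads, lower-cases) and refuses a routed prefix that falls inside the tunnel's /64. It assumes SixXS-style addressing as described on this page; the 2001:db8::/32 addresses in the usage comment and test are constructed examples. POSIX sh and awk only, so it runs on busybox as well as a workstation.

```shell
#!/bin/sh
# Added example (not from the SixXS wiki): check that the prefix you are about
# to put in 'option ip6prefix' (or a LAN ip6addr) is the routed subnet and not
# the tunnel's own /64. Works with busybox sh/awk.

# Print the first four hextets (the /64) of an IPv6 address or prefix,
# lower-cased and zero-padded, e.g. "2001:0db8:0001:0002". A "/len" suffix is
# ignored. Returns 1 if the input is not a plausible IPv6 address.
ip6_prefix64() {
    printf '%s\n' "${1%%/*}" | awk '{
        n = split(tolower($0), g, ":")        # "::" yields empty fields
        nonempty = 0
        for (i = 1; i <= n; i++) if (g[i] != "") nonempty++
        if (nonempty > 8 || (nonempty < 8 && index($0, "::") == 0)) exit 1
        out = ""; filled = 0
        for (i = 1; i <= n; i++) {
            if (g[i] == "") {                 # part of the "::" run: expand once
                if (!filled) { for (k = nonempty; k < 8; k++) out = out "0000:"; filled = 1 }
                continue
            }
            if (g[i] !~ /^[0-9a-f][0-9a-f]?[0-9a-f]?[0-9a-f]?$/) exit 1
            s = sprintf("%4s", g[i]); gsub(/ /, "0", s)   # zero-pad to 4 digits
            out = out s ":"
        }
        split(out, h, ":")
        print h[1] ":" h[2] ":" h[3] ":" h[4]
    }'
}

# check_routed_prefix TUNNEL_ENDPOINT ROUTED_PREFIX
# exit 0: different /64s (fine); 1: the routed prefix is the tunnel /64;
# 2: one of the inputs does not parse.
check_routed_prefix() {
    tunnel=$(ip6_prefix64 "$1") || { echo "bad tunnel address: $1" >&2; return 2; }
    routed=$(ip6_prefix64 "$2") || { echo "bad routed prefix: $2" >&2; return 2; }
    if [ "$tunnel" = "$routed" ]; then
        echo "ERROR: $2 lies inside the tunnel /64 ($tunnel::/64); only ::1 and ::2 are routed there. Use the routed subnet." >&2
        return 1
    fi
    echo "ok: tunnel /64 $tunnel, routed /64 $routed"
}

# Usage (constructed addresses):
#   sh check6.sh 2001:db8:1:2::2 2001:db8:1:3::/64
[ $# -eq 2 ] && check_routed_prefix "$1" "$2"
```

Run it with the tunnel endpoint from your tunnel information and the prefix you intend to configure; a non-zero exit status means stop and re-read the SixXS tunnel page before editing /etc/config/network.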
Finalize
Restart the router one last time to make everything take effect.
reboot
If everything is working correctly, then restarting the network adapter of a connected device should result in it assigning itself several IPv6 addresses, including one on your subnet. If this does not happen, unplug the router, count to 30 and plug it back in to make sure computers on the LAN are not caching old settings. Do not worry if your devices show a router address different from your subnet and beginning with FE80. This is a link local address which also works just fine for reaching your router. You get one of these also. As long as you also show an IP address on the new subnet, you can know that the router can direct external traffic to your device.
Firewalling (using OpenWrt firewall2 configuration)
Hint: This was tested with a SixXS 6in4-heartbeat tunnel.
On newer releases of Kamikaze and Backfire, iptables and ip6tables rules can be configured through /etc/config/firewall, with the interfaces they apply to defined in /etc/config/network.
Preparation
Before you apply any change create backups of your /etc/config/firewall and /etc/config/network by using
root@OpenWrt:~# uci export network > network.uci
root@OpenWrt:~# uci export firewall > firewall.uci
In case of failure just do a reimport of the saved configuration files and reboot.
root@OpenWrt:~# uci import < network.uci
root@OpenWrt:~# uci import < firewall.uci
Or apply any of your preferred configuration backup.
First Step
If you have a running configuration stop the aiccu tunnel first.
root@OpenWrt:~# /etc/init.d/aiccu stop
Create an additional interface wan6 in /etc/config/network and bind it to the tunnel interface name "sixxs0" that aiccu will create:
config 'interface' 'wan6'
	option 'proto' 'static'
	option 'ifname' 'sixxs0'
	option 'auto' '1'
	option 'ip6addr' '2001:your:end:point::2'
	option 'send_rs' '0'
Hint: set option auto to 1; this adds wan6 (sixxs0) to zone wan6 and everything works.
Second Step
Change the interface name in /etc/config/aiccu to sixxs0.
config aiccu
	option username 'YOUR-SIXXS/T1234'
	option password 'password'
	option protocol 'tic'
	option server 'tic.sixxs.net'
	option interface 'sixxs0'
	option tunnel_id 'T1234'
	option requiretls '0'
	option defaultroute '1'
	option nat '1'
	option heartbeat '1'
Final Step
Adapt your /etc/config/firewall as shown below.
(Change it carefully if you already have other IPv4 rules in place.)
config 'defaults'
	option 'syn_flood' '1'
	option 'input' 'ACCEPT'
	option 'output' 'ACCEPT'
	option 'forward' 'REJECT'
	option 'drop_invalid' '1'

.... your standard firewall config ....

config 'include'
	option 'path' '/etc/firewall.user'

config 'zone'
	option 'name' 'wan6'
	option 'output' 'ACCEPT'
	option 'network' 'wan6'
	option 'family' 'ipv6'
	option 'input' 'DROP'
	option 'forward' 'DROP'

config 'forwarding'
	option 'dest' 'wan6'
	option 'src' 'lan'

config 'rule'
	option 'name' 'RHO'
	option 'family' 'ipv6'
	option 'target' 'DROP'
	option 'extra' '-m rt --rt-type 0'
	option 'proto' 'all'
	option 'src' 'wan6'

config 'rule'
	option 'name' 'RHO2'
	option 'family' 'ipv6'
	option 'target' 'DROP'
	option 'extra' '-m rt --rt-type 0'
	option 'proto' 'all'
	option 'src' 'wan6'
	option 'dest' 'lan'

config 'rule'
	option 'name' 'Allow-Ping ipv6'
	option 'family' 'ipv6'
	option 'target' 'ACCEPT'
	option 'proto' 'icmp'
	option 'src' 'wan6'
	option 'limit' '1000/sec'
	list 'icmp_type' 'echo-request'
	list 'icmp_type' 'destination-unreachable'
	list 'icmp_type' 'packet-too-big'
	list 'icmp_type' 'time-exceeded'
	list 'icmp_type' 'bad-header'
	list 'icmp_type' 'unknown-header-type'
	list 'icmp_type' 'router-solicitation'
	list 'icmp_type' 'neighbour-solicitation'
	list 'icmp_type' 'echo-reply'
And restart everything
root@OpenWrt:~# /etc/init.d/network restart
root@OpenWrt:~# /etc/init.d/firewall restart
root@OpenWrt:~# /etc/init.d/aiccu start
Check if wan6 (sixxs0) is added to zone wan6 as shown below.
root@OpenWrt:~# logread | grep firewall
Jan 20 17:11:09 OpenWrt user.info firewall: adding lan (br-lan) to zone lan
Jan 20 17:11:09 OpenWrt user.info firewall: adding wan (eth0) to zone wan
Jan 20 17:11:12 OpenWrt user.info firewall: adding wan6 (sixxs0) to zone wan6
Check also if aiccu and radvd are up and running.
Don't forget to scan your IPv6 firewall configuration with an external IPv6 firewall check.
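An external scan tells you what is reachable from outside; it does not tell you why. The following is an added example, not from the SixXS wiki and not OpenWrt's own code, that reads ip6tables-save output and reports what happens to a packet from the tunnel interface that matches none of the explicit allow rules, following -j jumps into user chains (the zone configuration above ends in zone_* chains, so the INPUT policy line alone says little). It also checks for the two things this section's rules rely on: a DROP for routing header type 0 and an ACCEPT for ICMPv6 packet-too-big, without which path MTU discovery over the 1280-byte tunnel breaks. The interface name sixxs0 is the one used in this section; the chain names in the two sample rulesets are constructed for the demo and are not claimed to match firewall2's exact output. POSIX sh and awk only, so it runs on busybox.

```shell
#!/bin/sh
# Added example (not from the SixXS wiki, not OpenWrt code). Exit status is the
# number of findings, so it can gate a deployment script. Busybox-compatible.

audit_ip6tables() {
    awk -v iface="${1:-sixxs0}" '
    BEGIN { table = "filter" }
    /^\*/ { table = substr($0, 2); next }
    /^:/ && table == "filter" { sub(/^:/, ""); policy[$1] = $2; cnt[$1] += 0; next }
    /^-A / && table == "filter" {
        line = $0
        gsub(/-m comment --comment "[^"]*" */, "", line)   # comments may contain spaces
        split(line, f, " ")
        rule[f[2], ++cnt[f[2]]] = line
        if (line ~ /--rt-type 0/ && target(line) ~ /^(DROP|REJECT)$/) rh0 = 1
        if (line ~ /--icmpv6-type (2|packet-too-big)( |$)/ && target(line) == "ACCEPT") ptb = 1
        next
    }
    # true if the rule matches every packet from ifc: nothing but "-i ifc" before -j
    function catchall(line, ifc,   n, t, i) {
        n = split(line, t, " ")
        for (i = 3; i <= n; i++) {
            if (t[i] == "-j") return 1
            if (t[i] == "-i") { if (t[i + 1] != ifc) return 0; i++; continue }
            return 0                          # -p, -m, -s, -d, -o ...: conditional
        }
        return 1
    }
    function target(line,   n, t, i) {
        n = split(line, t, " ")
        for (i = 3; i <= n; i++) if (t[i] == "-j") return t[i + 1]
        return ""
    }
    # first terminal verdict a catch-all packet from ifc reaches in chain ("" = none)
    function fate(chain, ifc,   i, tgt, r) {
        for (i = 1; i <= cnt[chain]; i++) {
            if (!catchall(rule[chain, i], ifc)) continue
            tgt = target(rule[chain, i])
            if (tgt == "ACCEPT" || tgt == "DROP" || tgt == "REJECT") return tgt
            if (tgt == "RETURN") return ""
            if (tgt in cnt) { r = fate(tgt, ifc); if (r != "") return r }
        }
        return ""
    }
    END {
        findings = 0
        for (c = 1; c <= 2; c++) {
            chain = (c == 1) ? "INPUT" : "FORWARD"
            v = fate(chain, iface); how = "rule"
            if (v == "") { v = (chain in policy) ? policy[chain] : "unknown"; how = "chain policy" }
            printf "%s from %s: %s (%s)\n", chain, iface, v, how
            if (v != "DROP" && v != "REJECT") { print "  FINDING: unmatched tunnel traffic is not blocked"; findings++ }
        }
        if (!rh0) { print "FINDING: no DROP/REJECT for routing header type 0 (-m rt --rt-type 0)"; findings++ }
        if (!ptb) { print "FINDING: ICMPv6 packet-too-big (type 2) not accepted; PMTUD over the tunnel will break"; findings++ }
        exit findings
    }'
}

# Constructed sample rulesets in ip6tables-save format (not captured from a router).
sample_good() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:zone_wan6 - [0:0]
:zone_wan6_DROP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i sixxs0 -m comment --comment "wan6 zone" -j zone_wan6
-A FORWARD -i sixxs0 -j zone_wan6
-A zone_wan6 -m rt --rt-type 0 -j DROP
-A zone_wan6 -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A zone_wan6 -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -j ACCEPT
-A zone_wan6 -j zone_wan6_DROP
-A zone_wan6_DROP -j DROP
COMMIT
EOF
}
sample_bad() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i sixxs0 -p tcp -m tcp --dport 22 -j DROP
-A FORWARD -i sixxs0 -o br-lan -j ACCEPT
COMMIT
EOF
}

# On the router:  ip6tables-save | sh audit6.sh sixxs0     Demo:  sh audit6.sh demo
case "${1:-}" in
    demo) echo "== good ruleset"; sample_good | audit_ip6tables sixxs0 || true
          echo "== bad ruleset";  sample_bad  | audit_ip6tables sixxs0 || true ;;
    "")   ;;
    *)    audit_ip6tables "$1" ;;
esac
```

The evaluation is deliberately conservative: any rule with a match beyond "-i <iface>" is treated as conditional and skipped, so a verdict of DROP means a packet with no special properties is dropped, not that every allow rule is sensible. Read the allow rules (ICMPv6 types, ports) by hand afterwards.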
If everything fails, restore your configuration as described above and follow the firewalling method described in the section Post Setup.
Post Setup
You can use the command ip6tables (iptables for IPv6) to set up IPv6 firewalling.
For Kamikaze, the rules go in /etc/firewall.user. Note that the default OpenWRT kernel does not support the rt match (-m rt), so you cannot block RH0 packets there.
Troubleshooting
Installation brcm-2.4
When you follow the instructions above for installation, you will get the following error when installing aiccu:
root # opkg install aiccu
Collected errors:
 * Cannot find package aiccu.
In the current version of kamikaze 8.09.1 (aiccu_20070115-2.1_mipsel.ipk), there seems to be a dependency on a 2.6 kernel. (Cannot satisfy the following dependencies for aiccu: * kmod-sit *)
To get around this you can do the following:
cd /tmp
wget http://downloads.openwrt.org/kamikaze/8.09.1/brcm-2.4/packages/aiccu_20070115-2.1_mipsel.ipk
opkg -force-depends install aiccu_20070115-2.1_mipsel.ipk
You will get the following error message, which you can ignore:
Collected errors:
 * Warning: Cannot satisfy the following dependencies for aiccu:
 * kmod-sit *
Then continue to follow the instructions above.
Running processes
Look at your running processes with ps. You should see aiccu, radvd, and ntpclient. If any of these are missing, either they were not started, or there is some reason they stopped. Find out why and fix.
If your tunnel is active, ifconfig will show an interface named sixxs.0:
sixxs.0   Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet6 addr: 2001:.....
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1280  Metric:1
          ....
If you do not see it, try starting aiccu again. If this does not reappear in the ifconfig list, check logread for clues. Make sure your aiccu config file is correct.
Timing
If logread shows a message like:
May 31 12:15:29 OpenWrt local7.err syslog: The clock is off by 8577949 seconds, use NTP to sync it!
May 31 12:15:29 OpenWrt local7.err syslog: Couldn't retrieve first tunnel for the above reason, aborting
This means the tunnel started but due to your system clock being unsynchronized, it immediately aborted as no valid heartbeat or crypto could then be used.
See the note above about using rdate to resolve this problem.
If the number of seconds off is a near multiple of 3600, your error is in hours and likely a result of improperly set timezone. Change the TZ setting and then set your clock again to the current time and try again.
DNS
If you cannot ping6 sixxs.net successfully, try pinging the address numerically to see whether it is just a DNS problem:
ping6 2001:838:1:1:210:dcff:fe20:7c7c
Routing
If you can ping6 www.sixxs.net from your router, and you can ping6 your router from your clients, but somehow the clients cannot ping6 www.sixxs.net, you appear to have an issue with your default route. Check out this forum post: OpenWRT Kamikaze routing problem (Some people solve the problem by ensuring that aiccu starts after radvd).
I spent most of the weekend fighting this, in my case the problem was that I had not bothered to get a subnet from sixxs.
For routing to/from the lan
Note: When using a SixXS tunnel (and probably others), only ::1 (the PoP side) and ::2 (your endpoint) of the tunnel /64 can be used; the rest of it is not routed. Therefore you need a subnet and must enable it before you can use radvd.
With OpenWrt Attitude Adjustment 12.09-rc1 in my configuration, the default IPv6 gateway isn't set correctly. My solution was:
Check the IPv6 kernel routing table with ip -6 route
it was set to:
default via fe80::1 dev br-wan proto kernel metric 1024
I corrected it by deleting the old default route and then adding the correct one.
ip route del default via fe80::1 dev br-wan
ip route del default via fe80::1 dev br-wan
ip -6 route add default via 2001:4dd0:xxxx:yyyy::1
IPv6 Stack not found
Possibly from using a version of OpenWrt with Linux kernel 2.4 (e.g. brcm-2.4). Try brcm47xx if you can. Note that the kernel was held back for Broadcom because the wireless driver was not as stable in 2.6, so there is a tradeoff.
Do not use hotplug scripts!
(Especially in Backfire 10.03) Do not use the hotplug scripts for AICCU. Automatically restarting AICCU causes automatic blocking by the TIC server when the restart occurs too often.
References
- OpenWRT IPv6 Howto
- IPv6 Firewalling
- OpenWrt Project (Web interface must be installed from command line)
- X-Wrt OpenWrt with nice web interface pre-installed