OpenWRT IPv6: Setting up a tunnel with AICCU

From OnnoWiki

Source: https://www.sixxs.net/wiki/Aiccu/Installing_on_OpenWRT



Main topic page: Aiccu.

It is possible to maintain a dynamic AYIYA tunnel using the Aiccu client on an OpenWRT router. The routed subnet can then be announced on the LAN, giving IPv6 connectivity to every connected device that supports it.


For this walkthrough we assume you have a basic install of OpenWRT Kamikaze and know how to connect to it using ssh, navigate Linux directories, and use vi.

Prerequisites

Expect problems with OpenWRT Attitude Adjustment (12.09): the aiccu configuration files are missing from the package and the start-up scripts are still under discussion.

Possible alternatives are to stay with your working OpenWRT release and wait, to build your own workaround, or to use the current version, Barrier Breaker 14.07.

All versions before Barrier Breaker 14.07

Out of the box, OpenWRT does not have any IPv6 utilities or kernel level support for IPv6. This can easily be solved by installing the necessary packages.

To install the packages, execute the following commands on your OpenWRT-box:

opkg update
opkg install kmod-ipv6
opkg install kmod-ip6tables
opkg install ip6tables
opkg install ip
opkg install kmod-tun
opkg install aiccu
opkg install radvd
opkg install ntpclient

In order, the above packages are:

  • Kernel support for IPv6
  • Kernel support for iptables for IPv6 (Optional: needed for IPv6 firewalling with ip6tables)
  • iptables for IPv6 (Optional: See above)
  • Utilities to manage the IP configuration
  • Kernel support for Virtual Network Interface devices (tun) to create tunnels
  • AICCU: Automatic IPv6 Connectivity Client Utility
  • Router IPv6 Advertisement Daemon (Optional, not needed if you do not have a subnet, or if you use static IPv6 addresses)
  • System clock requires synchronization for tunnel to stay up, so some ntp package is required. ntpclient is recommended.

If you run White Russian, be warned that this distribution ships an old aiccu and its backports contain a broken one. If you want a working build for mipsel, you can get it here (see the related blog post for more information).

In addition, the White Russian install-program is called ipkg instead of Kamikaze's opkg.

After installing the above packages:

reboot

Barrier Breaker 14.07 and later

Barrier Breaker and newer versions have native IPv6 support. Only one extra package, aiccu, needs to be installed (see the Barrier Breaker section below).

  • Native IPv6-support with DHCPv6, an RA & DHCPv6-Server and an IPv6-firewall are installed and configured by default.
  • Transitioning technologies like 6in4, 6rd, 6to4 or ds-lite can be installed using the packages with the same names.
  • For WebUI-support install the package luci-proto-ipv6.


Set Time

If your system clock is not synchronized to network time, AICCU exits with an error message (see syslog or 'logread'), because the TIC server rejects clients whose time is too far off. Note that ntpclient only slews the clock and will not correct it when it is far from correct (which is the normal state right after boot on a router without a battery-backed clock).

Install 'rdate' instead; it sets the clock directly rather than adjusting it slowly.

Use the following before starting AICCU to force the time to be set (which also confirms that network connectivity is working):

  NTPSERVER=0.pool.ntp.org
  
  while : ; do
      rdate ${NTPSERVER}
      [ $? = 0 ] && break
      sleep 5
  done

'ntpdate' can also be used, but it may refuse to set the clock when the offset to the real time is too large, which is why 'rdate' is preferred.

Tunnel Configuration

White Russian

Edit /etc/aiccu.conf to include your login and what tunnel to bind to.

Sample Configuration:

# AICCU Configuration
#
# Login information (defaults: none)
username ABC1-SIXXS
password 1234
#
# Interface names to use (default: aiccu)
ipv6_interface sixxs
#
# The tunnel_id to use (default: none)
# (only required when there are multiple tunnels in the list)
tunnel_id T12345
#
# Be verbose? (default: false)
verbose false
#
# Daemonize? (default: true)
# Set to false if you want to see any output
# When true output goes to syslog
daemonize true
#
# Automatic Login and Tunnel activation?
automatic true
#
# Require TLS?
#
requiretls false
#
# PID File
pidfile /var/run/aiccu.pid
#
# Add a default route (default: true)
defaultroute true

Start aiccu and check the system logs for errors using the following.

aiccu start
logread

If aiccu is pleased it will show in the log something along the lines of

Jul 18 13:47:51 (none) local7.info syslog: Succesfully retrieved tunnel information for T12345
Jul 18 13:47:51 (none) local7.info syslog: AICCU running as PID 1234
Jul 18 13:47:52 (none) local7.info syslog: [AYIYA-start] : Anything in Anything (draft-02)
Jul 18 13:47:52 (none) local7.info syslog: [AYIYA-tun->tundev] : (Socket to TUN) started

Check that ipv6 is working by pinging sixxs.

ping6 sixxs.net
ping6 2001:XXXX:XXXX:XXXX::1    # the tunnel server (PoP side of the tunnel)
ping6 2001:XXXX:XXXX:XXXX::2    # your endpoint, the WRT54G router

Note: do not reuse these two addresses for the router's LAN configuration; only ::1 and ::2 of the tunnel /64 are routed. Use addresses from the routed subnet that comes with the tunnel instead.

Kamikaze

Kamikaze uses /etc/config/aiccu for its configuration.

The first time you will have a file like:

config aiccu
       option username         'ABC1-SIXXS'
       option password         '1234'
       option protocol         
       option server           
       option interface        'sixxs'
       option tunnel_id        
       option requiretls       '0'
       option defaultroute     '1'
       option nat              '1'
       option heartbeat        '1'

Edit the file to your settings. Protocol is typically tic and server is tic.sixxs.net. Consider setting requiretls to '1' so that the TIC login is protected by TLS rather than sent in the clear, as the Barrier Breaker example below does.

In the command prompt, type:

/etc/init.d/aiccu start

The above command starts the aiccu client using /etc/config/aiccu as the basis for its configuration. (The generated configuration is stored in /tmp/run/aiccu-cfg######.conf; do not edit that file, since it is regenerated by the /etc/init.d/aiccu script on every start.)

You can verify that the tunnel started by executing:

logread

If aiccu is pleased it will show in the log something like:

Jul 18 13:47:51 (none) local7.info syslog: Succesfully retrieved tunnel information for T12345
Jul 18 13:47:51 (none) local7.info syslog: AICCU running as PID 1234

Check that ipv6 is working by pinging sixxs:

ping6 sixxs.net
ping6 2001:XXXX:XXXX:XXXX::1
ping6 2001:XXXX:XXXX:XXXX::2

The tunnel will start automatically at every reboot, however, sometimes the tunnel may start too early. Therefore, you should edit /etc/init.d/aiccu and change the line:

START=50

to

START=80

Backfire

Backfire also uses /etc/config/aiccu for its configuration. After you install aiccu, edit the file to set your username and password. The default protocol is tic and the default server is tic.sixxs.net, so you can leave these blank. Set the interface to sixxs.0 in order to simplify the firewall setup (see below; the firewalling section uses the name sixxs0, so whichever name you pick, use the same one in /etc/config/aiccu and /etc/config/network). Consider also setting requiretls to '1' so that the TIC login is protected by TLS.

This is how your /etc/config/aiccu file should look like:

config aiccu
       option username         'ABC1-SIXXS'
       option password         '1234'
       option protocol         
       option server           
       option interface        'sixxs.0'
       option tunnel_id        
       option requiretls       '0'
       option defaultroute     '1'
       option nat              '1'
       option heartbeat        '1'

After editing the file, type in the command prompt:

/etc/init.d/aiccu start

The above command starts the aiccu client using /etc/config/aiccu as the basis for its configuration. (The generated configuration is stored in /tmp/run/aiccu-cfg######.conf; do not edit that file, since it is regenerated by the /etc/init.d/aiccu script on every start.)

You can verify that the tunnel started by executing:

logread

If aiccu is pleased it will show in the log something like:

Jul 18 13:47:51 (none) local7.info syslog: Succesfully retrieved tunnel information for T12345
Jul 18 13:47:51 (none) local7.info syslog: AICCU running as PID 1234

Check that ipv6 is working by pinging sixxs:

ping6 sixxs.net
ping6 2001:XXXX:XXXX:XXXX::1
ping6 2001:XXXX:XXXX:XXXX::2

The tunnel will start automatically at every reboot. In Backfire, aiccu is correctly started after radvd, so there is no need to change the START parameter in /etc/init.d/aiccu.

Barrier Breaker

As of Barrier Breaker (14.07) RC1, AICCU is now integrated with netifd. This release of OpenWRT also sports native IPv6 support, so no extra software is needed for IPv6.

Install software dependencies:

opkg update
opkg install aiccu

Edit the 'wan6' section in /etc/config/network to read as follows, filling the appropriate information from your tunnel information:

config interface 'wan6'
       # mandatory settings
       option proto 'aiccu'
       option username ' SIXXS user name/tunnelID '
       option password ' TIC tunnel password '
       # optional settings (but you should set these, comment out using #)
       option tunnelid ' ID of SIXXS tunnel '
       option ip6prefix ' routed subnet prefix '
       option requiretls 'true'            # false sends the TIC login to the server without TLS, which is a security risk
       # optional
       #option server ' IP address or FQDN of TIC server '
       #option ip6addr ' IP of this host on routes subnet '
       #option heartbeat ' makebeats? 1 or 0 '
       #option sourcerouting ' 1 or 0 '
       #option defaultroute ' 1 or 0 '
       #option verbose ' 1 or 0 '

Tell netifd to reload the configuration file:

/etc/init.d/network reload

Verify with logread that AICCU has been started and finally ping sixxs to check the connection.

ping6 sixxs.net


AICCU fails at boot

Due to DNS and time issues AICCU may fail to start at boot; see ticket #17744.

The following patch to /lib/netifd/proto/aiccu.sh adds a workaround that can be applied until the issue is fixed.

--- lib/netifd/proto/aiccu.sh	2014-08-08 12:20:06.000000000 +0200
+++ /lib/netifd/proto/aiccu.sh	2014-09-21 11:59:53.000000000 +0200
@@ -43,6 +43,16 @@
	echo "daemonize true"	  >> "$CFGFILE"
	echo "pidfile $PIDFILE"   >> "$CFGFILE"
 
+# work-around for https://dev.openwrt.org/ticket/17744
+	NTPSERVER=pool.ntp.org
+ 
+	local try=0
+	local max=10
+	while [ $((++try)) -le $max ]; do
+		ntpd -qn -p pool.ntp.org >/dev/null 2>&1 && break
+		sleep 6
+	done
+# end of work-around
+
	aiccu start "$CFGFILE"

	[ "$?" -ne 0 ] && {
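Review bot: NTPSERVER is assigned (`NTPSERVER=pool.ntp.org`) but never read; the `ntpd -qn -p pool.ntp.org` line hardcodes the pool, so the advice below to switch to another pool only works if that line is edited as well. Use `ntpd -qn -p "$NTPSERVER"` so the variable is the single place to change. Also worth stating in a comment that the loop blocks the proto handler for up to a minute (10 tries with a 6 s sleep) when no NTP server is reachable, and that aiccu is started regardless of whether the sync succeeded.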

If the clock is still wrong afterwards, try another NTP pool.

Check the pools at NTP.org.

Change pool.ntp.org to another pool, e.g. 0.br.pool.ntp.org.

Bleeding edge / trunk / Chaos Calmer

Chaos Calmer is the current development version, also called Bleeding Edge or trunk. Look at the instructions for Barrier Breaker or configure everything with the luci webinterface.

You need the following packages:

luci
luci-proto-ipv6
aiccu

Then you can change the interface wan6 from dhcp to aiccu/sixxs and enter your login data.


Subnet Configuration

Note that the IPv6 router does not need to be the same device as your IPv4 router: the tunnel carries IPv6 inside IPv4 (UDP for AYIYA, protocol 41 for 6in4) straight through your existing IPv4 gateway, so the IPv6 router can sit behind your existing gateway and firewall. The consequence is that every LAN host that picks up an address from your routed subnet becomes directly reachable from the IPv6 Internet, and none of your existing IPv4 iptables or NAT rules apply to that traffic. Treat this as a new exposure of the inside of your network and put ip6tables rules in place before you announce the prefix (see the firewalling section below).


Routing (all versions up to 12.09)

Note: you need to use addresses from a subnet and enable it before you can use radvd; the subnet is not the same as the tunnel. Each tunnel comes with a separate /64 (or /48 if you requested one) called the "default routed subnet". Use this prefix for your router, <Subnet-Prefix>::1/64 being a reasonable choice.

To give connectivity to other hosts on your subnet, you first need to set the IPv6 address of your OpenWRT box, which is now your router. We assume it has the suffix ::1 in the examples below.

Edit /etc/config/network and add the following line under the correct interface:

option 'ip6addr' '<Subnet-Prefix>::1/64'

Here is part of an example config-file:

config 'interface' 'lan'
	option 'type' 'bridge'
	option 'ifname' 'eth0.0'
	option 'proto' 'static'
	option 'ipaddr' '192.168.10.1'
	option 'netmask' '255.255.255.0'
	option 'dns' '192.168.10.5'
	option 'defaultroute' '0'
	option 'peerdns' '0'
	option 'ip6addr' '2001:####:###::1/64'

Then you need to add / uncomment the following line at the bottom of /etc/sysctl.conf:

net.ipv6.conf.all.forwarding=1

Radvd

Radvd is how an IPv6 router advertises its existence on your network. It accomplishes much of what DHCP does for IPv4: without being polled by devices, radvd periodically sends Router Advertisements carrying the router's link-local address and a prefix from which clients generate their own addresses (stateless address autoconfiguration, SLAAC). Originally the interface identifier was derived from the client's MAC address; most operating systems now also generate random or privacy addresses in the same /64.

If you have been assigned a subnet such as a /48, you may be tempted to advertise the whole thing as your network prefix, but automatic address assignment only works when you advertise a /64: SLAAC clients always fill in a 64-bit interface identifier, so advertise one /64 out of your /48 per LAN segment.

For details on the other radvd options, refer to the man page for radvd.conf.

White Russian

Edit /etc/radvd.conf to make radvd properly advertise the subnet.

(note the bridge name: use whatever ifconfig shows for your LAN bridge. The stock radvd.conf example uses br0, the White Russian default, while Kamikaze and later name it br-lan.)

interface br-lan
{
       AdvSendAdvert on;
       prefix <Subnet-Prefix>::/64
       {
               AdvOnLink on;
               AdvAutonomous on;
       };
};

Kamikaze and Backfire

Kamikaze and Backfire use /etc/config/radvd, which lists options corresponding to those listed in the radvd.conf file shown above. Your interface and prefix section should look like this:

config interface
        option interface        'lan'
        option AdvSendAdvert    1
        option AdvManagedFlag   0
        option AdvOtherConfigFlag 0
        list client             ''
        option ignore           0

config prefix
        option interface        'lan'
        # If not specified, a non-link-local prefix of the interface is used
        list prefix             '<Subnet-Prefix>::/64'
        option AdvOnLink        1
        option AdvAutonomous    1
        option AdvRouterAddr    0
        option ignore           0

Make sure to set the ignore option to zero to enable radvd and set your prefix.

Finalize

Execute the following commands to configure these services to autostart after the next reboot of your router:

/etc/init.d/radvd enable
/etc/init.d/aiccu enable

Then restart the router one last time to make everything take effect.

reboot

If everything is working correctly, then restarting the network adapter of a connected device should result in it assigning itself an IPv6 address on your subnet. If this does not happen, unplug the router, count to 30 and plug it back in to make sure computers on the LAN are not caching old settings. Do not worry if your devices show a router address different from your subnet and beginning with FE80. This is a link local address which also works just fine for reaching your router. You get one of these also. As long as you also show an IP address on the new subnet, you can know that the router can direct external traffic to your device.

Routing (Barrier Breaker 14.07 and later)

Note: you need to use addresses from a routed subnet and enable it before you can use odhcpd; the subnet is not the same as the tunnel. Each tunnel comes with a separate /64 (or /48 if you requested one) called the "default routed subnet". Use this prefix for your router, <Subnet-Prefix>::1/64 being a reasonable choice. Note 2: radvd is no longer used in Barrier Breaker 14.07; odhcpd sends the router advertisements.

The subnet prefix has to be set in /etc/config/network for the tunnel device(see the instructions for tunnel setup):

 
config interface 'wan6' #(if you followed the example from above)
        ...
        option ip6prefix '2001:xxxx:xxxx:xxxx::/64'   # the routed prefix itself, without host bits
        ...

Be sure to use the routed prefix, not the tunnel prefix (sometimes only 1 character is different!). Afterwards, enable prefix delegation for your lan interface:

config interface lan
        option proto    static
        option ip6assign 64
        ...

This assigns a /64 from every available public prefix (the routed one from the tunnel and, by default, also a ULA prefix that can be used for local routing). Do not use option ip6addr on the LAN interface. See this page for more options: Downstream configuration for LAN-Interfaces - OpenWRT Wiki.
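The checks implied by the notes above (the routed prefix is not the tunnel /64, it carries no host bits, and SLAAC needs a /64) and by the radvd section's remark about MAC-derived client addresses, as an added Python example. This is not code from the original page, from SixXS or from OpenWrt; it uses only the standard ipaddress module, and every address in it is a constructed documentation-range (2001:db8::/32) value, not a real tunnel. The helper names (check_routed_prefix, router_and_lan_prefix, slaac_address) are this example's own.

```python
import ipaddress


def check_routed_prefix(tunnel_endpoint, routed_prefix):
    """Sanity-check the prefix you are about to advertise on the LAN.

    tunnel_endpoint: this router's end of the tunnel as CIDR (the ::2 address /64).
    routed_prefix:   the 'default routed subnet' from the tunnel information page.
    Returns a list of problems; an empty list means the prefix is usable.
    """
    endpoint = ipaddress.IPv6Interface(tunnel_endpoint)
    try:
        routed = ipaddress.IPv6Network(routed_prefix)  # strict: rejects host bits such as ::1/64
    except ValueError as exc:
        return [f"routed prefix is malformed or has host bits set: {exc}"]
    problems = []
    if routed.prefixlen > 64:
        problems.append(f"/{routed.prefixlen} is longer than /64; SLAAC clients cannot autoconfigure")
    if routed.overlaps(endpoint.network):
        problems.append("prefix overlaps the tunnel /64; only ::1 and ::2 of that /64 are routed")
    return problems


def router_and_lan_prefix(routed_prefix):
    """Return (router LAN address as CIDR, first /64 of the routed prefix).

    For a routed /48 this is the /64 that 'option ip6assign 64' hands out first;
    for a routed /64 it is the prefix itself.
    """
    routed = ipaddress.IPv6Network(routed_prefix)
    lan = routed if routed.prefixlen == 64 else next(routed.subnets(new_prefix=64))
    return f"{lan[1]}/64", str(lan)


def slaac_address(prefix, mac):
    """Address a client derives from an advertised /64 and its MAC (modified EUI-64, RFC 4291).

    The universal/local bit of the first octet is flipped and ff:fe is inserted in the
    middle. Privacy extensions (RFC 4941) replace this identifier with a random one,
    but the /64 requirement is the same.
    """
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    m = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


# Constructed example values (documentation range, not a real SixXS tunnel):
# tunnel /64 is 2001:db8:a:1::/64 (PoP ::1, router ::2); routed subnet is 2001:db8:b:1::/64,
# which differs from the tunnel /64 by a single character, exactly the mix-up the text warns about.
TUNNEL_ENDPOINT = "2001:db8:a:1::2/64"
ROUTED_PREFIX = "2001:db8:b:1::/64"

if __name__ == "__main__":
    for candidate in (ROUTED_PREFIX, "2001:db8:a:1::/64", "2001:db8:b:1::1/64", "2001:db8:b:1::/80"):
        print(candidate, check_routed_prefix(TUNNEL_ENDPOINT, candidate) or "OK")
    print(router_and_lan_prefix("2001:db8:b::/48"))
    print(slaac_address(ROUTED_PREFIX, "00:11:22:33:44:55"))
```

Run it with python3 on any machine, substituting your own endpoint and routed prefix: an empty problem list plus the printed ::1/64 is what goes into ip6addr (releases up to 12.09) or what ip6assign 64 will carve out for you (14.07 and later).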

Finalize

Restart the router one last time to make everything take effect.

reboot

If everything is working correctly, then restarting the network adapter of a connected device should result in it assigning itself several IPv6 addresses, including one on your subnet. If this does not happen, unplug the router, count to 30 and plug it back in to make sure computers on the LAN are not caching old settings. Do not worry if your devices show a router address different from your subnet and beginning with FE80. This is a link local address which also works just fine for reaching your router. You get one of these also. As long as you also show an IP address on the new subnet, you can know that the router can direct external traffic to your device.

Firewalling (using OpenWrt firewall2 configuration)

Hint: this has been tested with a SixXS 6in4-heartbeat tunnel.

On newer releases of Kamikaze and Backfire, iptables and ip6tables can be configured through /etc/config/firewall (the firewall2 UCI configuration).

Preparation

Before you apply any change create backups of your /etc/config/firewall and /etc/config/network by using

root@OpenWrt:~# uci export network > network.uci
root@OpenWrt:~# uci export firewall > firewall.uci

In case of failure just do a reimport of the saved configuration files and reboot.

root@OpenWrt:~# uci import < network.uci
root@OpenWrt:~# uci import < firewall.uci

Or apply any of your preferred configuration backup.

First Step

If you have a running configuration stop the aiccu tunnel first.

 root@OpenWrt:~# /etc/init.d/aiccu stop

Create an additional interface wan6 in /etc/config/network and bind it to the tunnel interface name "sixxs0" (the device aiccu will create in the next step; it is a tun interface, not a VLAN):

config 'interface' 'wan6'
	option 'proto' 'static'
	option 'ifname' 'sixxs0'
	option 'auto'  '1' 
	option 'ip6addr' '2001:your:end:point::2'
	option 'send_rs' '0'

Hint: set option auto to 1; this adds wan6 (sixxs0) to zone wan6 and everything works as expected.

Second Step

Change the interface name in /etc/config/aiccu to sixxs0.

	option username         'YOUR-SIXXS/T1234'
	option password         'password'
	option protocol         'tic'
	option server           'tic.sixxs.net'
	option interface        'sixxs0'
	option tunnel_id        'T1234'
	option requiretls       '0'
	option defaultroute     '1'
	option nat              '1'
	option heartbeat        '1'

Final Step

Adapt your /etc/config/firewall as shown below.

(Change it carefully in case you already have other ipv4 rules in place.)

config 'defaults'
	option 'syn_flood' '1'
	option 'input' 'ACCEPT'
	option 'output' 'ACCEPT'
	option 'forward' 'REJECT'
	option 'drop_invalid' '1'
....
your standard firewall config 
.... 

config 'include'
	option 'path' '/etc/firewall.user'

config 'zone'
	option 'name' 'wan6'
	option 'output' 'ACCEPT'
	option 'network' 'wan6'
	option 'family' 'ipv6'
	option 'input' 'DROP'
	option 'forward' 'DROP'

config 'forwarding'
	option 'dest' 'wan6'
	option 'src' 'lan'

# Drop packets carrying a Routing Header type 0 (RH0, deprecated by RFC 5095) addressed to the router itself.
# A rule with only 'src' applies to the input chain.
config 'rule'
	option 'name' 'RH0'
	option 'family' 'ipv6'
	option 'target' 'DROP'
	option 'extra' '-m rt --rt-type 0'
	option 'proto' 'all'
	option 'src' 'wan6'

# The same check for traffic forwarded from the tunnel into the LAN ('src' plus 'dest' selects the forward chain).
config 'rule'
	option 'name' 'RH0-fwd'
	option 'family' 'ipv6'
	option 'target' 'DROP'
	option 'extra' '-m rt --rt-type 0'
	option 'proto' 'all'
	option 'src' 'wan6'
	option 'dest' 'lan'

# ICMPv6 is not optional in IPv6: path MTU discovery (packet-too-big) and error reporting must get through.
# Only the listed types are accepted, rate-limited; everything else from wan6 hits the zone default DROP.
config 'rule'
	option 'target' 'ACCEPT'
	option 'name' 'Allow-Ping ipv6'
	option 'family' 'ipv6'
	option 'proto' 'icmp'
	option 'src' 'wan6'
	option 'limit' '1000/sec'
	list 'icmp_type' 'echo-request'
	list 'icmp_type' 'destination-unreachable'
	list 'icmp_type' 'packet-too-big'
	list 'icmp_type' 'time-exceeded'
	list 'icmp_type' 'bad-header'
	list 'icmp_type' 'unknown-header-type'
	list 'icmp_type' 'router-solicitation'
	list 'icmp_type' 'neighbour-solicitation'
	list 'icmp_type' 'echo-reply'

And restart everything

 root@OpenWrt:~# /etc/init.d/network restart

 root@OpenWrt:~# /etc/init.d/firewall restart

 root@OpenWrt:~# /etc/init.d/aiccu start

Check if wan6 (sixxs0) is added to zone wan6 as shown below.

root@OpenWrt:~# logread | grep firewall
Jan 20 17:11:09 OpenWrt user.info firewall: adding lan (br-lan) to zone lan
Jan 20 17:11:09 OpenWrt user.info firewall: adding wan (eth0) to zone wan
Jan 20 17:11:12 OpenWrt user.info firewall: adding wan6 (sixxs0) to zone wan6

Check also if aiccu and radvd are up and running.

Don't forget to scan your ipv6 firewall configuration with an external ipv6 firewall check.

If everything fails, restore your configuration as described above and follow the firewalling method described in the section Post Setup.

Post Setup

You can use the command ip6tables (iptables for IPv6) to setup IPv6 Firewalling.

For Kamikaze, the rules go in /etc/firewall.user. Please note that the default Kamikaze kernel does not support rt matching, so you cannot block RH0 packets with -m rt --rt-type 0 there.
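What the two RH0 rules above (-m rt --rt-type 0) and the ICMPv6 allow-list of the Allow-Ping rule actually match, as an added Python example that walks an IPv6 packet's extension-header chain. This is not code from the original page, from SixXS or from OpenWrt; the packets it inspects are constructed inline with documentation-range addresses and zero checksums, and the function names (walk_headers, has_rh0, input_verdict) are this example's own. It models the input chain of the wan6 zone shown above (RH0 drop first, then the accepted ICMPv6 types, then the zone default DROP) and is meant for checking a capture offline, for instance on a Kamikaze box whose kernel lacks rt matching; it is not a replacement for ip6tables.

```python
import ipaddress
import struct

# IPv6 next-header numbers (IANA protocol numbers)
NH_HOPOPT, NH_TCP, NH_ROUTING, NH_FRAGMENT, NH_ICMPV6, NH_DESTOPTS = 0, 6, 43, 44, 58, 60
EXT_HEADERS = {NH_HOPOPT, NH_ROUTING, NH_FRAGMENT, NH_DESTOPTS}

# (type, code) pairs admitted by the "Allow-Ping ipv6" rule; None means any code.
# ip6tables names: echo-request 128, echo-reply 129, destination-unreachable 1,
# packet-too-big 2, time-exceeded 3, bad-header 4/0, unknown-header-type 4/1,
# router-solicitation 133, neighbour-solicitation 135.
ALLOWED_ICMPV6 = {(128, None), (129, None), (1, None), (2, None), (3, None),
                  (4, 0), (4, 1), (133, None), (135, None)}


def walk_headers(pkt):
    """Follow the extension-header chain of a raw IPv6 packet.

    Returns (chain, upper_proto, upper_offset) where chain is a list of
    (next_header_number, routing_type_or_None), one entry per extension header.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = pkt[6], 40, []
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        next_nh, ext_len = pkt[off], pkt[off + 1]
        # Fragment header is fixed at 8 bytes; the others are (ext_len + 1) * 8 bytes.
        hdr_len = 8 if nh == NH_FRAGMENT else (ext_len + 1) * 8
        chain.append((nh, pkt[off + 2] if nh == NH_ROUTING else None))
        nh, off = next_nh, off + hdr_len
    return chain, nh, off


def has_rh0(pkt):
    """True if any Routing header in the chain is type 0, which is what -m rt --rt-type 0 matches."""
    chain, _, _ = walk_headers(pkt)
    return any(h == NH_ROUTING and rtype == 0 for h, rtype in chain)


def input_verdict(pkt):
    """Model of the wan6 input chain above: RH0 -> DROP, listed ICMPv6 -> ACCEPT, anything else -> DROP."""
    if has_rh0(pkt):
        return "DROP"
    _, proto, off = walk_headers(pkt)
    if proto == NH_ICMPV6 and off + 4 <= len(pkt):
        icmp_type, icmp_code = pkt[off], pkt[off + 1]
        if (icmp_type, None) in ALLOWED_ICMPV6 or (icmp_type, icmp_code) in ALLOWED_ICMPV6:
            return "ACCEPT"
    return "DROP"  # zone wan6: option 'input' 'DROP'


# --- constructed test packets (documentation addresses, checksums left at zero) ---
def build_ipv6(src, dst, first_nh, body):
    hdr = struct.pack("!IHBB", 6 << 28, len(body), first_nh, 64)  # version 6, no flow label, hop limit 64
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + body


def icmpv6(icmp_type, icmp_code):
    return struct.pack("!BBHHH", icmp_type, icmp_code, 0, 0x1234, 1)  # type, code, checksum, id, seq


def hop_by_hop(next_nh):
    return struct.pack("!BB", next_nh, 0) + bytes([1, 4, 0, 0, 0, 0])  # one PadN option fills the 8 bytes


def rh0(next_nh, *hops):
    addrs = b"".join(ipaddress.IPv6Address(h).packed for h in hops)
    # next header, ext len (8-byte units after the first 8), routing type 0, segments left, reserved
    return struct.pack("!BBBBI", next_nh, len(addrs) // 8, 0, len(hops), 0) + addrs


SRC, DST = "2001:db8:1::2", "2001:db8:2::1"
PING = build_ipv6(SRC, DST, NH_ICMPV6, icmpv6(128, 0))
# RH0 hidden behind a Hop-by-Hop header: a naive check of the fixed header's next-header byte misses it
RH0_PING = build_ipv6(SRC, DST, NH_HOPOPT,
                      hop_by_hop(NH_ROUTING) + rh0(NH_ICMPV6, "2001:db8:3::1") + icmpv6(128, 0))
TCP_SYN = build_ipv6(SRC, DST, NH_TCP, bytes(20))
BAD_HEADER = build_ipv6(SRC, DST, NH_ICMPV6, icmpv6(4, 0))
UNKNOWN_OPTION = build_ipv6(SRC, DST, NH_ICMPV6, icmpv6(4, 2))  # parameter-problem code 2: not in the list

if __name__ == "__main__":
    for name, pkt in [("echo-request", PING), ("RH0 behind HBH", RH0_PING), ("tcp syn", TCP_SYN),
                      ("bad-header", BAD_HEADER), ("unknown-option", UNKNOWN_OPTION)]:
        print(f"{name:16} rh0={has_rh0(pkt)!s:5} verdict={input_verdict(pkt)}")
```

The point of the header walk is that RH0 need not be the first header after the fixed IPv6 header; the kernel rt match (and this model) follows Hop-by-Hop, Destination Options and Fragment headers until it reaches the Routing header or the upper-layer protocol.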


Troubleshooting

Installation brcm-2.4

When you follow the instructions above for installation, you will get the following error when installing aiccu:

  root # opkg install aiccu
  Collected errors:
   * Cannot find package aiccu.

In the current version of kamikaze 8.09.1 (aiccu_20070115-2.1_mipsel.ipk), there seems to be a dependency on a 2.6 kernel. (Cannot satisfy the following dependencies for aiccu: * kmod-sit *)

To get around this you can do the following:

  cd /tmp
  wget http://downloads.openwrt.org/kamikaze/8.09.1/brcm-2.4/packages/aiccu_20070115-2.1_mipsel.ipk 
  opkg --force-depends install aiccu_20070115-2.1_mipsel.ipk

You will get the following error message, which you can ignore:

  Collected errors:
   * Warning: Cannot satisfy the following dependencies for aiccu:
      *  kmod-sit * 

Then continue to follow the instructions above.

Running processes

Look at your running processes with ps. You should see aiccu, radvd, and ntpclient. If any of these are missing, either they were not started, or there is some reason they stopped. Find out why and fix.

If your tunnel is active, ifconfig will show an interface named sixxs.0:

sixxs.0     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet6 addr: 2001:.....
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1280  Metric:1
          ....

If you do not see it, try starting aiccu again. If this does not reappear in the ifconfig list, check logread for clues. Make sure your aiccu config file is correct.

Timing

If logread shows a message like:

May 31 12:15:29 OpenWrt local7.err syslog: The clock is off by 8577949 seconds, use NTP to sync it!
May 31 12:15:29 OpenWrt local7.err syslog: Couldn't retrieve first tunnel for the above reason, aborting

This means the tunnel started but due to your system clock being unsynchronized, it immediately aborted as no valid heartbeat or crypto could then be used.

See the note above about using rdate to resolve this problem.

If the number of seconds off is a near multiple of 3600, your error is in hours and likely a result of improperly set timezone. Change the TZ setting and then set your clock again to the current time and try again.

DNS

If you cannot successfully ping6 sixxs.net, try pinging the address numerically to see whether this is just a DNS problem:

ping6 2001:838:1:1:210:dcff:fe20:7c7c


Routing

If you can ping6 www.sixxs.net from your router, and you can ping6 your router from your clients, but somehow the clients cannot ping6 www.sixxs.net, you appear to have an issue with your default route. Check out this forum post: OpenWRT Kamikaze routing problem (Some people solve the problem by ensuring that aiccu starts after radvd).

I spent most of the weekend fighting this, in my case the problem was that I had not bothered to get a subnet from sixxs. For routing to/from the lan
Note: When using a SixXS tunnel (and probably others), only ::1 (the PoP) and ::2 (your endpoint) can be used as the rest is not routed! Therefore, you need to use a subnet and enable it before you are able to utilize radvd

With OpenWrt Attitude Adjustment 12.09-rc1 in my configuration, the default IPv6 gateway isn't set correctly. My solution was to check the IPv6 kernel routing table with ip -6 route;
it was set to:

default via fe80::1 dev br-wan  proto kernel  metric 1024

I corrected it by deleting the old default route and then adding the correct one.

ip -6 route del default via fe80::1 dev br-wan
ip -6 route add default via 2001:4dd0:xxxx:yyyy::1

IPv6 Stack not found

Possibly from using a version of OpenWrt with Linux kernel 2.4 (e.g. brcm-2.4). Try brcm47xx if you can. Note that the kernel was held back for Broadcom because the wireless driver was not as stable in 2.6, so there is a tradeoff.

Do not use hotplug scripts!

(Especially in Backfire 10.03) Do not use the hotplug scripts for AICCU. Automatically restarting AICCU causes automatic blocking by the TIC server when the restart occurs too often.
