OpenVPN: IPv6 routed 2 LAN
Revision as of 12:49, 18 February 2019
NOTE:
- The iroute-ipv6 directive does not seem to work properly yet; it did not produce the internal routing effect for IPv6.
- Temporary workaround: the client is forced to NAT on tun0.
- Caveat: in the client CCD file below the iroute-ipv6 line is commented out. OpenVPN's server mode only forwards packets for a client-side prefix to that client when an active iroute-ipv6 for it exists in the CCD file; the route-ipv6 line in server.conf only installs the kernel route, so without the iroute-ipv6 the packets reach tun0 and are dropped inside OpenVPN.
Topology
LAN 1 ---------- HOST A ---------------- HOST B -------------- LAN 2
                 ovpn server             ovpn client
2002::/64        2345::1/64              2345::2/64            2003::/64
HOST A (OpenVPN Server)
OS   : Ubuntu 18.04
IP   : 192.168.0.239/24
IP   : 2345::1/64 (tunnel address)
LAN1 : 2002::/64
HOST B (OpenVPN Client)
OS   : Ubuntu 18.04
IP   : 2345::2/64 (tunnel address)
LAN2 : 2003::/64
Server Configuration
Enable IPv4 and IPv6 forwarding (the tun0 lines only succeed once the tunnel interface exists):
echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
echo 1 > /proc/sys/net/ipv4/conf/default/forwarding
echo 1 > /proc/sys/net/ipv4/conf/tun0/forwarding
echo 1 > /proc/sys/net/ipv4/conf/enp0s3/forwarding
echo 1 > /proc/sys/net/ipv4/conf/enp0s8/forwarding
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
echo 1 > /proc/sys/net/ipv6/conf/default/forwarding
echo 1 > /proc/sys/net/ipv6/conf/tun0/forwarding
echo 1 > /proc/sys/net/ipv6/conf/enp0s3/forwarding
echo 1 > /proc/sys/net/ipv6/conf/enp0s8/forwarding
or, persistently, in /etc/sysctl.conf:
net.ipv4.ip_forward=1
net.ipv4.conf.all.forwarding=1
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.default.forwarding=1
sysctl -p
ifconfig enp0s3 192.168.0.239 netmask 255.255.255.0
ifconfig enp0s8 10.10.10.1 netmask 255.255.255.0
ip addr add 2002::1/64 dev enp0s8
Additions to /etc/openvpn/server.conf
ifconfig 10.8.0.1 255.255.255.0
server 10.8.0.0 255.255.255.0
tun-ipv6
server-ipv6 2345::/64
push tun-ipv6
push "route-ipv6 2000::/3"       # send all global-unicast IPv6 from the client through the tunnel
route-ipv6 2003::/64             # kernel route on the server for LAN 2, pointing at tun0
client-config-dir client
Addition under /etc/openvpn/client (the client-config-dir)
File: client   # the file name must match the client's name (the common name used by client.ovpn)
ifconfig-push 10.8.0.2 255.255.255.0    # force a static IP on the client to simplify routing
push "route 10.10.10.0 255.255.255.0"   # push the route to the upstream (server-side) LAN
iroute 10.10.20.0 255.255.255.0         # internal routing toward the client-side LAN
                                        # (needs a matching "route 10.10.20.0 255.255.255.0" in server.conf for the kernel route)
# iroute-ipv6 2003::/64                 # left commented out by the author (see the note at the top);
                                        # without it OpenVPN cannot map 2003::/64 to this client
Client Gateway Configuration
Enable IPv4 and IPv6 forwarding (the tun0 lines only succeed once the tunnel interface exists):
echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
echo 1 > /proc/sys/net/ipv4/conf/default/forwarding
echo 1 > /proc/sys/net/ipv4/conf/tun0/forwarding
echo 1 > /proc/sys/net/ipv4/conf/enp0s3/forwarding
echo 1 > /proc/sys/net/ipv4/conf/enp0s8/forwarding
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
echo 1 > /proc/sys/net/ipv6/conf/default/forwarding
echo 1 > /proc/sys/net/ipv6/conf/tun0/forwarding
echo 1 > /proc/sys/net/ipv6/conf/enp0s3/forwarding
echo 1 > /proc/sys/net/ipv6/conf/enp0s8/forwarding
or, persistently, in /etc/sysctl.conf:
net.ipv4.ip_forward=1
net.ipv4.conf.all.forwarding=1
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.default.forwarding=1
sysctl -p
Firewall or NAT
To be safer, use a firewall (experimental):
ip6tables -P FORWARD DROP
ip6tables -A FORWARD -s 2003::/64 -d ::/0 -m comment --comment "allow outgoing traffic from local ipv6 range" -j ACCEPT
ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -m comment --comment "Accept established" -j ACCEPT
ip6tables -A INPUT -i enp0s8 -j ACCEPT
#
# allow specific access to one internal host
# (/128 selects that single host; a /64 mask here would open the whole LAN 2 prefix)
ip6tables -A FORWARD -d 2003::c01d/128 -m comment --comment "let internet control airco" -j ACCEPT

# Allow traffic initiated from VPN to access LAN
# (this admits anything arriving on tun0 into LAN 2 and makes the per-host rule above redundant;
#  leave it out if only the explicitly listed hosts should be reachable from the tunnel)
ip6tables -I FORWARD -i tun0 -o enp0s8 -m conntrack --ctstate NEW -j ACCEPT
# Allow traffic initiated from LAN to access "the world"
ip6tables -I FORWARD -i enp0s8 -o tun0 -m conntrack --ctstate NEW -j ACCEPT
# Allow established traffic to pass back and forth
ip6tables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
If the firewall approach also fails, it seems we are stuck with NAT. Note that this hides all of LAN 2 behind the client's tunnel address (2345::2), so hosts on LAN 1 can no longer initiate connections to hosts on LAN 2:
ip6tables -t nat -A POSTROUTING -s 2003::/64 -o tun0 -j MASQUERADE
Interface Configuration
ifconfig enp0s3 192.168.0.237 netmask 255.255.255.0
ifconfig enp0s8 10.10.20.1 netmask 255.255.255.0
ip addr add 2003::1/64 dev enp0s8
Install radvd
Edit /etc/radvd.conf so that hosts on LAN 2 autoconfigure addresses from 2003::/64:
# file: /etc/radvd.conf
interface enp0s8
{
    AdvSendAdvert on;
    prefix 2003::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
    };
};
Install
apt install radvd
NO additional configuration is needed in client.ovpn.
Make sure the interface setup is CORRECT.
Make sure the routing setup is CORRECT:
ip route show
ip -6 route show
route -n
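The two checks above are easy to get wrong by eye, so here is an added example (not part of the original page or of OpenVPN itself) that verifies the CCD file from the "Addition under /etc/openvpn/client" section and the output of `ip -6 route show` on both gateways. The prefixes and interface names are the page's; the sample CCD text and route tables embedded below are constructed for this example, not captured from the author's hosts.

```sh
#!/bin/sh
# Added example, not from the original page: sanity checks for the setup above.
# 1. The client's CCD file must carry an *active* (uncommented) iroute-ipv6 line
#    for LAN 2, or OpenVPN has no internal mapping from 2003::/64 to HOST B.
# 2. The kernel route tables on both gateways must point the right prefixes at
#    the right interfaces.
# Sample inputs at the bottom are constructed, not captured from real hosts.

# ccd_has_iroute6 CCD_TEXT PREFIX
# Returns 0 if CCD_TEXT contains an active "iroute-ipv6 PREFIX" line. A leading
# '#' makes the line a comment, so "# iroute-ipv6 2003::/64" (as in the page's
# client file) does not count.
ccd_has_iroute6() {
    printf '%s\n' "$1" | awk -v p="$2" '
        /^[ \t]*#/ { next }                       # skip commented-out lines
        $1 == "iroute-ipv6" && $2 == p { found = 1 }
        END { exit found ? 0 : 1 }'
}

# route_has TABLE PREFIX DEV
# Returns 0 if TABLE (text in "ip -6 route show" format) has a route for PREFIX
# whose outgoing device is DEV. Handles on-link routes ("2003::/64 dev tun0 ...")
# and gateway routes ("2003::/64 via 2345::2 dev tun0 ...").
route_has() {
    printf '%s\n' "$1" | awk -v p="$2" -v d="$3" '
        $1 == p { for (i = 2; i < NF; i++) if ($i == "dev" && $(i+1) == d) found = 1 }
        END { exit found ? 0 : 1 }'
}

# HOST A (server): tunnel prefix on tun0, LAN 1 on enp0s8, and LAN 2 reachable
# through tun0 (what "route-ipv6 2003::/64" in server.conf installs).
check_server_routes() {
    route_has "$1" 2345::/64 tun0 &&
    route_has "$1" 2002::/64 enp0s8 &&
    route_has "$1" 2003::/64 tun0
}

# HOST B (client): LAN 2 on enp0s8, tunnel prefix on tun0, and the pushed
# "route-ipv6 2000::/3" through tun0 so LAN 1 is reached via the VPN.
check_client_routes() {
    route_has "$1" 2003::/64 enp0s8 &&
    route_has "$1" 2345::/64 tun0 &&
    route_has "$1" 2000::/3 tun0
}

# ---- constructed sample inputs ------------------------------------------
CCD_PAGE='ifconfig-push 10.8.0.2 255.255.255.0
push "route 10.10.10.0 255.255.255.0"
iroute 10.10.20.0 255.255.255.0
# iroute-ipv6 2003::/64'

CCD_FIXED='ifconfig-push 10.8.0.2 255.255.255.0
push "route 10.10.10.0 255.255.255.0"
iroute 10.10.20.0 255.255.255.0
iroute-ipv6 2003::/64'

SERVER_TABLE='2002::/64 dev enp0s8 proto kernel metric 256 pref medium
2003::/64 dev tun0 metric 1024 pref medium
2345::/64 dev tun0 proto kernel metric 256 pref medium
fe80::/64 dev enp0s3 proto kernel metric 256 pref medium'

CLIENT_TABLE='2003::/64 dev enp0s8 proto kernel metric 256 pref medium
2345::/64 dev tun0 proto kernel metric 256 pref medium
2000::/3 dev tun0 metric 1024 pref medium
fe80::/64 dev enp0s3 proto kernel metric 256 pref medium'

# Live mode, run on the gateway itself:  sh check.sh server   or   sh check.sh client
if [ "$1" = "server" ] || [ "$1" = "client" ]; then
    [ "$(cat /proc/sys/net/ipv6/conf/all/forwarding)" = 1 ] || echo "WARN: IPv6 forwarding is off"
    if "check_$1_routes" "$(ip -6 route show)"; then echo "routes OK"; else echo "routes MISSING"; fi
fi
```

Run with no arguments the script only defines the functions and sample data; with `server` or `client` it reads the live sysctl and route table on that gateway. The `ccd_has_iroute6` check fails on the CCD file exactly as the page shows it and passes once the `#` is removed, which is the first thing to confirm before reaching for the NAT workaround.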
References
- https://openoffice.nl/2018/04/05/ipv6-openvpn-part2/
- https://backreference.org/2009/11/15/openvpn-and-iroute/