IPv6 tunnel broker yourself using openvpn and 6to4

Do you want your devices (Windows / Linux / Android / iOS) to use IPv6, but your provider does not offer it yet? Do you have your own server, VDS or just a Linux machine with a permanent public IPv4 (not IPv6) address, or even your own openvpn server? Then this article may help you.
It is not written for seasoned network gurus; I simply gathered a set of instructions in one place with the aim of bringing IPv6 to the masses. I will nevertheless be grateful to any seasoned gurus who criticize me in the comments and point out mistakes, since I am writing this post almost immediately after the setup started working, and everything may be infinitely far from ideal.

What prompted me to set up this system was my new tablet, which refuses to get IPv6 from the wifi router, let alone use IPv6 over 3G.

We will need the following:
  1. A host with Linux and a public, static IPv4 address (any dedicated or virtual server will do). I have a VPS on Xen with Gentoo and my own kernel, but I do not believe I use anything non-standard, so it should work on the popular binary distributions.
  2. The iproute2 package installed on the server. Check with "ip --version".
  3. An openvpn server. The openvpn version must be >= 2.3; 2.3.2 or later is highly desirable.
  4. An openvpn client. There are versions for Linux, Windows, OS X, Android (1, 2) and iOS. The version requirements are the same as for the server.

Configuring IPv6 on the server via 6to4

To ease the transition to IPv6, the 6to4 mechanism was created: every IPv4 address has a corresponding /48 IPv6 subnet.
Suppose your server's IP is: (I took the IP of test.com as an example). We go to 6to4.version6.net/?lang=en_GB, enter the IP, and get the following settings:

Your IPv4 address is
Your 6to4 address is 2002:d040:79a1::2080:6412:1161
6to4 gateway address is

We only need the first three groups, 2002:d040:79a1. This is our /48 IPv6 subnet. The two groups after 2002 will be different in your case: they encode your IPv4 address.

We choose an address in this subnet. For simplicity you can use ::2 (for some reason I noticed glitches with ::1; maybe someone can tell me why, or maybe I imagined it), that is, 2002:d040:79a1::2.

Create the tunnel (replace the IPv4 address after local with your own):
ip tunnel add tun6to4 mode sit remote any local ttl 64
Raise the interface:
ip link set dev tun6to4 up
Assign the IPv6 address you chose earlier:
ip -6 addr add 2002:d040:79a1::2/128 dev tun6to4
Set the default route (the address after via is the common 6to4 relay router, do not change it!):
ip -6 route add 2000::/3 via :: dev tun6to4 metric 1
After that, our server should be able to work over IPv6. We check:
ping6 2001:ad0::1

In Gentoo I made all this persistent by adding the following lines to /etc/conf.d/net (creating the symlink net.lo -> net.tun6to4 and not forgetting to run rc-update add net.tun6to4 default):
iptunnel_tun6to4="mode sit remote any local ttl 64"
config_tun6to4="2002:d040:79a1::2"
routes_tun6to4="2000::/3 via :: dev tun6to4 metric 1"
rc_net_tun6to4_need="net.eth0"

If the pings go through, step 1 is done. If they don't, we think, and check whether we replaced everything that needed replacing with our own data. If nothing helps, describe in detail what you did (including the server IP) in the comments and I will try to help. I do not help via private messages.

Configuring openvpn to work with IPv6

How to configure openvpn has been written about here more than once, including here. Use the search. Just in case, here are my configs with the private data cut out.
Server (openvpn.conf):

port censored
proto udp
dev tun
ca vpn1/ca.crt
cert vpn1/server.crt
key vpn1/server.key
dh vpn1/dh2048.pem
server 10.censored
ifconfig-pool-persist ipp.txt
keepalive 10 60
comp-lzo adaptive
user nobody
group nobody
status openvpn-status.log

max-clients 30
tls-auth vpn1/ta.key 0
chroot /var/chroot/openvpn

cipher AES-256-CBC
auth SHA512

local censored
management localhost 7505
client-config-dir ccd

Client:
dev tun
proto udp

remote censored censored
resolv-retry infinite

comp-lzo adaptive
verb 3

key-direction 1

cipher AES-256-CBC
auth SHA512

verify-x509-name 'C=RU, ST=RU, L=censored'

To distribute IPv6 via openvpn, we choose a number for the /64 subnet: any number from 0 to FFFF, for example 5. So in my case the /64 subnet will be 2002:d040:79a1:5::. We add this line to openvpn.conf on the server:
server-ipv6 2002:d040:79a1:5::/64
In principle, this line is the whole openvpn IPv6 configuration. All that remains is to have the openvpn server tell clients the default IPv6 route. You can do this either globally in the server's openvpn.conf or in the ccd file of each client with the line:
push "route-ipv6 2000::/3"
You must also give the clients an IPv6 DNS server. I use my own; you can use Google's. In the server's openvpn.conf or in ccd:
push "dhcp-option DNS 2001:4860:4860::8888"
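The 6to4 prefix derivation from step 1 and the /64 subnet chosen above, as an added POSIX shell example that is not part of the original article: it computes the 2002: prefix from an IPv4 address the way 6to4.version6.net does, the reverse mapping for checking which host a 6to4 address seen in a log belongs to, and the server-ipv6 line for a given subnet number. The address 192.0.2.10 (documentation range) and subnet number 5 are constructed sample values, not the author's server.

```shell
#!/bin/sh
# Added example, not from the original article. Sample IPv4 192.0.2.10
# (documentation range) and subnet number 5 are constructed values.

# 6to4 prefix: 2002: followed by the IPv4 octets as two 16-bit hex groups.
# sixto4_prefix 192.0.2.10 -> 2002:c000:20a
sixto4_prefix() {
    save_ifs=$IFS; IFS=.; set -- $1; IFS=$save_ifs
    [ $# -eq 4 ] || { echo "bad IPv4: $*" >&2; return 1; }
    for o in "$@"; do
        # reject empty, non-numeric and leading-zero octets (octal ambiguity)
        case $o in ''|*[!0-9]*|0[0-9]*) echo "bad octet: $o" >&2; return 1 ;; esac
        [ "$o" -le 255 ] || { echo "octet out of range: $o" >&2; return 1; }
    done
    # %x prints each 16-bit group without leading zeros, as ip(8) shows it
    printf '2002:%x:%x\n' $(($1 * 256 + $2)) $(($3 * 256 + $4))
}

# Reverse mapping: which IPv4 host owns a 2002::/16 address (e.g. one seen
# in a log). sixto4_to_ipv4 2002:c000:20a::2 -> 192.0.2.10
sixto4_to_ipv4() {
    save_ifs=$IFS; IFS=:; set -- $1; IFS=$save_ifs
    [ "$1" = "2002" ] || { echo "not a 6to4 address" >&2; return 1; }
    for g in "$2" "$3"; do
        case $g in ''|*[!0-9a-fA-F]*) echo "bad hex group: $g" >&2; return 1 ;; esac
        [ ${#g} -le 4 ] || { echo "hex group too long: $g" >&2; return 1; }
    done
    g1=$((0x$2)); g2=$((0x$3))
    printf '%d.%d.%d.%d\n' $((g1 >> 8)) $((g1 & 255)) $((g2 >> 8)) $((g2 & 255))
}

# The /64 for openvpn's server-ipv6 line: the /48 plus a 16-bit subnet number.
# ovpn_server_ipv6 192.0.2.10 5 -> 2002:c000:20a:5::/64
ovpn_server_ipv6() {
    p=$(sixto4_prefix "$1") || return 1
    case $2 in ''|*[!0-9]*) echo "bad subnet number: $2" >&2; return 1 ;; esac
    [ "$2" -le 65535 ] || { echo "subnet number above FFFF: $2" >&2; return 1; }
    printf '%s:%x::/64\n' "$p" "$2"
}

# Demo: the commands from the article with the prefix filled in from the
# constructed IPv4 address. Run as: sh script.sh demo
if [ "${1-}" = "demo" ]; then
    ip4=192.0.2.10; p=$(sixto4_prefix "$ip4")
    echo "ip tunnel add tun6to4 mode sit remote any local $ip4 ttl 64"
    echo "ip -6 addr add $p::2/128 dev tun6to4"
    echo "server-ipv6 $(ovpn_server_ipv6 "$ip4" 5)"
fi
```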

(Re)start the server.
Nothing needs to change in the client's config. We connect to the server and should receive an IPv6 address. We check on the client:
ip -6 addr list
We see something like:
9: tun0: mtu 1500 qlen 100
inet6 2002:d040:79a1:5::1005/64 scope global

Similarly, we look at the IPv6 address of the tun interface on the server; most likely it ends in ::1 (2002:d040:79a1:5::1).
We try to ping from the client to the server and back. If it responds, very little is left.

We try to ping Google's DNS from the client:
ping6 2001:4860:4860::8888
It does not respond, because IPv6 forwarding must be enabled, just as for IPv4. We enable it:
sysctl -w net.ipv6.conf.all.forwarding=1
and save the setting in /etc/sysctl.conf:
net.ipv6.conf.all.forwarding = 1
Pings should now go from the client to Google, and in general the client should be able to use IPv6. For example, try opening ipv6.google.com in a browser. Done? Not at all!

The beauty of IPv6 is that all addresses are public. Therefore all your openvpn clients will be fully reachable from the big, dangerous Internet, so do not forget to configure the firewall on the server (ip6tables is used for IPv6). At minimum I added the following straight away.
We protect the server itself:
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -p tcp -m conntrack --ctstate NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
ip6tables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
ip6tables -A INPUT -j DROP

We protect the openvpn clients (this is also set on the server!):
ip6tables -A FORWARD -p tcp -m conntrack --ctstate NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
ip6tables -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
ip6tables -A FORWARD -i tun0 -j ACCEPT
ip6tables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -j DROP

Well, that's all. My Galaxy Tab 3 10.1 has gained access to IPv6. By the way, if anyone knows how to enable native IPv6 over WiFi on it (my router advertises it via radvd and everything picks it up, including a phone with CyanogenMod, but not the tablet with stock firmware :( ), please tell me, many thanks.

Send corrections in private messages; a good Friday and weekend to all.
