moonglows DD-WRT User
Joined: 01 Mar 2016 Posts: 58
Posted: Tue Sep 27, 2016 5:00 Post subject: DD-WRT IPv6 + VPN Config How-to
I found it a PITA to initially get IPv6 and VPN fully working, so I figured it would be helpful to add steps in here to help anybody looking to get it set up.
I have the Linksys EA8500 currently on the 30681 brainslayer build, but this config has worked on builds from many months before, when I initially cobbled this together.
The end result is that computers connecting to my network, either locally or via OpenVPN, have both an IPv4 and an IPv6 address. For the config outlined below, when I connect a device via VPN, I usually route all V4 and V6 traffic for that device through the VPN.
IPv6
-----------
I didn't want to use my native V6, so I went to the Hurricane Electric tunnel broker and got a /48. I then set up the DD-WRT IPv6 tab as the attachment shows. "HE" stands for Hurricane Electric, and the blanks in the last portion, the tunnel update URL, are your login and the update key for that tunnel in HE.
OpenVPN
-----------
Generating certs/keys etc. is out of scope of this tutorial, but you can use this howto to generate:
1. Public Server Cert
2. CA Cert
3. Private Server Key
4. DH PEM
Once those are generated, put them into the DD-WRT OpenVPN UI, including their prefix and suffix lines. As an example, it would look like:
Code:
-----BEGIN DH PARAMETERS-----
info here
-----END DH PARAMETERS-----
Add the config in the attachment. Feel free to change the Network line in the DD-WRT OpenVPN UI to anything that is unused within your network; just be sure to take that into account when adding your firewall rules further below.
I then added "additional config" to the OpenVPN UI in the OpenVPN tab so I could connect to my router via udp or udp6 from my phone or laptop when traveling, depending on whether I'm on an IPv4 or IPv6 network.
Code:
# IPv4 Setup
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "route 192.168.1.0 255.255.255.0"
# IPv6 Setup
;proto tcp6-server
proto udp6
server-ipv6 2001:****:****:1::/64
push "route-ipv6 2001:****:****::/48"
push "route-ipv6 2000::/3"
The first route line with 192.168.1.0 is your DD-WRT local network. If 192.168.1.1 is your router IP, enter 192.168.1.0 here. I don't suggest running 192.168.1.1 in general, but I had to use an example for this tutorial.
The server-ipv6 is your routed /48 from HE. Note that I made it a /64 by adding a hextet :1 to it.
The first push "route-ipv6" line is again that same /48 from HE.
Firewall
-----------
In the DD-WRT Administration -> Commands tab, I added the following script to the firewall script. This is where most of the DD-WRT how-tos usually did not have much information for me. The first command is your "Client IPv6 Address" from HE. Not sure why the IPv6 setup didn't auto-add it, as that is clearly one of the fields I entered into the IPv6 tab. The second command is the routed HE /48 with a ::1 at the end (again, I wish this was auto-added by DD-WRT). The last 2 commands are the port that I run SSH on, so I can connect to the router remotely via SSH if I wanted.
Code:
# Enable IPv6
# Client IPv6 Address from HE on the tunnel interface, then the routed /48 on the LAN bridge
/usr/sbin/ip addr add 2001:***********/64 dev ip6tun
/usr/sbin/ip addr add 2001:****:****::1/48 dev br0
/usr/sbin/ip route add ::/0 dev ip6tun
# List the resulting IPv6 addresses (diagnostic only)
/usr/sbin/ip -f inet6 addr
# Allow OpenVPN through V6 Firewall
# Each rule is deleted (-D) before being inserted (-I) so re-running the script does not stack duplicates
/usr/sbin/ip6tables -D INPUT -p tcp --dport 1194 -j ACCEPT
/usr/sbin/ip6tables -D INPUT -p udp --dport 1194 -j ACCEPT
/usr/sbin/ip6tables -I INPUT -p tcp --dport 1194 -j ACCEPT
/usr/sbin/ip6tables -I INPUT -p udp --dport 1194 -j ACCEPT
# Allow OpenVPN to route
/usr/sbin/iptables -t nat -D POSTROUTING -o tun2 -j MASQUERADE
/usr/sbin/iptables -D FORWARD -i br0 -o tun2 -j ACCEPT
/usr/sbin/iptables -D FORWARD -i tun2 -o br0 -j ACCEPT
/usr/sbin/iptables -t nat -D POSTROUTING -s 192.168.201.0/24 -o br0 -j MASQUERADE
/usr/sbin/iptables -t nat -D POSTROUTING -s 192.168.201.0/24 -j MASQUERADE
/usr/sbin/ip6tables -D FORWARD -i br0 -o tun2 -j ACCEPT
/usr/sbin/ip6tables -D FORWARD -i tun2 -o br0 -j ACCEPT
/usr/sbin/iptables -t nat -I POSTROUTING -o tun2 -j MASQUERADE
/usr/sbin/iptables -I FORWARD -i br0 -o tun2 -j ACCEPT
/usr/sbin/iptables -I FORWARD -i tun2 -o br0 -j ACCEPT
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.201.0/24 -o br0 -j MASQUERADE
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.201.0/24 -j MASQUERADE
/usr/sbin/ip6tables -I FORWARD -i br0 -o tun2 -j ACCEPT
/usr/sbin/ip6tables -I FORWARD -i tun2 -o br0 -j ACCEPT
# Allow SSH through V6 Firewall
/usr/sbin/ip6tables -D INPUT -p tcp --dport ***** -j ACCEPT
/usr/sbin/ip6tables -I INPUT -p tcp --dport ***** -j ACCEPT
Future
-----------
I haven't spent the time yet to get V6 QoS working to throttle normal network clients connected to the router. They can currently, technically, saturate my bandwidth.
V4 QoS works just fine for normal network clients. I haven't really tested V4/V6 QoS through OpenVPN, but I'm not that worried about it. It probably has the same issue as above, where V4 works but V6 doesn't.
Last edited by moonglows on Tue Sep 27, 2016 6:01; edited 1 time in total
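An added example, not part of the original post and not DD-WRT's or OpenVPN's own code: a POSIX sh script for the same firewall-script slot that derives the server-ipv6, route-ipv6 and br0 values from one HE routed /48 (2001:db8:1234 is a constructed documentation prefix, not a real allocation), checks that the VPN /64 actually sits inside that /48 so clients get addresses HE will route back, and installs the ip6tables rules with `-C` existence checks instead of the -D/-I pairs. The FORWARD rule specs match the post's; the `-i ip6tun` restriction on the OpenVPN INPUT rule, the HE_ROUTED48, OVPN_PORT and IP6T variable names and the helper function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the original poster's script): derive the IPv6 values the
# how-to has you type by hand from the HE routed /48, and add the ip6tables rules
# idempotently so the firewall script can be re-run without -D/-I pairs.
# HE_ROUTED48 is a constructed placeholder; replace it with your own three hextets.

HE_ROUTED48="${HE_ROUTED48:-2001:db8:1234}"   # routed /48 from HE, without the "::/48"
OVPN_PORT="${OVPN_PORT:-1194}"
IP6T="${IP6T:-/usr/sbin/ip6tables}"           # overridable so the helpers can be dry-run

# --- values for the OpenVPN "additional config" and the firewall script ---
# server-ipv6: the /48 with a :1 hextet appended, as a /64
derive_server_ipv6() { printf '%s:1::/64\n' "$1"; }
# push "route-ipv6 ...": the whole routed /48
derive_route_ipv6()  { printf '%s::/48\n' "$1"; }
# ip addr add ... dev br0: the /48 with ::1 as the router's LAN address
derive_br0_addr()    { printf '%s::1/48\n' "$1"; }

# Sanity check: the VPN /64 must sit inside the routed /48, otherwise VPN clients
# get addresses HE never routes back to your tunnel. Returns 0 when it does.
subnet_in_routed48() {
    # $1 = candidate prefix such as 2001:db8:1234:1::/64, $2 = routed /48 hextets
    case "$1" in
        "$2":*) return 0 ;;
        *)      return 1 ;;
    esac
}

# --- idempotent rule insertion ---
# ip6tables -C exits 0 only if an identical rule already exists; skip the -I then.
# Deleting and re-inserting (as in the post) logs an error on the first run and
# silently leaves the old copy behind if a rule spec is ever edited.
ensure_rule6() {
    if "$IP6T" -C "$@" 2>/dev/null; then
        return 0            # already present
    fi
    "$IP6T" -I "$@"
}

apply_firewall6() {
    # Accept OpenVPN only on the HE tunnel (ip6tun), the only IPv6 uplink here;
    # a matching tcp rule is only needed if you switch to proto tcp6-server.
    ensure_rule6 INPUT -i ip6tun -p udp --dport "$OVPN_PORT" -j ACCEPT
    # Forward between the LAN bridge and the OpenVPN tun device (tun2 on the poster's build)
    ensure_rule6 FORWARD -i br0 -o tun2 -j ACCEPT
    ensure_rule6 FORWARD -i tun2 -o br0 -j ACCEPT
}

# Usage: "show" prints the derived values to paste into the UI, "apply" installs the rules.
case "${1:-}" in
    show)
        echo "server-ipv6 $(derive_server_ipv6 "$HE_ROUTED48")"
        echo "push \"route-ipv6 $(derive_route_ipv6 "$HE_ROUTED48")\""
        echo "ip addr add $(derive_br0_addr "$HE_ROUTED48") dev br0"
        ;;
    apply)
        subnet_in_routed48 "$(derive_server_ipv6 "$HE_ROUTED48")" "$HE_ROUTED48" || exit 1
        apply_firewall6
        ;;
esac
```

Run it once as `HE_ROUTED48=2001:xxxx:xxxx sh script.sh show` to get the three values, then paste the body into the DD-WRT firewall script with `apply`; because every rule goes through `ensure_rule6`, DD-WRT re-running the firewall script on WAN reconnects leaves exactly one copy of each rule.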