Linux Networking – Add IPv6 /64 Block to Server Using Netplan

hostingipv6linux-networkingnetplanubuntu-18.04

I have read Adding a whole IPv6 /64 block to an network interface on debian
We want to make use of the AnyIP feature to add a whole IPv6 /64 subnet block to a web hosting server but using Netplan because we are on Ubuntu 18.04

Side note: a couple of experts have advised against using AnyIP to configure IPv6 so we will also look at alternative solutions like manually configuring a smaller number of IPs.

Our datacenter does already route the /64 to a single IP, for example

The range  2001:db8:1:10::0/64  is routed to the IP  2001:db8:1::1:10
The range  2001:db8:1:11::0/64  is routed to the IP  2001:db8:1::1:11

In Netplan I can configure single IPs this way

network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      accept-ra: no
      addresses:
        - '2001:db8:1::1:10/48'
        - '2001:db8:1:10::0/64'
        - '2001:db8:1:10::1/64'
      gateway6: '2001:db8:1::1'

And this works. However I want to use the whole 2001:db8:1:10::/64 range on this server and I don't want to configure it in 18446744073709551616 lines.

Executing this command makes me able to ping all the /64 IPs from outside:

ip -6 route add local 2001:db8:1:10::/64 dev lo

Side note: a server daemon needs to support IP_FREEBIND to be able to bind to an IP which is not explicitly configured on an interface.

My question is: instead of having to execute ip -6 route add local .. after each reboot I would like to configure it the proper way inside the Netplan Yaml config.

Best Answer

Found a solution, but maybe someone knows a better one?

cat <<EOF > /usr/lib/networkd-dispatcher/routable.d/50-ipv6-block
#!/bin/sh
ip -6 route add local 2001:db8:1:10::/64 dev lo
exit 0
EOF

chmod 755 /usr/lib/networkd-dispatcher/routable.d/50-ipv6-block

To check if it works:

ip -6 route del local 2001:db8:1:10::/64
netplan apply
systemctl --no-pager status networkd-dispatcher.service
route -6 | grep 2001:db8:1:10::/64
ping6 -c2 2001:db8:1:10::1234

If you see a RTNETLINK answers: File exists this is because a route is added which already existed because of an earlier netplan apply

Server configuration

IPv6 addresses are based on the IPv4 part (the 1 in 10.8.0.1). The prefix and netmask are stored in /etc/openvpn/variables.

The next steps are made for setting up OpenVPN with encrypted IPv4/IPv6 connectivity to the Internet over a native IPv4 connection. RSA keys and tls-auth are used for authentication and MITM prevention.

/etc/openvpn/variables contains variables which are used for the up script (run on startup, after creation of tap0 device) and client-connect script (run after the client has authenticated).

# this prefix is handled out by the provider, replace it with your own prefix
prefix=2001:db8::abc
# netmask, 2001:db9::abc:0000 - 2001:db9::abc:FFFF
prefixlen=112

/etc/openvpn/server-clientconnect.sh is executed as root and makes sure that IPv6 is routed properly by adding the IPv6 address to the eth0 proxy. Because client-connect is called after OpenVPN switched to the user specified by the User setting, sudo is needed to give the script sufficient permissions to run as root. Of course, variables should be checked before using, the number should be between and including 2 ad 254. (1 is the gateway, 255 the broadcast address).

#!/bin/sh
. /etc/openvpn/variables
if [ -z "$ifconfig_pool_remote_ip" ]; then
        echo "Missing environment variable."
        exit 1
fi
ipp=$(echo "$ifconfig_pool_remote_ip" | cut -d. -f4)
if ! [ "$ipp" -ge 2 -a "$ipp" -le 254 ] 2>/dev/null; then
        echo "Invalid IP part."
        exit 1
fi
hexipp=$(printf '%x' $ipp)
/sbin/ip -6 neigh add proxy $pfx:$hexipp dev eth0

To make this work, the user vpn should be allowed to run the script while preserving $ifconfig_pool_remote_ip which contains the remote network IPv4 address. Add the next lines to the sudoers file by executing sudo visudo and appending:

Defaults:vpn env_keep=ifconfig_pool_remote_ip
vpn ALL=NOPASSWD: /etc/openvpn/server-clientconnect.sh

/etc/openvpn/server-up.sh enables IPv4, IPv6 forwarding (eth0+tap0 did not work, it really had to be all) and neighbor proxy on eth0. It adds the gateway address to servers tap0 too.

#!/bin/sh
. /etc/openvpn/variables
/sbin/ip -6 addr add $pfx:1/$pfxlen dev $dev
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
echo 1 > /proc/sys/net/ipv6/conf/eth0/proxy_ndp

Finally, the OpenVPN configuration file at /etc/openvpn/internet.conf:

proto udp
dev tap
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
script-security 2
up /etc/openvpn/server-up.sh
client-connect "/usr/bin/sudo -u root /etc/openvpn/server-clientconnect.sh"
# encrypt all traffic
push "redirect-gateway def1"
# keep the same IP addresses each time
ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-auth ta.key 0
cipher BF-CBC
comp-lzo
# OpenVPN will switch to this user, it is also used for sudo
user vpn
group vpn
persist-key
persist-tun

For completeness, permissions and ownerships of files in /etc/openvpn:

drwx------  root root  .
-rw-------  root root  ca.crt
-rw-------  root root  dh1024.pem
drwx------  root root  easy-rsa      <-- left from creation of keys
-rw-------  root root  ipp.txt
-rwx------  root root  server-clientconnect.sh
-rw-------  root root  internet.conf
-rw-------  root root  variables
-rwx------  root root  server-up.sh
-rw-------  root root  server.crt
-rw-------  root root  server.key
-rw-------  root root  ta.key
-rwx------  root root  update-resolv-conf <-- this was installed by default

Firewall settings:

itpables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -i tap0 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -s 2001::db8::abc:0/112 -i tap0 -o eth0 -j ACCEPT

Configuration on client

/etc/openvpn/client.conf:

client
dev tap
proto udp
remote 178.21.112.251 1194
script-security 2
up /etc/openvpn/client-up.sh
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert home.crt
key home.key
ns-cert-type server
tls-auth ta.key 1
cipher BF-CBC
comp-lzo

ta.key and ca.key are the same files from the server. home.key and home.crt are files, created on the server.

client-up.sh adds the IPv6 address and route (based on IPv4 address):

#!/bin/sh
pfx='2001:db8::abc'
pfxlen=112
hexippart=`printf '%x' "$(echo $ifconfig_local | cut -d. -f4)"`
/sbin/ip -6 addr add $pfx:$hexippart/$pfxlen dev $dev
/sbin/ip -6 route add default via $pfx:1 dev $dev

The guide at http://www.ipsidixit.net/2010/03/24/239/ was very helpful and OpenVPN manual page is useful for information about various settings.

Linux – Virtual IPv6 Network between VirtualBox VMs

OK, it does work now.

The only thing missing, was a correct default route. I was adding static routes here and there, but there was no return route. Giving the first and last node a default gateway did the trick. The intermediate routers were correctly configured

That also means having net.ipv6.conf.all.forwarding = 1 for all intermediate systems (routers) [This was already done when I asked my question]

Best Answer

Related Solutions

OpenVPN – Setup with IPv4 and IPv6 Using Tap Device

Server configuration

Configuration on client

Linux – Virtual IPv6 Network between VirtualBox VMs

Related Topic