Title: OpenBSD as an IPv6 router

	Title: OpenBSD as an IPv6 router
	Author: Solène
	Date: 13 June 2019
	Tags: openbsd networking
	Description:

	*This blog post is an update (OpenBSD 6.5 at that time) of this very
	same
	article I published in June 2018. Due to rtadvd replaced by rad, this
	text
	was not useful anymore.*

	I subscribed to a VPN service from the french association Grifon
	([Grifon
	website[FR]](https://grifon.fr) to get an IPv6 access to the world and
	play
	with IPv6. I will not talk about the VPN service, it would be
	pointless.

	I now have an IPv6 prefix of 48 bits which can theorically have 2^80
	addresses.

	I would like my computers connected through the VPN to let others
	computers in
	my network to have IPv6 connectivity.

	On OpenBSD, this is very easy to do. If you want to provide IPv6 to
	Windows
	devices on your network, you will need one more.

	In my setup, I have a tun0 device which has the IPv6 access and re0
	which is my
	LAN network.

	First, configure IPv6 on your lan:

	# ifconfig re0 inet6 autoconf

	that's all, you can add a new line "inet6 autoconf" to your file
	`/etc/hostname.if` to get it at boot.

	Now, we have to allow IPv6 to be routed through the differents
	interfaces of the router.

	# sysctl net.inet6.ip6.forwarding=1

	This change can be made persistent across reboot by adding
	`net.inet6.ip6.forwarding=1` to the file `/etc/sysctl.conf`.


	### Automatic addressing

	Now we have to configure the daemon rad to advertise the we are
	routing,
	devices on the network should be able to get an IPv6 address from its
	advertisement.

	The minimal configuration of /etc/rad.conf is the following:

	interface re0 {
	prefix 2a00:5414:7311::/48
	}

	In this configuration file we only define the prefix available, this is
	equivalent to a dhcp addresses range. Others attributes could provide
	DNS
	servers to use for example, see rad.conf man page.

	Then enable the service at boot and start it:

	# rcctl enable rad
	# rcctl start rad


	### Tweaking resolv.conf

	By default OpenBSD will ask for IPv4 when resolving a hostname (see
	resolv.conf(5) for more explanations). So, you will never have IPv6
	traffic until you use a software which will request explicit IPv6
	connection or that the hostname is only defined with a AAAA field.

	# echo "family inet6 inet4" >> /etc/resolv.conf.tail

	The file resolv.conf.tail is appended at the end of resolv.conf
	when dhclient modifies the file resolv.conf.


	### Microsoft Windows

	If you have Windows systems on your network, they won't get addresses
	from rad. You will need to deploy dhcpv6 daemon.

	The configuration file for what we want to achieve here is pretty
	simple, it consists of telling what range we want to allow on DHCPv6
	and a DNS server. Create the file `/etc/dhcp6s.conf`:

	interface re0 {
	address-pool pool1 3600;
	};
	pool pool1 {
	range 2a00:5414:7311:1111::1000 to 2a00:5414:7311:1111::4000;
	};
	option domain-name-servers 2001:db8::35;

	Note that I added "1111" into the range because it should not be on
	the
	same network than the router. You can replace 1111 by what you want,
	even CAFE
	or 1337 if you want to bring some fun to network engineers.

	Now, you have to install and configure the service:

	# pkg_add wide-dhcpv6
	# touch /etc/dhcp6sctlkey
	# chmod 400 /etc/dhcp6sctlkey
	# echo SOME_RANDOM_CHARACTERS \| openssl enc -base64 >
	/etc/dhcp6sctlkey
	# echo "dhcp6s -c /etc/dhcp6s.conf re0" >> /etc/rc.local

	The openbsd package wide-dhcpv6 doesn't provide a rc file to
	start/stop the service so it must be started from a command line, a
	way to do it is to type the command in `/etc/rc.local` which is run at
	boot.

	The openssl command is needed for dhcpv6 to start, as it requires a
	base64 string as a secret key in the file /etc/dhcp6sctlkey.