Title: OpenBSD as an IPv6 router
Author: Solène
Date: 13 June 2019
Tags: openbsd networking
Description:
*This blog post is an update (for OpenBSD 6.5 at the time of writing) of the very same article I published in June 2018. Because rtadvd has been replaced by rad, the original text was no longer useful.*

I subscribed to a VPN service from the French association Grifon ([Grifon website[FR]](https://grifon.fr)) to get IPv6 access to the world and play with IPv6. I will not talk about the VPN service, it would be pointless.

I now have an IPv6 prefix of 48 bits which can theoretically have 2^80 addresses.

I would like my computers connected through the VPN to let other computers in my network have IPv6 connectivity.

On OpenBSD, this is very easy to do. If you want to provide IPv6 to Windows devices on your network, you will need one more.

In my setup, I have a tun0 device which has the IPv6 access and re0 which is my LAN network.

First, configure IPv6 on your LAN:

    # ifconfig re0 inet6 autoconf

That's all. You can add a new line "inet6 autoconf" to your file `/etc/hostname.if` to get it at boot.

Now, we have to allow IPv6 to be routed through the different interfaces of the router.

    # sysctl net.inet6.ip6.forwarding=1

This change can be made persistent across reboots by adding `net.inet6.ip6.forwarding=1` to the file `/etc/sysctl.conf`.

### Automatic addressing

Now we have to configure the daemon **rad** to advertise that we are routing; devices on the network should be able to get an IPv6 address from its advertisement.

The minimal configuration of **/etc/rad.conf** is the following:

    interface re0 {
        prefix 2a00:5414:7311::/48
    }

In this configuration file we only define the available prefix; this is equivalent to a DHCP address range. Other attributes could, for example, provide DNS servers to use; see the rad.conf man page.

Then enable the service at boot and start it:

    # rcctl enable rad
    # rcctl start rad

### Tweaking resolv.conf

By default OpenBSD will ask for IPv4 when resolving a hostname (see resolv.conf(5) for more explanations). So you will never have IPv6 traffic unless you use software that explicitly requests an IPv6 connection, or the hostname is only defined with an AAAA record.

    # echo "family inet6 inet4" >> /etc/resolv.conf.tail

The file **resolv.conf.tail** is appended at the end of resolv.conf when dhclient modifies the file **resolv.conf**.

### Microsoft Windows

If you have Windows systems on your network, they won't get addresses from **rad**. You will need to deploy a DHCPv6 daemon.

The configuration file for what we want to achieve here is pretty simple: it consists of telling what range we want to allow on DHCPv6 and a DNS server. Create the file `/etc/dhcp6s.conf`:

    interface re0 {
        address-pool pool1 3600;
    };
    pool pool1 {
        range 2a00:5414:7311:1111::1000 to 2a00:5414:7311:1111::4000;
    };
    option domain-name-servers 2001:db8::35;

Note that I added "**1111**" into the range because it should not be on the same network as the router. You can replace 1111 with whatever you want, even CAFE or 1337 if you want to bring some fun to network engineers.

Now, you have to install and configure the service:

    # pkg_add wide-dhcpv6
    # touch /etc/dhcp6sctlkey
    # chmod 400 /etc/dhcp6sctlkey
    # echo SOME_RANDOM_CHARACTERS | openssl enc -base64 > /etc/dhcp6sctlkey
    # echo "dhcp6s -c /etc/dhcp6s.conf re0" >> /etc/rc.local

The OpenBSD package wide-dhcpv6 doesn't provide an rc file to start/stop the service, so it must be started from the command line; one way to do it is to put the command in `/etc/rc.local`, which is run at boot.

The openssl command is needed for dhcpv6 to start, as it requires a base64 string as a secret key in the file */etc/dhcp6sctlkey*.
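
A stricter way to create that key file, as an added example that is not part of the original post: the key comes from `openssl rand` instead of typed characters, and the file is created private before the secret is written. The function names `gen_ctlkey` and `check_ctlkey` and the 32-byte key length are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original post. The function names and the
# 32-byte default are choices of this example.

# Create KEYFILE holding BYTES random bytes, base64-encoded, mode 0400.
gen_ctlkey() {
    keyfile=$1
    bytes=${2:-32}
    if [ -e "$keyfile" ]; then
        echo "gen_ctlkey: $keyfile already exists, not overwriting" >&2
        return 1
    fi
    (
        # The file is private from the moment it is created, so the
        # secret is never readable by other users, even briefly.
        umask 077
        tmp=$(mktemp "$(dirname "$keyfile")/.ctlkey.XXXXXXXX") || exit 1
        trap 'rm -f "$tmp"' EXIT
        # Key material comes from the CSPRNG instead of typed characters,
        # so it does not end up in the shell history either.
        openssl rand -base64 "$bytes" > "$tmp" || exit 1
        [ -s "$tmp" ] || exit 1
        chmod 400 "$tmp" || exit 1
        mv "$tmp" "$keyfile"
    )
}

# Succeed only if KEYFILE is closed to group/others and decodes to BYTES bytes.
check_ctlkey() {
    keyfile=$1
    want=${2:-32}
    [ -f "$keyfile" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$keyfile" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "check_ctlkey: $keyfile is accessible to group or others" >&2
        return 1
    fi
    got=$(( $(openssl enc -base64 -d < "$keyfile" | wc -c) ))
    [ "$got" -eq "$want" ]
}

# Usage on the router, as root:
#   gen_ctlkey /etc/dhcp6sctlkey && check_ctlkey /etc/dhcp6sctlkey
```

`check_ctlkey` can also be run against a key file that already exists, to confirm its permissions before starting dhcp6s.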