How to set up an IPv6 UMTS connection with OpenVPN
Created on 2007-06-08
v1.0
schreiner at clarinet dot u-strasbg dot fr
------------------------------------------------------------

At the time this document was written, UMTS operators did not offer IPv6
connectivity over UMTS: only an IPv4 connection is provided. To bring IPv6
to the device, a tunnel is needed to encapsulate the IPv6 traffic. This
document explains how to set up an OpenVPN tunnel in order to get IPv6 on
the device via UMTS.

The schema below shows the architecture of this setup. The UMTS link only
carries IPv4; OpenVPN in tap (layer 2) mode bridges the client onto the
server's br0, where radvd announces the IPv6 prefix and the client
autoconfigures an address from it.

   UMTS Device                              OpenVPN Server

      ppp0 ---------- Internet ---------- public IPv4
       |                IPv4                   |
       |                                       |
      tap0 ---------- L2 VPN ----------------- tap0
       |              Tunnel                   |
       |                                       |
      br0                                     br0
     IPv6 ----------- IPv6 ------------------ IPv6 ---- radvd
    autoconf         traffic                static


TOC
---

1. OpenVPN server setup
   a. Installation on Debian GNU/Linux
   b. OpenVPN keys generation
   c. OpenVPN configuration file setup
   d. Bridge
   e. Radvd
2. UMTS client setup
   a. PPP setup
   b. OpenVPN client configuration


1. OpenVPN server setup
-----------------------

a. Installation on Debian GNU/Linux

   * Install the packages

     # apt-get install bridge-utils openssl liblzo1 openvpn

b. OpenVPN keys generation

   * Go to the scripts directory

     # cd /usr/share/doc/openvpn/examples/easy-rsa

   * Edit the variables used for certificate generation:

     # vi vars

     # default variables for certificates and keys
     # /usr/share/doc/openvpn/examples/easy-rsa
     export D=/usr/share/doc/openvpn/examples/easy-rsa
     export KEY_CONFIG=$D/openssl.cnf
     export KEY_DIR=$D/keys
     export KEY_SIZE=1024
     export KEY_COUNTRY=FR
     export KEY_PROVINCE=NA
     export KEY_CITY=Strasbourg
     export KEY_ORG="NEMO VPN"
     export KEY_EMAIL="schreiner@clarinet.u-strasbg.fr"
     # EOF

     Note: KEY_SIZE=1024 was the easy-rsa default in 2007. 1024-bit RSA and
     Diffie-Hellman are no longer considered adequate; use KEY_SIZE=2048 or
     more. build-dh names its output after the key size (keys/dh2048.pem in
     that case), so adjust the "dh" line of openvpn.conf below accordingly.

   * Load the variables and prepare the keys directory

     # source ./vars
     # mkdir keys
     # touch keys/index.txt
     # echo 01 > keys/serial

   * Generate the CA, the DH parameters and the keys for the VPN server.
     For example, choose openvpn-server for [SERVER NAME]

     # ./build-dh
     # ./build-ca
     # ./build-key-server [SERVER NAME]

   * Also generate keys for the VPN clients, at least for one client!
     For example, choose mr01 for [CLIENT NAME]

     # ./build-key [CLIENT NAME]

   * Generate the shared HMAC key for tls-auth. With it, every
     control-channel packet must carry a valid HMAC before OpenVPN even
     looks at it, so hosts without the key cannot start a TLS handshake:
     this stops port scans, handshake flooding and attacks on the TLS
     implementation itself. (Protection against a man-in-the-middle server
     comes from the certificates and the client's ns-cert-type check below,
     not from this key.)

     # openvpn --genkey --secret keys/ta.key

   * Move the keys directory to the OpenVPN configuration directory

     # mv keys /etc/openvpn/
     # chmod 600 /etc/openvpn/keys/*.key

     Note: the directory also contains ca.key, the CA private key, and the
     client private keys. Anyone holding ca.key can issue certificates the
     server will accept, so keep it off the VPN server (it is only needed
     to sign new certificates), and remove each client's .key file from the
     server once it has been copied to the client (2.b).

c. OpenVPN configuration file setup

   * Edit the OpenVPN server configuration file

     # vi /etc/openvpn/openvpn.conf

     # /etc/openvpn/openvpn.conf
     # OpenVPN server configuration file with bridge mode
     # replace with your server IP
     local 130.79.48.22
     port 1194
     proto udp
     dev tap0
     mode server
     tls-server
     tun-mtu 1500
     mssfix
     persist-key
     persist-tun
     # Global key and certificates
     ca keys/ca.crt
     dh keys/dh1024.pem
     # HMAC firewall for the control channel (shared key, see 1.b)
     tls-auth keys/ta.key
     # choose your server keys
     cert keys/openvpn-server.crt
     key keys/openvpn-server.key
     # server-bridge needs an IPv4 gateway, netmask and address pool even
     # though only IPv6 is used over the bridge. Each client takes one pool
     # address: the pool below holds 11, so max-clients should not exceed it.
     server-bridge 192.168.0.253 255.255.255.0 192.168.0.5 192.168.0.15
     client-to-client
     keepalive 10 120
     cipher BF-CBC
     comp-lzo
     max-clients 15
     user nobody
     group nogroup
     # check that the log directory exists
     status /var/log/openvpn/status.log
     log-append /var/log/openvpn/openvpn.log
     verb 4
     # EOF

   * Allow OpenVPN to start automatically

     # vi /etc/default/openvpn

     # /etc/default/openvpn
     # This is the configuration file for /etc/init.d/openvpn
     #
     # Start only these VPNs automatically via init script.
     # Allowed values are "all", "none" or space separated list of
     # names of the VPNs. If empty, "all" is assumed.
     #
     AUTOSTART="all"
     #AUTOSTART="none"
     #AUTOSTART="home office"
     #
     # Refresh interval (in seconds) of default status files
     # located in /var/run/openvpn.$NAME.status
     # Defaults to 10, 0 disables status file generation
     #
     #STATUSREFRESH=10
     STATUSREFRESH=0
     # EOF

d. Bridge

   * Automatically bring up the bridge with the tap interface. The address
     is an IPv6 address, so the stanza must be "inet6 static" (with "inet
     static", ifupdown would try to configure it as an IPv4 address and
     fail).

     # vi /etc/network/interfaces

     # /etc/network/interfaces
     # LAN interface
     auto br0
     iface br0 inet6 static
         address 2001:660:4701:f008:ffff::1
         netmask 64
         pre-up /usr/sbin/openvpn --mktun --dev tap0
         pre-up /sbin/ip link set tap0 up
         pre-up /usr/sbin/brctl addbr br0
         pre-up /usr/sbin/brctl addif br0 tap0
         post-down /usr/sbin/brctl delif br0 tap0
         post-down /usr/sbin/brctl delbr br0
         post-down /usr/sbin/openvpn --rmtun --dev tap0
     # EOF

e. Radvd

   * Edit the radvd configuration:

     # vi /etc/radvd.conf

     # /etc/radvd.conf
     interface br0
     {
         AdvSendAdvert on;
         MaxRtrAdvInterval 4;
         MinRtrAdvInterval 3;
         AdvIntervalOpt on;
         prefix 2001:660:4701:f008::/64
         {
             AdvRouterAddr on;
             AdvOnLink on;
             AdvAutonomous on;
         };
     };
     # EOF

   * The server is the IPv6 router for the VPN clients: if they are to
     reach anything beyond the bridge, IPv6 forwarding must be enabled on
     the server (sysctl net.ipv6.conf.all.forwarding=1).

   * Launch or restart everything

     # /etc/init.d/networking restart
     # /etc/init.d/openvpn restart
     # /etc/init.d/radvd restart

You are done with the OpenVPN server. Let's take a look at the UMTS client.


2. UMTS client setup
--------------------

a. PPP setup

   * Edit the ppp configuration files:

     # vi /etc/ppp/peers/3G

     # /etc/ppp/peers/3G
     noauth
     name 3G
     persist
     usepeerdns
     noipx
     lcp-echo-interval 30
     lcp-echo-failure 4
     hide-password
     modem
     proxyarp
     asyncmap 0
     crtscts
     connect "/usr/sbin/chat -v -f /etc/chatscripts/3G"
     /dev/ttyS1
     115200
     defaultroute
     noipdefault
     user "orange"
     remotename 3G
     ipparam 3G
     # EOF

     # vi /etc/ppp/options

     # /etc/ppp/options
     auth
     lock
     dump
     # EOF

     # vi /etc/chatscripts/3G

     # /etc/chatscripts/3G
     # This chatfile was generated by pppconfig 2.3.10.
     # Please do not delete any of the comments.  Pppconfig needs them.
     #
     # ispauth chat
     # abortstring
     ABORT BUSY ABORT 'NO CARRIER' ABORT VOICE ABORT 'NO DIALTONE' ABORT 'NO DIAL TONE' ABORT 'NO ANSWER' ABORT DELAYED
     # modeminit
     '' ATZ
     # ispnumber
     OK AT+CMEE=1
     OK \dAT+CGDCONT=1,"IP","internet-entreprise"
     OK \dATDT*99#
     # ispconnect
     CONNECT ''
     # prelogin
     # ispname
     # isppassword
     # postlogin
     # end of pppconfig stuff
     # EOF

     # vi /etc/ppp/chap-secrets

     # /etc/ppp/chap-secrets
     # Secrets for authentication using CHAP
     # client        server  secret          IP addresses
     "orange"        *       "password"
     # EOF

     (chap-secrets holds the operator password in clear text; keep it
     readable by root only.)

   * Test the UMTS connection

     # pppd call 3G

     or

     # pon 3G

b. OpenVPN client configuration

   * Install the packages

     # apt-get install bridge-utils openssl liblzo1 openvpn

   * Create the keys directory

     # mkdir /etc/openvpn/keys
     # cd /etc/openvpn/keys

   * Import the keys you generated previously on the server (1.b) for your
     UMTS client. In our example, the client is called "mr01". You need to
     import the following files in a secure way (SSH):

     - ca.crt
     - ta.key
     - mr01.crt
     - mr01.key

     # scp admin@openvpnserver:/etc/openvpn/keys/ca.crt .
     # scp admin@openvpnserver:/etc/openvpn/keys/ta.key .
     # scp admin@openvpnserver:/etc/openvpn/keys/mr01.crt .
     # scp admin@openvpnserver:/etc/openvpn/keys/mr01.key .
     # chmod 600 /etc/openvpn/keys/*.key

     mr01.key and ta.key are secrets: once copied, delete mr01.key from the
     server, which has no use for it.

   * Edit the OpenVPN configuration file

     # vi /etc/openvpn/openvpn.conf

     # /etc/openvpn/openvpn.conf
     # OpenVPN client configuration file with bridge mode
     client
     dev tap0
     proto udp
     remote 130.79.48.22 1194
     resolv-retry infinite
     nobind
     tls-client
     persist-key
     persist-tun
     ca keys/ca.crt
     cert keys/mr01.crt
     key keys/mr01.key
     # only accept a server certificate issued with build-key-server;
     # without this, any client certificate signed by the CA could pose
     # as the server (on OpenVPN 2.4 and later use "remote-cert-tls server")
     ns-cert-type server
     tls-auth keys/ta.key
     cipher BF-CBC
     comp-lzo
     verb 2
     mute 5
     # EOF

   * Allow OpenVPN to start automatically

     # vi /etc/default/openvpn

     # /etc/default/openvpn
     # This is the configuration file for /etc/init.d/openvpn
     #
     # Start only these VPNs automatically via init script.
     # Allowed values are "all", "none" or space separated list of
     # names of the VPNs. If empty, "all" is assumed.
     #
     AUTOSTART="all"
     #AUTOSTART="none"
     #AUTOSTART="home office"
     #
     # Refresh interval (in seconds) of default status files
     # located in /var/run/openvpn.$NAME.status
     # Defaults to 10, 0 disables status file generation
     #
     #STATUSREFRESH=10
     STATUSREFRESH=0
     # EOF

   * Start or refresh the services

     # /etc/init.d/networking restart
     # /etc/init.d/openvpn restart

   * Check on interface br0 whether you have got an autoconfigured IPv6
     address. (This document does not show a client-side bridge; if you
     did not create one, look at tap0 instead: autoconfiguration works
     directly on the tap interface.)

     # ifconfig br0
     br0       Link encap:Ethernet  HWaddr 7A:F4:CC:72:11:91
               inet6 addr: fe80::78f4:ccff:fe72:1191/64 Scope:Link
               inet6 addr: 2001:660:4701:f008:78f4:ccff:fe72:1191/64 Scope:Global
               UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
               RX packets:11 errors:0 dropped:0 overruns:0 frame:0
               TX packets:17 errors:0 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:0
               RX bytes:2660 (2.5 KiB)  TX bytes:1482 (1.4 KiB)

     The global address is made of the prefix announced by radvd
     (2001:660:4701:f008::/64) and an interface identifier derived from
     the MAC address, which shows that the router advertisements crossed
     the tunnel. A link-local address only (fe80::...) means the
     advertisements did not arrive: check that the tunnel is up, that
     tap0 is in the server's bridge and that radvd is running on br0.

   * Congratulations, you did it!


----------
References
----------

The OpenVPN Home Page
  http://openvpn.net/

A Tutorial for OpenVPN (French)
  http://www.nbs-system.com/dossiers/howto-openvpn2.html

Another tutorial for OpenVPN
  http://www.shorewall.net/OPENVPN.html


-------
Contact
-------

Guillaume Schreiner
schreiner at clarinet dot u-strasbg dot fr
Nautilus6 Working Group
LSIIT Lab. in University Louis Pasteur, France
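--------------------------------------------
Appendix: auditing the OpenVPN configuration
--------------------------------------------

Several settings in the configuration files of sections 1.b, 1.c and 2.b
were ordinary defaults in 2007 but are weak today: 1024-bit RSA and DH
parameters, the Blowfish cipher, LZO compression, tls-auth without a key
direction, and the Netscape-extension server check. The script below is an
added example; it is not part of the original HOWTO and not OpenVPN's own
tooling. It reads an OpenVPN configuration file, flags each of those
settings and prints the hardened directive to use instead, then runs itself
over a constructed copy of this HOWTO's server configuration and over a
hardened version of it. The replacement directive names assume OpenVPN 2.4
or later (AES-256-GCM, tls-crypt, remote-cert-tls); the sample
configurations embedded in the script are constructed for the demonstration.

```shell
#!/bin/sh
# audit-openvpn.sh - flag weak settings in an OpenVPN 2.x configuration
# file and print the hardened directive to use instead.
# Added example, not part of the original HOWTO nor OpenVPN's own tooling.
# Assumes OpenVPN >= 2.4 directive names; sample configs are constructed.

# finding DIRECTIVE WHY REPLACEMENT - print one finding line
finding() {
    printf '%s: %s -> %s\n' "$1" "$2" "$3"
}

# audit_openvpn_conf FILE
# Prints one line per finding; returns the number of findings (0 = clean).
audit_openvpn_conf() {
    # drop comments ('#' or ';') and blank lines: "directive args" only
    body=$(sed -e 's/[#;].*$//' "$1" | grep -v '^[[:space:]]*$' || true)
    n=0

    # Blowfish has a 64-bit block: a long-lived tunnel carries enough
    # traffic for a SWEET32 birthday attack on CBC mode.
    if printf '%s\n' "$body" | grep -qiE '^[[:space:]]*cipher[[:space:]]+BF-CBC'; then
        finding cipher '64-bit block cipher (SWEET32)' 'cipher AES-256-GCM'
        n=$((n + 1))
    fi

    # 1024-bit DH parameters are below the current 2048-bit minimum.
    # Name-based heuristic: looks for "1024" in the dh file name.
    if printf '%s\n' "$body" | grep -qE '^[[:space:]]*dh[[:space:]]+.*1024'; then
        finding dh '1024-bit Diffie-Hellman parameters' \
            'openssl dhparam -out dh2048.pem 2048; dh dh2048.pem'
        n=$((n + 1))
    fi

    # tls-auth with no direction uses one HMAC key both ways; give the
    # server direction 0 and clients 1, or use tls-crypt, which also
    # encrypts the control channel.
    if printf '%s\n' "$body" |
        awk '$1 == "tls-auth" && NF < 3 { found = 1 } END { exit !found }'; then
        finding tls-auth 'no key direction' \
            'tls-auth ta.key 0 (server) / 1 (client), or tls-crypt ta.key'
        n=$((n + 1))
    fi

    # ns-cert-type checks a Netscape extension (deprecated in 2.4, removed
    # in 2.5); remote-cert-tls checks the X.509 extended key usage instead.
    if printf '%s\n' "$body" | grep -qE '^[[:space:]]*ns-cert-type[[:space:]]+server'; then
        finding ns-cert-type 'Netscape extension, removed in OpenVPN 2.5' \
            'remote-cert-tls server'
        n=$((n + 1))
    fi

    # Compressing attacker-influenced and secret data in one stream leaks
    # the secret (VORACLE); leave compression off.
    if printf '%s\n' "$body" | grep -qE '^[[:space:]]*comp-lzo'; then
        finding comp-lzo 'compression oracle (VORACLE)' 'remove comp-lzo'
        n=$((n + 1))
    fi

    # A daemon that keeps root after the tunnel is up is a bigger target.
    if ! printf '%s\n' "$body" | grep -qE '^[[:space:]]*user[[:space:]]+'; then
        finding user 'daemon keeps root privileges' \
            'user nobody + group nogroup (with persist-key persist-tun)'
        n=$((n + 1))
    fi

    return "$n"
}

# write_weak_conf FILE - constructed sample: the HOWTO's server config
# reduced to the directives the audit looks at.
write_weak_conf() {
    cat >"$1" <<'EOF'
dev tap0
mode server
ca keys/ca.crt
dh keys/dh1024.pem
tls-auth keys/ta.key   # HMAC firewall for the control channel
cert keys/openvpn-server.crt
key keys/openvpn-server.key
server-bridge 192.168.0.253 255.255.255.0 192.168.0.5 192.168.0.15
cipher BF-CBC
comp-lzo
user nobody
group nogroup
EOF
}

# write_hardened_conf FILE - the same server with every finding fixed
write_hardened_conf() {
    cat >"$1" <<'EOF'
dev tap0
mode server
ca keys/ca.crt
dh keys/dh2048.pem
tls-crypt keys/ta.key
cert keys/openvpn-server.crt
key keys/openvpn-server.key
server-bridge 192.168.0.253 255.255.255.0 192.168.0.5 192.168.0.15
cipher AES-256-GCM
user nobody
group nogroup
EOF
}

# demo: audit both samples (pass any configuration file to the function)
dir=$(mktemp -d)
write_weak_conf "$dir/weak.conf"
write_hardened_conf "$dir/hardened.conf"
for name in weak hardened; do
    echo "== $name.conf =="
    audit_openvpn_conf "$dir/$name.conf"
    echo "findings: $?"
done
rm -rf "$dir"
```

Run it with "sh audit-openvpn.sh"; to audit your own files, source the
script and call audit_openvpn_conf /etc/openvpn/openvpn.conf (the client
configuration of 2.b produces five findings, since it also lacks a "user"
directive). The DH check only looks at the file name, as with dh1024.pem
above; confirm the real size with "openssl dhparam -in FILE -text". Before
replacing ns-cert-type with remote-cert-tls, check with "openssl x509 -in
openvpn-server.crt -noout -text" that the server certificate carries the
"TLS Web Server Authentication" extended key usage, otherwise clients will
reject it.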