IPv6 is no longer provided by external patches - all has been
integrated. Document that fact, point at the new configuration options,
and at potential caveats.
Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1359113954-25768-1-git-send-email-gert@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/7305
Signed-off-by: Gert Doering <gert@greenie.muc.de>
@@ -1,97 +1,65 @@ |
1 |
+Since 2.3.0, OpenVPN officially supports IPv6, and all widely used |
|
2 |
+patches floating around for older versions have been integrated. |
|
3 |
+ |
|
1 | 4 |
IPv6 payload support |
2 | 5 |
-------------------- |
3 | 6 |
|
4 |
-Latest IPv6 payload support code and documentation can be found from here: |
|
7 |
+This is for "IPv6 inside OpenVPN", with server-pushed IPv6 configuration |
|
8 |
+on the client, and support for IPv6 configuration on the tun/tap interface |
|
9 |
+from within the openvpn config. |
|
10 |
+ |
|
11 |
+The code in 2.3.0 supersedes the IPv6 payload patches from Gert Doering, |
|
12 |
+formerly located at http://www.greenie.net/ipv6/openvpn.html |
|
13 |
+ |
|
5 | 14 |
|
6 |
- http://www.greenie.net/ipv6/openvpn.html |
|
15 |
+The following options have been added to handle IPv6 configuration, |
|
16 |
+analogous to their IPv4 counterparts (--server <-> --server-ipv6, etc.) |
|
7 | 17 |
|
8 |
-For TODO list, see TODO.IPv6. |
|
18 |
+ - server-ipv6 |
|
19 |
+ - ifconfig-ipv6 |
|
20 |
+ - ifconfig-ipv6-pool |
|
21 |
+ - ifconfig-ipv6-push |
|
22 |
+ - route-ipv6 |
|
23 |
+ - iroute-ipv6 |
|
9 | 24 |
|
10 |
-Gert Doering, 31.12.2009 |
|
25 |
+see "man openvpn" for details how they are used. |
|
11 | 26 |
|
12 | 27 |
|
13 | 28 |
|
14 | 29 |
IPv6 transport support |
15 | 30 |
---------------------- |
16 | 31 |
|
17 |
-[ Last updated: 25-Mar-2011. ] |
|
18 |
- |
|
19 |
-OpenVPN-2.1 over UDP6/TCP6 README for ipv6-0.4.x patch releases: |
|
20 |
-( --udp6 and --tcp6-{client,server} ) |
|
21 |
- |
|
22 |
-* Availability |
|
23 |
- Source code under GPLv2 from http://github.com/jjo/openvpn-ipv6 |
|
24 |
- |
|
25 |
- Distro ready repos/packages: |
|
26 |
- o Debian sid official repo, by Alberto Gonzalez Iniesta, |
|
27 |
- starting from openvpn_2.1~rc20-2 |
|
28 |
- o Gentoo official portage tree, by Marcel Pennewiss: |
|
29 |
- - https://bugs.gentoo.org/show_bug.cgi?id=287896 |
|
30 |
- o Ubuntu package, by Bernhard Schmidt: |
|
31 |
- - https://launchpad.net/~berni/+archive/ipv6/+packages |
|
32 |
- o Freetz.org, milestone freetz-1.2 |
|
33 |
- - http://trac.freetz.org/milestone/freetz-1.2 |
|
34 |
- |
|
35 |
-* Status: |
|
36 |
- o OK: |
|
37 |
- - upd6,tcp6: GNU/Linux, win32, openbsd-4.7, freebsd-8.1 |
|
38 |
- - udp4->upd6,tcp4->tcp6 (ipv4/6 mapped): GNU/Linux |
|
39 |
- (gives a warning on local!=remote proto matching) |
|
40 |
- o NOT: |
|
41 |
- - win32: tcp4->tcp6 (ipv4/6 mapped) fails w/connection refused |
|
42 |
- o NOT tested: |
|
43 |
- - mgmt console |
|
44 |
- |
|
45 |
-* Build setup: |
|
46 |
- ./configure --enable-ipv6 (by default) |
|
47 |
- |
|
48 |
-* Usage: |
|
49 |
- For IPv6 just specify "-p upd6" an proper IPv6 hostnames, adapting the example |
|
50 |
- from man page ... |
|
51 |
- |
|
52 |
- On may: |
|
53 |
- openvpn --proto udp6 --remote <june_IPv6_addr> --dev tun1 \ |
|
54 |
- --ifconfig 10.4.0.1 10.4.0.2 --verb 5 --secret key |
|
55 |
- |
|
56 |
- On june: |
|
57 |
- openvpn --proto udp6 --remote <may_IPv6_addr> --dev tun1 \ |
|
58 |
- --ifconfig 10.4.0.2 10.4.0.1 --verb 5 --secret key |
|
59 |
- |
|
60 |
- Same for --proto tcp6-client, tcp6-server. |
|
61 |
- |
|
62 |
-* Main code changes summary: |
|
63 |
- - socket.h: New struct openvpn_sockaddr type that holds sockaddrs and pktinfo, |
|
64 |
- (here I omitted #ifdef USE_PF_xxxx, see socket.h ) |
|
65 |
- |
|
66 |
- struct openvpn_sockaddr { |
|
67 |
- union { |
|
68 |
- struct sockaddr sa; |
|
69 |
- struct sockaddr_in in; |
|
70 |
- struct sockaddr_in6 in6; |
|
71 |
- } addr; |
|
72 |
- }; |
|
73 |
- |
|
74 |
- struct link_socket_addr |
|
75 |
- { |
|
76 |
- struct openvpn_sockaddr local; |
|
77 |
- struct openvpn_sockaddr remote; |
|
78 |
- struct openvpn_sockaddr actual; |
|
79 |
- }; |
|
80 |
- |
|
81 |
- PRO: allows simple type overloading: local.addr.sa, local.addr.in, local.addr.in6 ... etc |
|
82 |
- (also local.pi.in and local.pi.in6) |
|
83 |
- |
|
84 |
- - several function prototypes moved from sockaddr_in to openvpn_sockaddr |
|
85 |
- - several new sockaddr functions needed to "generalize" AF_xxxx operations: |
|
86 |
- addr_copy(), addr_zero(), ...etc |
|
87 |
- proto_is_udp(), proto_is_dgram(), proto_is_net() |
|
88 |
- |
|
89 |
-* For TODO list, see TODO.IPv6 |
|
90 |
- |
|
91 |
-JuanJo Ciarlante jjo () google () com ............................ |
|
92 |
-: : |
|
93 |
-. Linux IP Aliasing author . |
|
94 |
-. Modular algo (AES et all) support for FreeSWAN/OpenSWAN author . |
|
95 |
-. OpenVPN over IPv6 support . |
|
96 |
-:...... plus other scattered free software bits in the wild ...: |
|
32 |
+This is to enable OpenVPN peers or client/servers to talk to each other |
|
33 |
+over an IPv6 network ("OpenVPN over IPv6"). |
|
34 |
+ |
|
35 |
+The code in 2.3.0 supersedes the IPv6 transport patches from JuanJo Ciarlante, |
|
36 |
+formerly located at http://github.com/jjo/openvpn-ipv6 |
|
37 |
+ |
|
38 |
+ |
|
39 |
+Use the following options to select IPv6 transport: |
|
40 |
+ |
|
41 |
+ --proto udp6 |
|
42 |
+ --proto tcp6-client |
|
43 |
+ --proto tcp6-server |
|
44 |
+ --proto tcp6 --client / --proto tcp6 --server |
|
45 |
+ |
|
46 |
+On systems that permit IPv4 connections on IPv6 sockets (Linux by |
|
47 |
+default, FreeBSD and NetBSD if you turn off the "v6only" sysctl by |
|
48 |
+running "sysctl -w net.inet6.ip6.v6only=0"), an OpenVPN server can |
|
49 |
+handle IPv4 connections on the IPv6 socket as well, making it a true |
|
50 |
+dual-stacked server. |
|
51 |
+ |
|
52 |
+On other systems, as of 2.3.0, you need to run separate server instances |
|
53 |
+for IPv4 and IPv6. |
|
54 |
+ |
|
55 |
+The client side code is not really "dual-stacked" yet, as it does not |
|
56 |
+automatically try both address families when connecting to a dual-stacked |
|
57 |
+server. For now, you can achieve this with <connection> stanzas in your |
|
58 |
+openvpn config: |
|
59 |
+ |
|
60 |
+ <connection> |
|
61 |
+ remote my.dual.stack.server 1194 udp6 |
|
62 |
+ </connection> |
|
63 |
+ <connection> |
|
64 |
+ remote my.dual.stack.server 1194 udp |
|
65 |
+ </connection> |
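Review bot: The dual-stack paragraph under "IPv6 transport support" gives "sysctl -w net.inet6.ip6.v6only=0" without saying that this changes the default for every IPv6 listening socket on the host, not only OpenVPN's, or that a value set with "sysctl -w" is lost at reboot. Suggest adding one sentence that states both. The removed status block recorded that the ipv4/6 mapped case "gives a warning on local!=remote proto matching" and that on win32 it "fails w/connection refused". The new text drops both caveats, although the commit message says the README should point at potential caveats, so a one-line note on mapped IPv4 peers would help anyone writing address-based filters or reading logs on a dual-stacked server. Minor style point: the payload option list writes "server-ipv6", "ifconfig-ipv6" and so on without the leading "--" that the sentence above it and the "--proto" list both use.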