Title: OpenBSD as an IPv6 router
       Author: Solène
       Date: 13 June 2019
       Tags: openbsd networking
       Description: 
       
       *This blog post is an update (OpenBSD 6.5 at that time) of the very
       same article I published in June 2018. Because rtadvd was replaced
       by rad, the original text was no longer useful.*
       
       I subscribed to a VPN service from the French association Grifon
       ([Grifon website[FR]](https://grifon.fr)) to get IPv6 access to the
       world and play with IPv6. I will not talk about the VPN service, it
       would be pointless.
       
       I now have an IPv6 prefix of 48 bits, which can theoretically hold
       2^80 addresses.
       
       I would like my computers connected through the VPN to let other
       computers in my network have IPv6 connectivity.
       
       On OpenBSD, this is very easy to do. If you want to provide IPv6 to
       Windows devices on your network, you will need one more daemon.
       
       In my setup, I have a tun0 device, which has the IPv6 access, and
       re0, which is my LAN.
       
       First, configure IPv6 on your LAN:
       
           # ifconfig re0 inet6 autoconf
       
       That's all. You can add a new line `inet6 autoconf` to your file
       `/etc/hostname.if` to get it at boot.
       
       Now, we have to allow IPv6 to be routed through the different
       interfaces of the router.
       
           # sysctl net.inet6.ip6.forwarding=1
       
       This change can be made persistent across reboots by adding
       `net.inet6.ip6.forwarding=1` to the file `/etc/sysctl.conf`.
       
       
       ### Automatic addressing
       
       Now we have to configure the daemon **rad** to advertise that we are
       routing, so that devices on the network can get an IPv6 address from
       its advertisements.
       
       The minimal configuration of **/etc/rad.conf** is the following:
       
           interface re0 {
               prefix 2a00:5414:7311::/48
           }
       
       In this configuration file we only define the available prefix, which
       is equivalent to a DHCP address range. Other attributes could provide
       DNS servers to use, for example; see the rad.conf man page.
       
       Then enable the service at boot and start it:
       
           # rcctl enable rad
           # rcctl start rad
       
       
       ### Tweaking resolv.conf
       
       By default OpenBSD will ask for IPv4 when resolving a hostname (see
       resolv.conf(5) for more explanations). So, you will never have IPv6
       traffic unless you use software which explicitly requests an IPv6
       connection, or the hostname is only defined with an AAAA record.
       
           # echo "family inet6 inet4" >> /etc/resolv.conf.tail
       
       The file **resolv.conf.tail** is appended at the end of resolv.conf
       when dhclient modifies the file **resolv.conf**.
       
       
       ### Microsoft Windows
       
       If you have Windows systems on your network, they won't get addresses
       from **rad**. You will need to deploy a DHCPv6 daemon.
       
       The configuration file for what we want to achieve here is pretty
       simple: it tells which range we want to allow on DHCPv6 and gives a
       DNS server. Create the file `/etc/dhcp6s.conf`:
       
           interface re0 {
               address-pool pool1 3600;
           };
           pool pool1 {
               range 2a00:5414:7311:1111::1000 to 2a00:5414:7311:1111::4000;
           };
           option domain-name-servers 2001:db8::35;
       
       Note that I added "**1111**" into the range because it should not be
       on the same network as the router. You can replace 1111 by what you
       want, even CAFE or 1337 if you want to bring some fun to network
       engineers.
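
The address-plan rule in the note above can be checked mechanically. The following is an added example, not part of the original post: it reads the `rad.conf` and `dhcp6s.conf` texts from this article and verifies that the DHCPv6 range lies inside the advertised prefix, stays within one /64, and is apart from the router's /64. `ROUTER_SUBNET`, the function names and the single-/64 check are assumptions of this example.

```python
import ipaddress
import re

# Constructed inputs: copies of the two configuration files shown in this article.
RAD_CONF = "interface re0 {\n    prefix 2a00:5414:7311::/48\n}\n"
DHCP6S_CONF = """\
interface re0 {
    address-pool pool1 3600;
};
pool pool1 {
    range 2a00:5414:7311:1111::1000 to 2a00:5414:7311:1111::4000;
};
option domain-name-servers 2001:db8::35;
"""
# Assumption (not stated in the article): the router's own LAN addresses sit in this /64.
ROUTER_SUBNET = "2a00:5414:7311::/64"

def advertised_prefixes(rad_conf):
    """Return the networks named on 'prefix' lines of a rad.conf text."""
    return [ipaddress.IPv6Network(p)
            for p in re.findall(r"^\s*prefix\s+(\S+)", rad_conf, re.M)]

def pool_ranges(dhcp6s_conf):
    """Return (first, last) address pairs from 'range A to B;' statements."""
    pairs = re.findall(r"range\s+(\S+)\s+to\s+([^\s;]+)\s*;", dhcp6s_conf)
    return [(ipaddress.IPv6Address(a), ipaddress.IPv6Address(b)) for a, b in pairs]

def check_plan(rad_conf, dhcp6s_conf, router_subnet):
    """Check each DHCPv6 range against the advertised prefix and the router's /64."""
    prefixes = advertised_prefixes(rad_conf)
    router_net = ipaddress.IPv6Network(router_subnet)
    report = []
    for first, last in pool_ranges(dhcp6s_conf):
        # The /64 that contains the first address of the range (host bits cleared).
        subnet = ipaddress.IPv6Network((int(first) >> 64 << 64, 64))
        report.append({
            "range": (str(first), str(last)),
            "ordered": first <= last,
            "inside_prefix": any(first in p and last in p for p in prefixes),
            "single_64": last in subnet,
            "apart_from_router": not subnet.overlaps(router_net),
            "size": int(last) - int(first) + 1,
        })
    return report

if __name__ == "__main__":
    for entry in check_plan(RAD_CONF, DHCP6S_CONF, ROUTER_SUBNET):
        print(entry)
```
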
       
       Now, you have to install and configure the service:
       
           # pkg_add wide-dhcpv6
           # touch /etc/dhcp6sctlkey
           # chmod 400 /etc/dhcp6sctlkey
           # echo SOME_RANDOM_CHARACTERS | openssl enc -base64 > /etc/dhcp6sctlkey
           # echo "dhcp6s -c /etc/dhcp6s.conf re0" >> /etc/rc.local
       
       The OpenBSD package wide-dhcpv6 doesn't provide an rc file to
       start/stop the service, so it must be started from a command line.
       One way to do it is to put the command in `/etc/rc.local`, which is
       run at boot.
       
       The openssl command is needed for dhcpv6 to start, as it requires a
       base64 string as a secret key in the file */etc/dhcp6sctlkey*.