October 3, 2013, 02:18

This post explains how to set up a PPTP server that transports both IPv4 and IPv6, using Raspbian as the server, and how to set up a Debian or Windows 8 client.

( The setup is the same for Debian or Ubuntu as the server ).

VPN 4 : Debian PPTP Server w/ IPv4 and IPV6

The tunnel will use the 10.0.0.0/8 IPv4 private address range and the 2001:db8:0:10::/64 IPv6 global unicast address range.

 

Tested using :

PPTP Server : RASPBIAN version June 2014

PPTP Client : Debian 7.5 and Windows 8

 

Last Edited July 1 2014

 

1. PPTP Server setup

The main difficulty concerns the radvd service : we need radvd to advertise the IPv6 default gateway to the client. But if the radvd service is running before the tunnel is up, it will send false router advertisements on other interfaces, misleading other network clients. ( Is this a radvd bug ?! ).

The solution is to remove the radvd service from autostart and start it once the tunnel is up. Likewise, it is stopped when the tunnel goes down.

The solution presented here is simple, but only supports one IPv6 connection. See Part 4 for solutions that support multiple simultaneous clients.

 

We first update our server :

sudo apt-get update

sudo apt-get upgrade

 

We make sure the pptp server is set with static IPs. We'll be using here :

192.168.1.40 for IPv4

2001:db8:0:1::40 for IPv6

 

We reboot the OS :

sudo reboot

 

We install the pptp server :

sudo apt-get install pptpd

 

We edit the pptp server configuration :

sudo nano /etc/pptpd.conf
We uncomment the localip and remoteip lines and change them to :

-------------------------------------------------------------------------------------
localip 10.0.0.1
remoteip 10.0.0.10-14
-------------------------------------------------------------------------------------

 

We setup the pptp server options :

sudo nano /etc/ppp/pptpd-options

We uncomment the ms-dns lines and change them to our DNS choice :
---------------------------------------------------------------------------------------
ms-dns 208.67.222.222
ms-dns 208.67.220.220
---------------------------------------------------------------------------------------
In this example, we use OpenDNS’s servers.

We enable IPv6 by adding to the end :
---------------------------------------------------------------------------------------
ipv6 ::1,::2
---------------------------------------------------------------------------------------

 

 

We create users and passwords, using this syntax :

user<tab>*<tab>password<tab>*

sudo nano /etc/ppp/chap-secrets

--------------------------------------------------------------------------------------
john    *    secret1      *

tom     *    secret2      *
--------------------------------------------------------------------------------------

 

We adjust the IPv4 MTU :

sudo nano /etc/ppp/ip-up

( We add this line to the end of the file ) :
----------------------------------------------------------------------------------------
ifconfig $1 mtu 1400
----------------------------------------------------------------------------------------

 

We enable IPv4 and IPv6 forwarding :

sudo nano /etc/sysctl.conf

( we uncomment IPv4 and IPv6 forwarding ) :
-----------------------------------------------------------------------------------------
net.ipv4.ip_forward=1

net.ipv6.conf.all.forwarding=1

-----------------------------------------------------------------------------------------
 

We apply the networking changes :

sudo sysctl -p

We finally create IPv4 NAT, to allow IPv4 clients full connectivity :

sudo iptables -t nat -A POSTROUTING -j SNAT --to-source 192.168.1.40
sudo iptables-save

 

We create a NAT boot-time script :

sudo bash -c "iptables-save > /etc/iptables.conf"
sudo nano /etc/network/if-pre-up.d/iptables
-------------------------------------------------------------------------------------------
#!/bin/sh
iptables-restore < /etc/iptables.conf
-------------------------------------------------------------------------------------------

sudo chmod +x /etc/network/if-pre-up.d/iptables

 


IPv6 Specifics

 

We install radvd :

sudo apt-get install radvd

 

We edit radvd.conf :

sudo nano /etc/radvd.conf
---------------------------------------------------------------------------------------------

interface ppp0 {
    AdvSendAdvert on;
    AdvDefaultPreference high;
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;
    prefix 2001:db8:0:10::/64 {
        AdvOnLink on;
        AdvAutonomous on;
    };
    RDNSS 2620:0:ccc::2 2620:0:ccd::2 {
    };
};

---------------------------------------------------------------------------------------------

( We'll be using OpenDNS IPv6 addresses. You may use Google Public DNS, Comodo Secure DNS, ... )

We stop radvd, and remove it from boot-time autostart :

sudo service radvd stop

sudo update-rc.d -f radvd remove

 

We create the PPTP server tunnel up / tunnel down IPv6 RADVD scripts :

sudo nano /etc/ppp/ipv6-up.d/radvd
---------------------------------------------------------------------------------------------
#!/bin/bash
sudo ip -6 addr add 2001:db8:0:10::1/64 dev ppp0
sudo service radvd start
exit 0
---------------------------------------------------------------------------------------------
sudo chmod 755 /etc/ppp/ipv6-up.d/radvd

sudo nano /etc/ppp/ipv6-down.d/radvd
---------------------------------------------------------------------------------------------
#!/bin/bash
sudo pkill radvd
exit 0
----------------------------------------------------------------------------------------------
sudo chmod 755 /etc/ppp/ipv6-down.d/radvd

 


We restart the pptp server :

sudo /etc/init.d/pptpd restart

 

Local network IPv6 routing / Internet Gateway setup

Whereas IPv4 is using NAT, and thus doesn't need any special routing care, IPv6 does need some static IPv6 routes on the local network of the PPTP Server, for the 2001:db8:0:10::/64 network to be reachable.

Likewise, some port forwarding is needed on the Internet Gateway to allow WAN access to the PPTP server.

See Part 5 : Network IPv6 Routing, for the required IPv6 static routes for different network topologies, and a port forwarding example.

 

 

2. PPTP Client Setup

Windows 8

The Windows 8 PPTP client supports PPTP transport of IPv4 and IPv6 natively. Nothing special to setup here.

The VPN IPv4 DNS addresses are set correctly. The only glitch is the lack of Windows support for RDNSS, so no VPN IPv6 DNS addresses are set. Static IPv6 DNS is needed here.

 

Debian 7.5

 

As the network manager does not support PPTP transport of IPv6, we have to set up the tunnel and bring it up and down manually. It is actually very simple.

 

We update the Debian client, and install the pptp-linux package :

sudo apt-get update

sudo apt-get upgrade

sudo apt-get install pptp-linux

 

We install the RDNSS listener, needed as we're not using the network manager :

sudo apt-get install rdnssd

 

We set our user and password, using this syntax :

user<tab>*<tab>password<tab>*

sudo leafpad /etc/ppp/chap-secrets

--------------------------------------------------------------------------------------
john    *    secret1      *

--------------------------------------------------------------------------------------

 

We create a config file for the tunnel, that we'll name MYVPN :

sudo leafpad /etc/ppp/peers/MYVPN

--------------------------------------------------------------------------------------

pty "pptp 192.168.1.40 --nolaunchpppd"
name john
remotename PPTP
require-mppe-128
require-mschap-v2
usepeerdns
noauth
file /etc/ppp/options.pptp
ipparam MYVPN

---------------------------------------------------------------------------------------

 

We enable IPv6 in the pptp client options by adding to the end :

sudo leafpad /etc/ppp/options.pptp

---------------------------------------------------------------------------------------
+ipv6
ipv6cp-accept-local
ipv6cp-use-ipaddr

---------------------------------------------------------------------------------------

 

 

We create a script for the client to replace the default route when the tunnel is up :
sudo leafpad /etc/ppp/ip-up.d/MYVPN
----------------------------------------------------------------------------------------------
#!/bin/sh

sudo ip route change default via 10.0.0.1 dev ppp0

----------------------------------------------------------------------------------------------
sudo chmod +x /etc/ppp/ip-up.d/MYVPN

 

We create a script for the client to restore the default route when the tunnel is down.

( replace eth1 with your interface name ) :
sudo leafpad /etc/ppp/ip-down.d/MYVPN
----------------------------------------------------------------------------------------------
#!/bin/sh

#sudo ip route del default
sudo ip route add default via 192.168.1.1 dev eth1
----------------------------------------------------------------------------------------------
sudo chmod +x /etc/ppp/ip-down.d/MYVPN

 

You may have to use scripts for the IPv6 tunnel up/down too. As an example, although my tunnel RAs ( Router Advertisements ) have a priority set to high, they get unpreferred because of a strange metric 1 route to the default gateway ( under investigation ... ).

So I use this to get rid of it :

sudo leafpad /etc/ppp/ipv6-up.d/MYVPN

---------------------------------------------------------------------------------------------------------------

#!/bin/sh

sudo ip route del default via fe80::8cde:48ff:fe00:0080 dev eth1  proto static  metric 1

sudo service rdnssd restart

---------------------------------------------------------------------------------------------------------------

sudo chmod +x /etc/ppp/ipv6-up.d/MYVPN

 

Debug your own situation using :

ip -6 route show

 

Tunnel start/stop

The tunnel is brought up and down using these commands :

to create the tunnel :

sudo pon MYVPN

to delete the tunnel :

sudo poff MYVPN

To troubleshoot tunnel creation problems, use this debug syntax :

sudo pon MYVPN debug dump logfd 2 nodetach

 

4. Multiple simultaneous clients with IPv6 support

The problem with multiple clients comes from the fact that each client creates a distinct ppp interface ( ppp0, ppp1, ppp2 ). Thus, the server script that starts radvd must be aware of the ppp interface used, requiring some scripting.

source 1

source 2
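
One way to make the server side interface-aware, as an added example (not from the original post or its linked sources). It assumes each ppp<N> link gets its own /64, 2001:db8:0:<0x10+N>::/64, and that pppd's ipv6-up wrapper exports the interface name as PPP_IFACE; the function names are hypothetical. The interface name is validated before it is written into the root-owned radvd.conf.

```shell
#!/bin/sh
# Added example: build radvd.conf with one stanza per active ppp interface.
# Assumption: ppp<N> is given its own /64, 2001:db8:0:<0x10+N>::/64.

PREFIX_BASE="2001:db8:0"   # documentation prefix used throughout this post
FIRST_SUBNET=16            # 0x10, so ppp0 keeps 2001:db8:0:10::/64

# Print the hex subnet id for a ppp interface; reject any other string so
# nothing unexpected is ever interpolated into the root-owned config.
subnet_for() {
    case "$1" in
        ppp[0-9]|ppp[1-9][0-9]) ;;
        *) return 1 ;;
    esac
    printf '%x' $(($FIRST_SUBNET + ${1#ppp}))
}

# Print the radvd stanza for one interface (same settings as the single-client file).
render_stanza() {
    subnet=$(subnet_for "$1") || return 1
    cat <<EOF
interface $1 {
    AdvSendAdvert on;
    AdvDefaultPreference high;
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;
    prefix $PREFIX_BASE:$subnet::/64 {
        AdvOnLink on;
        AdvAutonomous on;
    };
    RDNSS 2620:0:ccc::2 2620:0:ccd::2 {
    };
};
EOF
}

# Print a complete config for the interface names given as arguments.
render_conf() {
    for ifname in "$@"; do
        render_stanza "$ifname" || echo "skipping invalid name: $ifname" >&2
    done
}

# Sketch of /etc/ppp/ipv6-up.d/radvd using these functions:
#   ip -6 addr add "$PREFIX_BASE:$(subnet_for "$PPP_IFACE")::1/64" dev "$PPP_IFACE"
#   render_conf $(ls /sys/class/net | grep '^ppp') > /etc/radvd.conf
#   service radvd restart
```

With this layout, the static routes in Part 5 would have to cover each per-link /64 instead of the single 2001:db8:0:10::/64.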

 

5. Network IPv6 Routing

Let's quickly check the extra IPv6 network routing needs for a few different topologies. Remember to adapt your client scripts to the topology.

 

Case 1 : client on the same LAN as the PPTP Server

This is the simplest case. I detail it to outline the need for the Internet Gateway to have a static route to the 2001:db8:0:10::/64 network ( the tunnel IPv6 network ) via 2001:db8:0:1::40 ( the PPTP server ).


Case 2 : client goes LAN-WAN through a local router


Nothing more to do, as the client only has an IPv4 connection with the PPTP server. The Internet Gateway still needs a route :

2001:db8:0:10::/64 through 2001:db8:0:1::40

 

 

Case 3 : Client goes WAN-LAN through a local router

 


Here we have three IPv6 static routes needed :

Internet Gateway : 2001:db8:0:10::/64 through 2001:db8:0:1::40

Internet Gateway : 2001:db8:0:2::/64 through 2001:db8:0:1::40

DIR 626-L : 2001:db8:0:10::/64 through 2001:db8:0:2::40

 

Case 4 : Client uses WAN access

 


Nothing complicated here. We need a static route :

Internet Gateway 2001:db8:0:10::/64 through 2001:db8:0:1::40

and a port forwarding :

Internet Gateway TCP 1723 forwarded to 192.168.1.40 port 1723


Published by computer outlines - in vpn ipv6

Comments

Sameul 18/10/2014 00:09

Hey,
First of all, thank you for this awesome guide, I needed exactly this one. But now to my problem: I set up the server exactly as you did but it doesn't work. Maybe the problem is that I don't have a static IPv6, it's dynamic. So when I enable "net.ipv6.conf.all.forwarding=1" my public IPv6 disappears. I don't know why this is happening but it should be the first step to solve for my own PPTP server.
