Handing out IPv6 addresses to OpenVPN clients

This article was published on , and its contents may differ from the current state of things. If you find an error, corrections are welcome; depending on the situation I will revise the article or hide it.

I bought a new VPS the other day and noticed it came with an IPv6 block, so I decided to tinker and hand out IPv6 inside the VPN.
Note: since OpenVPN is blocked in mainland China, this article probably only applies to readers overseas.

This article is based on Debian 11.

1. Install OpenVPN, iptables, ipset and ndppd

$ apt update
$ apt install openvpn iptables ipset ndppd=0.2.5-6

2. Split the allocated IPv6 block

This assumes the hosting provider gave you an IPv6 block and that your VPS's own address lies inside it. If the VPS's address is not inside the allocated block, you can skip this step.
Because the OpenVPN interface (tun0) needs an IPv6 prefix all to itself, it would clash with the main interface (eth0), which also sits inside the block, so the block has to be split into two non-overlapping prefixes.

For example, suppose the provider gave you the following /64:

2001:XXXX:XXXX::/64

The VPS itself uses the address:

2001:XXXX:XXXX::1/64

It can then be split into two /65 prefixes:

2001:XXXX:XXXX::/65
2001:XXXX:XXXX:8000::/65

Being obsessive about tidiness, I can't stand the VPN's v6 address space being larger than its v4 space and wasting a pile of addresses, so v6 also gets an 8-bit host portion:

2001:XXXX:XXXX:8000::/120

(OpenVPN assigns addresses sequentially starting from 1 anyway, so clients get no say)

As for the VPS itself, it simply gets a single address:

2001:XXXX:XXXX::1/128
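Rather than counting prefix bits by hand (the 65th bit is the top bit of the fifth hextet, which is easy to misplace), the split above can be computed. The following is an added Python example, not code from the original post; it uses the documentation prefix 2001:db8:1::/64 as a constructed stand-in for the provider's block and also renders the lines that later steps put into the interfaces, server.conf and ndppd.conf files.

```python
import ipaddress


def plan_ipv6(provider_prefix, vps_address, vpn_host_bits=8):
    """Split the provider /64 so that eth0 and tun0 never overlap.

    provider_prefix: the block from the hosting provider, e.g. "2001:db8:1::/64"
    vps_address:     the address eth0 already uses, e.g. "2001:db8:1::1"
    vpn_host_bits:   host bits for the VPN pool; 8 gives the /120 used on the page
    Returns the eth0 /128, the prefix for server-ipv6 and both /65 halves.
    """
    net = ipaddress.IPv6Network(provider_prefix, strict=True)
    vps = ipaddress.IPv6Address(vps_address)
    if vps not in net:
        raise ValueError("VPS address is outside the provider block; no split needed")
    half_a, half_b = net.subnets(prefixlen_diff=1)        # the two /65 halves
    free_half = half_b if vps in half_a else half_a       # the half eth0 does NOT live in
    tun_len = 128 - vpn_host_bits                          # 128 - 8 = /120
    tun_net = next(free_half.subnets(new_prefix=tun_len))  # first /120 of the free half
    eth0 = ipaddress.IPv6Network(f"{vps}/128")
    assert not tun_net.overlaps(eth0)                      # the whole point of the split
    return {"eth0": str(eth0), "tun0": str(tun_net),
            "halves": (str(half_a), str(half_b))}


def config_lines(plan):
    """Render the lines that steps 3, 4 and 6 place in their config files."""
    return {
        "interfaces": f"    address {plan['eth0']}",
        "server.conf": f"server-ipv6 {plan['tun0']}",
        "ndppd.conf": f"  rule {plan['tun0']} {{",
    }


if __name__ == "__main__":
    plan = plan_ipv6("2001:db8:1::/64", "2001:db8:1::1")
    print("halves:", plan["halves"])
    for fname, line in config_lines(plan).items():
        print(f"{fname}: {line}")
```

If the VPS address happens to sit in the upper /65, the function picks the lower half for tun0 instead, so the same script works for either layout.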

3. Change the VPS's own IPv6 netmask

I took a shortcut here: I disabled cloud-init's network configuration and edited the config file directly.
The downside is that if the VPS's address ever changes, it will no longer be pushed into the OS automatically; you'll have to go in over VNC and change the address by hand.

$ vim /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg
network: {config: disabled}

$ vim /etc/network/interfaces.d/50-cloud-init
iface eth0 inet6 static
    # address 2001:XXXX:XXXX::1/64
    address 2001:XXXX:XXXX::1/128  # netmask changed to 128
    gateway fe80::1

$ ip addr flush eth0 && systemctl restart networking

4. Configure OpenVPN

$ vim /etc/openvpn/server.conf
...
server-ipv6 2001:XXXX:XXXX:8000::/120
push "route-ipv6 2000::/3"
push "route-metric 2000"
push "dhcp-option DNS 2606:4700::1111"
push "dhcp-option DNS 2001:4860:4860::8888"
## Certificates, IPv4 and the rest are covered all over the web, so they are not pasted here
...

$ systemctl enable openvpn@server
$ systemctl start openvpn@server

5. Configure sysctl

$ vim /etc/sysctl.conf
net.core.rmem_max = 2500000
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.default.forwarding = 1
net.ipv4.tcp_fastopen = 3
net.ipv4.conf.all.proxy_arp = 1
net.ipv6.conf.all.proxy_ndp = 1
net.ipv6.conf.default.proxy_ndp = 1
net.ipv6.conf.eth0.proxy_ndp = 1
net.ipv6.conf.tun0.proxy_ndp = 1
## A lot of these were added while troubleshooting; many are probably unnecessary, but I couldn't be bothered to sort out which

$ sysctl -p

6. Configure ndppd

In theory, setting up an NDP proxy with ip neigh should be enough, but in my case it only worked for an hour or two after configuring it before it broke.
With no other option, I fell back to ndppd to answer the neighbor solicitations with a fake response.

$ vim /etc/ndppd.conf
proxy eth0 {
  router no
  rule 2001:XXXX:XXXX:8000::/120 {
    static
  }
}

$ vim /lib/systemd/system/ndppd.service
[Unit]
Description=NDP Proxy Daemon
After=network.target

[Service]
User=root
ExecStart=/usr/sbin/ndppd -p /var/run/ndppd/ndppd.pid
Type=simple
PIDFile=/var/run/ndppd/ndppd.pid

[Install]
WantedBy=multi-user.target

$ systemctl daemon-reload
$ systemctl enable ndppd
$ systemctl start ndppd

7. Configure ip6tables

$ ip6tables -t nat -F
$ ip6tables -t nat -X
$ ip6tables -t mangle -F
$ ip6tables -t mangle -X
$ ip6tables -F
$ ip6tables -X
$ ip6tables -A INPUT -i lo -j ACCEPT
$ ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$ ip6tables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$ ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
$ ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT
$ ip6tables -A OUTPUT -p ipv6-icmp -j ACCEPT
$ ip6tables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
$ ip6tables -A FORWARD -i eth0 -o tun0 -m state --state NEW -j DROP  # block inbound connections from the internet to OpenVPN clients
$ ip6tables -A FORWARD -i tun0 -o eth0 -j ACCEPT
$ ip6tables -P FORWARD ACCEPT
$ ip6tables -P INPUT DROP
$ ip6tables -P OUTPUT ACCEPT
## If you need to open a port, add a rule of your own

8. (Optional) Force certain services over IPv4

The network I'm on has a dedicated line to Microsoft 365, so sending that traffic through the VPN would be a waste.
ip6tables can therefore REJECT every request to 365's v6 addresses, forcing the OS to fall back to IPv4.

$ ipset create m365 hash:net family inet6
$ ipset add m365 2603:1006::/40
$ ipset add m365 2603:1006:1400::/40
$ ipset add m365 2603:1006:2000::/48
$ ipset add m365 2603:1007:200::/48
$ ipset add m365 2603:1016::/36
$ ipset add m365 2603:1016:1400::/48
$ ipset add m365 2603:1016:2400::/40
$ ipset add m365 2603:1017::/48
$ ipset add m365 2603:1026::/36
$ ipset add m365 2603:1026:2400::/40
$ ipset add m365 2603:1026:3000::/48
$ ipset add m365 2603:1027::/47
$ ipset add m365 2603:1036::/36
$ ipset add m365 2603:1036:2400::/40
$ ipset add m365 2603:1036:3000::/48
$ ipset add m365 2603:1037::/47
$ ipset add m365 2603:1046::/36
$ ipset add m365 2603:1046:1400::/40
$ ipset add m365 2603:1046:2000::/48
$ ipset add m365 2603:1047::/47
$ ipset add m365 2603:1056::/36
$ ipset add m365 2603:1056:1400::/40
$ ipset add m365 2603:1056:2000::/48
$ ipset add m365 2603:1057::/48
$ ipset add m365 2603:1057:2::/48
$ ipset add m365 2603:1061:1300::/40
$ ipset add m365 2603:1063::/39
$ ipset add m365 2603:1063:2000::/38
$ ipset add m365 2620:1ec:4::152/127
$ ipset add m365 2620:1ec:4::192/128
$ ipset add m365 2620:1ec:6::/48
$ ipset add m365 2620:1ec:c::10/127
$ ipset add m365 2620:1ec:c::15/128
$ ipset add m365 2620:1ec:d::10/127
$ ipset add m365 2620:1ec:40::/42
$ ipset add m365 2620:1ec:8f0::/46
$ ipset add m365 2620:1ec:8f8::/46
$ ipset add m365 2620:1ec:8fc::6
$ ipset add m365 2620:1ec:900::/46
$ ipset add m365 2620:1ec:908::/46
$ ipset add m365 2620:1ec:a92::152/127
$ ipset add m365 2620:1ec:a92::171
$ ipset add m365 2620:1ec:a92::192
$ ipset add m365 2a01:111:200a:a::/64
$ ipset add m365 2a01:111:2035:8::/64
$ ipset add m365 2a01:111:f100:2000::a83e:3019/128
$ ipset add m365 2a01:111:f100:2002::8975:2d79/128
$ ipset add m365 2a01:111:f100:2002::8975:2da8/128
$ ipset add m365 2a01:111:f100:7000::6fdd:6cd5/128
$ ipset add m365 2a01:111:f100:a004::bfeb:88cf/128
$ ipset add m365 2a01:111:f400::/48
$ ipset add m365 2a01:111:f402::/47
$ ipset add m365 2a01:111:f406:1::/64
$ ipset add m365 2a01:111:f406:c00::/64
$ ipset add m365 2a01:111:f406:1004::/64
$ ipset add m365 2a01:111:f406:1805::/64
$ ipset add m365 2a01:111:f406:3404::/64
$ ipset add m365 2a01:111:f406:8000::/64
$ ipset add m365 2a01:111:f406:8801::/64
$ ipset add m365 2a01:111:f406:a003::/64
$ ip6tables -I FORWARD -i tun0 -o eth0 -m set --match-set m365 dst -j REJECT --reject-with icmp6-adm-prohibited
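The outcome for a forwarded packet depends on the order the step 7 and step 8 rules end up in: the `-I` REJECT is consulted before everything appended with `-A`, the ICMPv6 ACCEPT sits ahead of the NEW DROP (so pings from the internet still reach clients), and anything unmatched falls to the ACCEPT policy. The following is an added Python simulation of that FORWARD chain, not code from the original post; the ipset contents and the sample packets are constructed, with the VPN client placed in the 2001:db8:1:0:8000::/120 documentation range.

```python
import ipaddress

# Constructed stand-in for the m365 ipset: three of the page's prefixes are enough here.
M365 = [ipaddress.IPv6Network(p) for p in
        ("2603:1006::/40", "2620:1ec:4::152/127", "2a01:111:f400::/48")]

# The FORWARD chain in the order the commands leave it: the step-8 `-I` goes to the
# top, the step-7 `-A` rules keep their appended order. None means "match anything".
FORWARD = [
    {"in": "tun0", "out": "eth0", "proto": None, "state": None, "dst_set": M365, "target": "REJECT"},
    {"in": None, "out": None, "proto": "ipv6-icmp", "state": None, "dst_set": None, "target": "ACCEPT"},
    {"in": "eth0", "out": "tun0", "proto": None, "state": {"RELATED", "ESTABLISHED"}, "dst_set": None, "target": "ACCEPT"},
    {"in": "eth0", "out": "tun0", "proto": None, "state": {"NEW"}, "dst_set": None, "target": "DROP"},
    {"in": "tun0", "out": "eth0", "proto": None, "state": None, "dst_set": None, "target": "ACCEPT"},
]
POLICY = "ACCEPT"  # ip6tables -P FORWARD ACCEPT


def rule_matches(rule, pkt):
    """Every non-None field of the rule must match the packet (iptables ANDs its matches)."""
    if rule["in"] and rule["in"] != pkt["in"]:
        return False
    if rule["out"] and rule["out"] != pkt["out"]:
        return False
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    if rule["state"] and pkt["state"] not in rule["state"]:
        return False
    if rule["dst_set"] is not None:
        dst = ipaddress.IPv6Address(pkt["dst"])
        if not any(dst in net for net in rule["dst_set"]):
            return False
    return True


def verdict(pkt, chain=FORWARD, policy=POLICY):
    """First matching rule wins; otherwise the chain policy applies."""
    for rule in chain:
        if rule_matches(rule, pkt):
            return rule["target"]
    return policy


if __name__ == "__main__":
    client = "2001:db8:1:0:8000::2"  # constructed VPN client address inside the tun0 /120
    samples = {
        "inbound SYN to a VPN client":  {"in": "eth0", "out": "tun0", "proto": "tcp", "state": "NEW", "dst": client},
        "inbound ping to a VPN client": {"in": "eth0", "out": "tun0", "proto": "ipv6-icmp", "state": "NEW", "dst": client},
        "client to Microsoft 365 (v6)": {"in": "tun0", "out": "eth0", "proto": "tcp", "state": "NEW", "dst": "2603:1006:1::1"},
        "client to the open internet":  {"in": "tun0", "out": "eth0", "proto": "tcp", "state": "NEW", "dst": "2001:4860:4860::8888"},
    }
    for name, pkt in samples.items():
        print(f"{name}: {verdict(pkt)}")
```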

Finally, add a bypass for the M365 v4 address ranges in the client configuration file.

That's it: once a client connects, it's ready to use.

Tags: ipv6, ip6tables, ndp, ndppd, openvpn, vpn
