JOIN Homepage -- Howto: OpenVPN IPv6 Tunnel Broker Guide
JOIN IPv6 Project, Westfälische Wilhelms-Universität Münster
Table of Contents
OpenVPN IPv6 Tunnel Broker Guide
  1. Introduction
  2. Definition of the term "tunnel broker"
  3. Tunnel broker clients
  4. Installation of tunnel broker components
    4.1. Installation of OpenSSL CA
    4.2. Installation of OpenVPN server
    4.3. Installation of user database
  5. Functionality of tunnel broker and its components
    5.1. OpenSSL CA
    5.2. OpenVPN server
  6. Routing configuration
  7. Sample server configuration
  8. Sample subnet client configuration
  9. Management
  10. Client user guide
  11. Appendix
OpenVPN-IPv6-Tunnelbroker-Guide (German version)
  Table of Contents
  1. Introduction
  2. Definition of the term "tunnel broker"
  3. Tunnel broker clients
  4. Installation of the tunnel broker components
    4.1. Installation of the OpenSSL CA
    4.2. Installation of the OpenVPN server
    4.3. Installation of the user database
    5.1. OpenSSL CA
    5.2. OpenVPN server
  6. Routing configuration
  7. Sample configuration for a server
  8. Sample configuration for a client
  9. Management
  10. Client user guide
  11. Appendix
OpenVPN IPv6 Tunnel Broker Guide
Copyright © 2004 by Christian Strauf
Acknowledgements go to people from the University of Erlangen for inspiring us with the
idea to use OpenVPN for a tunnel broker service. Thank you, guys, it works like a charm!
1. Introduction
This document describes the process of setting up an OpenVPN based IPv6 tunnel broker to
enable ISP−independent IPv6 connectivity that is authenticated, secure, stable, and IPv4
source-address independent. It provides insight into the necessary configuration and gives an
overview of administrative tasks and possible caveats.
Important notice for Client users: This document deals with the construction of a whole
tunnel broker. For instructions on how to install the client software, please read the
2. Definition of the term "tunnel broker"
Fig.: Schema of a typical tunnel broker
There are many different definitions of the term "tunnel broker". To clarify what this term
means in the context of this document, it is necessary to summarise the tasks that an
OpenVPN−based tunnel broker should fulfil:
· manage a set of X.509 certificates and keys and a certification authority (CA)
· provide IPv6 connectivity to a subscribed client
· check authorisation of a client
· assign a fixed IPv6 prefix to each client (either /64 or /128 for a single address)
· adjust routing according to prefix/address assignment
· on subscription of a new client, create client configuration for server and as archive
file for client
· handle subscription information
To handle all of the above tasks, the tunnel broker needs to consist at least of the following
components:
· OpenSSL certification authority (CA)
· OpenVPN server(s)
· client database
· dedicated router for clients (is identical to OpenVPN server)
· IPv6 infrastructure to route IPv6 traffic to and from clients
To visualise the interaction of these components, take a look at the following figure.
Fig.: Interaction of tunnel broker components
The components in detail may look like this:
· OpenVPN server: powerful Linux or *BSD PC with latest OpenVPN software (at the
time of writing of this document, this is a version that is more recent than 1.6_rc2);
JOIN utilise a Linux server for their installation
· OpenSSL CA: may be any kind of machine with an OpenSSL installation which
provides the openssl binary to create X.509 keys and certificates
· Client database: almost any form of database for holding information about clients,
ranging from a simple text file to dedicated database systems
· Dedicated IPv6 router: normally the same Linux or *BSD machine that runs the
OpenVPN server; routes need to be adjusted on that particular machine
· IPv6 infrastructure: your institution's IPv6 backbone
The above components form what we call a "tunnel broker" for the remainder of this
document. For the sake of scalability, many of the services (e.g. the OpenVPN server) may be
spread across several different servers; this is not difficult to achieve.
3. Tunnel broker clients
A very important part of a tunnel broker is, obviously, the set of tunnel broker clients. To
understand what functionality a tunnel broker needs to implement, it is necessary to have a
look at the different types of clients that need to be connected to the tunnel broker.
First of all, one needs to identify the network topology that a potential client will most likely
reside in. It is assumed that any tunnel broker client only has native global IPv4 connectivity
and no global IPv6 connectivity. From a practical viewpoint, having global IPv6 connectivity
additionally to the tunnel broker IPv6 connectivity is possible. However, this scenario is not a
standard scenario where an IPv6 tunnel broker would be employed. Additionally, effects that
are imposed by having two types of global connectivity still need to be investigated. No
serious problems are to be expected but tests have not yet been conducted to verify this.
One differentiates between two types of clients that reside in two different network
topologies for this particular OpenVPN IPv6 tunnel broker:
· Subnet client: a client that will be assigned a /64 prefix and that may act as a router
for a subnet where it may announce this /64 prefix to other hosts that use the client
as their default router
· Hermit client: a lone client that will be assigned a /128 address
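As an added illustration of the assignment and routing tasks listed in section 2, applied to the two client types above (this is not code from the guide), the following Python sketch gives each subnet client a fixed /64 and each hermit client a fixed /128, records them in a minimal client database, and emits the static routes for the OpenVPN server that doubles as the router. The pool 2001:db8:1::/48, the reservation of its last /64 for hermit addresses, and the tun0 device name are all constructed assumptions.

```python
import ipaddress

# Constructed pool for this example; a real broker uses its own delegated prefix.
BROKER_POOL = ipaddress.IPv6Network("2001:db8:1::/48")
# Assumption: the last /64 of the pool is reserved for hermit (/128) clients.
HERMIT_BLOCK = ipaddress.IPv6Network("2001:db8:1:ffff::/64")


class ClientDatabase:
    """Minimal client database: every client keeps one fixed prefix or address."""

    def __init__(self):
        self.clients = {}                                   # common name -> IPv6Network
        self._subnets = BROKER_POOL.subnets(new_prefix=64)  # candidate /64s, in order
        self._hermits = HERMIT_BLOCK.hosts()                # candidate /128 addresses

    def subscribe(self, cn, kind):
        """Assign a fixed /64 (subnet client) or /128 (hermit client) to a new client."""
        if cn in self.clients:
            # A fixed assignment must never be handed out twice.
            raise ValueError(f"{cn} already subscribed: {self.clients[cn]}")
        if kind == "subnet":
            # Skip the /64 that is reserved for hermit addresses.
            net = next(n for n in self._subnets if n != HERMIT_BLOCK)
        elif kind == "hermit":
            net = ipaddress.IPv6Network(f"{next(self._hermits)}/128")
        else:
            raise ValueError(f"unknown client type {kind!r}")
        self.clients[cn] = net
        return net

    def route_commands(self, dev="tun0"):
        """One static route per client, to be installed on the OpenVPN server/router.

        The device name is an assumption; use the tunnel interface of your server.
        """
        return [f"ip -6 route add {net} dev {dev}" for net in self.clients.values()]


if __name__ == "__main__":
    db = ClientDatabase()
    db.subscribe("subnet-client-1", "subnet")
    db.subscribe("hermit-client-1", "hermit")
    for line in db.route_commands():
        print(line)
```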