IPv6/VPNs

From BitFolk

This page lists some of the technologies you can use to create VPNs that utilize IPv6.

Using tincd

tincd 1.0.16 is the current version in the CentOS repository, and should also be available using apt-get on Debian. Configurations are stored in /etc/tinc. If you want to run multiple VPN tunnels you can create "named instances" by utilising a folder structure, i.e. /etc/tinc/<instance-name>. Tinc directs traffic to named "peers", which are static or dynamic remote host:port combinations of remote tinc daemons. The Linux TUN/TAP driver is required to operate tinc, and is enabled by default, but it doesn't hurt to have

/sbin/modprobe tun

in your /etc/rc.local file.

Step 1. Create the basic config file

Move to /etc/tinc or /etc/tinc/instance-name, as appropriate. Create a file tinc.conf; a sample is below:

Name = tegan
ConnectTo = susan
Interface = susan
Device = /dev/net/tun
BindToAddress = 212.13.195.XXX
Port = XXXXX
#Forwarding = kernel
#Mode = switch

Name is the peer-name of your host, e.g. your DNS name. Note that non-alphanumeric characters are best avoided in naming in tinc.

ConnectTo tells tinc to initiate a connection to the remote peer, which we'll define later. If the remote end is dynamic and you don't know its IP, don't add this line.

Interface is optional, and will give your VPN virtual interface a nice name instead of tun0 or the like. If you have other loopback interfaces or multiple VPNs, this is especially useful.

The Device line indicates the type of interface to use, and tun seems to work best.

BindToAddress and Port indicate the address of your endpoint. If your endpoint is a dynamic IP, just use Port. Be sure to allow traffic through iptables to and from your peer!

Finally, the Forwarding and Mode options control the operation of the tunnel. Kernel forwarding is useful if you are operating multiple tunnels, or if dynamic routing is changing the kernel route table, as it forces all packets received over the VPN to the kernel for distribution. Switch mode is required if the topology at each end is not permanently fixed. For instance, suppose you (host A) have two remote hosts B and C in a triangular VPN with dynamic or fallback routing. On link A-B, C would not normally need to use it, but if one of the two links on C fails, C might route through A to get to B, or through B to get to A, so C cannot be fixed at either the A or B end of the link. If you did add it to the topology of either end, packets originating at the wrong end would be dropped in router mode.


Create the folder /etc/tinc/hosts or /etc/tinc/instance-name/hosts, as appropriate. This will enable the host encryption certificate to be put in the correct place, in the next step.
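The following script is an added example, not part of the BitFolk page or of tinc itself. It writes a named-instance layout (tinc.conf plus the hosts/ folder) from parameters and then checks it against the conventions given above: Name contains only alphanumerics, a ConnectTo peer has a matching host file, Port is numeric, and an rsa_key.priv that is already present is mode 600 rather than readable by other users. The function names, the instance name "office" and the port 655 (tinc's default) are assumptions for the demo; the 212.13.195.XXX address is the page's own placeholder.

```shell
#!/bin/sh
# Added example (not BitFolk's or tinc's code): build and sanity-check a tinc
# named-instance directory. Hypothetical helpers, POSIX sh only.

# Write BASE/INSTANCE/tinc.conf and create BASE/INSTANCE/hosts.
# Usage: tinc_write_conf BASE INSTANCE NAME PEER IFACE ADDR PORT
# Pass an empty PEER for a dynamic remote end (no ConnectTo line) and an
# empty ADDR for a dynamic local endpoint (no BindToAddress line).
tinc_write_conf() {
    base=$1 inst=$2 name=$3 peer=$4 iface=$5 addr=$6 port=$7
    mkdir -p "$base/$inst/hosts"
    {
        printf 'Name = %s\n' "$name"
        if [ -n "$peer" ]; then printf 'ConnectTo = %s\n' "$peer"; fi
        printf 'Interface = %s\n' "$iface"
        printf 'Device = /dev/net/tun\n'
        if [ -n "$addr" ]; then printf 'BindToAddress = %s\n' "$addr"; fi
        printf 'Port = %s\n' "$port"
    } > "$base/$inst/tinc.conf"
}

# Check BASE/INSTANCE. Prints one problem per line; returns 0 only when clean.
# Usage: tinc_check_conf BASE INSTANCE
tinc_check_conf() {
    dir=$1/$2 conf=$1/$2/tinc.conf rc=0
    [ -f "$conf" ] || { echo "missing $conf"; return 1; }
    # Pull the values of the "Key = Value" lines we care about.
    name=$(sed -n 's/^Name *= *//p' "$conf")
    peer=$(sed -n 's/^ConnectTo *= *//p' "$conf")
    port=$(sed -n 's/^Port *= *//p' "$conf")
    # Name: letters, digits and underscore only, and not empty.
    case $name in
        *[!A-Za-z0-9_]*|'') echo "bad Name '$name'"; rc=1 ;;
    esac
    # ConnectTo needs the peer's host file in hosts/ before tincd can connect.
    if [ -n "$peer" ] && [ ! -f "$dir/hosts/$peer" ]; then
        echo "ConnectTo = $peer but $dir/hosts/$peer is missing"; rc=1
    fi
    # Port must be numeric.
    case $port in
        ''|*[!0-9]*) echo "bad Port '$port'"; rc=1 ;;
    esac
    # A private key must not be readable by group or others (expect 600).
    if [ -f "$dir/rsa_key.priv" ]; then
        mode=$(stat -c %a "$dir/rsa_key.priv" 2>/dev/null \
               || stat -f %Lp "$dir/rsa_key.priv")
        [ "$mode" = 600 ] || { echo "rsa_key.priv mode $mode, expected 600"; rc=1; }
    fi
    return $rc
}

# Demo with constructed values: the page's sample peers, the page's placeholder
# address, and port 655. The check reports the missing hosts/susan file.
demo_dir=${TMPDIR:-/tmp}/tinc-example.$$
tinc_write_conf "$demo_dir" office tegan susan susan "212.13.195.XXX" 655
tinc_check_conf "$demo_dir" office || echo "instance office needs attention"
rm -rf "$demo_dir"
```

Run it once before starting tincd on a fresh instance; the check is deliberately stricter than tinc itself, since a missing host file or a group-readable key is exactly the kind of mistake that only shows up later as a connection that never comes up or a key that has been exposed.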

Step 2. Generate encryption keys

The next step is to generate an X.509 private key and corresponding certificate. Tinc makes this easy with the --generate-keys option (short form: -K):

tincd [-n instance-name] -K

This will by default generate private key in /etc/tinc/rsa_key.priv (mode 600) and the public certificate in