About the author

My name is Solène Rapenne. I like learning and sharing experiences about IT stuff. Hobbies: '(BSD OpenBSD h+ Lisp cmdline gaming internet-stuff Crossbow). I love % and lambda characters. OpenBSD developer solene@.

Contact : solene on Freenode or solene+www at dataswamp dot org

OpenBSD as an IPv6 router

Written by Solène, on 06 June 2018.
Tags: #openbsd63 #openbsd #network

Yesterday I subscribed to a VPN service from the French association Grifon (Grifon website[FR] | gopher://grifon.fr) to get IPv6 access to the world and play with IPv6. I will not talk about the VPN service in this article; it would be pointless.

So, I have an IPv6 prefix of 48 bytes, which means I can have a lot of addresses (I did some maths and found 655362 addresses but I am not sure about this).

Now, I would like my computer connected through the VPN to let other computers on my network have IPv6 connectivity.

On OpenBSD, this only requires a few services. If you want to provide IPv6 to Windows devices on your network, you will need one more.

First, configure IPv6 on your LAN:

# ifconfig em0 inet6 autoconf

That’s all. You can add a new line “inet6 autoconf” to your file /etc/hostname.if to get it at boot.

Now, we have to allow IPv6 to be routed through the different interfaces of the router.

# sysctl net.inet6.ip6.forwarding=1

This change can be made persistent across reboots by adding net.inet6.ip6.forwarding=1 to the file /etc/sysctl.conf.

Now we have to configure the daemon rtadvd to advertise that we are routing. Devices on the network should then be able to get an IPv6 address from its advertisements.

The minimal configuration of /etc/rtadvd.conf is the following:

em0:\
   :addr="2a00:5414:7311::":prefixlen#48:

In this configuration file, you have to type your IPv6 prefix in the addr field, and the prefix length in prefixlen. Other attributes can, for example, provide the DNS servers to use.

Then enable the service at boot and start it:

# rcctl enable rtadvd
# rcctl set rtadvd flags em0
# rcctl start rtadvd

Tweaking resolv.conf

By default OpenBSD will ask for IPv4 when resolving a hostname (see syslog.conf(5) for more explanations). So, you will never have IPv6 traffic unless you use software that explicitly requests an IPv6 connection or the hostname is only defined with an AAAA record.

# echo "family inet6 inet" >> /etc/resolv.conf.tail

The file resolv.conf.tail is appended at the end of resolv.conf when dhclient modifies the file resolv.conf.

Microsoft Windows

If you have Windows systems on your network, they won’t get addresses from rtadvd. You will need to deploy a DHCPv6 daemon.

The configuration file for what we want to achieve here is pretty simple: it states which range we want to hand out over DHCPv6 and which DNS server to announce. Create the file /etc/dhcp6s.conf:

interface em0 {
    address-pool pool1 3600;
};
pool pool1 {
    range 2a00:5414:7311:1111::1000 to 2a00:5414:7311:1111::4000;
};
option domain-name-servers 2001:db8::35;

Note that I added “1111” into the range because it should not be on the same network as the router.
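
As an added example (not part of the original article), the following Python script works out what the /48 from rtadvd.conf contains and checks that the DHCPv6 range from dhcp6s.conf sits inside the delegated prefix but outside the router's own network. The ROUTER_LAN value (first /64 of the prefix) and the function names are assumptions made for illustration.

```python
import ipaddress

# Prefix and range copied from the article's rtadvd.conf and dhcp6s.conf.
DELEGATED = ipaddress.ip_network("2a00:5414:7311::/48")
POOL_START = ipaddress.ip_address("2a00:5414:7311:1111::1000")
POOL_END = ipaddress.ip_address("2a00:5414:7311:1111::4000")
# Assumption: the router's own LAN segment is the first /64 of the prefix.
ROUTER_LAN = ipaddress.ip_network("2a00:5414:7311::/64")


def prefix_capacity(net):
    """Return (number of /64 subnets, total addresses) held by a prefix."""
    subnets = 2 ** (64 - net.prefixlen) if net.prefixlen <= 64 else 0
    return subnets, net.num_addresses


def pool_size(start, end):
    """Number of addresses covered by a 'range start to end' statement."""
    return int(end) - int(start) + 1


def check_pool(delegated, router_lan, start, end):
    """Return a list of problems with a DHCPv6 range; empty means it is fine."""
    problems = []
    if start > end:
        problems.append("range start is after range end")
    for addr in (start, end):
        if addr not in delegated:
            problems.append(f"{addr} is outside {delegated}")
        if addr in router_lan:
            problems.append(f"{addr} is inside the router's {router_lan}")
    # Both ends should share one /64, the conventional per-link subnet size.
    link = ipaddress.ip_network(f"{start}/64", strict=False)
    if end not in link:
        problems.append(f"range crosses the boundary of {link}")
    return problems


if __name__ == "__main__":
    subnets, total = prefix_capacity(DELEGATED)
    print(f"{DELEGATED}: {subnets} /64 subnets, {total} addresses")
    print(f"pool size: {pool_size(POOL_START, POOL_END)}")
    for line in check_pool(DELEGATED, ROUTER_LAN, POOL_START, POOL_END) or ["pool OK"]:
        print(line)
```
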

Now, you have to install and configure the service:

# pkg_add wide-dhcpv6
# echo SOME_RANDOM_CHARACTERS | openssl enc -base64 > /etc/dhcp6sctlkey
# chmod 400 /etc/dhcp6sctlkey
# echo "dhcp6s -c /etc/dhcp6s.conf  em0" >> /etc/rc.local

The OpenBSD package wide-dhcpv6 doesn’t provide an rc file to start/stop the service, so it must be started from a command line. One way to do it is to put the command in /etc/rc.local, which is run at boot. The openssl part is mandatory for dhcpv6 to start: it requires a base64 string as a secret key in the file /etc/dhcp6sctlkey.