Re: Tunnelling IPv4 over IPv6 for GitHub access?

2015-11-03 Thread Michael Gmelin
On Mon, 2 Nov 2015 19:29:39 -0800
Craig Rodrigues wrote:

> On Mon, Nov 2, 2015 at 3:50 PM, Michael Gmelin 
> wrote:
> >
> >
> >
> > On Mon, 2 Nov 2015 14:04:18 -0800
> >
> > ikvjwd.com once offered a service using haproxy, you can find their
> > configuration here:
> >
> >
> https://github.com/rcsheets/ikvjwd/commit/58979dcaf42fbbd9203067a6ba4629ba01469120
> >
> 
> We were using ikvjwd.com, but that service did not seem to be very
> reliable.
> 
> 
> >
> > Another way to tunnel all IPv4 traffic is to set up an OpenVPN server
> > on a dual stack machine and route your client IPv4 traffic over it
> > (that approach is actually very easy to accomplish, stable and will
> > work with any service).
> >
> 
> Can you point me to some docs for how to do this?  This could work
> for me.
> 
> I have two separate networks that are connected:
> 
> +---------+      +----------+
> |         |      |          |
> |         |      |          |
> |  Dual   +----> |   IPv6   |
> |  stack  |      |   only   |
> |         |      |          |
> +---------+      +----------+
> 
> 
> My machine is in the IPv6 only network, but it has access to
> a dual stack network.  I still need to run my stuff which accesses
> GitHub in the IPv6 only network.

Basic guide for a point to point connection (this assumes that the
client machine on your IPv6 only network still has an IPv4 stack in
the kernel - also, if all you want is proxying one website [github
http], setting up a proxy might make more sense):

Install and enable openvpn on both machines

pkg install openvpn
sysrc openvpn_enable=YES

Example config side A (client):

Fixed tunnel interface in rc.conf (so you can use tun8 in firewall
rules):

cloned_interfaces="tun8"
ifconfig_tun8="inet 10.10.10.1 10.10.10.2"

/usr/local/etc/openvpn.conf:

tls-client
dev tun8
verb 3
remote hostnameOrIpv6AddressToConnectTo 1294
proto udp6
ca   /usr/local/etc/openvpn/ca.crt
cert /usr/local/etc/openvpn/client.crt
key  /usr/local/etc/openvpn/client.key
tls-auth /usr/local/etc/openvpn/ta.key 1

ifconfig 10.10.10.1 10.10.10.2

# add IPv4 networks you want to route over the tunnel
# you can also use static routes in rc.conf instead
# or push the routes from the server side:
route 141.1.1.0 255.255.255.0

keepalive 10 60
ping-timer-rem
user nobody
group nobody
persist-key
persist-tun
daemon

tun-mtu-extra 6

Example server side B (dual stack in your case):

Fixed tunnel interface in rc.conf (so you can use tun8 in firewall
rules):

cloned_interfaces="tun8"
ifconfig_tun8="inet 10.10.10.2 10.10.10.1"

/usr/local/etc/openvpn.conf:


tls-server
dev tun8
verb 3
local IpV6AddressToListenTo
port 1294
proto udp6
ca   /usr/local/etc/openvpn/ca.crt
cert /usr/local/etc/openvpn/server.crt
key  /usr/local/etc/openvpn/server.key
dh   /usr/local/etc/openvpn/dh4096.pem
tls-auth /usr/local/etc/openvpn/ta.key 0

ifconfig 10.10.10.2 10.10.10.1
# routes to send the other direction (optional)
# ...

keepalive 10 60
ping-timer-rem
user nobody
group nobody
persist-key
persist-tun
daemon

tun-mtu-extra 6



tun-mtu-extra was required in my setup, you might not need it.

tls-auth is optional (it allows openvpn to hide, which you probably
won't need on your local network).

If you don't want to create a set of certificates and/or security is
secondary, you can save yourself the work of creating all the
certificates and replace it with a static shared secret. In this case
ca cert key can be removed and replaced with "secret filename".
filename is generated using "openvpn --genkey --secret filename".

You then need some firewall rule to NAT the traffic that comes over the
tunnel on the server side.

If you have multiple clients, it's better to switch to an address pool
(e.g. server 10.8.0.0 255.255.255.0). In that case I would recommend
pushing all relevant routes to the client (push "route ip netmask" in the
server config) and not bother to use a fixed tunnel interface on
the client side (so no entry in rc.conf and change "tun8" to "tun" in
the client configuration).

It's really not as complicated as my description makes it look :p

You can find plenty of examples on openvpn.net, including a long
example configuration that details all options:
https://openvpn.net/index.php/open-source/documentation/howto.html#examples

There are plenty of howtos out there. I've been using this for a few
years now to circumvent a broken DS-LITE gateway outbound and allow
IPv4 connectivity inbound, it's stable and performs well.

- Michael


-- 
Michael Gmelin
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
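
The server-side NAT rule mentioned in the message above, written out as a pf.conf fragment. This is an added example, not part of the original post. The interface name em0 is an assumption; tun8, 10.10.10.1 and UDP port 1294 are taken from the configurations in the message.

```conf
# /etc/pf.conf on side B (the dual stack server) -- added example
#
# rc.conf on B also needs IPv4 forwarding and pf enabled:
#   gateway_enable="YES"
#   pf_enable="YES"

# Assumption: em0 is B's interface with IPv4 and IPv6 connectivity
ext_if     = "em0"
# From the OpenVPN configs above
tun_if     = "tun8"
vpn_client = "10.10.10.1"

set skip on lo0

# Rewrite the client's tunnel address to B's own IPv4 address when
# its traffic leaves towards the IPv4 Internet
nat on $ext_if inet from $vpn_client to any -> ($ext_if)

# Only the known tunnel peer may send IPv4 through B: block and log
# everything arriving on the tunnel, then allow the peer (last match wins)
block in log on $tun_if all
pass in on $tun_if inet from $vpn_client to any keep state

# Only needed if the rest of the ruleset blocks by default:
# let the OpenVPN transport itself in over IPv6
pass in on $ext_if inet6 proto udp from any to ($ext_if) port 1294 keep state
```

Check the syntax with "pfctl -nf /etc/pf.conf" before loading it with "pfctl -f /etc/pf.conf".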


Tunnelling IPv4 over IPv6 for GitHub access?

2015-11-02 Thread Craig Rodrigues
Hi,

I have some machines which are on an IPv6 only network.
It works great and I can access most things on the IPv6 Internet
that I need like Google ( [2607:f8b0:4004:808::1014]) , Facebook
([2a03:2880:1010:df05:face:b00c:0:2]), CNN ( [2620:100:e000::8001]), etc.

However, the one thing I cannot access is GitHub, which does not
support IPv6 ().

Is there a way that I can tunnel IPv4 over an IPv6 network?

I read this blog post:
http://www.aisecure.net/2013/02/03/tunneling-ipv4-over-ipv6-vpn/
and wasn't sure if this was an approach that I could use.

--
Craig


Re: Tunnelling IPv4 over IPv6 for GitHub access?

2015-11-02 Thread Yonas Yanfa

On 11/02/2015 17:04, Craig Rodrigues wrote:

> Hi,
>
> I have some machines which are on an IPv6 only network.
> It works great and I can access most things on the IPv6 Internet
> that I need like Google ( [2607:f8b0:4004:808::1014]) , Facebook
> ([2a03:2880:1010:df05:face:b00c:0:2]), CNN ( [2620:100:e000::8001]), etc.
>
> However, the one thing I cannot access is GitHub, which does not
> support IPv6 ().
>
> Is there a way that I can tunnel IPv4 over an IPv6 network?
>
> I read this blog post:
> http://www.aisecure.net/2013/02/03/tunneling-ipv4-over-ipv6-vpn/
> and wasn't sure if this was an approach that I could use.
>
> --
> Craig


Weird how such a geek central place like GitHub doesn't support IPv6 o_O.

I'm unfamiliar with tunnelling IPv4 over IPv6, but I'm curious if the
guide you found on aisecure.net worked for you? I would give it a shot
if you haven't tried it yet. It was written only a few years ago
(2013), so it could still work.


Cheers,
Yonas

--

Yonas Yanfa
In Love With Open Source
Drupal :: GitHub :: Mozilla :: iPhone


fizk.net | yo...@fizk.net



Re: Tunnelling IPv4 over IPv6 for GitHub access?

2015-11-02 Thread Mark Martinec

Craig Rodrigues wrote:


> I have some machines which are on an IPv6 only network.
> It works great and I can access most things on the IPv6 Internet
> that I need like Google ( [2607:f8b0:4004:808::1014]) , Facebook
> ([2a03:2880:1010:df05:face:b00c:0:2]), CNN ( [2620:100:e000::8001]),
> etc.
>
> However, the one thing I cannot access is GitHub, which does not
> support IPv6 ().
>
> Is there a way that I can tunnel IPv4 over an IPv6 network?
>
> I read this blog post:
> http://www.aisecure.net/2013/02/03/tunneling-ipv4-over-ipv6-vpn/
> and wasn't sure if this was an approach that I could use.


I don't see how a tunnel encapsulation would help here - you need to
translate between protocol families, as your client side is IPv6-only.

If all the traffic is HTTP then a web proxy like squid running
on a dual-stacked host would suffice. Otherwise a NAT64 (with DNS64)
is needed, like implemented in OpenBSD's pf (but not available
in FreeBSD's pf).

  Mark


Re: Tunnelling IPv4 over IPv6 for GitHub access?

2015-11-02 Thread Michael Gmelin


On Mon, 2 Nov 2015 14:04:18 -0800
Craig Rodrigues wrote:

> Hi,
> 
> I have some machines which are on an IPv6 only network.
> It works great and I can access most things on the IPv6 Internet
> that I need like Google ( [2607:f8b0:4004:808::1014]) , Facebook
> ([2a03:2880:1010:df05:face:b00c:0:2]), CNN ( [2620:100:e000::8001]),
> etc.
> 
> However, the one thing I cannot access is GitHub, which does not
> support IPv6 ().
> 
> Is there a way that I can tunnel IPv4 over an IPv6 network?
> 
> I read this blog post:
> http://www.aisecure.net/2013/02/03/tunneling-ipv4-over-ipv6-vpn/
> and wasn't sure if this was an approach that I could use.

ikvjwd.com once offered a service using haproxy, you can find their
configuration here:

https://github.com/rcsheets/ikvjwd/commit/58979dcaf42fbbd9203067a6ba4629ba01469120

Another way to tunnel all IPv4 traffic is to set up an OpenVPN server on
a dual stack machine and route your client IPv4 traffic over it (that
approach is actually very easy to accomplish, stable and will work
with any service).

- Michael

> 
> --
> Craig



-- 
Michael Gmelin


Re: Tunnelling IPv4 over IPv6 for GitHub access?

2015-11-02 Thread Craig Rodrigues
On Mon, Nov 2, 2015 at 3:50 PM, Michael Gmelin wrote:
>
>
>
> On Mon, 2 Nov 2015 14:04:18 -0800
>
> ikvjwd.com once offered a service using haproxy, you can find their
> configuration here:
>
>
> https://github.com/rcsheets/ikvjwd/commit/58979dcaf42fbbd9203067a6ba4629ba01469120
>

We were using ikvjwd.com, but that service did not seem to be very reliable.


>
> Another way to tunnel all IPv4 traffic is to set up an OpenVPN server on
> a dual stack machine and route your client IPv4 traffic over it (that
> approach is actually very easy to accomplish, stable and will work
> with any service).
>

Can you point me to some docs for how to do this?  This could work for me.

I have two separate networks that are connected:

+---------+      +----------+
|         |      |          |
|         |      |          |
|  Dual   +----> |   IPv6   |
|  stack  |      |   only   |
|         |      |          |
+---------+      +----------+


My machine is in the IPv6 only network, but it has access to
a dual stack network.  I still need to run my stuff which accesses
GitHub in the IPv6 only network.

--
Craig