Test IPv6 over openvpn

profile/manifests/openvpn/client.pp

@@ -4,6 +4,7 @@
 
 class profile::openvpn::client (
   Array   $routes   = [],
+  Array   $routes6  = [],
   String  $proto    = 'tcp-client',
   Boolean $isserver = false,
   String  $key      = $::profile::openvpn::params::key,
@@ -11,6 +12,7 @@ class profile::openvpn::client (
   Integer $port     = $::profile::openvpn::params::port,
   String  $keyfile  = $::profile::openvpn::params::keyfile,
   String  $ifrange  = $::profile::openvpn::params::ifrange,
+  String  $ifrange6 = $::profile::openvpn::params::ifrange6,
   String  $cipher   = $::profile::openvpn::params::cipher,
   String  $auth     = $::profile::openvpn::params::auth,
   String  $logfile  = $::profile::openvpn::params::logfile,

profile/manifests/openvpn/params.pp

@@ -7,6 +7,7 @@ class profile::openvpn::params (
   Integer $port     = 11011,
   String  $keyfile  = '/etc/openvpn/secret.key',
   String  $ifrange  = '192.168.221',
+  String  $ifrange6 = 'fd5d:12c9:4221',
   String  $cipher   = 'AES-128-CBC',
   String  $auth     = 'SHA256',
   String  $logfile  = '/var/log/openvpn.log',

profile/manifests/openvpn/server.pp

@@ -3,6 +3,7 @@
 #
 class profile::openvpn::server (
   String  $publicip,
+  String  $publicip6,
   String  $proto    = 'tcp-server',
   Boolean $isserver = true,
   String  $key      = $::profile::openvpn::params::key,
@@ -10,6 +11,7 @@ class profile::openvpn::server (
   Integer $port     = $::profile::openvpn::params::port,
   String  $keyfile  = $::profile::openvpn::params::keyfile,
   String  $ifrange  = $::profile::openvpn::params::ifrange,
+  String  $ifrange6 = $::profile::openvpn::params::ifrange6,
   String  $cipher   = $::profile::openvpn::params::cipher,
   String  $auth     = $::profile::openvpn::params::auth,
   String  $logfile  = $::profile::openvpn::params::logfile,
@@ -39,31 +41,52 @@ class profile::openvpn::server (
   -> File['/etc/openvpn/server.conf']
 
   # The network config bit
-  sysctl { 'net.ipv4.ip_forward': value => '1' }
+  sysctl {
+    'net.ipv4.ip_forward':
+      value => '1';
+    'net.ipv6.conf.all.forwarding':
+      value => '1';
+    }
 
-  firewall { '100 DNAT to tunnel':
-    table       => 'nat',
-    chain       => 'PREROUTING',
-    proto       => 'all',
-    jump        => 'DNAT',
-    destination => $publicip,
-    todest      => "${ifrange}.10",
+  firewall {
+    default:
+      table => 'nat',
+      chain => 'PREROUTING',
+      proto => 'all',
+      jump  => 'DNAT';
+    '100 DNAT to tunnel':
+      destination => $publicip,
+      todest      => "${ifrange}.10";
+    '100 DNAT to tunnel v6':
+      destination => $publicip6,
+      todest      => "${ifrange6}::10",
+      provider    => 'ip6tables';
   }
 
-  firewall { '100 SNAT to internet':
-    table    => 'nat',
-    chain    => 'POSTROUTING',
-    proto    => 'all',
-    jump     => 'SNAT',
-    source   => "${ifrange}.10",
-    outiface => '! tun+',
-    tosource => $publicip,
+  firewall {
+    default:
+      table    => 'nat',
+      chain    => 'POSTROUTING',
+      proto    => 'all',
+      jump     => 'SNAT',
+      outiface => '! tun+';
+    '100 SNAT to internet':
+      source   => "${ifrange}.10",
+      tosource => $publicip;
+    '100 SNAT to internet v6':
+      source   => "${ifrange6}::10",
+      tosource => $publicip6,
+      provider => 'ip6tables';
   }
 
-  firewall { '110 forward related and established':
-    chain   => 'FORWARD',
-    ctstate => ['RELATED', 'ESTABLISHED'],
-    proto   => 'all',
-    action  => 'accept',
+  firewall {
+    default:
+      chain   => 'FORWARD',
+      ctstate => ['RELATED', 'ESTABLISHED'],
+      proto   => 'all',
+      action  => 'accept';
+    '110 forward related and established':;
+    '110 forward related and established v6':
+      provider => 'ip6tables';
   }
 }

profile/templates/openvpn.conf.erb

@@ -15,12 +15,17 @@ log-append       <%= @logfile %>
 verb             3
 <% if @isserver -%>
 ifconfig         <%= @ifrange %>.11 <%= @ifrange %>.10
+ifconfig-ipv6    <%= @ifrange6 %>::11 <%= @ifrange6 %>::10
 local            <%= @srvip %>
 <% else -%>
 ifconfig         <%= @ifrange %>.10 <%= @ifrange %>.11
+ifconfig-ipv6    <%= @ifrange6 %>::10 <%= @ifrange6 %>::11
 remote           <%= @srvip %>
 redirect-gateway local
 <% @routes.each do |route| -%>
 route            <%= route %>
 <% end -%>
+<% @routes6.each do |route| -%>
+route-ipv6       <%= route %>
+<% end -%>
 <% end -%>