puxxustc / muon

A fast stateless VPN with simple obfuscation
GNU General Public License v3.0

How to config the server and client to use IPv6? #12

Closed valkjsaaa closed 7 years ago

valkjsaaa commented 7 years ago

The server and client config only shows IPv4. I wonder how we should configure it to use IPv6 between server and client?

Thanks!

puxxustc commented 7 years ago

Use address6 to set the IPv6 address.

valkjsaaa commented 7 years ago

If it's possible, could you give me a rough example?

Thanks!

valkjsaaa commented 7 years ago

BTW, here is my current config. I just found out that although the client can ping the server, it cannot ping another server. Any idea what is wrong?

Thanks!

server.conf:

# muon server config

# user to set privilege to
user=root

# server or client
mode=server

# server address
server=0.0.0.0

# server port
port=12000-12999

# secret key for crypto
#   run `dd if=/dev/random bs=1 count=9 | md5sum' to create one
key=abcde #password

# TUN device name, tunX for linux, utunX for darwin
tunif=vpn0

# MTU of TUN device
#   Ethernet: 1500 - 20(IPv4, or 40 for IPv6) - 8(UDP) - 18(muon)
#   PPPoE: 1492 - 20(IPv4, or 40 for IPv6) - 8(UDP) - 18(muon)
mtu=1434

# IPv4 address of TUN device, CIDR notation
address=10.10.10.0/31

# IPv6 address of TUN device, CIDR notation
address6=

# enable NAT or not
nat=yes

# delay
delay=5

client.conf:

# muon client config

# user to set privilege to
user=root

# server or client
mode=client

# server address
server=a.b.c.d #server ipv4 address

# server port
port=12000-12999

# secret key for crypto
#   run `dd if=/dev/random bs=1 count=9 | md5sum' to create one
key=abcde #password

# TUN device name, tunX for linux, utunX for darwin
tunif=vpn0

# MTU of TUN device
#   Ethernet: 1500 - 20(IPv4, or 40 for IPv6) - 8(UDP) - 18(muon)
#   PPPoE: 1492 - 20(IPv4, or 40 for IPv6) - 8(UDP) - 18(muon)
mtu=1434

# IPv4 address of TUN device, CIDR notation
address=10.10.10.1/31

# IPv6 address of TUN device, CIDR notation
address6=

# IPv4 address of remote peer (darwin only)
peer=10.10.10.0

# add route or not
route=no

# delay
delay=5

The ping result:

➜  ~ ping -I vpn0 10.10.10.0
PING 10.10.10.0 (10.10.10.0) from 10.10.10.1 vpn0: 56(84) bytes of data.
64 bytes from 10.10.10.0: icmp_seq=1 ttl=64 time=187 ms
64 bytes from 10.10.10.0: icmp_seq=2 ttl=64 time=186 ms
64 bytes from 10.10.10.0: icmp_seq=3 ttl=64 time=183 ms
64 bytes from 10.10.10.0: icmp_seq=4 ttl=64 time=182 ms
^C
--- 10.10.10.0 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 182.821/184.903/187.325/1.924 ms
➜  ~ ping -I vpn0 8.8.4.4
PING 8.8.4.4 (8.8.4.4) from 10.10.10.1 vpn0: 56(84) bytes of data.
^C
--- 8.8.4.4 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3052ms

puxxustc commented 7 years ago

server: address6=fd00::/127, client: address6=fd00::1/127

You need to set up iptables to enable NAT on the server.
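
The pairing behind these values (both ends in the same /31 or /127, each with its own address) and the MTU budget from the config comments can be checked mechanically. This is an added example, not part of the thread or of muon: `parse_conf`, `check_pair`, the sample key and `2001:db8::10` are constructed, and stripping inline `#` comments is an assumption about the file format.

```python
import ipaddress

def parse_conf(text):
    """Parse key=value lines; dropping everything after '#' is this example's assumption."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def check_pair(server, client, link_mtu=1500):
    """Return a list of problems in a server/client pair (empty list = consistent)."""
    problems = []
    if server.get("key") != client.get("key"):
        problems.append("key differs")
    if len(client.get("key", "")) < 32:  # md5sum prints 32 hex characters
        problems.append("key shorter than md5sum output")
    for fam in ("address", "address6"):
        s, c = server.get(fam), client.get(fam)
        if not s and not c:
            continue  # this family is not used inside the tunnel
        if not s or not c:
            problems.append(f"{fam} set on one side only")
            continue
        si, ci = ipaddress.ip_interface(s), ipaddress.ip_interface(c)
        if si.network != ci.network:
            problems.append(f"{fam} prefixes differ")
        elif si.ip == ci.ip:
            problems.append(f"{fam} duplicated")
    # MTU budget from the config comments: link - IP header - 8 (UDP) - 18 (muon).
    # The IP header is the transport's, i.e. the family of the client's server= address.
    try:
        hdr = 40 if ipaddress.ip_address(client.get("server", "")).version == 6 else 20
    except ValueError:
        hdr = 40  # hostname or empty: budget for the larger IPv6 header
    budget = link_mtu - hdr - 8 - 18
    if int(client.get("mtu") or 0) > budget:
        problems.append(f"mtu above {budget}")
    return problems

# Constructed sample pair using the address6 values from the reply above.
SERVER = parse_conf("mode=server\nkey=0123456789abcdef0123456789abcdef\nmtu=1434\n"
                    "address=10.10.10.0/31\naddress6=fd00::/127\n")
CLIENT = parse_conf("mode=client\nserver=2001:db8::10  # constructed address\n"
                    "key=0123456789abcdef0123456789abcdef\nmtu=1434\n"
                    "address=10.10.10.1/31\naddress6=fd00::1/127\n")
if __name__ == "__main__":
    print(check_pair(SERVER, CLIENT) or "pair is consistent")
```

With an IPv6 server address the budget is 1500 - 40 - 8 - 18 = 1434, which is the `mtu=1434` already in both configs; over IPv4 transport it would be 1454.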

valkjsaaa commented 7 years ago

I think I already set up the iptables on the server. Is there any entry missing?

➜  ~ iptables -L -v
iptables -t nat -L -v
iptables -t mangle -L -v
Chain INPUT (policy ACCEPT 155 packets, 43770 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   30  2520 ACCEPT     all  --  any    any     10.10.10.0/30        anywhere
   30  2520 ACCEPT     all  --  any    any     anywhere             10.10.10.0/30

Chain OUTPUT (policy ACCEPT 167 packets, 56292 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain PREROUTING (policy ACCEPT 67 packets, 20233 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 66 packets, 20149 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1 packets, 60 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1 packets, 60 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    84 MASQUERADE  all  --  any    any     10.10.10.0/30        anywhere
Chain PREROUTING (policy ACCEPT 217 packets, 48914 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 157 packets, 43874 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 60 packets, 5040 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TCPMSS     tcp  --  any    any     10.10.10.0/30        anywhere             tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
    0     0 TCPMSS     tcp  --  any    any     anywhere             10.10.10.0/30        tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT 180 packets, 59628 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 240 packets, 64668 bytes)
 pkts bytes target     prot opt in     out     source               destination

puxxustc commented 7 years ago

You need to enable IP forwarding: sudo sysctl -w net.ipv4.ip_forward=1

valkjsaaa commented 7 years ago

I think I already set up IP forwarding. From the iptables packet count, it seems that the ping packet is forwarded out but no inbound packet is ever received (or no inbound packet is matched by those rules). Any suggestions?

puxxustc commented 7 years ago

Use tcpdump to see how the packets are going.