IPv6 Tunnel over https

choletzke · October 11, 2016, 6:56pm

Hi,

i have a problem with TCP 443 and tunnel over ipv6 with mikrotik.
ovpn or sstp and all other methods work only with ipv4. Only my raspberry
will provide for me a solution to become a tunnel from china to europe.

i think that metarouter openwrt will work to, but the world need a native
ipv6 tunnel support over https like TCP 443. When will router os provide
this service? or have anyone other solution for this. ipsec gre ipip work
over other protocols that are blocked in hotels etc…

thanks for solutions and answers

Splash · October 12, 2016, 3:27pm

I am not 100% sure what you are asking, but if its about creating an IPv6 tunnel over IPv4 then…

What you are looking for is a 6to4 tunnel which you can create once you have enabled Ipv6 on the router. You can obtain a free tunnel broker account from Hurricane Electric @ https://tunnelbroker.net

Example Config:

/interface 6to4 add comment="Hurricane Electric IPv6 Tunnel Broker" disabled=no local-address=x.x.x.x mtu=1280 name=sit1 remote-address=y.y.y.y
/ipv6 route add comment="" disabled=no distance=1 dst-address=2000::/3 gateway=2001:1234:1234:1234:1 scope=30 target-scope=10
/ipv6 address add address=2001:1234:1234:1234::2/64 advertise=no disabled=no eui-64=no interface=sit1

You will need a static IP, or set up the Mikrotik to update the Tunnel IP when its IP changes. There are scripts available for that using their API.

TCP 443 is HTTPS…

ZeroByte · October 12, 2016, 3:39pm

He wants IPv6 support in OVPN / SSTP

Currently, the clients for dial-out VPN connections don’t support an IPv6 address for the remote host.

There are some static tunnel interface types which support IPv6:
IPIPv6
GREv6
EoIPv6

However these aren’t encrypted by default (I suppose an IPv6 IPSec SA could be built as well) and require both ends to be static IP addresses and pre-configured. OP wants to be able to use road warrior VPN functionality, but over IPv6.

I agree that this should be done.

Splash · October 12, 2016, 3:43pm

Ahh ok, thanks for the explanation

choletzke · October 12, 2016, 3:44pm

Exactly i need IPv6 support for OVPN/SSTP. IPIPv6,GREv6 or EoIPv6 have
other Protocols and not running over 443 https.

ivanfm · October 15, 2016, 8:09pm

I’m using IPV6 on SSTP VPN with mikrotik.

The server does not pull the address for client, but if you configure static address and routes the ipv6 traffic goes fine.

Will be very nice if mikrotik get the IP from radius and pull to the client.

choletzke · October 16, 2016, 9:54pm

Can you give me a quick config for this over Sstp

ivanfm · October 18, 2016, 6:35pm

Create your SSTP VPN as documented here :
http://wiki.mikrotik.com/wiki/Manual:Interface/SSTP

on client add static ip on the interface and the route
/ipv6 address add interface=CLIENT_VPN_INTERFACE address=CLIENT_IPV6_ADDRESS advertise=no
/ipv6 route add dst-address=THE_ADRESSESS_TO_ROUTE gateway=CLIENT_VPN_INTERFACE

On vpn server create manually the routes or let radius to send Framed-IPv6-Prefix with the network address that should be routed to the client.
Using the attribute on radius the server route will be created correctly.

choletzke · October 20, 2016, 6:50pm

/interface sstp-client add connect-to=“no ipv6 support” hmmm