tinc IPv6 VPN router on a Raspberry Pi – part three
Jan 18th, 2015 by Anders Kringstad

As promised in my last post about the tinc IPv6 VPN router on Raspberry Pi I’ll provide cut-and-paste setup instructions to get the setup off the ground. I have used Ubuntu 14.04.l LTS to create this howto, but most other Debian-based distributions will work for this, and most other distributions also carry the tinc package.

Prepared requirements to complete this howto is:
a) One installed virtual or physical server with dualstack IPv4 and IPv6 connectivity to the Internet without port filtering. (Must be added after installation is done).
b) Static IPv6 addressing with atleast one static address (eth0) and two /64 networks routed to this address.
c) An Raspberry Pi with an Raspbian installed.
d) The Nordic Semiconductor (Bluetooth Smart) Raspbian 6LoWPAN-enabled 3.17.4+-release Linux kernel image package downloadable from their devzone site (direct download link: here)

Note: Please replace the IPv4 and IPv6 example networking with your own networks as needed in the following configuration examples. To get this working you need to know that the eth0 interface of the router has the IPv6 address 2001:0db8:85a3:a1a1::1/64 facing the Internet and the IPv6 network 2001:0db8:85a3:ef00::/56 routed to it. The virtual interface running the v6router has the /56 prefix routed to it locally and does the routing for it’s clients on the “inside” of this interface virtually.

On your server carry out the following steps to get tinc installed and ready for action:

aptitude install tinc
echo "v6router" >> /etc/tinc/nets.boot
mkdir -p /etc/tinc/v6router/hosts
cd /etc/tinc/v6router
cat <<EOT >> /etc/tinc/v6router/tinc.conf
Name = v6router
Mode = switch
cat <<EOT >> /etc/tinc/v6router/tinc-up
# Enable tinc - add things
ip link set $INTERFACE up
ip -6 addr add 2001:0db8:85a3:ef00::1/64 dev \$INTERFACE
ip -6 route add 2001:0db8:85a3:ef00::/56 dev \$INTERFACE

# Static routing table - five client networks
ip -6 route add 2001:0db8:85a3:ef11::/64 via 2001:0db8:85a3::11
ip -6 route add 2001:0db8:85a3:ef12::/64 via 2001:0db8:85a3::12
ip -6 route add 2001:0db8:85a3:ef13::/64 via 2001:0db8:85a3::13
ip -6 route add 2001:0db8:85a3:ef14::/64 via 2001:0db8:85a3::14
ip -6 route add 2001:0db8:85a3:ef15::/64 via 2001:0db8:85a3::15
chmod +x /etc/tinc/v6router/tinc-up
cat <<EOT >> /etc/tinc/v6router/tinc-down
# Disable tinc - remove things

# Static routing table - remove routes for clients
ip -6 route del 2001:0db8:85a3:ef11::/64 via 2001:0db8:85a3::11
ip -6 route del 2001:0db8:85a3:ef12::/64 via 2001:0db8:85a3::12
ip -6 route del 2001:0db8:85a3:ef13::/64 via 2001:0db8:85a3::13
ip -6 route del 2001:0db8:85a3:ef14::/64 via 2001:0db8:85a3::14
ip -6 route del 2001:0db8:85a3:ef15::/64 via 2001:0db8:85a3::15

# Disable tinc - remove routes and interface
ip -6 route del 2001:0db8:85a3:ef00::/56 dev \$INTERFACE
ip -6 addr del 2001:0db8:85a3:ef00::1/64 dev \$INTERFACE
ip -6 link set \$INTERFACE down
chmod +x /etc/tinc/v6router/tinc-down
cat <<EOT >> /etc/tinc/v6router/hosts/v6router
Address =
Subnet = 2001:0db8:85a3:ef00::1/128
tincd -n v6router -K4096
echo "net.ipv6.conf.all.forwarding = 1" >> /etc/sysctl.conf

Now, we should repeat this process on the Raspberry Pi, slightly modified, as we should not set up as much networking here as on the central router. Here are the commands to copy-and-paste for your Pi after logging in as root (yes, we require Internet access for this):

apt-get install tinc
mkdir -p /etc/tinc/v6router/hosts
cd /etc/tinc/v6router
cat <<EOT >> /etc/tinc/v6router/tinc.conf
Name = node-one
Mode = switch
ConnectTo = v6router
cat <<EOT >> /etc/tinc/v6router/tinc-up
ip link set \$INTERFACE up
ip -6 addr add 2001:0db8:85a3::11/64 dev \$INTERFACE
ip -6 route add default via 2001:0db8:85a3::1 dev v6router
chmod +x /etc/tinc/v6router/tinc-up
cat <<EOT >> /etc/tinc/v6router/tinc-down
ip -6 route del default via 2001:0db8:85a3::1
ip -6 addr del 2001:0db8:85a3::11/64 dev \$INTERFACE
ip -6 link set \$INTERFACE down
chmod +x /etc/tinc/v6router/tinc-down
cat <<EOT >> /etc/tinc/v6router/hosts/node-one
Subnet = 2001:0db8:85a3::11/128
tincd -n node-one -K2048

You now need to copy the file /etc/tinc/v6router/hosts/v6router from your central server to the node-one Raspberry Pi and place the contents of it in the exactly same file on the Pi. Then copy the contents of the file /etc/tinc/v6router/hosts/node-one from your Raspberry Pi to the same file on the central server.

If you would like your Raspberry Pi to automatically connect to the v6router on power-on you should add one more set of commands to it:

cat <<EOT >> /etc/tinc/nets.boot

You should now reboot your v6router server and make sure that it displays a virtual interface named v6router when done, it should look something like this:

v6router Link encap:Ethernet HWaddr c0:ff:ee:c0:ff:ee
         inet6 addr: fe80::50c0:35ff:eec0:ffee/64 Scope:Link
         inet6 addr: 2001:0db8:85a3::1/64 Scope:Global
         RX packets:0 errors:0 dropped:0 overruns:0 frame:0
         TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:500
         RX bytes:0 (0 MB) TX bytes:0 (0 MB)

Now reboot your Raspberry Pi and see if it’ll respond back to you with a ping on it’s IPv6 address. If you get a ping reply you are set for the last part that we’ll do in part four: – Getting the Raspberry Pi to connect devices on it’s local network with the routed IPv6 subnet.

Re: Who governs the Internet?
May 26th, 2011 by Anders Kringstad

Diplo Foundation: Internet Governance anno 2004©
After posting my previous ramblings on the subject of Internet Governance (IG) I’ve been quite busy in my head, thinking about where I stand on this subject and how best to define the various aspects of IG within the so-called «Nordic model» that applies to Government, Business and Citizen of Iceland, Norway, Sweden, Finland and Denmark (the Nordic countries). This time, I’m exploring parts of IG in the Nordics, as seen from Norway.

First of all, I’m not so sure that the Internet are seen in the same way in the Nordic region as a whole. I might be wrong, but Finland seem to be ahead of both Norway and Sweden, with Iceland and Denmark fast approaching from behind. Internet access is written into law as a citizen right in Finland and Sweden but not in the other countries (yet). With the United Nations pushing to make basic Internet access a human right (2003) and a renewal of this as a ‘fundamental right’ at the 2005 World Summit of the Information Society (WSIS) in Tunis, more countries are bound to make basic Internet access law for it’s citizen. In all the Nordic countries 80-95% of the population have access to the Internet on a daily basis if they wish to; at home, work/school or at Internet cafés, by cellphone et.c.

The WSIS Working Group (WG) on Internet Governance (WGIG), set up by the Secretary-General of the United Nations, after the first part of the WSIS in Geneva (2003) were asked to “investigate and make proposals for action, as appropriate, on the governance of the Internet by 2005″. Three defined issues represented the different objectives of the WG. One of these, “Develop a working definition of Internet Governance” are found in the report delivered by the WG:

“Internet governance is the development and application by Governments, the private sector and civil society, in their respective roles, of shared principles, norms, rules, decision-making procedures, and programs that shape the evolution and use of the Internet”[1]

In Norway the Government have for the past three-four years, to a degree, tried handed down the task of governing/policing the Internet from a juridical view, to private sector law companies and Internet providers, who for their part, are hard working not to become the ‘Norwegian Internet Police’ (NIP). I think that with the recent changes in policy and proposed laws in Norway we are likely to see a private sector NIP emerging quite quickly as providers of online services and access to Internet resources are required by law to police their users activities.

Let’s start with the part where many governments faulty  ‘Govern’ as ‘limiting access’:
As a technical somewhat technically oriented and policy-interested person I find it a bit hard to see a central governmental control of the Internet in Norway happen in a way that will hinder unwanted activities by citizens. The fact that it’ll be harder for ordinary citizen to carry out perfectly legal online activity and just as simple as before to do online criminal activity it’s enticing to see how many politicians of the western world see it as their job to implement digital restrictions on their subjects.

The ‘strike first’ policies with technical/digital hindering of negatively charged activities should certainly not be adopted in such a civilised country as ours? (Many people ask themselves this as the European Union have adapted the directive of data retention (“Directive 2006/24/EC”) Well?
Seen from a political view there is nothing wrong with creating digital walls that will hinder your subjects to do things not permitted by law. There’s only one problem here: We do not build such walls in our offline, physical society. There is no wall outside a nursery that will hinder a unscrupulous  individual taking pictures of the kids there. Nor is there someone taking notice on how many residence doors you approach, walk by or enter, and wish to use this information to decide if you’re a likely criminal.
Seen from a business view there is equally nothing wrong with having digital security in place and do a (technical part now, folks) package inspection on a content level (DPI) to make sure no corporate secrets are leaked. As long as this digital security is automatic, non-identifying of employees it’s for most people employed, ok. As many companies today have a set of rules for the use of computers and how to act online, what to access et.c. when representing the company/at work a little line or two about package inspection are probably being entered into the next rewrite of those rules.
I believe that it’s at work people are most likely to meet a page that tells them that ‘this part of the Internet is closed to you due to company policy’. This part of corporate culture and Information Security is a tipping point in peoples view of restriction of access. Regardless of company, there’s two camps here: Permissive or restrictive access. Restrictive access is of course the part with that incriminating page that tells you that /this/ is not something you should be doing at work. Working with permissive policies leaves the choices to the user, under the knowledge that the company might very well log their access, should something criminal happen down the road.
Seen from a residential view there is certainly something wrong with a paid-for Internet connection being monitored and logged for ‘future reference’ should something occur in your neighbourhood, or origin from the residential Internet connection that is not in line with local law. This rocks the very clear, and so far, unmovable principle that we are all equal to the law and are seen as innocent unless proven guilty.

So? Back to the main issue eh?
Who governs the Internet? It is clear through the definition by the WGIG[1] that the Internet is governed by a set of multi-stakeholders from three main parties, namely Government (G), Business (B) and Citizen (C). Within these there are a number of sub-representations such as Residential (R), Non-Governmental Organisations (NGO), Religious communities (R)
However, there is, even today, not a clear view of how to make sure that we are all equally treated in the scope of the Internet as a vital and more and more important part of our life. There have recently been great strides towards creating common ground for all, and this is certainly an evolving work on this, currently at the e-G8 and the G8-forum in France.

Right now I only see one thing as rock solid: As the Internet evolves the way it is governed will also evolve. What once was a academic research project have certainly come a long way since the 1960ies.

[1] Working definition of Internet Governance, published in the report from the Working Group on Internet Governance (WGIG), 2005, page 4

Norway’s largest newspaper enables IPv6!
Sep 20th, 2010 by Anders Kringstad

I was pleased this morning when I through IRC learned that Norway’s largest newspaper have enabled IPv6 at their domain, Not that I read VG much, but the fact that there is a push forward with IPv6 in the media sector is great, since it’s only about 8-9 months until there are no more IPv4 addresses left.

Here at work we’re doing lot’s of fun stuff with IPv6, and are currently actively pushing forward with dualstack implementations for our customers.

But today, we end with a delicious traceroute to VG via IPv6:

traceroute to (2a02:c0:1010::16) from 2a02:2c8:1:42::4, 30 hops max, 16 byte packets
1 (2a02:2c8:1:400::1)  0.271 ms  0.245 ms  0.232 ms
2  2a01:560:207::1 (2a01:560:207::1)  0.597 ms  0.485 ms  0.491 ms
3 (2001:7f8:12:1::3:9029)  8.733 ms  8.914 ms  8.61 ms
4  2a02:c0:1000:2::3 (2a02:c0:1000:2::3)  9.015 ms  9.207 ms  10.083 ms
5  2a02:c0:1010::16 (2a02:c0:1010::16)  8.637 ms  8.774 ms  8.709 ms

»  Substance:WordPress   »  Style:Ahren Ahimsa