rejsmont/UStun
Latest commit 4c6c9e6 by u0078517, Aug 2, 2012 (13 commits)
UStun

This is a user-space IPv6 tunnel with an ip6tables-compatible user-space firewall that runs on OpenVZ/Virtuozzo guests. The project is a continuation of Luca Bertoncello's ustun (http://www.lucabert.de/ipv6/?lang=en) with some improvements, including:

  • Ability to run and control multiple tunnel instances on a single host
  • Stateful firewall shared across all running tunnels, aiming to be fully compatible with ip6tables (WIP)

Config files that allow running a stateful ufw-based firewall on OpenVZ/Virtuozzo guests are in the ufw folder, together with a script that emulates ip6tables-restore.

To use the tunnel and firewall (with UFW on Ubuntu):

  • make
  • copy ustun, usctrl, us6tables and ufw/us6tables-restore to /usr/local/sbin
  • replace /sbin/ip6tables with a symlink to /usr/local/sbin/us6tables
  • replace /sbin/ip6tables-restore with a symlink to /usr/local/sbin/us6tables-restore
  • replace /sbin/ip6tables-save with a symlink to /bin/true. WARNING: this disables ip6tables-save; ufw does not need it
  • back up after6.rules and before6.rules in /etc/ufw
  • copy after6.rules and before6.rules to /etc/ufw
  • disable ufw logging (sudo ufw logging off); ip6tables -m limit is not supported yet
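The three symlink steps above replace system binaries in /sbin, so it is worth doing them in a way that keeps the originals and can be undone. The script below is an added example, not part of the UStun project: it moves any pre-existing regular file aside as NAME.orig before creating the symlink, and provides the reverse operation. ROOT is a hypothetical prefix introduced here so the functions can be exercised against a scratch directory; leave it empty on a real guest.

```shell
#!/bin/sh
# Added example (not UStun project code): reversible replacement of the
# ip6tables entry points with the UStun shims.
# ROOT is a hypothetical prefix for testing against a scratch directory;
# use an empty ROOT on a real OpenVZ/Virtuozzo guest.
set -u

# link_shim ROOT TARGET LINK: if LINK is a regular file, move it to
# LINK.orig (never overwrite it), then point LINK at TARGET.
# An existing symlink at LINK is simply replaced.
link_shim() {
    root=$1; target=$2; link=$3
    if [ -e "$root$link" ] && [ ! -L "$root$link" ]; then
        mv "$root$link" "$root$link.orig" || return 1
    fi
    ln -sfn "$target" "$root$link"
}

# unlink_shim ROOT LINK: undo link_shim, restoring LINK.orig if present.
unlink_shim() {
    root=$1; link=$2
    if [ -L "$root$link" ]; then
        rm -f "$root$link"
    fi
    if [ -e "$root$link.orig" ]; then
        mv "$root$link.orig" "$root$link"
    fi
}

# install_ip6tables_shims ROOT: the three relink steps from the README.
install_ip6tables_shims() {
    root=$1
    link_shim "$root" /usr/local/sbin/us6tables /sbin/ip6tables &&
    link_shim "$root" /usr/local/sbin/us6tables-restore /sbin/ip6tables-restore &&
    link_shim "$root" /bin/true /sbin/ip6tables-save
}

# remove_ip6tables_shims ROOT: put back whatever was in /sbin before.
remove_ip6tables_shims() {
    root=$1
    for l in /sbin/ip6tables /sbin/ip6tables-restore /sbin/ip6tables-save; do
        unlink_shim "$root" "$l"
    done
}

# shim_target ROOT LINK: print where LINK currently resolves.
shim_target() {
    readlink "$1$2"
}
```

Run `install_ip6tables_shims ""` as root after `make` and the copy step; `remove_ip6tables_shims ""` restores the distribution's ip6tables binaries. Because the original files are moved rather than overwritten, a package upgrade or a later `readlink /sbin/ip6tables` makes it obvious that the shim is in place.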

NOTE: Some rules have slightly different syntax. See /usr/local/sbin/us6tables-restore for how ip6tables rules are rewritten.

To create a tunnel interface, add the following to /etc/network/interfaces:

iface NAME_CHANGEME inet6 static
    address    IPv6_ADDR_CHANGEME
    netmask    NETMASK_CHANGEME
    pre-up     /usr/local/sbin/ustun -n NAME_CHANGEME -r REMOTE_END -l LOCAL_END -m tunnelbroker -p /run/ustun-NAME_CHANGEME.pid
    post-up    /sbin/ip -6 addr add MORE_IPs_CHANGEME dev NAME_CHANGEME
    pre-down   /sbin/ip -6 addr del MORE_IPs_CHANGEME dev NAME_CHANGEME
    post-up    /sbin/ip -6 route add ::/0 dev NAME_CHANGEME
    post-down  /bin/kill `cat /run/ustun-NAME_CHANGEME.pid` > /dev/null 2>&1 || /bin/true
    mtu        1480

WARNING: Most OpenVZ/Virtuozzo hosts overwrite /etc/network/interfaces upon reboot. It's best to put your tunnel interface into /etc/network/interfaces.ipv6 and add the following to /etc/rc.local:

cat /etc/network/interfaces.ipv6 >> /etc/network/interfaces
ifup NAME_CHANGEME
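Two details of the workflow above deserve a guard. The rc.local line appends interfaces.ipv6 on every boot, so on a host that does not rewrite /etc/network/interfaces the stanza accumulates one copy per reboot; and the post-down line hands whatever is in the pid file to kill, which is an empty or stale argument when ustun never started or died. The script below is an added example, not UStun project code; ROOT is a hypothetical prefix introduced here for testing against a scratch directory (leave it empty on a real guest), and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not UStun project code): guards for the interfaces and
# pid-file handling on an OpenVZ/Virtuozzo guest.
# ROOT is a hypothetical prefix for testing; use an empty ROOT for real.
set -u

# ensure_ipv6_stanza ROOT: append interfaces.ipv6 to interfaces only when
# the tunnel stanza is not already there. Prints the interface name.
ensure_ipv6_stanza() {
    root=$1
    src="$root/etc/network/interfaces.ipv6"
    dst="$root/etc/network/interfaces"
    [ -r "$src" ] || return 1
    # the first "iface NAME inet6" line identifies the stanza
    name=$(sed -n 's/^iface[[:space:]]\{1,\}\([^[:space:]]\{1,\}\)[[:space:]]\{1,\}inet6.*/\1/p' "$src" | head -n 1)
    [ -n "$name" ] || return 1
    if grep -q "^iface[[:space:]]\{1,\}$name[[:space:]]\{1,\}inet6" "$dst" 2>/dev/null; then
        echo "$name"   # already present: nothing appended
        return 0
    fi
    cat "$src" >> "$dst" && echo "$name"
}

# ustun_pid ROOT NAME: print the PID from /run/ustun-NAME.pid only if the
# file holds a plain number and that process is still alive.
ustun_pid() {
    root=$1; name=$2
    pidfile="$root/run/ustun-$name.pid"
    [ -r "$pidfile" ] || return 1
    pid=$(tr -d '[:space:]' < "$pidfile")
    case $pid in
        ''|*[!0-9]*) return 1 ;;            # empty or non-numeric content
    esac
    kill -0 "$pid" 2>/dev/null || return 1   # process gone: stale pid file
    echo "$pid"
}

# ustun_stop ROOT NAME: what post-down should do, signalling only a
# validated PID. A missing or stale pid file is not an error.
ustun_stop() {
    pid=$(ustun_pid "$1" "$2") || return 0
    kill "$pid"
}
```

In rc.local, `ensure_ipv6_stanza "" && ifup NAME_CHANGEME` replaces the unconditional `cat`; in the interfaces stanza, `post-down /path/to/this.sh stop NAME_CHANGEME` (wiring the argument to `ustun_stop`) replaces the backticked kill. Note that `kill -0` also fails when the process belongs to another user, so run these checks as root, which ifup already does.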

NOTE: You can have multiple tunnels running. They will share the firewall rules, but can be controlled via usctrl separately.

To get info about your tunnel, use:

usctrl -p `cat /run/ustun-NAME_CHANGEME.pid` -i

Providing the PID (option -p or --pid) to usctrl is mandatory!

About

User space IPv6 tunnel with firewall
