...
The Linux kernel can't do this, or at least can't for every IP in your /64 without manually specifying each. Luckily there is a nice little project on GitHub called ndppd that can do this for you.
Your distribution may have a package.
Code Block |
---|
apt install ndppd |
If your distro doesn't have the package: Install gcc, g++, and make on your gateway and then:
Code Block |
---|
git clone https://github.com/DanielAdolfsson/ndppd
cd ndppd
make
sudo make install |
Your distribution may have a package. Check before doing the build.
Now you'll want to copy ndppd.conf-dist from the ndppd source tree to /etc/ndppd.conf and edit it. We just had to edit the prefix under their example rule entry:
...
That tells ndppd to answer NDP requests for the entire /80 from which we'll be assigning IPv6 addresses to our devices. Obviously you will need to change that IP prefix to your own.
There is a handy program to help you with IP subnetting: apt install ipcalc
The rule should use the static or iface option. We saw some flakiness with auto.
Then you'll want to start ndppd and tell it to start on boot. It doesn't come with init/systemd scripts so we just did this:
Code Block |
---|
sudo chmod a+x /etc/rc.local |
Then edited /etc/rc.local to add:
Code Block |
---|
/usr/local/sbin/ndppd -d |
Running that command with sudo will start ndppd manually.
If your install does provide a systemd unit (for example, from your distribution's package), start and enable it with systemctl instead:
Code Block |
---|
systemctl start ndppd
systemctl enable ndppd |
Once ndppd is running, try ping6 ipv6.google.com again from one of your devices. For us it worked right away!
Congratulations! You now have a global IPv6 address for every device on your virtual network.
...
Code Block |
---|
curl -4 ifconfig.co
curl -6 ifconfig.co |
Both commands should return your ZeroTier gateway addresses.
Step 4f: IPv6 Security (optional)
This configuration gives every device on your ZeroTier network a real globally reachable IPv6 address. This is wonderful but also possibly a little bit dangerous.
...
Code Block |
---|
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A FORWARD -i zt+ -s 2001:19f0:6001:01a6::/64 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
:OUTPUT ACCEPT [0:0]
COMMIT |
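The FORWARD rules above only protect your devices if the chain's default policy is DROP and every ACCEPT rule is either bound to the ZeroTier side or limited to return traffic. The following is an added example, not part of the original page or the ZeroTier project: a small Python check over a ruleset in iptables-restore format. The function name, the finding messages and the /80 prefix are assumptions made for illustration.

```python
import ipaddress
import shlex

# Constructed sample input: the FORWARD-chain lines of the ip6tables rules on this page.
SAMPLE_RULES = """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -i zt+ -s 2001:19f0:6001:01a6::/64 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""
# Constructed /80 inside the page's /64, standing in for the prefix given to ndppd.
PROXIED = "2001:19f0:6001:1a6:abcd::/80"

def audit_forward(rules_text, proxied_prefix):
    """Return findings for the filter table's FORWARD chain (empty list = OK)."""
    proxied = ipaddress.ip_network(proxied_prefix)
    table, policy, covered, findings = None, None, False, []
    for line in (l.strip() for l in rules_text.splitlines()):
        if line.startswith("*"):
            table = line[1:]
            continue
        if table != "filter":
            continue
        if line.startswith(":FORWARD "):
            policy = line.split()[1]
        if not line.startswith("-A FORWARD "):
            continue
        args = shlex.split(line)
        # Map each option to the token that follows it (-i zt+, -s prefix, -j target).
        opts = {a: args[i + 1] for i, a in enumerate(args[:-1]) if a.startswith("-")}
        if opts.get("-j") != "ACCEPT":
            continue
        # A rule with no state match also applies to NEW connections.
        states = set(opts.get("--state", opts.get("--ctstate", "NEW")).split(","))
        if "!" in args:
            findings.append(f"negated match, review by hand: {line}")
        elif states <= {"ESTABLISHED", "RELATED"}:
            continue  # return traffic only
        elif not opts.get("-i", "").startswith("zt"):
            findings.append(f"can admit new inbound connections: {line}")
        elif "-s" not in opts or proxied.subnet_of(
                ipaddress.ip_network(opts["-s"], strict=False)):
            covered = True  # devices in the proxied prefix may originate traffic
    if policy != "DROP":
        findings.append(f"FORWARD policy is {policy}, expected DROP")
    if not covered:
        findings.append(f"no rule lets {proxied} originate traffic")
    return findings
```

To audit a live gateway, pass it the output of ip6tables-save and the prefix from your own /etc/ndppd.conf.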
...
Code Block |
---|
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A FORWARD -i $ZT_IFACE -o $WAN_IFACE -j ACCEPT
-A FORWARD -i $WAN_IFACE -o $ZT_IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
:OUTPUT ACCEPT [0:0]
COMMIT |
FreeBSD
The allowDefault=1 setting on FreeBSD clients can't work. See this GitHub issue for a work-around: https://github.com/zerotier/ZeroTierOne/issues/580.
We've disabled the Allow Default setting on FreeBSD starting on versions newer than 1.10.6 until we can find a solution.
...