${toc}

# Install Tayga

```sh
apt update
apt install -y tayga
```

# Configure sysctl / ensure IPv4 and IPv6 forwarding is enabled

For Tayga to work properly, you must have both IPv4 and IPv6 forwarding enabled. Since the NAT64 server also functions effectively as a router, the sysctl config generated below will:

- Disable most IPv6 router advertisement (RA) processing, i.e. SLAAC
- Disable the main `accept_ra` switch
- Disable accepting default route advertisements
- Disable interface IPv6 auto-configuration
- Enable accepting MTU size advertisements, since MTU is very important
- Disable IPv4/v6 redirects
- Adjust the IPv6 MTU of the primary interface to match the VPN's MTU (1420 for WireGuard)

Two caveats. First, with `accept_ra=0` the kernel drops RAs entirely, so `accept_ra_mtu=1` only takes effect on an interface where you later turn `accept_ra` back on; on a forwarding host that has to be `accept_ra=2`, because a value of `1` is ignored once forwarding is enabled. Second, because RAs are ignored, the server's IPv6 default route must be static (the `gateway6` in the netplan config further down provides it).

## Manually enable forwarding

```sh
# Not necessary, but you may wish to run the below commands to enable IPv4 / IPv6 forwarding immediately.
sudo sysctl -w net.ipv6.conf.all.forwarding=1
sudo sysctl -w net.ipv4.conf.all.forwarding=1
sudo sysctl -w net.ipv4.ip_forward=1
```

## Generating a sysctl config (`95-privexnet.conf`)

```sh
# DEFAULT_IFACE should be set to the name of your PRIMARY INTERFACE, i.e. the one
# with the server's public IPv4/v6 address(es).
# IFACE_MTU should be set to match your VPN's MTU. For wireguard, this is typically 1420
DEFAULT_IFACE="eth0"
IFACE_MTU="1420"

# The heredoc is deliberately unquoted so that ${DEFAULT_IFACE} / ${IFACE_MTU} expand.
sudo tee /etc/sysctl.d/95-privexnet.conf <<EOF
#########
# Privex SYSCTL Config Options
#########

# Enable IP forwarding for IPv4 and IPv6
net.ipv6.conf.all.forwarding=1
net.ipv4.conf.all.forwarding=1
net.ipv6.conf.${DEFAULT_IFACE}.forwarding=1
net.ipv4.conf.${DEFAULT_IFACE}.forwarding=1
net.ipv4.ip_forward=1

####
# Disable IPv6 router advertisements that could potentially cause problems
####

# Main "accept router advertisements" flag - affects all other RA settings
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.${DEFAULT_IFACE}.accept_ra=0

# DO NOT accept advertisements for default router
net.ipv6.conf.all.accept_ra_defrtr=0
net.ipv6.conf.${DEFAULT_IFACE}.accept_ra_defrtr=0

# DO NOT attempt to auto-configure via SLAAC or RA's
net.ipv6.conf.all.autoconf=0
net.ipv6.conf.${DEFAULT_IFACE}.autoconf=0

# ACCEPT MTU advertisements from RA's - since MTU is very important
net.ipv6.conf.all.accept_ra_mtu=1
net.ipv6.conf.${DEFAULT_IFACE}.accept_ra_mtu=1

####
# Misc. Network Settings
####

# do not accept redirects
net.ipv6.conf.all.accept_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.${DEFAULT_IFACE}.accept_redirects=0
net.ipv4.conf.${DEFAULT_IFACE}.accept_redirects=0

# adjust default iface to use same MTU as wireguard for IPv6
net.ipv6.conf.${DEFAULT_IFACE}.mtu=${IFACE_MTU}
EOF
```

## Importing / reloading the sysctl configs

```sh
# Load every config under /etc/sysctl.d/ (a plain `sysctl -p` only reads /etc/sysctl.conf)
sudo sysctl --system

# Ensure sysctl actually read the privexnet config by specifying it
sudo sysctl -p /etc/sysctl.d/95-privexnet.conf
```

-------------

# Configuration Files

## default/tayga

`/etc/default/tayga`

```sh
# Defaults for tayga initscript
# sourced by /etc/init.d/tayga
# installed at /etc/default/tayga by the maintainer scripts

# Change this to "yes" to enable tayga
RUN="yes"

# Configure interface and set the routes up
CONFIGURE_IFACE="yes"

# Configure NAT44 for the private IPv4 range
CONFIGURE_NAT44="yes"

# Additional options that are passed to the Daemon.
DAEMON_OPTS=""

# IPv4 address to assign to the NAT64 tunnel device
IPV4_TUN_ADDR="192.168.255.1"

# IPv6 address to assign to the NAT64 tunnel device
IPV6_TUN_ADDR="2a07:e01:ffff::2"
```

`CONFIGURE_NAT44="yes"` is what lets the addresses Tayga hands out from `dynamic-pool` reach the IPv4 internet: the init script adds a masquerade rule for the pool on the way out. If you manage the firewall yourself (e.g. with nftables), set it to `"no"` and add the equivalent source NAT rule for `192.168.0.0/16` on the public interface.

## tayga.conf

`/etc/tayga.conf`

```
tun-device nat64

# Tayga's IPv4 address (doesn't really matter)
ipv4-addr 192.168.255.1

# Tayga's IPv6 address (to be routed to)
ipv6-addr 2a07:e01:ffff::2

# V6 Prefix to use for the IPv4 internet
prefix 64:ff9b::/96

dynamic-pool 192.168.0.0/16
data-dir /var/spool/tayga
```

`64:ff9b::/96` is the well-known NAT64 prefix (RFC 6052): an IPv6-only client reaches IPv4 host `A.B.C.D` by sending to `64:ff9b::` with the four octets in the low 32 bits, and Tayga rewrites the packet's source to an address from `dynamic-pool`. Anything that can route packets to `64:ff9b::/96` on this host therefore gets IPv4 access through its public address, so only accept that prefix from the VPN and bridge interfaces you intend to serve.

## Networking Config

`/etc/netplan/50-cloud-init.yml`

```yml
network:
  version: 2
  ethernets:
    # eth0 = Public Internet adapter
    # Must have IPv4, but doesn't require IPv6
    eth0:
      addresses:
        - 185.130.44.60/27
      gateway4: 185.130.44.33
      accept-ra: no
      match:
        macaddress: 1a:76:89:d4:09:b1
      nameservers: &id001
        addresses:
          - 2a07:e00::333
          - 8.8.4.4
          - 1.1.1.1
        search:
          - privex.bz
      set-name: eth0
    # eth1 - NAT64 IPv6 Gateway Adapter
    # Should have both a "public" IPv6 address (::1), used for accessing the server
    # and the "gateway" IPv6 (::2) used for routing the NAT64 prefix into
    eth1:
      addresses:
        - 2a07:e01:ffff::1/64
        - 2a07:e01:ffff::2/64
      gateway6: 2a07:e01:ffff::f
      match:
        macaddress: a6:08:61:c3:e5:e1
      nameservers: *id001
      set-name: eth1
```

Newer netplan releases deprecate `gateway4` / `gateway6` in favour of a `routes:` entry with `to: default`; the keys still work, but netplan warns about them.

# Enabling and starting Tayga

```sh
systemctl enable tayga
systemctl restart tayga
```

# Adding routes

## Cisco

```sh
ipv6 route 64:FF9B::/96 2A07:E01:FFFF::1 name NAT64
ipv6 route 64:FF9B::/96 2a07:e02:10ff::2 name NAT64-CA
```

## Linux CLI

```sh
ip -6 route add 64:ff9b::/96 via 2a07:e02:10ff::2 dev br0 metric 10 pref high
ip -6 route add 64:FF9B::/96 via 2a07:e00::64:64 dev eth0
```

## Netplan

NOTE: On our Vultr regions, the route should be added to `/etc/netplan/30-bridge.yaml`

```yml
routes:
  # 64:ff9b::/96 via 2a07:e02:10ff::2 dev br0 metric 10 pref high
  - to: 64:ff9b::/96
    via: 2a07:e02:10ff::2
    metric: 10
```
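Once the routes are in place, the quickest end-to-end check is to ping an IPv4 host through the prefix from an IPv6-only client. The script below is an added example, not part of the Privex guide or of Tayga: it computes the RFC 6052 form of an IPv4 address under the `64:ff9b::/96` prefix from `tayga.conf` (and decodes it again, accepting the upper-case spelling the Cisco route uses), and checks whether an IPv4 address falls inside `dynamic-pool 192.168.0.0/16`, which is what the NAT44 masquerade rule must cover. Only the /96 prefix layout is handled, since that is the only length this guide configures; the sample addresses (`8.8.4.4`, `185.130.44.60`, `192.168.200.7`) are taken from or chosen to fit the configs above. It is plain POSIX sh.

```shell
#!/bin/sh
# Added example for this guide (not Privex's or Tayga's own code): RFC 6052
# embedding and extraction for the `prefix 64:ff9b::/96` set in tayga.conf
# above, plus a CIDR test for dynamic-pool. Only the /96 layout is handled,
# because that is the only prefix length this guide configures. POSIX sh.

NAT64_PREFIX="64:ff9b"   # the first 96 bits, as written in tayga.conf

# dec N -> N without leading zeros, so that "08" is not read as octal by $(( ))
dec() { local v; v=${1#${1%%[!0]*}}; echo "${v:-0}"; }

# ipv4_check A.B.C.D -> 0 if it is a well-formed dotted quad, 1 otherwise
ipv4_check() {
    local oifs o
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    oifs=$IFS; IFS=.; set -- $1; IFS=$oifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$(dec "$o")" -le 255 ] || return 1
    done
}

# ipv4_to_int A.B.C.D -> the address as a 32-bit integer (for CIDR arithmetic)
ipv4_to_int() {
    local oifs
    ipv4_check "$1" || return 1
    oifs=$IFS; IFS=.; set -- $1; IFS=$oifs
    echo $(( ($(dec "$1") << 24) | ($(dec "$2") << 16) | ($(dec "$3") << 8) | $(dec "$4") ))
}

# nat64_embed A.B.C.D -> 64:ff9b::hhhh:llll, the address an IPv6-only client
# must send to so that Tayga forwards the packet to IPv4 host A.B.C.D
nat64_embed() {
    local oifs hi lo
    ipv4_check "$1" || { echo "bad IPv4 address: $1" >&2; return 1; }
    oifs=$IFS; IFS=.; set -- $1; IFS=$oifs
    hi=$(printf '%x' $(( $(dec "$1") * 256 + $(dec "$2") )))
    lo=$(printf '%x' $(( $(dec "$3") * 256 + $(dec "$4") )))
    # RFC 5952 text form: "::" also absorbs zero groups at the start of the suffix
    if [ "$hi" = 0 ] && [ "$lo" = 0 ]; then printf '%s::\n' "$NAT64_PREFIX"
    elif [ "$hi" = 0 ]; then printf '%s::%s\n' "$NAT64_PREFIX" "$lo"
    else printf '%s::%s:%s\n' "$NAT64_PREFIX" "$hi" "$lo"
    fi
}

# nat64_extract 64:ff9b::hhhh:llll -> A.B.C.D, the IPv4 destination Tayga puts
# in the translated packet. Fails if the address is not inside the prefix.
nat64_extract() {
    local addr rest hi lo
    addr=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # Cisco shows the prefix upper-case
    case "$addr" in
        "${NAT64_PREFIX}::"*) rest=${addr#"${NAT64_PREFIX}::"} ;;
        *) echo "not inside ${NAT64_PREFIX}::/96: $1" >&2; return 1 ;;
    esac
    case "$rest" in
        '')  hi=0; lo=0 ;;                        # 64:ff9b:: is 0.0.0.0
        *:*) hi=${rest%%:*}; lo=${rest#*:} ;;
        *)   hi=0; lo=$rest ;;                    # one group: high half was zero
    esac
    case "$hi$lo" in *[!0-9a-f]*) echo "bad suffix: $1" >&2; return 1 ;; esac
    [ -n "$hi" ] && [ -n "$lo" ] || return 1
    hi=$(printf '%d' "0x$hi"); lo=$(printf '%d' "0x$lo")
    [ "$hi" -le 65535 ] && [ "$lo" -le 65535 ] || return 1
    printf '%d.%d.%d.%d\n' $((hi >> 8)) $((hi & 255)) $((lo >> 8)) $((lo & 255))
}

# ipv4_in_cidr ADDR NET/LEN -> 0 if ADDR is inside NET/LEN. Use it to confirm
# that a source address leaving the public interface came from dynamic-pool,
# i.e. is covered by the NAT44 masquerade rule.
ipv4_in_cidr() {
    local addr net len mask
    addr=$(ipv4_to_int "$1") || return 1
    net=$(ipv4_to_int "${2%/*}") || return 1
    len=${2#*/}
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    len=$(dec "$len"); [ "$len" -le 32 ] || return 1
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# Demo with addresses from this guide: a public resolver and the server's own
# public IPv4. From an IPv6-only VPN client, `ping -6` the middle column to
# confirm that the 64:ff9b::/96 route actually lands on this box.
for v4 in 8.8.4.4 185.130.44.60; do
    v6=$(nat64_embed "$v4")
    printf '%-15s -> %-22s -> %s\n' "$v4" "$v6" "$(nat64_extract "$v6")"
done
ipv4_in_cidr 192.168.200.7 192.168.0.0/16 && echo "192.168.200.7 is inside dynamic-pool 192.168.0.0/16"
```

If the ping to the embedded address gets no reply, check in this order: the client's `64:ff9b::/96` route points at the Tayga host, the host forwards IPv6 (`sysctl net.ipv6.conf.all.forwarding`), and the masquerade rule covers the `dynamic-pool` source on the public interface.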