VPN

We have an OpenVPN server that connects our IPv6 gateway at DCG to other nodes. This allows nodes to access the IPv6 Internet with our provider independent address space. Routing is done with Babel.

Be aware that, although authentication and the TLS control channel are protected, the data channel (the tunnel traffic itself) is unencrypted. This is because encryption would not add meaningful security in this case (other parts of the network path are unencrypted), might provide a false sense of security and only adds overhead. Yes, we do use WPA2 on our wireless backbone links, but that is only to prevent unauthorized use.

OpenVPN client configuration:

client
nobind
dev tap
user nobody
group nogroup

remote openvpn.dcg.amsw.nl

# Secure the control channel with TLS
ca /etc/ssl/certs/ca-certificates.crt
verify-x509-name 'CN=openvpn.dcg.amsw.nl' subject

# Authenticate with username and password
auth-user-pass auth.txt

# Disable crypto on the data channel
ncp-disable
cipher none
auth none

# Persist keys and TUN/TAP device across restarts
persist-key
persist-tun
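Because the data channel carries no crypto at all, the TLS control channel is the only thing protecting the username and password sent with auth-user-pass, so the `ca` and `verify-x509-name` lines matter more than usual. The small linter below (an added example, not part of this page's own setup) parses a client config in OpenVPN's line format and reports when that protection, the `ncp-disable` pairing with `cipher none`, or the privilege drop is missing; the embedded config is a constructed copy of the one above.

```python
# Added example (not the project's tooling): check an OpenVPN client config
# against the policy this page describes: server identity verified over TLS,
# data channel deliberately plaintext, root privileges dropped.
import shlex

# Constructed copy of the relevant lines from the client config above.
PAGE_CONFIG = """\
client
user nobody
group nogroup
remote openvpn.dcg.amsw.nl
ca /etc/ssl/certs/ca-certificates.crt
verify-x509-name 'CN=openvpn.dcg.amsw.nl' subject
auth-user-pass auth.txt
ncp-disable
cipher none
auth none
"""

def parse_ovpn(text):
    """Map each option to its argument list; lines starting '#' or ';' are comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)  # keeps 'CN=...' as one argument
        opts[parts[0]] = parts[1:]
    return opts

def lint(opts):
    """Return policy violations; an empty list means the config is as intended."""
    problems = []
    if "ca" not in opts:
        problems.append("no 'ca': the server certificate cannot be validated")
    vx = opts.get("verify-x509-name")
    if not vx:
        problems.append("no 'verify-x509-name': any certificate from the CA bundle "
                        "is accepted, so credentials could go to an impostor")
    elif "remote" in opts and not vx[0].endswith("CN=" + opts["remote"][0]):
        problems.append("verify-x509-name does not match the 'remote' host")
    if opts.get("cipher") == ["none"] and "ncp-disable" not in opts:
        problems.append("cipher none without ncp-disable: the server may "
                        "still negotiate a different data-channel cipher")
    for opt in ("user", "group"):
        if opt not in opts:
            problems.append(f"no '{opt}': openvpn keeps root after connecting")
    return problems
```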

If that works, check that the tap0 interface is up. It only needs an IPv6 link-local address. Now advertise your IPv6 subnet(s) with Babel by adding this to your bird6.conf:

protocol babel {
    # BIRD defaults to "export none"; add an export filter for the
    # prefixes you want announced if you do not set one elsewhere
    interface "tap0" {
        type wired;   # point-to-point style link, no wireless metric smoothing
    };
}