Friday, April 14, 2017

Using ULAs for VPNs

by Craig Miller

War of the Worlds
It has taken me some time to warm up to the idea of using ULAs (Unque Local Addresses), as it initially seemed like we were heading down the same private address problems that we have in IPv4. And I can't see ULA and not think of the sound the Martians made in H.G. Well's War of the Worlds.

But I have found a few really good reasons to use ULAs:

  • DNS stability: ISP is constantly changing GUA (Global Unique Address) PA (Provider-aggregatable) prefixes, and you have servers on your network that you would like to use DNS (Domain Name Service) to make life easier
  • Security: You have servers on your network which don't need internet access, but you want to access them via IPv6
  • VPN: Creating a VPN (Virtual Private Network) across several sites, all sharing the same ULA prefix (the 48 bit prefix).

ULAs made easy

It is this last use case, I'd like to discuss a bit more in this blog. According to RFC 4193, one should generate a 40 bit random hex number which is appended to FD, e.g. fd84:ac67:c214::/48. Fortunately, there are convenient tools on the internet to help with this, such as the Unique Local IPv6 Generator. 

However, if one is to create a VPN of several sites, the routing is much easier if a common ULA /48 prefix is used. With some address planning it is quite easy to give each site a /56 or 255 prefixes per site. In the following example, a hub and spoke topology is used, but with a small number of nodes, a mesh topology could be employed.
VPN using fd01:db8:9::/48 ULA prefix
ULAs also effectively eliminate the IPv4 Duplicate address problem. A common problem when using IPv4 is accessing a corporate RFC 1918 network, such as from a hotel which is also using the network. Routing is confused, and packets don't make it to the corporate network. Because ULAs have randomized 40 bits of the prefix, as per RFC 4193, the likelihood of duplicate subnets is a extremely low.

Because IPv6 uses multiple addresses, each site will have different GUA prefixes, and in fact, could be different ISPs. The PA (Provider Agregatable) GUA Prefixes can even change without changing the VPN setup. This is equivalent to the old IPv4 split-tunnel, where internet access doesn't have to be back-hauled to a central site, which results in faster internet access.

OpenWrt and IPv6 VPNs

OpenWrt supports OpenVPN, where the VPN links can be setup to use underlying IPv4 or IPv6 for transport. In addition, OpenWrt also supports ip6neigh, a DNS solution for IPv6 on home routers, with each site having a unique user-defined top domain name (typically .lan, but it is configurable).

Don't fear the ULAs

So don't fear the UUULLLAAs, ULAs are good for creating stability in a address-changing IPv6 world.

* Photo Credit: