8

Trying to find the OpenVPN configuration which suits my needs, I made this script to help myself during the installation on a CentOS system. My server config file actually looks like this:

    port 1194
    proto udp
    dev tun
    user nobody
    group nobody
    persist-key
    persist-tun
    keepalive 10 120
    topology subnet
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "dhcp-option DNS 10.8.0.1"
    # corrected from "dhcp-options": the OpenVPN directive is dhcp-option
    push "dhcp-option DNS 2a04:52c0:101:xxx::1"
    push "redirect-gateway def1 bypass-dhcp"
    crl-verify crl.pem
    ca ca.crt
    cert server.crt
    key server.key
    tls-auth tls-auth.key 0
    dh dh4096.pem
    auth SHA256
    cipher AES-256-CBC
    tls-server
    tls-version-min 1.2
    tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
    status openvpn.log
    verb 4

It actually works perfectly, but as I rented a server @ liteserver.nl and they gave me a /64 subnet, I was trying to configure the OpenVPN server to give one IPv6 address to each client, so it can access the internet with a dedicated IP. So I followed the instructions on this page to set up IPv6 for internal usage. That page contains instructions for a server with a public IPv6 address, which is 2001:db8:0:abc::100/64, and a routed IPv6 subnet (which I think is probably what liteserver.nl gave me), which is 2001:db8:0:123::/64. Paying no attention to the difference between the sample addresses, I configured my server with a public IPv6 address (2a04:52c0:101:xxx::100/64) and gave the OpenVPN clients the whole subnet they gave me (2a04:52c0:101:xxx::/64); here's what my server.conf actually looks like:

    port 1194
    proto udp
    dev tun
    user nobody
    group nobody
    persist-key
    persist-tun
    keepalive 10 120
    topology subnet
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "dhcp-option DNS 10.8.0.1"
    # corrected from "dhcp-options": the OpenVPN directive is dhcp-option
    push "dhcp-option DNS 2a04:52c0:101:xxx::1"
    push "redirect-gateway def1 bypass-dhcp"
    crl-verify crl.pem
    ca ca.crt
    cert server.crt
    key server.key
    tls-auth tls-auth.key 0
    dh dh4096.pem
    auth SHA256
    cipher AES-256-CBC
    tls-server
    tls-version-min 1.2
    tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
    status openvpn.log
    verb 4
    server-ipv6 2a04:52c0:101:xxx::/64
    tun-ipv6
    push tun-ipv6
    ifconfig-ipv6 2a04:52c0:101:xxx::1 2a04:52c0:101:xxx::2
    push "route-ipv6 2a04:52c0:101:xxx::/64"
    push "route-ipv6 2000::/3"

So IPv4 connectivity works and IPv6 addresses are assigned correctly, but I cannot access the internet using IPv6 (according to test-ipv6.com). I'm asking myself if I need two /64 subnets (one for the private OpenVPN network and one for the VPN server itself, i.e. for outgoing connections) to configure this correctly, or if I missed something... Anyway, what I'd like to get is a VPN server with private IPv4 and IPv6 connectivity and with a public IPv4 and one or more public IPv6 address(es). Please tell me if that's possible and how to do that. I'm really hoping that someone could help me.

Thanks in advance.

5
  • +1 For incrementing exit codes in your script.. :) Commented Aug 25, 2017 at 15:44
  • I've never tried using OpenVPN IPv6 pushing options, but you have another way: use tap in layer 2 and distribute routes and network adapter settings via DHCP. I've never tried it either though. It works fine with v4. Commented Aug 25, 2017 at 16:20
  • @MichalSokolowski First of all, thanks for your answer. I thought about that, but I would like to achieve this using only OpenVPN if possible... I read that OpenVPN is now fully supporting IPv6, so there must be a way. Anyway, again, thanks for your interest. Commented Aug 26, 2017 at 11:18
  • @MichalSokolowski I would also really prefer tun rather than tap. Commented Aug 26, 2017 at 11:22
  • 1
    Having 2 /64 subnets is the best option; if that's available I'd go that route. Your config looks fine otherwise. jacobdevans.com/ipv6-openvpn-tunneling-with-asus-merlinwrt More on splitting a single /64 into (2) /65's: community.openvpn.net/openvpn/wiki/… Commented Aug 28, 2017 at 12:47

2 Answers

5

I think you need to proxy NDP requests to your public IPv6 addresses. I haven't tested this personally, but this is the theory:

Your ISP will send traffic for your whole IPv6 network (2a04:52c0:101:xxx::/64) to your server. This means that, when someone on the Internet tries to connect to an IP address inside that network, the traffic will be sent to your server, expecting it knows how to handle it.

Your server has an address in that network (2a04:52c0:101:xxx::100). When it receives traffic to another address, it ignores it, because it's not an address that it can identify with. So, the traffic that goes to the devices that get an IP address from that network assigned by OpenVPN stops dead on your server.

To make your server realize that it has to accept that traffic and send it "down" through OpenVPN, you have two options: use a different IPv6 network for your OpenVPN clients (so traditional routing works) or proxy the traffic to your current network. The first is the best option, but your ISP may not assign you more than one /64; the latter is NDP proxying, akin to ARP proxying in IPv4.

Using NDP proxying, your server will get the traffic for addresses not its own and resend it to the clients with that same IP address connected through OpenVPN. You will have to do this for every IP address in your network that belongs to an OpenVPN client.

There are other answers in the StackExchange network that cover this in detail:

Please, check those answers for a more thorough explanation.

7
  • So I have to configure standard private IPv6 networking inside the VPN (with a random IPv6 subnet?), the whole public /64 subnet to my VPN host and then redirect all IPv6 requests from inside the VPN to my public interface? Commented Aug 26, 2017 at 10:47
  • 1
    Please put the main information in your answer. If the link gets broken, your answer won't be that helpful anymore. Commented Aug 26, 2017 at 10:48
  • @gf_ I think it would be useful, as I don't know where to look with the current link. Commented Aug 26, 2017 at 11:20
  • I've edited my answer to elaborate a little more. Please, ask if you need more help. Commented Aug 28, 2017 at 12:03
  • @rsuarez Many many thanks for your answer. I think that NDP proxying is not what I was looking for as I have to add a rule for each address. So as my ISP does not provide me a second subnet I have to find another way. So can I setup the public subnet to my public interface and a random ipv6 subnet for private ipv6 networking inside the VPN? Commented Aug 28, 2017 at 14:01
0

The solution is very simple (though it took 6 hours to figure it out). Manual is here: Splitting a single routable IPv6 netblock

  1. Remove existing ipv6: ifconfig eth0 inet6 del 2a04:52c0:101:xxx::x/64
  2. Add the same inet6 with /65 prefix: ifconfig eth0 inet6 add 2a04:52c0:101:xxx::x/65
  3. Change the line in your config to: server-ipv6 2a04:52c0:101:xxx:8000::/65
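An added check covering the two layouts this thread discusses, the overlapping pool that needs per-client NDP proxy entries (first answer) and the /65 split (this answer); it is written for this page and is not code from the question, the answers or the linked guide. It assumes the documentation prefix 2001:db8:0:123::/64 from the linked instructions stands in for the real /64, substitutes ip(8) for ifconfig, and assumes IPv6 forwarding has to be enabled on the server.

```python
import ipaddress

def split_64(prefix):
    """Split a routed /64 into its two /65 halves (lower, upper): the
    manual arithmetic behind steps 2 and 3 of the procedure above."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError(f"expected a /64, got /{net.prefixlen}")
    lower, upper = net.subnets(prefixlen_diff=1)  # ::/65 and :8000::/65
    return lower, upper

def check_layout(iface_addr, pool, client_addrs=()):
    """Classify the server's on-link address against the server-ipv6 pool.
    'routed' : pool is off-link for eth0; plain forwarding carries replies
               back into the tunnel.
    'overlap': pool shares eth0's prefix (the question's situation); the
               kernel treats clients as eth0 neighbours, so each address in
               'ndp_proxy' needs an NDP proxy entry (first answer) unless
               the prefix is split."""
    iface = ipaddress.IPv6Interface(iface_addr)
    pool_net = ipaddress.IPv6Network(pool, strict=True)
    if not pool_net.overlaps(iface.network):
        return {"mode": "routed", "ndp_proxy": []}
    proxied = sorted(str(a) for a in map(ipaddress.IPv6Address, client_addrs)
                     if a in pool_net)
    return {"mode": "overlap", "ndp_proxy": proxied}

def split_commands(iface_addr, dev="eth0"):
    """Commands and server.conf line for the /65 split: the server keeps the
    lower /65, OpenVPN clients get the upper one. ip(8) stands in for
    ifconfig; the forwarding sysctl is an assumption, not on the page."""
    iface = ipaddress.IPv6Interface(iface_addr)
    lower, upper = split_64(str(iface.network))
    if iface.ip not in lower:
        raise ValueError("server address must lie in the lower /65")
    return {
        "shell": [
            f"ip -6 addr del {iface.with_prefixlen} dev {dev}",
            f"ip -6 addr add {iface.ip}/{lower.prefixlen} dev {dev}",
            "sysctl -w net.ipv6.conf.all.forwarding=1",
        ],
        "server.conf": [f"server-ipv6 {upper.with_prefixlen}"],
    }

if __name__ == "__main__":
    # constructed sample, using the documentation prefix from the linked guide
    print(check_layout("2001:db8:0:123::100/64", "2001:db8:0:123::/64",
                       ["2001:db8:0:123::1002"]))
    print(split_commands("2001:db8:0:123::100/64"))
```

Note that leaving eth0 on the /64 while only moving the pool to :8000::/65 still classifies as overlap, which is why steps 1 and 2 are needed and not just step 3.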
