| 85 | |
| 86 | |
| 87 | == Splitting a single routable IPv6 netblock == |
| 88 | |
| 89 | Otherwise, there is a way out. Typically /64 IPv6 netblocks are assigned, which leaves a large address space. For an OpenVPN setup, this address space can be split into two /65 parts: the first is assigned to the physical network interface, the second to the VPN. **Warning:** operating netblocks smaller than /64 might break some network features. |
| 90 | |
| 91 | **Avoid** this setup if you are using any of: |
| 92 | |
| 93 | * SLAAC. If you are using SLAAC and have no way around it, ask your ISP for permission to use static address assignment on your VPN server. |
| 94 | * IPv6 Multicast - RFC3306 |
| 95 | * Cryptographically Generated Address - CGA - RFC3972 |
| 96 | * NAT64 - RFC6052 |
| 97 | * IPv6-to-IPv6 Network Prefix Translation - NPTv6 - RFC6296 |
| 98 | * Identifier-Locator Network Protocol - ILNP - RFC6741 |
| 99 | * Multihoming Shim Protocol for IPv6 - shim6 - RFC5533 |
| 100 | |
| 101 | See this [http://tools.ietf.org/html/draft-carpenter-6man-why64-00 Internet Draft] for details. |
| 102 | |
| 103 | === Split netblock configuration === |
| 104 | |
| 105 | Get the original IPv6 netblock on your OpenVPN server; let's assume it's |
| 106 | {{{ |
| 107 | 2001:db8:123::/64 |
| 108 | }}} |
| 109 | |
| 110 | 1. Check that your NIC uses no addresses in the upper /65 block (in this case, addresses inside 2001:db8:123:0:8000::/65). If it does, you can't use this setup until you eliminate those. |
| 111 | 1. Re-assign the lower part to the NIC as its new, restricted netblock. The command for this depends on your OS. For example, in **FreeBSD**: |
| 112 | {{{ |
| 113 | ### check this on your OS! |
| 114 | # ifconfig igb0 inet6 2001:db8:123::/64 -alias |
| 115 | # ifconfig igb0 inet6 2001:db8:123::/65 |
| 116 | ### |
| 117 | ### re-assign the other aliases previously set under the /64 block |
| 118 | # ifconfig igb0 inet6 2001:db8:123::dead/128 alias |
| 119 | # ifconfig igb0 inet6 2001:db8:123::ea:beef/128 alias |
| 120 | # ... |
| 121 | }}} |
| 122 | 1. Assign the upper part of the original netblock to OpenVPN. Add to the OpenVPN server configuration: |
| 123 | {{{ |
| 124 | # add this line (the upper half of 2001:db8:123::/64; the fourth group, 0, must be written out) |
| 125 | server-ipv6 2001:db8:123:0:8000::/65 |
| 126 | }}} |
| 127 | 1. Restart the VPN. |
| 128 | |
| 129 | You can also do this if your assigned IPv6 netblock is already smaller than /64, e.g. a /112. Perform the same steps and compute the base address of the upper subnet: the new prefix is one bit longer than the original, and the lower subnet starts with that last prefix bit set to 0 while the upper subnet starts with it set to 1. |
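The split and the step 1 check can be computed rather than done by hand. The following is an added example, not part of the original wiki page or of OpenVPN. It uses Python's standard `ipaddress` module, and the function names and the `fe80::1` address are assumptions made for illustration. It goes beyond the /64 case and handles any prefix length, and it shows that the upper half of 2001:db8:123::/64 is 2001:db8:123:0:8000::/65, with the fourth group written out.

```python
import ipaddress

def split_netblock(block):
    """Split an IPv6 netblock into (lower, upper) halves, one prefix bit longer."""
    net = ipaddress.IPv6Network(block, strict=True)  # rejects a base with host bits set
    if net.prefixlen == net.max_prefixlen:
        raise ValueError("a /128 cannot be split")
    lower, upper = net.subnets(prefixlen_diff=1)  # last prefix bit 0, then 1
    return lower, upper

def addresses_in_upper(block, nic_addresses):
    """Step 1 check: NIC addresses that sit in the half destined for the VPN."""
    _, upper = split_netblock(block)
    return [a for a in nic_addresses if ipaddress.IPv6Address(a) in upper]

def plan_split(block, nic_addresses):
    """Return the prefix for the NIC and the one for server-ipv6."""
    lower, upper = split_netblock(block)
    blocking = addresses_in_upper(block, nic_addresses)
    if blocking:
        # The setup cannot be used until these addresses are removed or moved.
        raise ValueError("addresses in the upper half: " + ", ".join(blocking))
    return {"nic": str(lower), "server-ipv6": str(upper)}

# The two aliases from the FreeBSD example plus a constructed link-local address.
NIC_ADDRESSES = ["2001:db8:123::dead", "2001:db8:123::ea:beef", "fe80::1"]

if __name__ == "__main__":
    # The /64 from the text, and a constructed /112 for the general case.
    for block in ("2001:db8:123::/64", "2001:db8:123::1:0/112"):
        print(block, "->", plan_split(block, NIC_ADDRESSES))
    # 2001:db8:123:8000::1 belongs to a different /64, so it is not in either half.
    print(addresses_in_upper("2001:db8:123::/64",
                             ["2001:db8:123:8000::1", "2001:db8:123:0:8000::1"]))
```

An address such as 2001:db8:123:8000::1 lies outside the original /64 altogether, so a prefix written without the `0` group would cover address space that was never assigned to the server.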