IPv6 in OpenVPN
This page describes IPv6 support in OpenVPN.
Overview
Starting officially in the 2.3.0 release, OpenVPN supports IPv6 inside the tunnel, and can optionally be configured with IPv6 as a transport protocol for the tunneled data. There were some unofficial developer patches for the 2.2.x series that added partial IPv6 support (Debian in particular chose to integrate these patches into some of their builds.)
Providing IPv6 inside the tunnel
This section walks through providing IPv6 connectivity inside the tunnel using a routed setup. A bridged (dev tap) setup is not recommended in general, and users who choose one are presumably advanced enough to know what they're doing.
Requirements
A few things must be met in order to use IPv6:
- An existing and functional OpenVPN configuration (use the official howto if you don't yet have this.)
- A routed IPv6 network block that will reach the host configured as the OpenVPN server
- Both client and server must support IPv6; most modern systems these days include this support already
Details: IPv6 routed block
In a routed setup, you cannot use your on-link network; you must use a unique routed network range, just like when routing with IPv4. Most ISPs should have a facility to obtain a routed block on request, or sometimes provide one as part of DHCPv6-PD; these concepts are outside the scope of this document. Speak to your ISP or use other IPv6 learning resources for further information.
It is recommended to use a /64 for your OpenVPN subnet. While OpenVPN can happily use smaller networks (such as a /112), this is not compatible with the 2.2.x dev-patches that Debian, for example, uses. Thus a /64 is the preferred choice for an OpenVPN IPv6 allocation.
In this document, we'll assume you have the following from the OpenVPN server's viewpoint:
- The OpenVPN server has an IPv6 IP of 2001:db8:abc::100/64 on its LAN interface
- The following block is routed to the OpenVPN server host: 2001:db8:123::/64
Additional OpenVPN config
There are two ways to add IPv6 addressing and pool options to the server, similar to what OpenVPN supports for IPv4: using a helper-directive, or expanding the helper-directive yourself. The expansion is required if you do not wish to use the automatic values the helper-directive supplies. Clients that use --client or --pull will get the tun-ipv6 directive and addressing from the pool pushed as a result.
Config stanza using the helper
Add the following to a functioning OpenVPN config:
server-ipv6 2001:db8:123::/64
Config stanza with expanded directives
Add the following to a functioning OpenVPN config:
tun-ipv6
push tun-ipv6
ifconfig-ipv6 2001:db8:123::1/64 2001:db8:123::0/64
ifconfig-ipv6-pool 2001:db8:123::101/64
Note by PaulM: the above results in OpenVPN complaining that ifconfig-ipv6 contains invalid addresses - the netmasks are not needed/wanted, so this is what you have to use:
tun-ipv6
push tun-ipv6
ifconfig-ipv6 2001:db8:123::1 2001:db8:123::2
ifconfig-ipv6-pool 2001:db8:123::8000/64
Pushing IPv6 routes
Pushing routes over the tunnel works much like it does in IPv4, but you use --push "route-ipv6 NETWORK/CIDR".
Using the addressing examples shown above, if you wanted to expose the server-side network of 2001:db8:abc::/64, you could use:
push "route-ipv6 2001:db8:abc::/64"
To redirect all Internet-bound traffic, use the currently allocated public IP space like this:
push "route-ipv6 2000::/3"
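The routed-block requirements and the pushed routes described above can be checked before a config is deployed. The following is an added example, not part of the original page or of OpenVPN itself: a small Python linter that reads the server-ipv6 and push "route-ipv6 ..." lines and reports a tunnel block that overlaps the on-link network, a prefix other than /64, or a missing 2000::/3 redirect. The function names and the sample config are assumptions made for illustration; the addresses are the ones used on this page.

```python
import ipaddress
import shlex

GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")

# Constructed sample: the directives and addresses used on this page.
SAMPLE_CONFIG = """
server-ipv6 2001:db8:123::/64
push "route-ipv6 2001:db8:abc::/64"
push "route-ipv6 2000::/3"
"""

def parse_ipv6_directives(text):
    """Return (tunnel_net, pushed_routes) found in OpenVPN server config text."""
    tunnel_net, routes = None, []
    for raw in text.splitlines():
        if raw.lstrip().startswith(";"):        # ';' lines are comments too
            continue
        words = shlex.split(raw, comments=True)  # handles quotes and '#' comments
        if len(words) < 2:
            continue
        if words[0] == "server-ipv6":
            # strict=True rejects a network written with host bits set
            tunnel_net = ipaddress.IPv6Network(words[1], strict=True)
        elif words[0] == "push":
            pushed = words[1].split()
            if len(pushed) >= 2 and pushed[0] == "route-ipv6":
                routes.append(ipaddress.IPv6Network(pushed[1], strict=True))
    return tunnel_net, routes

def lint(text, lan_interface):
    """Check the config against this page's rules; return a list of findings."""
    lan_net = ipaddress.IPv6Interface(lan_interface).network
    tunnel_net, routes = parse_ipv6_directives(text)
    findings = []
    if tunnel_net is None:
        findings.append("no server-ipv6 directive found")
    else:
        if tunnel_net.overlaps(lan_net):
            findings.append(f"tunnel block {tunnel_net} overlaps on-link network {lan_net}")
        if tunnel_net.prefixlen != 64:
            findings.append(f"tunnel block is /{tunnel_net.prefixlen}; a /64 is recommended")
    # A pushed route must cover all of 2000::/3 (::/0 also qualifies) to redirect everything.
    if not any(GLOBAL_UNICAST.subnet_of(r) for r in routes):
        findings.append("2000::/3 is not pushed; Internet-bound IPv6 is not redirected")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG, "2001:db8:abc::100/64") or ["no findings"]:
        print(finding)
```

The second argument to lint is the server's LAN interface address with its prefix length; a malformed address or network in the config raises ValueError rather than being skipped.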