Version 3 (modified by speculatrix, 8 years ago)

ipv6-config was probably wrong

IPv6 in OpenVPN

This page describes IPv6 support in OpenVPN.


Starting officially in the 2.3.0 release, OpenVPN supports IPv6 inside the tunnel, and can optionally be configured with IPv6 as a transport protocol for the tunneled data. There were some unofficial developer patches for the 2.2.x series that added partial IPv6 support (Debian in particular chose to integrate these patches into some of their builds).

Providing IPv6 inside the tunnel

This section walks through providing IPv6 connectivity inside the tunnel using a routed setup. A bridged (dev tap) setup is not recommended in general, and users doing so are presumably advanced enough to know what they're doing.


A few requirements must be met in order to use IPv6:

  • An existing and functional OpenVPN configuration (use the official howto if you don't yet have this).
  • A routed IPv6 network block that will reach the host configured as the OpenVPN server
  • Both client and server must support IPv6; most modern systems these days include this support already

Details: IPv6 routed block

In a routed setup, you cannot use your on-link network; you must use a unique routed network range, just like when routing with IPv4. Most ISPs should have a facility to obtain a routed block on request, or sometimes provide one as part of DHCPv6-PD; these concepts are outside the scope of this document. Speak to your ISP or use other IPv6 learning resources for further information.

It is recommended to use a /64 for your OpenVPN subnet. While OpenVPN can happily use smaller networks (such as a /112), this is not compatible with the 2.2.x dev-patches that, for example, Debian uses. Thus a /64 is the preferred choice for an OpenVPN IPv6 allocation.

In this document, we'll assume you have the following from the OpenVPN server's viewpoint:

  • The OpenVPN server has an IPv6 address of 2001:db8:abc::100/64 on its LAN interface
  • The following block is routed to the OpenVPN server host: 2001:db8:123::/64

Additional OpenVPN config

There are 2 ways to add IPv6 addressing and pool options to the server, similar to what OpenVPN supports for IPv4: using a helper-directive, or expanding the helper-directive into its individual directives. The expansion is required if you do not wish to use the automatic values the helper-directive supplies. Clients that use --client or --pull will get the tun-ipv6 directive and addressing from the pool pushed as a result.

Config stanza using the helper

Add the following to a functioning OpenVPN config:

server-ipv6 2001:db8:123::/64

Config stanza with expanded directives

Add the following to a functioning OpenVPN config:

push tun-ipv6
ifconfig-ipv6 2001:db8:123::1/64 2001:db8:123::0/64
ifconfig-ipv6-pool 2001:db8:123::101/64

Note by PaulM: the above results in openvpn complaining that ifconfig-ipv6 contains invalid addresses - the netmasks are not needed/wanted, so this is what you have to use:

push tun-ipv6
ifconfig-ipv6 2001:db8:123::1 2001:db8:123::2
ifconfig-ipv6-pool 2001:db8:123::8000/64

Pushing IPv6 routes

Pushing routes over the tunnel works much like it does in IPv4, but you use --push "route-ipv6 NETWORK/CIDR".

Using the addressing examples shown above, if you wanted to expose the server-side network of 2001:db8:abc::/64, you could use:

push "route-ipv6 2001:db8:abc::/64"

To redirect all Internet-bound traffic, use the currently allocated public IP space like this:

push "route-ipv6 2000::/3"
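
The addressing rules above (a routed block separate from the on-link network, a /64, a pool inside the block, and pushed routes) can be checked before a config is deployed. The following is an added example, not part of the original page or of OpenVPN itself; the function name check_ipv6_plan and both sample configs are constructed for illustration, and only '#' comments are handled.

```python
import ipaddress
import shlex

ALL_V6 = ipaddress.ip_network("2000::/3")  # the page's "all Internet-bound" route

def check_ipv6_plan(config_text, lan_prefix):
    """Return a list of findings for the IPv6 directives of a server config."""
    lan = ipaddress.ip_network(lan_prefix, strict=False)
    vpn_net, pool_start, findings = None, None, []
    for raw in config_text.splitlines():
        words = shlex.split(raw, comments=True)    # strips quotes and '#' comments
        if len(words) == 2 and words[0] == "push":
            words = ["push"] + words[1].split()    # push "route-ipv6 NET/BITS"
        if len(words) == 2 and words[0] == "server-ipv6":
            vpn_net = ipaddress.ip_network(words[1], strict=False)
        elif len(words) == 2 and words[0] == "ifconfig-ipv6-pool":
            iface = ipaddress.ip_interface(words[1])
            pool_start = iface.ip
            if vpn_net is None:                    # expanded form: derive block from pool
                vpn_net = iface.network
        elif len(words) == 3 and words[:2] == ["push", "route-ipv6"]:
            try:
                route = ipaddress.ip_network(words[2])  # strict: host bits must be 0
            except ValueError:
                findings.append(f"invalid pushed route: {words[2]}")
                continue
            if route == ALL_V6:
                findings.append("all Internet-bound IPv6 traffic is redirected into the tunnel")
    if vpn_net is None:
        return findings + ["no IPv6 tunnel block configured"]
    if vpn_net.overlaps(lan):
        findings.append(f"{vpn_net} overlaps on-link network {lan}; use a separate routed block")
    if vpn_net.prefixlen != 64:
        findings.append(f"{vpn_net} is not a /64 (incompatible with 2.2.x dev-patch builds)")
    if pool_start is not None and pool_start not in vpn_net:
        findings.append(f"pool start {pool_start} is outside {vpn_net}")
    return findings

# Constructed sample: the helper form with the page's example addressing.
SAMPLE_OK = 'server-ipv6 2001:db8:123::/64\npush "route-ipv6 2001:db8:abc::/64"\n'
# Constructed sample: tunnel block carved out of the on-link LAN prefix, as a /112.
SAMPLE_BAD = """push tun-ipv6
ifconfig-ipv6 2001:db8:abc::1 2001:db8:abc::2
ifconfig-ipv6-pool 2001:db8:abc::8000/112
push "route-ipv6 2000::/3"
"""

if __name__ == "__main__":
    for name, cfg in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, check_ipv6_plan(cfg, "2001:db8:abc::100/64"))
```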