I am trying to disable IPv6 leak when on an AWS VPN, which only supports IPv4 right now. I've looked at the docs for OpenVPN and the docs for AWS but I'm confused as to what this is actually doing. What is the line ifconfig-ipv6 fd15:53b6:dead::2/64 fd15:53b6:dead::1 doing and why can't I just use the --block-ipv6 flag?

--block-ipv6
On the client, instead of sending IPv6 packets over the VPN tunnel, all IPv6 packets are answered with an ICMPv6 no route to host message. On the server, all IPv6 packets from clients are answered with an ICMPv6 no route to host message. This option is intended for cases when IPv6 should be blocked and other options are not available. --block-ipv6 will use the remote IPv6 as source address of the ICMPv6 packets if set, otherwise it will use fe80::7 as source address.

For this option to make sense you actually have to route traffic to the tun interface. The following example config block would send all IPv6 traffic to OpenVPN and answer all requests with no route to host, effectively blocking IPv6 (to avoid IPv6 connections from dual-stacked clients leaking around IPv4-only VPN services).

Client config

--ifconfig-ipv6 fd15:53b6:dead::2/64 fd15:53b6:dead::1
--redirect-gateway ipv6
--block-ipv6

Server config
Push a "valid" ipv6 config to the client and block on the server

--push "ifconfig-ipv6 fd15:53b6:dead::2/64 fd15:53b6:dead::1"
--push "redirect-gateway ipv6"
--block-ipv6
j7skov

1 Answer

AWS copied the man page regarding block-ipv6 to illustrate an example of when you don't want IPv6 traffic outside of a tunnel (leaks) but the network is not IPv6 ready, which apparently is currently true of AWS Client VPN.

The manual further explains that this is not always necessary:

Note: this option does not influence traffic sent from the server towards the client (neither on the server nor on the client side). This is not seen as necessary, as such traffic can be most easily avoided by not configuring IPv6 on the server tun, or setting up a server-side firewall rule.

In other words, you could skip provisioning IPv6 in your VPN. Then clients could in theory get IPv6 internet from some other interface. The leak of which may or may not be what you want.

You need an IP address to route the system's IPv6 traffic to, and to receive ICMP unreachable messages back from.

Regarding the example address, fd00::/8 is a unique local range, not routable over the internet. You should be generating 40 random bits and making up your own prefix. Here's a /48 just for you. (OpenVPN inserted a clever hex word "dead" in their example, but it is not special.)

Whatever you implement, during your validation test do a packet capture. Dissect and check that you understand what's happening.

John Mahowald
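As an added example (not code from either poster, OpenVPN or AWS), the following Python script does what the answer recommends: it builds a unique local /48 from 40 random bits, carves out a /64 for the tunnel, and renders the client and server lines quoted in the question with ::2 as the client address and ::1 as the server address. The function names are mine; the question's example prefix fd15:53b6:dead::/48 corresponds to global ID 0x1553b6dead, which the script uses as a round-trip check.

```python
import ipaddress
import secrets

ULA_RANGE = ipaddress.IPv6Network("fd00::/8")  # locally assigned half of fc00::/7 (RFC 4193)
OPENVPN_EXAMPLE = ipaddress.IPv6Network("fd15:53b6:dead::/48")  # prefix from the man page


def generate_ula_prefix(global_id=None):
    """Build a unique local /48: the fd00::/8 byte followed by a 40-bit global ID.

    The answer's advice is to generate 40 random bits yourself; secrets gives
    them from the OS CSPRNG. A fixed global_id can be passed for reproducibility.
    """
    if global_id is None:
        global_id = secrets.randbits(40)
    if not 0 <= global_id < (1 << 40):
        raise ValueError("global ID must fit in 40 bits")
    # bits 120-127 are 0xfd, bits 80-119 hold the global ID, the rest is zero
    network_int = (0xFD << 120) | (global_id << 80)
    return ipaddress.IPv6Network((network_int, 48))


def tunnel_subnet(prefix, subnet_id=0):
    """Pick one /64 out of the /48: the 16-bit subnet ID sits right below the global ID."""
    if prefix.prefixlen != 48 or not 0 <= subnet_id < (1 << 16):
        raise ValueError("expected a /48 prefix and a 16-bit subnet ID")
    return ipaddress.IPv6Network((int(prefix.network_address) | (subnet_id << 64), 64))


def openvpn_block_ipv6_config(subnet):
    """Render the client and server lines from the question for the given /64."""
    base = int(subnet.network_address)
    client = ipaddress.IPv6Address(base + 2)  # ::2 is the client end of the tunnel
    server = ipaddress.IPv6Address(base + 1)  # ::1 is the server end of the tunnel
    ifconfig = f"ifconfig-ipv6 {client}/64 {server}"
    return {
        "client": [ifconfig, "redirect-gateway ipv6", "block-ipv6"],
        "server": [f'push "{ifconfig}"', 'push "redirect-gateway ipv6"', "block-ipv6"],
    }


def is_sane_tunnel_prefix(subnet):
    """True if the /64 is unique local and is not the man page's example (which is not special)."""
    return subnet.subnet_of(ULA_RANGE) and not subnet.subnet_of(OPENVPN_EXAMPLE)


if __name__ == "__main__":
    net = tunnel_subnet(generate_ula_prefix())
    print("unique local, non-example:", is_sane_tunnel_prefix(net))
    for side, lines in openvpn_block_ipv6_config(net).items():
        print(f"{side} config:", *lines, sep="\n  ")
```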