
Trying to find the OpenVPN configuration which suits my needs, I made this script to help myself during the installation on a CentOS system. My server config file actually looks like this:

port 1194
proto udp
dev tun
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 10.8.0.1"
# IPv6 DNS server pushed to clients (the directive is dhcp-option, singular)
push "dhcp-option DNS 2a04:52c0:101:xxx::1"
push "redirect-gateway def1 bypass-dhcp"
crl-verify crl.pem
ca ca.crt
cert server.crt
key server.key
tls-auth tls-auth.key 0
dh dh4096.pem
auth SHA256
cipher AES-256-CBC
tls-server
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
status openvpn.log
verb 4

It actually works perfectly, but as I rented a server @ liteserver.nl and they gave me a /64 subnet, I was trying to configure the OpenVPN server to give one IPv6 address to each client to access the internet with a dedicated IP. So I followed the instructions on this page to set up IPv6 for internal usage. That page contains instructions for a server with a public IPv6 which is 2001:db8:0:abc::100/64 and a routed IPv6 subnet (which I think is probably what liteserver.nl gave me) which is 2001:db8:0:123::/64. Paying no attention to the difference between the sample addresses, I configured my server with a public IPv6 (2a04:52c0:101:xxx::100/64) and I gave the OpenVPN clients the whole subnet they gave me (2a04:52c0:101:xxx::/64). Here's what my server.conf actually looks like:

port 1194
proto udp
dev tun
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 10.8.0.1"
# IPv6 DNS server pushed to clients (the directive is dhcp-option, singular)
push "dhcp-option DNS 2a04:52c0:101:xxx::1"
push "redirect-gateway def1 bypass-dhcp"
crl-verify crl.pem
ca ca.crt
cert server.crt
key server.key
tls-auth tls-auth.key 0
dh dh4096.pem
auth SHA256
cipher AES-256-CBC
tls-server
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
status openvpn.log
verb 4
server-ipv6 2a04:52c0:101:xxx::/64
tun-ipv6
push tun-ipv6
ifconfig-ipv6 2a04:52c0:101:xxx::1 2a04:52c0:101:xxx::2
push "route-ipv6 2a04:52c0:101:xxx::/64"
push "route-ipv6 2000::/3"

So IPv4 connectivity works and IPv6 addresses are assigned correctly, but I cannot access the internet using IPv6 (according to test-ipv6.com). I'm asking myself if I need two /64 subnets (one for the private OpenVPN network and one for the VPN server itself, so for outgoing connections) to correctly configure this, or if I missed something... Anyway, what I'd like to get is a VPN server with private IPv4 and IPv6 connectivity and with a public IPv4 and one or more public IPv6 address(es). Please tell me if that's possible and how to do that. I'm really hoping that someone could help me.

Thanks in advance.

Phonic Mouse
  • +1 For incrementing exit codes in your script.. :) – gxx Aug 25 '17 at 15:44
  • I've never tried using OpenVPN IPv6 pushing options, but you have another way: use tap in layer 2 and distribute routes and network adapter settings via DHCP. I've never tried it either though. It works fine with v4. – Michal Sokolowski Aug 25 '17 at 16:20
  • @MichalSokolowski First of all, thanks for your answer. I thought about that, but I would like to achieve this using only OpenVPN if possible... I read that OpenVPN is now fully supporting IPv6, so there must be a way. Anyway, again, thanks for your interest. – Phonic Mouse Aug 26 '17 at 11:18
  • @MichalSokolowski I would also really prefer tun rather than tap. – Phonic Mouse Aug 26 '17 at 11:22
  • Having 2 /64 subnets is the best option; if that's available I'd go that route. Your config looks fine otherwise: https://www.jacobdevans.com/ipv6-openvpn-tunneling-with-asus-merlinwrt/ More on splitting a single /64 into (2) /65's: https://community.openvpn.net/openvpn/wiki/IPv6#SplittingasingleroutableIPv6netblock – Jacob Evans Aug 28 '17 at 12:47

2 Answers


I think you need to proxy NDP requests to your public IPv6 addresses. I haven't tested this personally, but this is the theory:

Your ISP will send traffic for your whole IPv6 network (2a04:52c0:101:xxx::/64) to your server. This means that, when someone on the Internet tries to connect to an IP address inside that network, the traffic will be sent to your server, expecting it knows how to handle it.

Your server has an address in that network (2a04:52c0:101:xxx::100). When it receives traffic to another address, it ignores it, because it's not an address that it can identify with. So, the traffic that goes to the devices that get an IP address from that network assigned by OpenVPN stops dead on your server.

To make your server realize that it has to accept that traffic and send it "down" through OpenVPN, you have two options: use a different IPv6 network for your OpenVPN clients (so traditional routing works) or proxy the traffic to your current network. The first is the best option, but your ISP may not assign you more than one /64; the latter is NDP proxying, akin to ARP proxying in IPv4.

Using NDP proxying, your server will get the traffic for addresses not its own and resend it to the clients with that same IP address connected through OpenVPN. You will have to do this for every IP address in your network that belongs to an OpenVPN client.

There are other answers in the StackExchange network that cover this in detail:

Please, check those answers for a more thorough explanation.

rsuarez
  • So I have to configure standard private IPv6 networking inside the VPN (with a random IPv6 subnet?), the whole public /64 subnet to my VPN host and then redirect all IPv6 requests from inside the VPN to my public interface? – Phonic Mouse Aug 26 '17 at 10:47
  • Please put the main information in your answer. If the link gets broken, your answer won't be that helpful anymore. – gxx Aug 26 '17 at 10:48
  • @gf_ I think it would be useful, as I don't know where to look with the current link. – Phonic Mouse Aug 26 '17 at 11:20
  • I've edited my answer to elaborate a little more. Please, ask if you need more help. – rsuarez Aug 28 '17 at 12:03
  • @rsuarez Many many thanks for your answer. I think that NDP proxying is not what I was looking for as I have to add a rule for each address. So as my ISP does not provide me a second subnet I have to find another way. So can I setup the public subnet to my public interface and a random ipv6 subnet for private ipv6 networking inside the VPN? – Phonic Mouse Aug 28 '17 at 14:01
  • That's insane. 2^128 addresses available and you still need to NAT it. Check it out: `However until you can actually get an IPv6 address range from your ISP, you may want to use "private" addresses for internal networks and testing etc. In IPv6 there is a special "Unique Unicast" IP range of fc00::/7 which should be used for this as per RFC4193.` Source: http://simpledns.com/private-ipv6.aspx, `The IANA has assigned the FC00::/7 prefix to "Unique Local Unicast".` Source: http://www.rfc-editor.org/rfc/rfc3879.txt – Michal Sokolowski Aug 29 '17 at 08:47
  • @MichalSokolowski That's what I was looking for. Thanks. – Phonic Mouse Sep 03 '17 at 09:05
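Added illustration for the NDP-proxying option discussed in this answer (not code from rsuarez, the asker, or the OpenVPN project): a small planner that turns "one proxy entry per client address" into the concrete Linux commands, and rejects addresses that must not be proxied (outside the prefix, the host's own address, duplicates). The prefix and addresses are constructed samples from the RFC 3849 documentation range, and "eth0" is an assumed uplink interface name.

```python
import ipaddress

# Added example. Generates the Linux NDP-proxy setup for VPN clients that
# hold addresses from the host's own /64. Sample prefix and addresses are
# constructed (RFC 3849 documentation range); "eth0" is an assumed name.

def plan_ndp_proxy(prefix, host_addr, client_addrs, iface="eth0"):
    """Return (commands, rejected).

    commands: shell commands, one `ip -6 neigh add proxy` per client, so the
              host answers Neighbor Solicitations for each client address.
    rejected: (address, reason) pairs for inputs that must not be proxied.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    host = ipaddress.ip_address(host_addr)
    if host not in net:
        raise ValueError(f"{host} is not inside {net}")

    # proxy_ndp must be enabled on the uplink interface, otherwise the
    # kernel never answers solicitations for the proxied entries.
    commands = [f"sysctl -w net.ipv6.conf.{iface}.proxy_ndp=1"]
    rejected = []
    seen = set()
    for raw in client_addrs:
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            rejected.append((raw, "not a valid IP address"))
            continue
        if addr.version != 6:
            rejected.append((raw, "not IPv6"))
        elif addr not in net:
            rejected.append((raw, f"outside {net}"))
        elif addr == host:
            rejected.append((raw, "collides with the host's own address"))
        elif addr in seen:
            rejected.append((raw, "duplicate"))
        else:
            seen.add(addr)
            commands.append(f"ip -6 neigh add proxy {addr} dev {iface}")
    return commands, rejected

# Constructed sample: the host holds ::100 on its uplink, two VPN clients
# were handed ::2 and ::3, plus two inputs that must be rejected.
SAMPLE_PREFIX = "2001:db8:0:abc::/64"
SAMPLE_HOST = "2001:db8:0:abc::100"
SAMPLE_CLIENTS = ["2001:db8:0:abc::2", "2001:db8:0:abc::3",
                  "2001:db8:0:abc::100", "2001:db8:0:999::2"]

if __name__ == "__main__":
    cmds, bad = plan_ndp_proxy(SAMPLE_PREFIX, SAMPLE_HOST, SAMPLE_CLIENTS)
    print("\n".join(cmds))
    for addr, why in bad:
        print(f"# skipped {addr}: {why}")
```

The entries are static, which is the scaling problem noted in the comments: every time OpenVPN hands out a new address, a matching proxy entry has to exist on the uplink, so in practice this would be driven from a client-connect hook or a fixed per-client assignment rather than run by hand.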

The solution is very simple (though it took 6 hours to figure it out). Manual is here: Splitting a single routable IPv6 netblock

  1. Remove existing ipv6: ifconfig eth0 inet6 del 2a04:52c0:101:xxx::x/64
  2. Add the same inet6 with /65 prefix: ifconfig eth0 inet6 add 2a04:52c0:101:xxx::x/65
  3. Change the line in your config to: server-ipv6 2a04:52c0:101:xxx:8000::/65
user3599934
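Added illustration of the /65 split used in the answer above (not the poster's commands or OpenVPN project code): it computes both halves of a routed /64 with the standard library, checks that the host's uplink address really falls in the lower half, and emits the equivalent iproute2 commands plus the server-ipv6 line. The prefix and host address are constructed RFC 3849 samples, and "eth0" is an assumed interface name.

```python
import ipaddress

# Added example. Splits one routed /64 into two /65 halves the way the
# answer above does by hand: the lower half stays on the uplink, the upper
# half goes to OpenVPN. Emits iproute2 "ip -6 addr" commands instead of
# ifconfig. Prefix/host are constructed (RFC 3849); "eth0" is assumed.

def split_for_vpn(prefix, host_addr, iface="eth0"):
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 6 or net.prefixlen != 64:
        raise ValueError(f"expected an IPv6 /64, got {net}")
    lower, upper = net.subnets(new_prefix=65)
    host = ipaddress.ip_address(host_addr)
    # The host keeps the lower half, so bit 65 of its address must be clear;
    # an address like ...:8000::x would land in the VPN half instead.
    if host not in lower:
        raise ValueError(f"{host} is not in the lower half {lower}")
    assert not lower.overlaps(upper)
    return {
        "host_half": str(lower),
        "vpn_half": str(upper),
        # Re-add the same address with the narrower prefix, as in the answer.
        "commands": [
            f"ip -6 addr del {host}/{net.prefixlen} dev {iface}",
            f"ip -6 addr add {host}/{lower.prefixlen} dev {iface}",
        ],
        "server_conf": f"server-ipv6 {upper}",
        # OpenVPN uses the first address of the server-ipv6 range for its
        # own tun end; clients are allocated from the rest of the /65.
        "server_tun": str(upper.network_address + 1),
    }

if __name__ == "__main__":
    plan = split_for_vpn("2001:db8:0:abc::/64", "2001:db8:0:abc::100")
    print("\n".join(plan["commands"]))
    print(plan["server_conf"])
```

The reason this works without NDP proxying is that the two halves are distinct routes on the host: traffic for the upper /65 is forwarded into the tun interface, while the uplink only claims the lower /65, so no address is reachable on two interfaces at once.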