I'd like to make this into a full-featured post at some point, but for now I'm just writing down the essentials for getting a working ipv4 openvpn setup to work using ipv6. There are two steps:
- Use IPv6 as the protocol to communicate between client and server
- Use IPv6 addresses for the clients
I had particular challenges with this because I'm using Cloud at Cost as my VPN server, and they provide a really small subnet. OpenVPN assumes you'll have a `/112` netmask, but mine is `/120` and I gave `/124` to my vpn subnet.
I was a little rusty on ipv6 addressing and netmasks but https://masteripv6.com/introduction-to-ipv6-address-types helped. Most of what I needed was covered by openvpn docs: https://community.openvpn.net/openvpn/wiki/IPv6. The one thing I didn't catch on first read was that `2001:db8:0:123::/64` is an example subnet; I had to get my own subnet by inspecting the ip address and netmask of my VPS using the cloud at cost panel. https://www.reddit.com/r/CloudAtCost/comments/e3zp11/ipv6_configuration_on_cloudatcost was helpful for this.
I was able to get the UDP6 protocol working fairly seamlessly with my config. I wasn't able to start using my new ipv6 address on the vpn client right away though. Luckily, https://superuser.com/questions/1151539/routing-problems-with-ipv6-over-openvpn got me started on a solution. I still need to figure out if I needed just the first answer, or both the first and second answers. I'm also fairly certain I needed the sysctl commands from https://www.ipsidixit.net/2010/03/24/239 to make it work.
Openvpn docs also advised to run the client using `openvpn client.conf` so it was easier to see the output when things failed. That helped a lot, as did `tail -f /var/log/syslog | grep ovpn`. Put it all together and here's what everything looks like now:
```
# OpenVPN server config
port 1194
proto udp6
dev tun
ca ca.crt
cert vpn.devinhoward.ca.crt
key vpn.devinhoward.ca.key
dh dh4096.pem
server 10.8.0.0 255.255.255.0
server-ipv6 2607:1234::1234:1780/124
ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-auth ta.key 0 # This file is secret
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
# https://superuser.com/questions/1151539/routing-problems-with-ipv6-over-openvpn
# Level 2 is enough to run a client-connect script; level 3 additionally
# lets OpenVPN pass passwords to scripts via environment variables.
script-security 3
client-connect /etc/openvpn/ipv6-client-connect.sh
```
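```bash
#!/bin/bash
# /etc/openvpn/ipv6-client-connect.sh, run through client-connect in the server config.
# The connecting client's IPv6 address arrives in the environment as
# ifconfig_pool_remote_ip6; answer neighbour discovery for it on eth0.
ip -6 neigh add proxy "$ifconfig_pool_remote_ip6" dev eth0
```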
```
# sysctl settings on the server
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.proxy_ndp=1
```
```
# OpenVPN client config
client
dev tun
proto udp6
remote vpn.devinhoward.ca 1194
route-nopull
redirect-gateway def1 ipv6 bypass-dhcp
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
comp-lzo
verb 3
remote-cert-tls server
key-direction 1
ca ca.crt
cert cert.crt
key key.crt
tls-auth ta.key
```
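
The subnet carve-out described above (a /124 for the VPN taken out of the provider's /120) can be checked before it goes into `server-ipv6`. This is an added example, not part of the original setup: `check_vpn_subnet` is a hypothetical helper, the host address `2607:1234::1234:1701/120` is a constructed value, and it assumes a prefix that does not overlap the on-link one is routed to the VPS separately.

```python
import ipaddress

MAX_LISTED = 1 << 16  # do not enumerate anything larger than a /112


def check_vpn_subnet(host_iface, vpn_subnet):
    """Compare a server-ipv6 subnet with the address/prefix on the VPS's public NIC."""
    host = ipaddress.IPv6Interface(host_iface)
    problems = []
    try:
        vpn = ipaddress.IPv6Network(vpn_subnet, strict=True)
    except ValueError:
        # Host bits set (for example ...:1781/124): normalise and report it.
        vpn = ipaddress.IPv6Network(vpn_subnet, strict=False)
        problems.append(f"{vpn_subnet} has host bits set; the network is {vpn}")

    # A subnet inside the on-link prefix is reached by neighbour discovery on
    # the public interface, so the server must proxy NDP for each client.
    on_link = vpn.subnet_of(host.network)
    if vpn.overlaps(host.network) and not on_link:
        problems.append(f"{vpn} extends beyond the allocation {host.network}")
    if host.ip in vpn:
        problems.append(f"server address {host.ip} lies inside {vpn}")

    # hosts() skips the all-zeros Subnet-Router anycast address.
    listed = vpn.num_addresses <= MAX_LISTED
    return {
        "vpn_network": str(vpn),
        "needs_ndp_proxy": on_link,
        "addresses": [str(a) for a in vpn.hosts()] if listed else [],
        "problems": problems,
    }


if __name__ == "__main__":
    # Constructed host address; the /124 is the server-ipv6 value from the config.
    report = check_vpn_subnet("2607:1234::1234:1701/120", "2607:1234::1234:1780/124")
    for key, value in report.items():
        print(f"{key}: {value}")
```

A `needs_ndp_proxy` result of true corresponds to the `proxy_ndp` sysctl and the `ip -6 neigh add proxy` call in the client-connect script.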