VPN browsing with OpenVPN ipv6

By devin, 7 October, 2021

I'd like to make this into a full-featured post at some point, but for now I'm just writing down the essentials for getting a working ipv4 openvpn setup to work using ipv6. There are two steps:

  1. Use IPv6 as the protocol to communicate between client and sever
  2. Use IPv6 addresses for the clients

I had particular challenges with this because I'm using Cloud at Cost as my VPN server, and they provide a really small subnet. openvpn assumes you'll have a /64 or /112 netmask, but mine is /120 and I gave /124 to my vpn subnet.

I was a little rusty on ipv6 addressing and netmasks but https://masteripv6.com/introduction-to-ipv6-address-types helped. Most of what I needed was covered by openvpn docs: https://community.openvpn.net/openvpn/wiki/IPv6.The one thing I didn't catch on first read was that 2001:db8:0:123::/64 is an example subnet; I had to get my own subnet by inspecting the ip address and netmask of my VPS using the cloud at cost panel. https://www.reddit.com/r/CloudAtCost/comments/e3zp11/ipv6_configuration_on_cloudatcost was helpful for this.

I was able to get the UDP6 protocol working fairly seamlessly with my config. I wasn't able to start using my new ipv6 address on the vpn client right away though. Luckily, https://superuser.com/questions/1151539/routing-problems-with-ipv6-over-openvpn got me started on a solution. I still need to figure out if I needed just the first answer, or both the first and second answers. I'm also fairly certain I needed the sysctl commands from https://www.ipsidixit.net/2010/03/24/239 to make it work.

Openvpn docs also advised to run the client using openvpn client.conf so it was easier to see the output when things failed. That helped a lot, as did tail -f /var/log/syslog | grep ovpn. Put it all together and here's what everything looks like now:


port 1194
proto udp6
dev tun

ca ca.crt
cert vpn.devinhoward.ca.crt
key vpn.devinhoward.ca.key
dh dh4096.pem

server-ipv6 2607:1234::1234:1780/124
ifconfig-pool-persist ipp.txt

keepalive 10 120
tls-auth ta.key 0 # This file is secret


status openvpn-status.log
verb 3

# https://superuser.com/questions/1151539/routing-problems-with-ipv6-over-openvpn
script-security 3
client-connect /etc/openvpn/ipv6-client-connect.sh



ip -6 neigh add proxy $ifconfig_pool_remote_ip6 dev eth0


net.ipv6.conf.all.proxy_ndp = 1


dev tun
proto udp6
remote vpn.devinhoward.ca 1194

redirect-gateway def1 ipv6 bypass-dhcp

resolv-retry infinite
user nobody
group nogroup
verb 3

remote-cert-tls server
key-direction 1

ca ca.crt
cert cert.crt
key key.crt
tls-auth ta.key

Plain text

  • No HTML tags allowed.
  • Web page addresses and email addresses turn into links automatically.
  • Lines and paragraphs break automatically.