VPN browsing with OpenVPN ipv6

By devin, 7 October, 2021

I'd like to make this into a full-featured post at some point, but for now I'm just writing down the essentials for getting a working ipv4 openvpn setup to work using ipv6\. There are two steps: 1\. Use IPv6 as the protocol to communicate between client and sever 2\. Use IPv6 addresses for the clients I had particular challenges with this because I'm using Cloud at Cost as my VPN server, and they provide a really small subnet. openvpn assumes you'll have a /64 or /112 netmask, but mine is /120 and I gave /124 to my vpn subnet. I was a little rusty on ipv6 addressing and netmasks but https://masteripv6.com/introduction-to-ipv6-address-types/ helped. Most of what I needed was covered by openvpn docs: https://community.openvpn.net/openvpn/wiki/IPv6\. The one thing I didn't catch on first read was that 2001:db8:0:123::/64 is an example subnet; I had to get my own subnet by inspecting the ip address and netmask of my VPS using the cloud at cost panel. https://www.reddit.com/r/CloudAtCost/comments/e3zp11/ipv6_configuration… was helpful for this. I was able to get the UDP6 protocol working fairly seamlessly with my config. I wasn't able to start using my new ipv6 address on the vpn client right away though. Luckily, https://superuser.com/questions/1151539/routing-problems-with-ipv6-over… got me started on a solution. I still need to figure out if I needed just the first answer, or both the first and second answers. I'm also fairly certain I needed the sysctl commands from https://www.ipsidixit.net/2010/03/24/239/ to make it work. Openvpn docs also advised to run the client as "openvpn client.conf" so it was easier to see the output when things failed. That helped a lot, as did tail -f /var/log/syslog | grep ovpn. Put it all together and here's what everything looks like now: server.conf: port 1194 proto udp6 dev tunca ca.crt cert vpn.devinhoward.ca.crt key vpn.devinhoward.ca.key dh dh4096.pem server server-ipv6 2607::1234/124 ifconfig-pool-persist ipp.txt keepalive 10 120 tls-auth ta.key 0 # This file is secret #user nobody # temp disabled for script below to have sudo #group nogroup comp-lzo persist-key persist-tun status openvpn-status.log #log-append /var/log/openvpn.log verb 3 # https://superuser.com/questions/1151539/routing-problems-with-ipv6-over… script-security 3 client-connect /etc/openvpn/ipv6-client-connect.sh client.conf: client dev tun proto udp6 remote vpn.devinhoward.ca 1194 route-nopull redirect-gateway def1 ipv6 bypass-dhcp resolv-retry infinite nobind user nobody group nogroup persist-key persist-tun comp-lzo verb 3 remote-cert-tls server key-direction 1 /etc/openvpn/ipv6-client-connect.sh #!/bin/bash ip -6 neigh add proxy $ifconfig_pool_remote_ip6 dev eth0 /etc/sysctl.conf: net.ipv4.ip_forward = 1 net.ipv6.conf.all.forwarding = 1 net.ipv6.conf.all.proxy_ndp = 1

Plain text

  • No HTML tags allowed.
  • Web page addresses and email addresses turn into links automatically.
  • Lines and paragraphs break automatically.