I'd like to make this into a full-featured post at some point, but for now I'm just writing down the essentials for getting a working ipv4 openvpn setup to work using ipv6. There are two steps:
- Use IPv6 as the protocol to communicate between client and sever
- Use IPv6 addresses for the clients
I had particular challenges with this because I'm using Cloud at Cost as my VPN server, and they provide a really small subnet. openvpn assumes you'll have a /64 or /112 netmask, but mine is /120 and I gave /124 to my vpn subnet.
I was a little rusty on ipv6 addressing and netmasks but https://masteripv6.com/introduction-to-ipv6-address-types helped. Most of what I needed was covered by openvpn docs: https://community.openvpn.net/openvpn/wiki/IPv6.The one thing I didn't catch on first read was that 2001:db8:0:123::/64 is an example subnet; I had to get my own subnet by inspecting the ip address and netmask of my VPS using the cloud at cost panel. https://www.reddit.com/r/CloudAtCost/comments/e3zp11/ipv6_configuration_on_cloudatcost was helpful for this.
I was able to get the UDP6 protocol working fairly seamlessly with my config. I wasn't able to start using my new ipv6 address on the vpn client right away though. Luckily, https://superuser.com/questions/1151539/routing-problems-with-ipv6-over-openvpn got me started on a solution. I still need to figure out if I needed just the first answer, or both the first and second answers. I'm also fairly certain I needed the sysctl commands from https://www.ipsidixit.net/2010/03/24/239 to make it work.
Openvpn docs also advised to run the client using openvpn client.conf so it was easier to see the output when things failed. That helped a lot, as did tail -f /var/log/syslog | grep ovpn. Put it all together and here's what everything looks like now:
server.conf
port 1194
proto udp6
dev tun
ca ca.crt
cert vpn.devinhoward.ca.crt
key vpn.devinhoward.ca.key
dh dh4096.pem
server 10.8.0.0 255.255.255.0
server-ipv6 2607:1234::1234:1780/124
ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-auth ta.key 0 # This file is secret
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
# https://superuser.com/questions/1151539/routing-problems-with-ipv6-over-openvpn
script-security 3
client-connect /etc/openvpn/ipv6-client-connect.sh
/etc/openvpn/ipv6-client-connect.sh
#!/bin/bash
ip -6 neigh add proxy $ifconfig_pool_remote_ip6 dev eth0
/etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.proxy_ndp = 1
client.conf
client
dev tun
proto udp6
remote vpn.devinhoward.ca 1194
route-nopull
redirect-gateway def1 ipv6 bypass-dhcp
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
comp-lzo
verb 3
remote-cert-tls server
key-direction 1
ca ca.crt
cert cert.crt
key key.crt
tls-auth ta.key