How to Configure OpenVPN with IPv6 Support: Assigning Public IPv6 Addresses to Clients

When working with IPv6 in OpenVPN, the fundamental difference from IPv4 is that your provider (liteserver.nl in this case) typically routes a whole /64 subnet to your server. That is 2^64 possible addresses - more than enough to give every client its own globally routable IPv6 address instead of hiding it behind NAT.

# Typical IPv6 subnet assignment from hosting provider
Your main server IP: 2a04:52c0:101:xxx::100/64
Your routed subnet:   2a04:52c0:101:xxx::/64

The configuration needs to accomplish three main objectives:

  • Assign unique IPv6 addresses from your /64 subnet to clients
  • Enable IPv6 routing through the VPN tunnel
  • Configure proper firewall rules for IPv6 traffic

Here's the complete server configuration that works with both IPv4 and IPv6:

port 1194
proto udp
dev tun
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
server-ipv6 2a04:52c0:101:xxx::/64
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 2a04:52c0:101:xxx::1"
push "redirect-gateway def1 bypass-dhcp"
crl-verify crl.pem
ca ca.crt
cert server.crt
key server.key
tls-auth tls-auth.key 0
dh dh4096.pem
auth SHA256
cipher AES-256-CBC
tls-server
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
tun-ipv6
push tun-ipv6
ifconfig-ipv6 2a04:52c0:101:xxx::1 2a04:52c0:101:xxx::2
push "route-ipv6 2a04:52c0:101:xxx::/64"
push "route-ipv6 2000::/3"
status openvpn.log
verb 4

Several key directives make the IPv6 configuration work:

server-ipv6 2a04:52c0:101:xxx::/64  # Hand clients addresses from this prefix (also sets the server's tunnel address and pushes the prefix route)
tun-ipv6                             # Enable IPv6 on the tun interface (ignored since OpenVPN 2.4, where IPv6 is always on)
push tun-ipv6                        # Tell clients to do the same (likewise a no-op for 2.4+ clients)
ifconfig-ipv6 2a04:52c0:101:xxx::1 2a04:52c0:101:xxx::2   # Server's own tunnel address and its peer address
push "route-ipv6 2000::/3"           # Send all global-unicast IPv6 traffic through the VPN
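
As an added consistency check (not from the original page or the OpenVPN project), the following Python script parses the IPv6 directives of a server.conf like the one above and flags the mistakes that commonly leave clients without IPv6: a tunnel prefix outside the provider's routed /64, a pushed IPv6 DNS server that is not reachable through the tunnel, ifconfig-ipv6 addresses outside the prefix, and a missing route-ipv6 2000::/3. The routed prefix and the sample config are constructed with the 2001:db8 documentation prefix, because the page's xxx placeholder does not parse as an address.

```python
import ipaddress
import re

# Constructed sample. The page writes its prefix with the placeholder "xxx", which
# does not parse, so the documentation prefix 2001:db8:101:1::/64 stands in for it.
ROUTED_PREFIX = ipaddress.ip_network("2001:db8:101:1::/64")
SAMPLE_CONF = """\
server 10.8.0.0 255.255.255.0
server-ipv6 2001:db8:101:1::/112
push "route-ipv6 2000::/3"
push "dhcp-option DNS 2001:db8:101:1::1"
ifconfig-ipv6 2001:db8:101:1::1 2001:db8:101:1::2
tun-ipv6
"""

def parse(conf):
    """Yield (directive, args); a quoted push "..." line becomes ('push', args)."""
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        m = re.match(r'push\s+"(.*)"$', line)
        args = m.group(1).split() if m else line.split()
        yield ("push", args) if m else (args[0], args[1:])

def lint(conf, routed=ROUTED_PREFIX):
    """Return findings about the IPv6 directives; only 'info:' entries means they agree."""
    d = list(parse(conf))
    nets = [ipaddress.ip_network(a[0]) for k, a in d if k == "server-ipv6"]
    if not nets:
        return ["no server-ipv6: clients will not get an IPv6 address"]
    net, findings = nets[0], []
    if not net.subnet_of(routed):                     # must be carved out of the provider's /64
        findings.append(f"server-ipv6 {net} is outside the routed prefix {routed}")
    pushed = [a for k, a in d if k == "push"]
    if ["route-ipv6", "2000::/3"] not in pushed:      # otherwise only the tunnel prefix is routed
        findings.append("no push route-ipv6 2000::/3: clients keep using their local IPv6 uplink")
    for a in pushed:                                  # a v6 resolver must be reachable via the tunnel
        if a[:2] == ["dhcp-option", "DNS"] and len(a) == 3 and ":" in a[2]:
            if ipaddress.ip_address(a[2]) not in net:
                findings.append(f"pushed DNS {a[2]} is not inside the tunnel prefix {net}")
    for k, a in d:
        if k == "ifconfig-ipv6":
            for addr in a[:2]:
                if ipaddress.ip_address(addr) not in net:
                    findings.append(f"ifconfig-ipv6 address {addr} is outside {net}")
    if any(k == "tun-ipv6" or a == ["tun-ipv6"] for k, a in d):
        findings.append("info: tun-ipv6 is ignored since OpenVPN 2.4 (IPv6 is always enabled)")
    return findings
```

Run `lint()` on your own server.conf text with your real routed prefix; an empty list or only "info:" entries means the IPv6 directives are consistent with each other and with the prefix your provider routes to you.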

Clients need these settings in their config:

client
dev tun
proto udp
remote your-server.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA256
cipher AES-256-CBC
tls-client
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
verb 3

On the server side, you need to enable IPv6 forwarding and configure proper firewall rules:

# Enable IPv6 forwarding (this does not survive a reboot; persist it in /etc/sysctl.conf)
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

# Basic IPv6 firewall rules (using ip6tables): clients may open connections outward,
# only replies to those connections are forwarded back in. The state rule only
# restricts anything if the chain's default policy is DROP.
ip6tables -P FORWARD DROP
ip6tables -A FORWARD -i tun0 -o eth0 -j ACCEPT
ip6tables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Only needed if the provider does NOT route the /64 to your server; with a routed
# prefix the clients' addresses are already public and NAT is unnecessary
ip6tables -t nat -A POSTROUTING -o eth0 -s 2a04:52c0:101:xxx::/64 -j MASQUERADE

If IPv6 isn't working, check these common pitfalls:

  • Verify your hosting provider actually routes the /64 subnet to your server
  • Check if IPv6 forwarding is enabled (sysctl net.ipv6.conf.all.forwarding)
  • Test basic IPv6 connectivity from the server itself
  • Ensure clients receive both IPv4 and IPv6 DNS servers

Here's how to test basic IPv6 connectivity from the server:

ping6 google.com
traceroute6 google.com

For more control over which addresses clients receive, you can set the pool yourself with ifconfig-ipv6-pool (this replaces server-ipv6, which already defines a pool and refuses to be combined with it, so pair it with an explicit ifconfig-ipv6 and push "route-ipv6 ..."):

ifconfig-ipv6-pool 2a04:52c0:101:xxx::1000/112

This would assign addresses from 2a04:52c0:101:xxx::1000 to 2a04:52c0:101:xxx::1fff while keeping the rest of the /64 available for other uses.


When working with IPv6 in OpenVPN, it's crucial to distinguish between the server's public IPv6 address and the routed subnet. In this case, you have:

  • Public IPv6: 2a04:52c0:101:xxx::100/64 (assigned to your server's main interface)
  • Routed subnet: 2a04:52c0:101:xxx::/64 (allocated for VPN clients)

The main issues preventing proper IPv6 connectivity are:

  • Incorrect subnet allocation between server and clients
  • Missing IPv6 forwarding and NAT rules
  • Incomplete route advertisements

Here's the corrected server.conf with proper IPv6 support:

port 1194
proto udp
dev tun
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
server-ipv6 2a04:52c0:101:xxx::/112
push "route-ipv6 2000::/3"
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 2a04:52c0:101:xxx::1"
push "redirect-gateway def1 bypass-dhcp"
crl-verify crl.pem
ca ca.crt
cert server.crt
key server.key
tls-auth tls-auth.key 0
dh dh4096.pem
auth SHA256
cipher AES-256-CBC
tls-server
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
tun-ipv6
push tun-ipv6
ifconfig-ipv6 2a04:52c0:101:xxx::1 2a04:52c0:101:xxx::2
status openvpn.log
verb 4

Add these kernel parameters to /etc/sysctl.conf:

net.ipv6.conf.all.forwarding=1
net.ipv6.conf.default.forwarding=1
# proxy_ndp only matters when the /64 is on-link on eth0 rather than routed to you; it also
# needs an explicit proxy entry per client address (ip -6 neigh add proxy ADDR dev eth0)
net.ipv6.conf.all.proxy_ndp=1

Apply with:

sysctl -p

Create these ip6tables rules for proper NAT and routing:

# SNAT hides every client behind the server's own ::100 address. If the /64 is routed to
# you and clients should keep their own public addresses, leave this rule out.
ip6tables -t nat -A POSTROUTING -s 2a04:52c0:101:xxx::/64 -j SNAT --to-source 2a04:52c0:101:xxx::100
# Clients may open connections outward; only replies are forwarded back to them
# (set the FORWARD policy to DROP, otherwise the state rule restricts nothing)
ip6tables -P FORWARD DROP
ip6tables -A FORWARD -i tun0 -o eth0 -j ACCEPT
ip6tables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT

Your client.ovpn should include:

client
dev tun
proto udp
remote your.server.ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA256
cipher AES-256-CBC
tls-client
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
verb 3

After connecting, verify with:

ping6 google.com
traceroute6 ipv6.google.com
curl -6 https://ifconfig.co

  • Use /112 for the VPN subnet to avoid conflicts with your main /64
  • Ensure your host provider has properly routed the /64 to your server
  • Consider using unique local addresses (ULA) for internal VPN communication