IPv4-Mapped IPv6 Addresses in OpenVPN: Practical Connectivity Solutions for Mixed IPv4/IPv6 Environments



IPv4-mapped IPv6 addresses (::ffff:0:0/96) serve as a transition mechanism allowing IPv6 applications to communicate with IPv4-only hosts. The format follows ::ffff:a.b.c.d where a.b.c.d represents the IPv4 address. This enables dual-stack systems to handle IPv4 traffic through IPv6 sockets.

The connectivity issues arise because OpenVPN has specific requirements for handling these addresses:

# Typical OpenVPN server configuration that won't work with IPv4-mapped addresses
server-ipv6 2a04::dead:beef:5802:A
push "route-ipv6 2000::/3"

For your case where Server=IPv6 and Client=IPv4:

# Server configuration (IPv6)
mode server
proto udp6
server-ipv6 2a04::dead:beef:5802:A/64
push "route 126.10.13.0 255.255.255.0"

For Server=IPv4 and Client=IPv6:

# Server configuration (IPv4)
mode server
proto udp
server 10.8.0.0 255.255.255.0
push "route-ipv6 2a04::/64"

When programming socket connections:

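// C example of handling IPv4-mapped addresses
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

// addr is the peer address returned by accept() or recvfrom() on an AF_INET6 socket
void print_if_v4mapped(const struct sockaddr_in6 *addr) {
    if (IN6_IS_ADDR_V4MAPPED(&addr->sin6_addr)) {
        // Extract IPv4 address (the last 4 bytes of the 16-byte IPv6 address)
        struct in_addr ipv4_addr;
        memcpy(&ipv4_addr.s_addr, &addr->sin6_addr.s6_addr[12], 4);
        printf("Mapped IPv4: %s\n", inet_ntoa(ipv4_addr));
    }
}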
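
As an added example (not from the original page and not OpenVPN code), the same extraction can be used to canonicalise peer addresses from a dual-stack socket, so that logs and allow-lists see 126.10.13.2 and ::ffff:7e0a:d02 as one host. The helper names canonical_peer and canonical_text are hypothetical.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helper (not an OpenVPN API): write the canonical text form of
 * a peer address into out. An IPv4-mapped address (::ffff:a.b.c.d) is reduced
 * to plain a.b.c.d. Returns AF_INET, AF_INET6, or -1 on error. */
int canonical_peer(const struct sockaddr_storage *ss, char *out, socklen_t len)
{
    if (ss->ss_family == AF_INET) {
        const struct sockaddr_in *a4 = (const struct sockaddr_in *)ss;
        return inet_ntop(AF_INET, &a4->sin_addr, out, len) ? AF_INET : -1;
    }
    if (ss->ss_family != AF_INET6)
        return -1;
    const struct sockaddr_in6 *a6 = (const struct sockaddr_in6 *)ss;
    if (IN6_IS_ADDR_V4MAPPED(&a6->sin6_addr)) {
        struct in_addr v4;
        memcpy(&v4, &a6->sin6_addr.s6_addr[12], sizeof v4); /* last 4 bytes */
        return inet_ntop(AF_INET, &v4, out, len) ? AF_INET : -1;
    }
    return inet_ntop(AF_INET6, &a6->sin6_addr, out, len) ? AF_INET6 : -1;
}

/* Parse IPv6 text the way recvfrom() would report it on an AF_INET6 socket,
 * then canonicalise it. Returns a static buffer, or NULL on bad input. */
const char *canonical_text(const char *text)
{
    static char buf[INET6_ADDRSTRLEN];
    struct sockaddr_storage ss;
    struct sockaddr_in6 *a6 = (struct sockaddr_in6 *)&ss;
    memset(&ss, 0, sizeof ss);
    a6->sin6_family = AF_INET6;
    if (inet_pton(AF_INET6, text, &a6->sin6_addr) != 1)
        return NULL;
    return canonical_peer(&ss, buf, sizeof buf) < 0 ? NULL : buf;
}

int main(void)
{
    /* Constructed sample inputs, using the addresses from this page. */
    const char *samples[] = { "::ffff:7e0a:d02", "::ffff:126.10.13.2",
                              "2a04::dead:beef:5802:a" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-24s -> %s\n", samples[i], canonical_text(samples[i]));
    return 0;
}
```

Comparing the raw 16-byte form against an IPv4 rule, or the reverse, is how a mapped peer ends up unmatched by a filter that was written for the other family.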

1. Dual-Stack Configuration:

# Server config supporting both
# On Linux a udp6 socket accepts IPv4 and IPv6 clients unless "bind ipv6only" is set
proto udp6
server 10.8.0.0 255.255.255.0
server-ipv6 2a04::dead:beef:5802:A/64

2. NAT64/DNS64 Alternative:

# Use when native IPv4-mapped support is unavailable
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 126.10.13.2
ip6tables -t nat -A POSTROUTING -s 2a04::dead:beef:5802:A/64 -j SNAT --to-source ::ffff:7e0a:d02

Always verify:

  • OpenVPN version supports IPv6 (--version should show IPv6)
  • Kernel has IPv6 support (check /proc/sys/net/ipv6/conf/all/disable_ipv6; 0 means IPv6 is enabled)
  • Firewall rules allow both IPv4 and IPv6 traffic

When working with mixed IPv4/IPv6 environments, IPv4-mapped IPv6 addresses (::ffff:0:0/96) serve as a transition mechanism. They allow IPv6-enabled systems to communicate with IPv4-only peers by embedding the IPv4 address in the low 32 bits of an IPv6 address. However, OpenVPN presents unique challenges in this scenario.

IPv4-mapped addresses (e.g., ::ffff:7e0a:d02 for 126.10.13.2) work differently at various layers:

// Typical IPv4-mapped representation in code
struct sockaddr_in6 {
    sa_family_t     sin6_family;   // AF_INET6
    uint16_t        sin6_port;
    uint32_t        sin6_flowinfo;
    struct in6_addr sin6_addr;     // ::ffff:7e0a:d02
    uint32_t        sin6_scope_id;
};

The connectivity issues stem from three key factors:

  1. OpenVPN's internal address resolution logic
  2. Operating system socket API behavior
  3. Network stack translation layers

For successful OpenVPN dual-stack connections:

# Server configuration (IPv6)
proto udp6
server-ipv6 2a04::dead:beef:5802:A/64
push "route-ipv6 2000::/3"
push "redirect-gateway ipv6"

# Client configuration (IPv4-mapped)
client
proto udp
remote 2a04::dead:beef:5802:A 1194
dev tun
ifconfig-ipv6 ::ffff:7e0a:d02/96

Essential troubleshooting commands:

# Check OS-level IPv6 mapping
sysctl net.ipv6.bindv6only
# Verify route tables
ip -6 route show table all
# Test raw connectivity (-u because the configurations above use UDP)
nc -6zvu ::ffff:7e0a:d02 1194

When native mapping fails, consider:

  • DNS64/NAT64 gateways
  • Explicit protocol tunneling
  • Dual-stack proxy endpoints

Remember that IPv4-mapped addresses primarily exist for application-layer compatibility, not necessarily for tunnel-level operations. The OpenVPN implementation may require additional bridge configurations or protocol translation services.