#1 2016-04-10 20:30:47

kyl191
Trusted Member
Registered: 2015-02-23
Posts: 10

Anyone use IPv6 inside OpenVPN?

This is specific to using IPv6 *within* an OpenVPN tunnel - I've got a working OpenVPN setup with a dual stack connection (listening on IPv4+IPv6) working fine.

I'm trying to assign each client an IPv6 address from the /64 subnet that comes with the NAT nodes.

I've tried adding IPv6 support as mentioned in https://community.openvpn.net/openvpn/wiki/IPv6. The client correctly gets an IPv6 address, but it doesn't work - I can't ping IPv6 address through the tunnel.

I've also got the IPv6 forwarding sysctl setup on the host, and firewalld is performing masquerading. I've reassigned the IPv6 subnet assigned to the host to split it between the venet0 interface and the tun00 interface, as mentioned in the OpenVPN doc linked above.

Config section:

server 10.9.0.0 255.255.255.0
server-ipv6 2607:5600:dead:beef:8000::/65
ifconfig-pool-persist ipp.txt

push "redirect-gateway def1 bypass-dhcp"
push "route-ipv6 2000::/3"

IP addresses:

[[email protected] ~]# ip addr
2: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/void
    inet 127.0.0.1/32 scope host venet0
    inet 192.168.0.43/32 brd 192.168.0.43 scope global venet0:0
    inet6 2607:5600:dead:beef::42/65 scope global
       valid_lft forever preferred_lft forever
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none
    inet 10.9.0.1 peer 10.9.0.2/32 scope global tun0
    inet6 2607:5600:dead:beef:8000::1/65 scope global
       valid_lft forever preferred_lft forever

Offline

#2 2016-05-15 18:27:17

zwv970
Trusted Member
Registered: 2016-01-30
Posts: 77

Re: Anyone use IPv6 inside OpenVPN?

The task to assign each client an IPv6 address from the /64 subnet that comes with the NAT nodes will most likely not work on OpenVZ containers but works just fine on minikvm containers. I am using modified openvpn-install.sh script to do that. I wonder if anyone has time to automate IPv6 setup in openvpn-install.sh.

I so far found two problems with OpenVZ containers and IPv6 forwarding.
1. IPv6 nat modules are not loaded on hosts, and IPv6 NAT is not possible.

ip6tables -w2 -t nat -A POSTROUTING -o venet0 -s fd04::/16 -j SNAT --to-source 2602:ffe8:dead:beef::1
ip6tables v1.4.21: can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.

If IPv6 NAT is fixed then VPN client get get private IPv6 addresses from fd prefix and NATed to public IPv6 the same way as IPv4 is currently NATed.

2. venet interface, at least how I understood it experimenting, only gets addresses assigned via solusvm. eth0 on minikvm gets full /64 from the nearest router unconditionally and it is up to kernel how to deal with it.

Offline

#3 2016-05-15 20:01:58

Backtogeek
Low End Boss
From: ~/
Registered: 2013-02-13
Posts: 3,498
Website

Re: Anyone use IPv6 inside OpenVPN?

That sort of thing simply wont work on OpenVZ until a stable version is released on RHEL 7, which I understand will be very soon but it will take a while to upgrade to 7 from 6


http://LittleHappyCloud.net KVM VPS with 1TB Bandwidth for €3.00

Offline

#4 2016-05-15 20:34:48

zwv970
Trusted Member
Registered: 2016-01-30
Posts: 77

Re: Anyone use IPv6 inside OpenVPN?

I just figured it out. IPv6 NAT was introduced in Linux kernel version 3.9.0 and ip6tables version 1.4.18 so it does need OpenVZ 7 to work. Oh well... I am not even daring asking for an ETA....

Offline

#5 2016-05-17 10:40:13

Backtogeek
Low End Boss
From: ~/
Registered: 2013-02-13
Posts: 3,498
Website

Re: Anyone use IPv6 inside OpenVPN?

Out of my hands, so many things and devs need to alight before that happens, afaik OnApp are testing virtuozzo for RHEL 7 but I would expect at least a year for a stab 3.x kernel for 6 or backported 2.32


http://LittleHappyCloud.net KVM VPS with 1TB Bandwidth for €3.00

Offline

#6 2016-05-17 13:14:39

zwv970
Trusted Member
Registered: 2016-01-30
Posts: 77

Re: Anyone use IPv6 inside OpenVPN?

Has anyone tried http://tomicki.net/naptd.php for IPv6 tunneling?

Offline

#7 2016-08-14 07:30:54

0x004a
Trusted Member
Registered: 2013-10-15
Posts: 135

Re: Anyone use IPv6 inside OpenVPN?

Managed anything in the end @kyl191 ?

Wondering if it would work by using /112 for clients from the /64 ... ?

https://www.digitalocean.com/community/ … al-network

Offline

Board footer