Support for IPv6 addresses is relatively new in OpenVPN. As IPv6 addresses are now being used more and more by companies and Internet Service Providers, this recipe provides a setup for using IPv6 for tunnel endpoints as well as using it inside the tunnel.
This recipe is a continuation of the previous one. Install OpenVPN 2.3.9 or higher on two computers. Make sure the computers are connected over a network. Set up the client and server certificates using the previous recipe. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.9 and the client was running Fedora 20 Linux and OpenVPN 2.3.9. Keep the configuration file, basic-udp-server.conf, from the previous recipe at hand as well as the client configuration file, basic-udp-client.conf.
basic-udp-server.conf, by adding a line:

server-ipv6 2001:db8:100::0/112

Then save it as example2-4-server.conf.
[root@server]# openvpn --config example2-4-server.conf
[...]
do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=1
/sbin/ip link set dev tun0 up mtu 1500
/sbin/ip addr add dev tun0 10.200.0.1/24 broadcast 10.200.0.255
/sbin/ip -6 addr add 2001:db8:100::1/112 dev tun0
[...]

[root@client]# openvpn --config basic-udp-client.conf
[...]
[openvpnserver] Peer Connection Initiated with [AF_INET]openvpnserver:1194
TUN/TAP device tun0 opened
do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=1
/usr/sbin/ip link set dev tun0 up mtu 1500
/usr/sbin/ip addr add dev tun0 10.200.0.2/24 broadcast 10.200.0.255
/usr/sbin/ip -6 addr add 2001:db8:100::1000/112 dev tun0
Initialization Sequence Completed
The output showing that OpenVPN has configured an IPv6 address is shown in boldface.
ping6 command:

[client]$ ping6 -c 4 2001:db8:100::1
PING 2001:db8:100::1(2001:db8:100::1) 56 data bytes
64 bytes from 2001:db8:100::1: icmp_seq=1 ttl=64 time=9.01 ms
64 bytes from 2001:db8:100::1: icmp_seq=2 ttl=64 time=10.8 ms
64 bytes from 2001:db8:100::1: icmp_seq=3 ttl=64 time=9.42 ms
64 bytes from 2001:db8:100::1: icmp_seq=4 ttl=64 time=8.36 ms
--- 2001:db8:100::1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 8.364/9.409/10.832/0.904 ms
IPv6 support in OpenVPN works almost exactly like IPv4. The addressing format is different and most options need an extra -ipv6 suffix.
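As an added example (not part of the original recipe), the following Python check confirms that the IPv6 address a client log reports for the tunnel lies inside the server-ipv6 pool, and reports which address family the tunnel endpoints used. The function names are hypothetical, and the configuration and log text are constructed from the directive and client output shown above.

```python
import ipaddress
import re

# Constructed inputs: the directive and client log lines shown in this recipe.
SERVER_CONF = "server-ipv6 2001:db8:100::0/112\n"
CLIENT_LOG = """\
[openvpnserver] Peer Connection Initiated with [AF_INET]openvpnserver:1194
TUN/TAP device tun0 opened
/usr/sbin/ip addr add dev tun0 10.200.0.2/24 broadcast 10.200.0.255
/usr/sbin/ip -6 addr add 2001:db8:100::1000/112 dev tun0
Initialization Sequence Completed
"""


def ipv6_pool(conf_text):
    """Return the server-ipv6 network from an OpenVPN config, or None."""
    for line in conf_text.splitlines():
        if line.lstrip().startswith(";"):          # ';' starts a comment line
            continue
        fields = line.split("#", 1)[0].split()      # drop '#' comments
        if len(fields) >= 2 and fields[0] == "server-ipv6":
            # strict=True rejects a prefix with host bits set
            return ipaddress.IPv6Network(fields[1], strict=True)
    return None


def audit_client_log(log_text, pool):
    """Compare the tunnel IPv6 address in a client log against the pool."""
    transport = re.search(r"Peer Connection Initiated with \[(AF_INET6?)\]", log_text)
    tunnel = re.search(r"ip -6 addr add (\S+) dev \S+", log_text)
    result = {
        "transport": transport.group(1) if transport else None,
        "tunnel_ipv6": None,
        "in_pool": False,
        "prefix_matches": False,
    }
    if tunnel and pool:
        iface = ipaddress.IPv6Interface(tunnel.group(1))
        result["tunnel_ipv6"] = str(iface.ip)
        result["in_pool"] = iface.ip in pool
        result["prefix_matches"] = iface.network.prefixlen == pool.prefixlen
    return result


if __name__ == "__main__":
    print(audit_client_log(CLIENT_LOG, ipv6_pool(SERVER_CONF)))
```

For the log above, the transport is reported as AF_INET: the tunnel carries IPv6 inside, but the endpoints themselves still connected over IPv4.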
There are a couple of useful tricks to keep in mind when using client configuration files. Some of these tricks are explained here.
If the server openvpnserver.example.com resolves to an IPv6 address and the client has a valid IPv6 address, then the connection can be automatically established using IPv6. This is achieved by changing the proto udp line in both client and server configurations to proto udp6. It is then also possible to specify an IPv6 address for the server, using the following command:
remote 2001:db8:120:e120:225:90ff:fec0:3ed1
Note that even with proto udp6 in the server configuration file, IPv4 clients can still connect.
Even with OpenVPN 2.4, it is not yet possible to set up an IPv6-only VPN. You must always supply a (bogus) IPv4 address range for the VPN IP space. However, with OpenVPN 2.4, it is possible to set up an OpenVPN server that will accept requests only from IPv6-enabled clients. A new flag for the bind directive was added for this:
proto udp6
bind ipv6only