With the advent of IPv6 networks, it is becoming increasingly important to be able to set up a VPN that will secure both IPv4 and IPv6 traffic. If only IPv4 traffic is secured over a VPN tunnel, then it is still possible for traffic to leak out over IPv6. In this recipe, we will set up OpenVPN to secure all IPv6 traffic as well. Support for this was added in OpenVPN 2.4.
The network layout used in this recipe is the same as in the Server-side routing recipe.
This recipe uses the PKI files created in the first recipe of this chapter. Install OpenVPN 2.4 or higher on two computers. Make sure the computers are connected over a network. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.4 and the client was running Fedora 20 Linux and OpenVPN 2.4. For the server, keep the IPv6 configuration file, example2-4-server.conf, from the Adding IPv6 support recipe at hand. For the client, keep the configuration file, basic-udp-client.conf, from the Server-side routing recipe at hand.
Add the following line to the example2-4-server.conf file:
push "redirect-gateway ipv6 !ipv4"
Save it as example2-8-server.conf.
[root@server]# openvpn --config example2-8-server.conf
[root@server]# sysctl -w net.ipv6.conf.all.forwarding=1
[root@client]# openvpn --config basic-udp-client.conf
[...]
add_route_ipv6(::/3 -> 2001:db8:100::1 metric -1) dev tun1
add_route_ipv6(2000::/4 -> 2001:db8:100::1 metric -1) dev tun1
add_route_ipv6(3000::/4 -> 2001:db8:100::1 metric -1) dev tun1
add_route_ipv6(fc00::/7 -> 2001:db8:100::1 metric -1) dev tun1
Initialization Sequence Completed
When the client connects to the OpenVPN server, a special redirect statement is pushed out by the server to the OpenVPN client:
push "redirect-gateway ipv6 !ipv4"
The configuration flag ipv6 tells the OpenVPN client to redirect all of the IPv6 traffic over the tunnel, by adding three routes to the client operating system:
2000::/4
3000::/4
fc00::/4
This effectively redirects all of the IPv6 traffic over the VPN tunnel.
The second flag, !ipv4, tells the OpenVPN client not to redirect IPv4 traffic. It was added to this example to demonstrate that it is also possible to redirect IPv6 traffic only.
It is possible to achieve the same behavior by adding the following lines to the server configuration file:
push "route-ipv6 2000::/4"
push "route-ipv6 3000::/4"
push "route-ipv6 fc00::/4"
This is supported in OpenVPN 2.3 as well. However, there is a very important caveat to this: if the IPv6 address of the server is in the same range as any of the preceding addresses, then this setup will fail, as all of the traffic for the preceding IPv6 networks, including the traffic to the server itself, will be redirected over the tunnel. To overcome this problem, the flag ipv6 was introduced in OpenVPN 2.4.
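As an added illustration (not from the book), the following Python model shows what the pushed routes do on the client and why the caveat above bites: it builds a client routing table from the four tunnel routes in the client log, applies longest-prefix matching, detects the case where the server's own address falls inside a pushed prefix, and shows how a more specific /128 host route to the server via the original gateway resolves it. The server address 2001:db8:ffff::10, the LAN gateway fe80::1 and the interface names are constructed assumptions.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample: the routes pushed by "redirect-gateway ipv6", as they
# appear in the client log above, all pointing into the tunnel (dev tun1).
TUNNEL_GW = "2001:db8:100::1"
REDIRECTED_PREFIXES = ["::/3", "2000::/4", "3000::/4", "fc00::/7"]
# Constructed sample: the client's pre-existing LAN gateway and a hypothetical
# public address of the OpenVPN server (assumptions, not values from the page).
ORIGINAL_DEFAULT_GW = "fe80::1"
SERVER_PUBLIC_ADDR = "2001:db8:ffff::10"

Route = Tuple[ipaddress.IPv6Network, str, str]  # (prefix, next hop, interface)


def build_table(prefixes: List[str], tunnel_gw: str, orig_gw: str) -> List[Route]:
    """Client routing table after the push: the original default route via the
    LAN gateway plus one tunnel route per pushed prefix."""
    table: List[Route] = [(ipaddress.IPv6Network("::/0"), orig_gw, "eth0")]
    table += [(ipaddress.IPv6Network(p), tunnel_gw, "tun1") for p in prefixes]
    return table


def select_route(dest: str, table: List[Route]) -> Optional[Route]:
    """Longest-prefix match, the rule the kernel applies when choosing a route."""
    addr = ipaddress.IPv6Address(dest)
    matches = [r for r in table if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def tunnel_loops_on_itself(server_addr: str, table: List[Route]) -> bool:
    """The caveat from the text: if the server's own address is routed into the
    tunnel, the encrypted packets that carry the tunnel are themselves sent into
    the tunnel and the VPN cannot come up."""
    r = select_route(server_addr, table)
    return r is not None and r[2] == "tun1"


def add_server_bypass(table: List[Route], server_addr: str, orig_gw: str) -> List[Route]:
    """Resolution: a /128 host route to the server via the original gateway,
    which longest-prefix matching prefers over the pushed /3 and /4 routes."""
    host = ipaddress.IPv6Network(server_addr + "/128")
    return table + [(host, orig_gw, "eth0")]


if __name__ == "__main__":
    table = build_table(REDIRECTED_PREFIXES, TUNNEL_GW, ORIGINAL_DEFAULT_GW)
    print("server routed into tunnel before fix:", tunnel_loops_on_itself(SERVER_PUBLIC_ADDR, table))
    fixed = add_server_bypass(table, SERVER_PUBLIC_ADDR, ORIGINAL_DEFAULT_GW)
    print("server routed into tunnel after fix: ", tunnel_loops_on_itself(SERVER_PUBLIC_ADDR, fixed))
    print("2001:db8::1 leaves via", select_route("2001:db8::1", fixed)[2])
```

Running it shows the server address being routed into tun1 with only the pushed prefixes present, and via the LAN gateway once the /128 bypass is added, while ordinary global and ULA destinations still go through the tunnel.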