Tunnel and LAN IPv6 addresses for OpenVPN server
-
I was able to connect from Windows 10 using OpenVPN Connect and the IPv4 settings for tunnel and LAN, below. But my network is set up for IPv6 as well and I would like that functional over VPN. How do I configure the IPv6 subnets and LAN? pfSense shows a globally-routable address for my LAN; I'm not sure that is what I'm supposed to use. For the tunnel network, notes in the server configuration give an example of fe80::/64.
-
Things like routing and tunnels work pretty much the same for IPv4 and IPv6. For example, you used a separate subnet for your IPv4 tunnel. You can do the same with IPv6, using a global address subnet, if you have one to spare, or unique local, which is the IPv6 equivalent of RFC1918,
-
@JKnott I apologize for the late reply. I read your Unique Local Addresses post, and think I understand that I can create a ULA starting with FD as follows, where xxxx are random hex numbers.
FDxx:xxx:xxxx:0::
I don't understand if or why I should use a ULA address with FD prefix instead of a link-local prefix FE as shown in the OpenVPN example above. I'm not sure why a GUA subnet would be used in this case, or how to create it.
Edit: tried fd45::/64 in the IPv6 tunnel network field; the remote client connects and shows both IPv4 and IPv6 configured in OpenVPN server on pfSense as the tunnel network IP addresses.
-
Actually, you can use anything, including no address. When routing, you need to know how to get to the next hop. On a point-to-point link, such as a VPN, you can even use just the interface. There's also no reason you couldn't use a link-local address. In fact, that's what I use with my ISP. I just thought using a routable address would be easier for some to understand. My VPN uses one of my global /64 prefixes as the other end is only my notebook computer and it would need a global address. For a tunnel between two sites, any method could be used.
-
@JKnott said in Tunnel and LAN IPv6 addresses for OpenVPN server:
My VPN uses one of my global /64 prefixes as the other end is only my notebook computer and it would need a global address. For a tunnel between two sites, any method could be used.
This makes sense, and is likely the most complete configuration. The client connected by VPN will have a complete set of network addresses including GUA IPv6 if I configure as a subnet of my ISP prefix delegation to pfSense and LAN.
Now I just need to figure out IPv6 subnet addressing and input the subnet to the IPv6 tunnel address. Of course, if this prefix delegation from my ISP changes addresses once a year or so, it will break the setup as this address will be hard-coded and not follow LAN prefix delegation from the ISP.
-
My prefix has been the same for almost 5 years. However, this is one reason I mentioned ULA. It won't change, unless you change it.
There's not much to subnet. You just assign a /64 to each interface.
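
The ULA approach discussed in this thread, as an added example that is not part of the original posts: it builds an RFC 4193 style /48 (fd + 40-bit global ID), assigns one /64 per interface, and classifies the tunnel prefixes mentioned above. The function names and the interface labels `lan` and `ovpn_tunnel` are hypothetical, the fixed global ID in the demo is constructed, and `secrets.randbits` stands in for the hash-based generation RFC 4193 suggests.

```python
import ipaddress
import secrets

ULA_RANGE = ipaddress.IPv6Network("fd00::/8")      # locally assigned ULA space
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")

def new_ula_prefix(global_id=None):
    """Return an fdxx:xxxx:xxxx::/48 network; random 40-bit global ID by default."""
    if global_id is None:
        global_id = secrets.randbits(40)
    if not 0 <= global_id < 2**40:
        raise ValueError("global ID must fit in 40 bits")
    # 8 bits of 0xfd, then the 40-bit global ID, then 16 subnet bits + 64 host bits.
    base = (0xFD << 120) | (global_id << 80)
    return ipaddress.IPv6Network((base, 48))

def carve(prefix48, names):
    """Assign one /64 per interface name, in order, out of the /48."""
    subnets = prefix48.subnets(new_prefix=64)
    return {name: next(subnets) for name in names}

def classify(cidr):
    """Name the address scope a candidate tunnel network falls in."""
    net = ipaddress.IPv6Network(cidr)
    if net.subnet_of(LINK_LOCAL):
        return "link-local"
    if net.subnet_of(ULA_RANGE):
        return "unique-local"
    if net.subnet_of(GLOBAL_UNICAST):
        return "global"
    return "other"

def global_id_of(cidr):
    """Extract the 40-bit global ID from a ULA network."""
    net = ipaddress.IPv6Network(cidr)
    if not net.subnet_of(ULA_RANGE):
        raise ValueError("not a ULA network")
    return (int(net.network_address) >> 80) & (2**40 - 1)

if __name__ == "__main__":
    prefix = new_ula_prefix(0x1234567890)          # constructed, fixed for the demo
    for name, net in carve(prefix, ["lan", "ovpn_tunnel"]).items():
        print(f"{name:12} {net}")
    for candidate in ("fe80::/64", "fd45::/64", "2001:db8:0:1::/64"):
        print(f"{candidate:20} {classify(candidate)}")
    print("random /48:", new_ula_prefix())
```

`global_id_of("fd45::/64")` returns `0x4500000000`, which shows that a hand-picked prefix like fd45::/64 sits in ULA space but uses only 8 of the 40 global ID bits.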