How to distribute IPv6 addresses to OpenVPN clients with changing prefixes via SLAAC
-
Dear Netgate forum,
The ISP changes the IPv6 prefix (prefix length 56 bit) once per day and after every disconnect (configuration change, mains or line disconnection).
How can I distribute the IPv6 prefix via SLAAC to OpenVPN clients? I'd like to configure OpenVPN to distribute the IPv6 addresses via the normal router advertisements which are also used by the locally connected clients.
At the moment the OpenVPN clients don't get IPv6 addresses; they have IPv4 connectivity only.
Best regards
Jung-Fernmelder
-
As I mentioned in my other reply to you, use Unique Local Addresses.
-
@JKnott Thank you so much. I've tried to implement your tutorial and added this virtual IP:
And these are my OpenVPN tunnel settings:
The OpenVPN clients get an IPv6 address from the expected subnet, for example [fc:12:3456:7890:1234::1000], but they don't have any IPv6 connectivity. What did I configure wrong and how do I configure it properly?
-
I suspect you may need to have both local and global addresses on the tunnel. I don't see a definite way to do that, though it might be possible to add a second range. Since your global address changes, you'd have to add a network by name rather than address. Someone who knows more about OpenVPN may have to help. Since my prefix doesn't change I was able to use one of my /64s for the tunnel.
-
@JKnott said in How to distribute IPv6 addresses to OpenVPN clients with changing prefixes via SLAAC:
I suspect you may need to have both local and global addresses on the tunnel.
@JKnott said in How to distribute IPv6 addresses to OpenVPN clients with changing prefixes via SLAAC:
Since your global address changes, you'd have to add a network by name rather than address.
Both make sense.
How to add the network by name?
-
@Jung-Fernmelder said in How to distribute IPv6 addresses to OpenVPN clients with changing prefixes via SLAAC:
How to add the network by name?
As I said, this would have to go to someone who's more familiar with OpenVPN. However, the global address is only necessary if you are going through the VPN & pfSense to the Internet. If you're accessing only your local network ULA is fine.
I wish ISPs wouldn't do things like this that break IPv6.
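-
The replies above recommend Unique Local Addresses for the tunnel network because they stay fixed when the ISP prefix changes. The following is an added example, not part of the original thread and not pfSense or OpenVPN code: it generates an RFC 4193 /48 prefix, carves a /64 for the tunnel, and checks which range a candidate address falls in. The Global ID is drawn from `secrets` rather than the SHA-1 procedure RFC 4193 suggests, the function names and the subnet ID `0x10` are assumptions, and the sample inputs are constructed apart from the address quoted in the thread.

```python
import ipaddress
import secrets

ULA_RANGE = ipaddress.ip_network("fc00::/7")   # RFC 4193 Unique Local Addresses
ULA_LOCAL = ipaddress.ip_network("fd00::/8")   # locally assigned half (L bit set)
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")


def new_ula_prefix(global_id=None):
    """Return a /48 ULA prefix: 0xfd followed by a 40-bit Global ID."""
    gid = secrets.token_bytes(5) if global_id is None else global_id
    if len(gid) != 5:
        raise ValueError("Global ID must be exactly 5 bytes (40 bits)")
    packed = b"\xfd" + gid + bytes(10)
    return ipaddress.IPv6Network((int.from_bytes(packed, "big"), 48))


def tunnel_subnet(prefix48, subnet_id):
    """Carve the /64 with the given 16-bit Subnet ID out of a /48 prefix."""
    if prefix48.prefixlen != 48 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("need a /48 prefix and a 16-bit subnet ID")
    base = int(prefix48.network_address) | (subnet_id << 64)
    return ipaddress.IPv6Network((base, 64))


def classify(text):
    """Say which range an IPv6 address or network string falls in."""
    net = ipaddress.ip_network(text, strict=False)
    if net.version != 6:
        return "not IPv6"
    if net.subnet_of(ULA_LOCAL):
        return "ULA (locally assigned)"
    if net.subnet_of(ULA_RANGE):
        return "ULA range, L bit clear"
    if net.subnet_of(GLOBAL_UNICAST):
        return "global unicast"
    return "other"


if __name__ == "__main__":
    prefix = new_ula_prefix()
    print("site prefix   :", prefix)
    print("tunnel network:", tunnel_subnet(prefix, 0x10))
    samples = [
        "fd12:3456:789a:10::/64",          # constructed ULA tunnel network
        "fc:12:3456:7890:1234::1000",      # address as written in the thread
        "2001:db8:1234:5600::/56",         # constructed, documentation prefix
    ]
    for s in samples:
        print(f"{s:32} -> {classify(s)}")
```

A leading group written as `fc` expands to `00fc`, so `classify` reports such an address as outside `fc00::/7`; a ULA starts with a full `fcxx` or `fdxx` group.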