Netgate Discussion Forum

    OpenVPN with ipv6 delegated prefix

    8 Posts 2 Posters 88 Views 2 Watching
    • TheGushi

      Hey there folks. I have native comcast ipv6 at my home, with a /64 prefix delegation, and when I connect to my home openVPN setup, I find that I cannot reach the ipv6 internet. (Specifically, this breaks mosh sessions that were started with a v6 connection at home).

      For the moment, I've fixed this by using a "dummy" ipv6 subnet (fc01::/64), and telling pfsense to NAT that subnet outbound on the WAN address (similar to how ipv4 is handled).

      It looks like right now I'm being delegated a /64 -- is there a way to use a slice of that for openVPN, and have it automatically track and be added to the openVPN config on change? Or is NAT the most stable way forward?

      (I realize that if I'm asking for a new feature here, it would be one that's stunningly rarely used).

      • JKnott @TheGushi

        @TheGushi

        I don't know about Comcast, but are they only providing a single /64? Or is that all you're asking for? On the WAN page, there's a setting DHCPv6 Prefix Delegation size where you specify how big of a prefix to request. I have 56 there, which gives me a /56 prefix, so I get 256 /64s.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • TheGushi @JKnott

          @JKnott The documentation I can find suggests that if I ask for a /60, they will provide it (I'm a residential customer), but my out of the box pfsense config requests a /64, and that's what I get, and I only have a single flat network.

          If I had multiple VLANs, there's an option to "track interface" to grab one of the possible prefixes for internal use on each VLAN. But the OpenVPN config doesn't have that option.

          [attached screenshot: ce56d52c-25d8-425c-b061-e61fc3cb3d46-image.png]

          I might consider asking for a /60, if there's a way to populate one of those prefixes into my OpenVPN config, automatically.

          Otherwise, the easier answer is to just keep NAT'ing my openvpn v6 traffic behind my WAN ip.

          • JKnott @TheGushi

            @TheGushi said in OpenVPN with ipv6 delegated prefix:

            But the OpenVPN config doesn't have that option.

            You enable it on the WAN page and then you can use it for OpenVPN, as I do here. Since they offer a /60, take the entire prefix and you'll have networks for other things. For example, I have a guest WiFi here, which has its own IPv6 prefix. It's on a VLAN which the access point connects to the 2nd SSID.


            • TheGushi @JKnott

              @JKnott

              Are you using ipv6 with openvpn with a unique subnet that is part of your delegated prefix? Are you able to share screenshots of your config, if so?

              I now am getting a /60, but the config in the openVPN looks the same:

              [attached screenshot: 08609265-5eb0-43dc-b66d-211987575fe2-image.png]

              What I am asking here is: is there a way, just like with the LAN config, to tell OpenVPN to just use one of the /64s in my /60 that's assigned to me?

              With the default "tun" mode, there's also no usage of your local DHCPv6 server. You don't configure OpenVPN the same way you configure other interfaces.

              • JKnott

                @TheGushi said in OpenVPN with ipv6 delegated prefix:

                Are you using ipv6 with openvpn with a unique subnet that is part of your delegated prefix?

                In the OpenVPN server config, there's a box IPv6 Tunnel Network. You put the prefix, including /64 at the end in there. Here's mine (modified to protect the guilty): 2607:feb8:4c83:59ff::/64. The ff indicates I'm using the last of my 256 subnets. You can use whatever you want of your 16, provided it's not used elsewhere. There is also a Protocol box where you specify whether to run the VPN over IPv4, IPv6 or both. I have both selected. This way I can connect via either, depending on the network I'm on at the remote end.


                • TheGushi @JKnott

                  @JKnott

                  I do not know what prefix my ISP will delegate to me. I do not want to have to know that prefix in order to put it in the config for the VPN boxes, because if my pfsense box or cable modem reboots, there's every chance that that prefix won't be the same.

                  Normal interfaces can recover from this, by using the "track interface" feature. The openVPN configs cannot.

                  If I have multiple delegated prefixes (I now do), I'd like pfsense to automatically select one of my delegated /64 prefixes (i.e. LAN gets first one, OpenVPN gets second one), and populate it into the config for openvpn. If my delegation changes, I'd like it to update that on its own (restart openvpn and kick all clients if necessary).

                  Does what I'm asking to do now make sense?

                  I suppose if I wanted to make this a feature request, I'd ask for it to be that a magic string like $TRACK_DELEGATED_WAN_INDEX2 into that textbox would cause this behavior. (Either that or rework the setup so it's more like the interface configs).

                  I did say that I don't think it would be a feature that's used a lot -- but for situations like mine where I need to log in to my home machines, but also still have working ipv6, it's what's necessary. That, or NATting V6, which just feels wrong.

                  • JKnott @TheGushi
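As an added example that is not part of this thread and not pfSense or OpenVPN code, the script below does by hand what the "track interface" behaviour asked for above would do, and what JKnott's manual "IPv6 Tunnel Network" entry expresses: it carves the N-th /64 out of a DHCPv6-delegated prefix, refuses a /64 that overlaps one already in use on LAN, checks whether a previously chosen tunnel network still lies inside the current delegation (the case after the delegation changes on a modem reboot), and renders the OpenVPN `server-ipv6` directive that pfSense's IPv6 Tunnel Network box populates. The prefixes used are constructed documentation addresses (2001:db8::/32), not anyone's real delegation.

```python
"""Pick an OpenVPN /64 out of a DHCPv6-delegated prefix (added example).

Mimics pfSense's "Track Interface" selection for the OpenVPN tunnel network:
delegated /60 -> 16 /64s; LAN tracks index 0, OpenVPN gets index 1, etc.
"""
import ipaddress


def nth_subnet(delegated, index, new_prefixlen=64):
    """Return the index-th /new_prefixlen network inside the delegated prefix.

    A /60 holds 16 /64s (index 0..15), a /56 holds 256 (index 0..255).
    Raises ValueError if the index lies outside the delegation.
    """
    net = ipaddress.IPv6Network(delegated, strict=True)
    count = 2 ** (new_prefixlen - net.prefixlen)
    if not 0 <= index < count:
        raise ValueError(f"{delegated} only contains {count} /{new_prefixlen} subnets")
    # Offset arithmetic instead of iterating net.subnets(); a /48 has 65536 /64s.
    base = int(net.network_address) + index * (1 << (128 - new_prefixlen))
    return ipaddress.IPv6Network((base, new_prefixlen))


def pick_tunnel_network(delegated, index, in_use):
    """Select the /64 at `index`, refusing one that overlaps an in-use subnet."""
    candidate = nth_subnet(delegated, index)
    for used in in_use:
        if candidate.overlaps(ipaddress.IPv6Network(used)):
            raise ValueError(f"{candidate} overlaps in-use subnet {used}")
    return candidate


def still_valid(tunnel_net, delegated):
    """False once the ISP hands out a new delegation that no longer contains
    the tunnel network; that is the signal to regenerate and restart OpenVPN."""
    return ipaddress.IPv6Network(tunnel_net).subnet_of(ipaddress.IPv6Network(delegated))


def openvpn_directive(tunnel_net):
    """Render the real OpenVPN directive behind pfSense's IPv6 Tunnel Network box."""
    return f"server-ipv6 {tunnel_net.with_prefixlen}"


if __name__ == "__main__":
    delegated = "2001:db8:abcd:ff00::/60"   # constructed: /60 from the ISP
    lan = "2001:db8:abcd:ff00::/64"         # constructed: LAN tracks index 0
    vpn = pick_tunnel_network(delegated, 1, in_use=[lan])
    print(openvpn_directive(vpn))           # server-ipv6 2001:db8:abcd:ff01::/64
    # After a reboot the ISP might delegate a different /60:
    print(still_valid(vpn, "2001:db8:abcd:ee00::/60"))  # False -> restart OpenVPN
```

The index-based choice is the point: the /64 chosen depends only on the delegation and a fixed position, so the same script run from a DHCPv6 prefix-change hook would keep LAN and OpenVPN in distinct subnets without anyone typing the prefix by hand.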

                    @TheGushi said in OpenVPN with ipv6 delegated prefix:

                    I do not know what prefix my ISP will delegate to me.

                    Hopefully, it won't change. I've had the same prefix for almost 7 years. However, you have to select System / Advanced / Networking, "Do not allow PD/Address release" to keep from getting different prefixes. But not all ISPs obey that.


                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.