DHCPv6 and a VPN

kpa

@JKnott:

You can't use the tunnel /64 network for your LAN because you can't have the same prefix on multiple interfaces, you have get an additional routed /64 from your VPN provider.

I thought openVPN could be configured in either tap or tun modes.  In tap mode, it's essentially a bridge, so anything connected to it is on the same broadcast domain as the LAN and would be using the same subnet or prefix.  On the other hand, tun mode is a different broadcast domain and requires it's own prefix.

A tap VPN tunnel with a bridge is very complicated setup and I'm not sure you can do that reliably on pfSense. There are additional complexities if your LAN is bridged to the VPN and uses routed connection to the real WAN at the same time.

bimmerdriver

I asked about this a couple of weeks ago because I would like to set up policy based routing with a couple of openvpn connections to mullvad, which is the openvpn service provider I've been using for a while. Here is the thread: https://forum.pfsense.org/index.php?topic=129148.0. I am able to get things working with ipv4, but I got nowhere with ipv6. The only reply I got was to the effect, "why do you want to do this"? I guess my reply is why wouldn't you want to do this? In an ipv6-only world, people will still want to use a vpn, so it should be possible. However, from what I've figured out so far, it does not seem possible to use openvpn from within pfsense in the manner in which you would use openvpn on a dedicated computer.

I agree that there are some complications. Another pfsense user who is also trying to get mullvad working with pfsense contacted their support and received a response that outbound NAT would be required. This was met with ridicule, but in retrospect, I think some sort of "NAT" is required for ipv6 to be used in conjunction with a vpn. The obvious reason is that if you are using the vpn to obscure your public ip addresses, how else are you going to do it?

In the case of mullvad, they use tun. In both cases, within the client, there are private ip addresses for both ipv4 and ipv6 (10.x.y.z/16 and fdday:z/64. When I connected two computers at the same time to the same server, they had unique private ipv4 and ipv6 addresses (as expected), but they were using the same public ipv4 and ipv6 address. I think pfsense needs to be able to perform outbound "NAT" for ipv6 to work over a vpn. Or is there some other way to make it work? Are there any openvpn services for which ipv6 can be used? If so, how do they do it?

kpa

You can use IPv6 ULA (unique local address,  fd00::/8) addresses as additional addresses on your LAN and do outbound NAT on the VPN interface and that way you don't need a routed subnet from the VPN provider. Completely not how IPv6 is supposed to be used but the VPN providers are probably not going to route anything back to you even if you ask nicely.

JKnott

I think some sort of "NAT" is required for ipv6 to be used in conjunction with a vpn. The obvious reason is that if you are using the vpn to obscure your public ip addresses, how else are you going to do it?

????
At some point you're going to have a public IP or you won't be able to access the 'net.  Whether you use NAT or not, you will have one.  For example, on IPv4, with NAT you'd have an RFC 1918 address on your computer, but the real world sees the IP on your firewall/router.  The only exception would be those unfortunates who are on an ISP that uses carrier grade NAT.  While it may be technically possible to NAT IPv6, the  reason for NAT, the IPv4 address shortage, doesn't exist on IPv6.

Bottom line, you should be able to route a /64 prefix via OpenVPN.  If you can't set up a separate IPv6 prefix on a VPN with pfSense, as you would on IPv4, then there's a problem with pfSense.

JKnott

Completely not how IPv6 is supposed to be used but the VPN providers are probably not going to route anything back to you even if you ask nicely.

One question that might be asked is what sort of VPN?  Is this to connect one network to another?  To connect one computer to a network?  Or to hide the source computer?  Of these, only the first requires providing an entire prefix.  The other 2 require only a single address point to point link.  I have done the first 2 on IPv4 with OpenVPN and IPSec.  I haven't had the need on IPv6, as using SSH right to the destination gives me all the access I need.

bimmerdriver

OP, I hope I'm not hijacking your thread. If this is off your topic, please say so.

I thought it was clear what type of vpn I was referring, which I understood OP was referring to, but I can see it wasn't. I was referring to a vpn service for geolocation / privacy. It's strictly outgoing. I don't think there's any need for an inward connection, at least don't have any need for that. Maybe others do.

As I mentioned in my other thread, it's possible the issue I encountered with mullvad is only the gateway address, but I didn't see any threads about using pfsense / openvpn / ipv6.

JKnott

I thought it was clear what type of vpn I was referring

The OP in this thread was about using a block of addresses from a single /64 prefix over OpenVPN.  This is a bit different from what you were trying to do, which I understand to be hiding your location.

So, are the clients the OP is trying to connect individual devices?  If so, then he only has to provide a single address via point to point link.  In some ways, this question goes back to the dial up ISP days.  You'd have a computer or "terminal server" accepting PPP connections, via phone, that provided a single address to the remote device.  The terminal server would then use proxy arp to accept traffic for the remote device.  I have no idea is something similar is available on IPv6, but if it is, then it would be possible to use addresses from that /64 remotely.  Beyond that, sharing a single /64 gets messy.

JKnott

How do I distribute that /64 block of addresses to clients on my LAN?

One other thing just occurred to me.  If the purpose of this is to just provide IPv6 access to the clients, there might not be a need for the encryption OpenVPN provides.  All that is necessary is some means of tunneling over IPv4.  One common way to do this is with PPPoE, which can be configured to support IPv4, IPv6 or just about any other protocol.  What about setting up pfSense as a PPPoE server?  A quick Google search turns up some info on doing that with FreeBSD.  Think back to the dial up ISPs, as I mentioned above, and go from there.  The principles are the same, whether PPP or PPPoE.  Another method would be to use 6in4 tunnels, which is designed for just this sort of thing.  I ran a 6in4 tunnel for about 6 years, until my ISP started providing native IPv6.  At home it was configured to provide a /56 prefix, but on my network, just a single address, for use when away from home.

Bottom line, think tunnel, instead of just OpenVPN.

bimmerdriver

@JKnott:

How do I distribute that /64 block of addresses to clients on my LAN?

One other thing just occurred to me.  If the purpose of this is to just provide IPv6 access to the clients, there might not be a need for the encryption OpenVPN provides.  All that is necessary is some means of tunneling over IPv4.  One common way to do this is with PPPoE, which can be configured to support IPv4, IPv6 or just about any other protocol.  What about setting up pfSense as a PPPoE server?  A quick Google search turns up some info on doing that with FreeBSD.  Think back to the dial up ISPs, as I mentioned above, and go from there.  The principles are the same, whether PPP or PPPoE.  Another method would be to use 6in4 tunnels, which is designed for just this sort of thing.  I ran a 6in4 tunnel for about 6 years, until my ISP started providing native IPv6.  At home it was configured to provide a /56 prefix, but on my network, just a single address, for use when away from home.

Bottom line, think tunnel, instead of just OpenVPN.

There are more differences between a tunnel and a vpn than there are similarities, IMO. The reasons why someone would use a tunnel or a vpn are completely different. A tunnel is used to get ipv6 when your isp doesn't support ipv6. A tunnel does not support ipv4. Why would it, because its purpose is ipv6? A tunnel provides unique virtually static addresses for a customer and as far as I know, it's not encrypted. A vpn provides a encrypted, anonymous and untraceable connectivity. If OP is using openvpn, I doubt a tunnel will meet his needs.

JKnott

Actually, other than encryption, a VPN and a tunnel perform the exact same function, that is transporting a protocol between point A and point B.  There are plenty of tunnels that have nothing to do with IPv6 specifically.  PPPoE is but one example.  There is also 4in6 tunnel for transporting IPv4 over IPv6.  PPTP and L2TP also come to mind.  There are others.  OpenVPN is a tunnel that provides encryption.  Same with IPSec.  Years ago, I used to use CIPE.  There are also methods to transport now obsolete protocols, such as IPX over IPv4 etc.  So, tunnels are not just used to get IPv6, they have several uses.

Here's some info on 4in6, where IPv6 is used to transport IPv4:
https://en.wikipedia.org/wiki/4in6

As you can see, it's not used to get IPv6 over IPv4, but carry IPv4 over IPv6.

bimmerdriver

You're missing the point of why someone would use a vpn as opposed to a tunnel. There are similarities between tunnels and vpns, but as services, they are very different. Before my isp supported native ipv6, I used both for completely unrelated purposes.

When you set up a tunnel, you get a static prefix that you can use to allocate global addresses for the hosts on your network. These addresses can be used for outward and inward communication. Because they are static, they are identifiable.

When you set up a vpn, it's for outward ipv4 and ipv6 communication and the addresses are shared, not unique. Depending on the vpn service provider, they not identifiable to an individual user. Many vpn services can be paid for using bitcoin so they are virtually untraceable. (I said "virtually" because only the NSA knows what the NSA is capable of.)

The question I have, which I think is the same as OP, is how do you make the connection between individual hosts on your network and the endpoint of the vpn, which is a ULA, not a prefix. I'm hoping to hear an answer to this question.

JKnott

When you set up a tunnel, you get a static prefix that you can use to allocate global addresses for the hosts on your network. These addresses can be used for outward and inward communication. Because they are static, they are identifiable.

IPv6 supports something called "privacy addresses".  Those are random number based and change frequently, so they're not usable for long (more than a few days).  So, the only thing that could be identified is the prefix.  In that case, it doesn't matter what host address you use.  Also, with a /64 prefix, even knowing the prefix leaves a huge (2^64) address block to search.  As for incoming, if you want to allow it, you'd use the MAC based address, which does not change.  However, the situation you're describing is not what the OP is asking about.  I suggest you go back and re-read the first message

bimmerdriver

Privacy addresses use the delegated prefix, which belongs to the user.

JKnott

^^^^
Isn't that what I said?  Again, this has nothing to do with the OP, where he said:"How do I distribute that /64 block of addresses to clients on my LAN?".

He's not interested in hiding his network.  He wants to share his /64 prefix with other devices.  As I mentioned earlier, sharing a /64 can be messy and involves something like point to point links that provide a single address to a device, out of that /64.  If he's accessing his network then encryption is a good idea.  If all he's doing is providing IPv6, where not otherwise available, to access the Internet, then perhaps encryption is not needed.

bimmerdriver

@JKnott:

^^^^
Isn't that what I said?  Again, this has nothing to do with the OP, where he said:"How do I distribute that /64 block of addresses to clients on my LAN?".

He's not interested in hiding his network.  He wants to share his /64 prefix with other devices.  As I mentioned earlier, sharing a /64 can be messy and involves something like point to point links that provide a single address to a device, out of that /64.  If he's accessing his network then encryption is a good idea.  If all he's doing is providing IPv6, where not otherwise available, to access the Internet, then perhaps encryption is not needed.

With all due respect, you don't know what OP's intentions are. If he is knowingly using a vpn it must be for a reason. Maybe he will return and explain what he's trying to do.

JKnott

I just set up OpenVPN between my psSense firewall and a computer running Windows.  Initially, it provided the Windows computer an IPv6 address on my network prefix.  However, that will cause problems with routing etc., so I changed it to another prefix.  I'll have to see what happens with this.  At the moment, I can't ping the firewall or Windows computer, using the OpenVPN endpoint addresses.