[SOLVED] Tunneling IPv6 over IPv4 with OpenVPN?

sebastiannielsen

Why should I request a /48? I really don't need that much IP-adresses for clients on the LAN or OpenVPN, its not like that OpenVPN clients will share Connection with others. Theres plenty of space in those /80's so I could even encode a whole IPv4 adress into the IPv6 if I would want (for example 2001:470:28:1c:2:0:5f8f:c1a0 would correspond to my current public IP of 95.143.193.160), so in thery, I could offer a OpenVPN tunnel to everyone on the IPv4 space and still have IP adresses left.

What are making /80's not working?

I was given a routable /64 from he.
I divide this into a smaller subnet /80 for the LAN. and one subnet /80 for the OpenVPN.
(Tried that now).

Currently, the LAN works perfectly under a /80.
So why does not OpenVPN work?

sebastiannielsen

Solved it.
The static IP on the tunnel interface (the interface assigned to gif0) should not be /128 that those instructions say: http://iserv.nl/files/pfsense/ipv6/
This is incorrect.
Mask should be /64.

Also RADVD (But NOT dhcp6) needed to be enabled on the OpenVPN virtual adapter interface. Seems the RADVD is the thing "doing the magic".
Configure it in "Router Only" mode, Medium priority, and then set a RA subnet of [interface adress]/[subnet], in my case 2001:470:28:1c:2::1/80

This solved Everything.

Now I have IPv6 both on LAN and OpenVPN.

kejianshi

I understand everything here except one part…
I am getting exactly the same behavior your were getting. 
I can access the pfsense web gui via the ipv6 address through openvpn same as yours...  But no internet.

I understand that I should add a "virtual adapter" for openvpn and set radvd, but I feel like I must be adding that virtual adapter wrong.
Can you send me some instructions and maybe a few screen shots on that part?

Whenever I add an adapter and assign, my openvpn quits working completely, so I must be doing that part wrong.

dragoangel

@kejianshi:

I understand everything here except one part…
I am getting exactly the same behavior your were getting. 
I can access the pfsense web gui via the ipv6 address through openvpn same as yours...  But no internet.

I understand that I should add a "virtual adapter" for openvpn and set radvd, but I feel like I must be adding that virtual adapter wrong.
Can you send me some instructions and maybe a few screen shots on that part?

Whenever I add an adapter and assign, my openvpn quits working completely, so I must be doing that part wrong.

Same thing.
If I assign OVPN interface all goes down. But I give fd65:a1a0:1c2e:aa01::/64 and fd65:a1a0:1c2e:aa02::/64 for 2 OVPNs
I can ping6 my gateway and all lan segment fd65:a1a0:1c2e::/48.
I have 2 WANs and 2 WAN-HE.nets, configured NPt like:
Interface External Prefix Internal prefix
WAN01HE 2001:470:::/48 fd64:a1a0:1c2e::/48
WAN02HE 2001:470:::/48 fd64:a1a0:1c2e::/48

But some thing wrong with gateway. I have modern VPN Client Pro for Android, it can add from client side redirect gateway option and custom routes, but even adding routes like:
fd64:a1a0:1c2e::/48 via fd64:a1a0:1c2e::1
2000::/3 via fd64:a1a0:1c2e::1
not helps… Maybe you figure out how to fix it?

yon

Could you tell me how do it ? i want to ipv4 andriod mobile via openvpn get to ipv6.

@sebastiannielsen:

Solved it.
The static IP on the tunnel interface (the interface assigned to gif0) should not be /128 that those instructions say: http://iserv.nl/files/pfsense/ipv6/
This is incorrect.
Mask should be /64.

Also RADVD (But NOT dhcp6) needed to be enabled on the OpenVPN virtual adapter interface. Seems the RADVD is the thing "doing the magic".
Configure it in "Router Only" mode, Medium priority, and then set a RA subnet of [interface adress]/[subnet], in my case 2001:470:28:1c:2::1/80

This solved Everything.

Now I have IPv6 both on LAN and OpenVPN.

dragoangel

I fix it long ago, but forget write to the forum.
I configured it like this (in my case I have 2 WANs):
1. Have 2 GIFs for first and second WAN, they have tunnel subnet mask /64
2. Assign them in Interfaces without any configuration
3. Put on LAN interface static IPv6 with any mask you want, I use /64 and it have IP from my first tunnel scoop
4. (if you have 1 wan you not need it) In Firewall=>NAT=>NPt i created rule that change IPs from first tunnel scoop subnet to second tunnel subnet on interface with second tunnel.
5. I enabled RA and DHCP6 only on LAN inten interface
6. Because I have 2 WANs (4 WANs if add 2 HE.nets) I configured OpenVPN server on localhost interface - this give me option to use NAT\Firewall-Rule to open access to port on that interface I need it and do not create many servers for every WAN.
7. In OpenVPN Server I give for IPv6 Tunnel Network - /64 (you can with any mask you want) but this pool musn't be used for any others LAN interfaces!
8. IPv6 Local network(s) must be you LAN interface address pool
9. In Advanced Configuration in Custom options I push:
push "dhcp-option DNS6 myDNS1-IPv6";
push "dhcp-option DNS6 myDNS2-IPv6";
10. I give to clients choice to you my VPN like access to LAN or like gateway, in Client Export I added:
auth-nocache;remote-random;remote wan2 1194 udp;#Uncomment to use VPN as IPv4 Gateway;#redirect-gateway def1;#Uncomment to use VPN as IPv6 Gateway;#route-ipv6 ::/0;

This all - client only need uncomment 1 or 2 lines what they want. - If you want push it to clients - in can be solved by enabling: Redirect Gateway - Force all client generated traffic through the tunnel.

yon

thank you. My andriod mobile can get ip6 address, but i visit test-ipv6.com for test show no ipv6. i don't know why it is.

johnpoz

"in my case 2001:470:28:1c:2::1/80"

this is just plain broken!!

dragoangel

@yon:

thank you. My andriod mobile can get ip6 address, but i visit test-ipv6.com for test show no ipv6. i don't know why it is.

Because you haven't route all traffic to dev-tun0?
Try use another OpenVPN Client like https://play.google.com/store/apps/details?id=de.blinkt.openvpn or https://play.google.com/store/apps/details?id=it.colucciweb.free.openvpn.
I use second one.
Here like it looks:

yon

i have config ipv6, but it still not get ipv6 route.

@DRago_Angel:

@yon:

thank you. My andriod mobile can get ip6 address, but i visit test-ipv6.com for test show no ipv6. i don't know why it is.

Because you haven't route all traffic to dev-tun0?
Try use another OpenVPN Client like https://play.google.com/store/apps/details?id=de.blinkt.openvpn or https://play.google.com/store/apps/details?id=it.colucciweb.free.openvpn.
I use second one.
Here like it looks:


dragoangel

That what I've already say to you  ;D. You already have answer on yours question in post above T__T (Reply #9 on: Today at 04:10:22 am)
You have 2 choices:
1. Push route from OpenVPN server side.
(This good if you want that all clients by default use yours IPv6.)
Under OpenVPN Server:
From server config Redirect Gateway - Force all client generated traffic through the tunnel.

2. Use client side config to add route.
(This good when somebody do not need yours VPN like gateway.)
From client OVPN config (can be automated by custom field in client export plugin in pfSenese):
#Uncomment to use VPN as IPv4 Gateway
#redirect-gateway def1
#Uncomment to use VPN as IPv6 Gateway
#route-ipv6 ::/0

Its hard to read all comments? :-X
In that mobile client you can edit setting and add route through the GUI that you want:
Edit Button -> Routing -> IPv6 tab

yon

i add these, get ipv6 toute, but i still cant go to ipv6 internet.

push "redirect-gateway ipv6";
push "redirect-gateway def1 bypass-dhcp";
push "route-ipv6 ::/0";
push "route-ipv6 2000::/3"


yon

i have setup server for this, but ipv6 still not normal work.  where download your pro version?

@DRago_Angel:

That what I've already say to you  ;D. You already have answer on yours question in post above T__T (Reply #9 on: Today at 04:10:22 am)
You have 2 choices:
1. Push route from OpenVPN server side.
(This good if you want that all clients by default use yours IPv6.)
Under OpenVPN Server:
From server config Redirect Gateway - Force all client generated traffic through the tunnel.

2. Use client side config to add route.
(This good when somebody do not need yours VPN like gateway.)
From client OVPN config (can be automated by custom field in client export plugin in pfSenese):
#Uncomment to use VPN as IPv4 Gateway
#redirect-gateway def1
#Uncomment to use VPN as IPv6 Gateway
#route-ipv6 ::/0

Its hard to read all comments? :-X
In that mobile client you can edit setting and add route through the GUI that you want:
Edit Button -> Routing -> IPv6 tab

.jpg)
.jpg_thumb)

dragoangel

Uhhh, really men? From Google Play ofcourse (it cost money  ???)
It easy like a … 1+1=2
Use google or
add to the server custom config then this lines:
push "dhcp-option DNS6 myDNS1-IPv6";
push "dhcp-option DNS6 myDNS2-IPv6";
push "route-ipv6 ::/0";

i hope you have IPv6 dns... T__T

yon

ipv6 dns had been pushed. test-ipv6.com test still cant get my ipv6 address. ipv6 not work.

@DRago_Angel:

Uhhh, really men? From Google Play ofcourse (it cost money  ???)
It easy like a … 1+1=2
Use google or
add to the server custom config then this lines:
push "dhcp-option DNS6 myDNS1-IPv6";
push "dhcp-option DNS6 myDNS2-IPv6";
push "route-ipv6 ::/0";

i hope you have IPv6 dns... T__T

johnpoz

And is your dnscrypt ipv6?  I know your huge fan of that.. yon

xl

Try to use Google Public DNS: 8.8.8.8 / 8.8.4.4 it works for me with IPv6 tunnel.

johnpoz

Huh.. how is 8.8.8.8 / 8.8.4.4 ipv6 dns ;)

You mean their ipv6 addresses?
The Google Public DNS IPv6 addresses are as follows:

2001:4860:4860::8888
    2001:4860:4860::8844

For devices that will not accept :: then use the full address

2001:4860:4860:0:0:0:0:8888
    2001:4860:4860:0:0:0:0:8844

xl

I mean they can resolve IPv6:

nslookup ipv6.google.com 8.8.8.8
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    ipv6.l.google.com
Address:  2a00:1450:400c:c04::71
Aliases:  ipv6.google.com

I have no local IPv6 and OpenVPN config like that:

server-ipv6 fd6c:62d9:eb8c::/112
proto udp6
tun-ipv6
push tun-ipv6
push "route-ipv6 2000::/3"
push "redirect-gateway ipv6"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

And it can pass all test at http://test-ipv6.com

johnpoz

Pretty lame setup to go through all the hassles of giving your client an IPv6 address, and then pointing it to dns via ipv4… Even if those forwarders can use ipv6..

Why would you not just point them towards ipv6 dns?

How exactly are you getting to your server from your phone to a ULA address?  And how would you then convert that ula even if your tunnel to the public internet global range?  And even if you wanted to use a ULA for your vpn tunnel connection.. why in the world would you be using a borked /112 ??

Your example dns lookup is just looking up a AAAA record.. Yeah no shit anyone can lookup AAAA via ipv4... That is not the same thing at all..

I doubt your config is working - show your test ipv6 page showing a ULA address like you show getting to your server via..  Also the OP is asking how to tunnel ipv6 over a ipv4 connection.  For the life of me why would you be using ULA at all??  Anywhere in your setup if your trying to get your vpn client an IPv6 address that it can use to get to the internet.  Since your routing ipv6 through the tunnel.

I just added a ipv6 tunnel network from my HE /48 to a ipv4 setup I have.  Connected via my phone on ipv4 - and there you go using this IPv6 to get to the internet, etc...  Took all of 30 seconds to setup.. Remote even - all it took was adding the ipv6 tunnel network in my vpn config on pfsense, and adding some ipv6 dns..

I then disconnected the vpn over IPv4 and just to show the network I am on here has no ipv6.. I ran again the ipv6 test page.. And no ipv6 connectivity - it was going thru my tunnel.