Netgate Discussion Forum

    [SOLVED] Tunneling IPv6 over IPv4 with OpenVPN?

    • dragoangel

      I fixed it long ago, but forgot to write to the forum.
      I configured it like this (in my case I have 2 WANs):
      1. Have 2 GIFs for the first and second WAN; they have tunnel subnet mask /64
      2. Assign them in Interfaces without any configuration
      3. Put a static IPv6 on the LAN interface with any mask you want; I use /64 and it has an IP from my first tunnel scope
      4. (If you have 1 WAN you don't need this) In Firewall=>NAT=>NPt I created a rule that changes IPs from the first tunnel scope subnet to the second tunnel subnet on the interface with the second tunnel.
      5. I enabled RA and DHCP6 only on the LAN internal interface
      6. Because I have 2 WANs (4 WANs if you add 2 HE.nets) I configured the OpenVPN server on the localhost interface - this gives me the option to use a NAT\Firewall rule to open access to the port on that interface where I need it, and not create many servers for every WAN.
      7. In the OpenVPN Server I give the IPv6 Tunnel Network a /64 (you can use any mask you want), but this pool mustn't be used for any other LAN interfaces!
      8. IPv6 Local network(s) must be your LAN interface address pool
      9. In Advanced Configuration, in Custom options, I push:
      push "dhcp-option DNS6 myDNS1-IPv6";
      push "dhcp-option DNS6 myDNS2-IPv6";
      10. I give clients the choice to use my VPN as access to the LAN or as a gateway; in Client Export I added:
      auth-nocache;remote-random;remote wan2 1194 udp;#Uncomment to use VPN as IPv4 Gateway;#redirect-gateway def1;#Uncomment to use VPN as IPv6 Gateway;#route-ipv6 ::/0;

      That's all - the client only needs to uncomment the 1 or 2 lines they want. If you want to push it to clients, it can be solved by enabling: Redirect Gateway - Force all client generated traffic through the tunnel.

      Latest stable pfSense on 2x XG-7100 and 1x Intel Xeon Server, running multiWAN, he.net IPv6, pfBlockerNG-devel, HAProxy-devel, Syslog-ng, Zabbix-agent, OpenVPN, IPsec site-to-site, DNS-over-TLS...
      Unifi AP-AC-LR with EAP RADIUS, US-24

      • yon

        Thank you. My Android mobile can get an IPv6 address, but when I visit test-ipv6.com to test, it shows no IPv6. I don't know why that is.

        20170813174359.jpg

        If you are interested in free peering for clearnet and dn42, contact me!

        • johnpoz LAYER 8 Global Moderator

          "in my case 2001:470:28:1c:2::1/80"

          this is just plain broken!!

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          • dragoangel

            @yon:

            Thank you. My Android mobile can get an IPv6 address, but when I visit test-ipv6.com to test, it shows no IPv6. I don't know why that is.

            Because you haven't routed all traffic to dev-tun0?
            Try using another OpenVPN client like https://play.google.com/store/apps/details?id=de.blinkt.openvpn or https://play.google.com/store/apps/details?id=it.colucciweb.free.openvpn.
            I use the second one.
            Here is how it looks:

            Screenshot_2017-08-13-13-27-30-998_it.colucciweb.vpnclient.png
            Screenshot_2017-08-13-13-28-08-714_com.android.chrome.png

            • yon

              I have configured IPv6, but it still does not get an IPv6 route.

              @DRago_Angel:

              @yon:

              Thank you. My Android mobile can get an IPv6 address, but when I visit test-ipv6.com to test, it shows no IPv6. I don't know why that is.

              Because you haven't routed all traffic to dev-tun0?
              Try using another OpenVPN client like https://play.google.com/store/apps/details?id=de.blinkt.openvpn or https://play.google.com/store/apps/details?id=it.colucciweb.free.openvpn.
              I use the second one.
              Here is how it looks:

              20170813212754.jpg
              ![VPN- OpenVPN- Servers- Edit.jpg](/public/imported_attachments/1/VPN- OpenVPN- Servers- Edit.jpg)

              • dragoangel

                That's what I've already said to you  ;D. You already have the answer to your question in the post above T__T (Reply #9 on: Today at 04:10:22 am)
                You have 2 choices:
                1. Push the route from the OpenVPN server side.
                (This is good if you want all clients to use your IPv6 by default.)
                Under OpenVPN Server:
                From server config Redirect Gateway - Force all client generated traffic through the tunnel.

                2. Use client-side config to add the route.
                (This is good when somebody does not need your VPN as a gateway.)
                From client OVPN config (can be automated by the custom field in the client export plugin in pfSense):
                #Uncomment to use VPN as IPv4 Gateway
                #redirect-gateway def1
                #Uncomment to use VPN as IPv6 Gateway
                #route-ipv6 ::/0

                Is it hard to read all the comments? :-X
                In that mobile client you can edit the settings and add the route you want through the GUI:
                Edit Button -> Routing -> IPv6 tab

                Screenshot_2017-08-13-16-50-35-481_it.colucciweb.vpnclient.png

                • yon

                  I added these and get an IPv6 route, but I still can't get to the IPv6 internet.

                  push "redirect-gateway ipv6";
                  push "redirect-gateway def1 bypass-dhcp";
                  push "route-ipv6 ::/0";
                  push "route-ipv6 2000::/3"
                  

                  ![VPN- OpenVPN- Servers- Edit.jpg](/public/imported_attachments/1/VPN- OpenVPN- Servers- Edit.jpg)

                  • yon

                    I have set up the server for this, but IPv6 still does not work normally.  Where do I download your pro version?

                    @DRago_Angel:

                    That's what I've already said to you  ;D. You already have the answer to your question in the post above T__T (Reply #9 on: Today at 04:10:22 am)
                    You have 2 choices:
                    1. Push the route from the OpenVPN server side.
                    (This is good if you want all clients to use your IPv6 by default.)
                    Under OpenVPN Server:
                    From server config Redirect Gateway - Force all client generated traffic through the tunnel.

                    2. Use client-side config to add the route.
                    (This is good when somebody does not need your VPN as a gateway.)
                    From client OVPN config (can be automated by the custom field in the client export plugin in pfSense):
                    #Uncomment to use VPN as IPv4 Gateway
                    #redirect-gateway def1
                    #Uncomment to use VPN as IPv6 Gateway
                    #route-ipv6 ::/0

                    Is it hard to read all the comments? :-X
                    In that mobile client you can edit the settings and add the route you want through the GUI:
                    Edit Button -> Routing -> IPv6 tab

                    ![VPN- OpenVPN- Servers- Edit (1).jpg](/public/imported_attachments/1/VPN- OpenVPN- Servers- Edit (1).jpg)

                    • dragoangel

                      Uhhh, really, man? From Google Play of course (it costs money  ???)
                      It's as easy as … 1+1=2
                      Use Google, or
                      add these lines to the server custom config:
                      push "dhcp-option DNS6 myDNS1-IPv6";
                      push "dhcp-option DNS6 myDNS2-IPv6";
                      push "route-ipv6 ::/0";

                      I hope you have IPv6 DNS... T__T

                      • yon

                        IPv6 DNS has been pushed. The test-ipv6.com test still can't get my IPv6 address. IPv6 does not work.

                        @DRago_Angel:

                        Uhhh, really, man? From Google Play of course (it costs money  ???)
                        It's as easy as … 1+1=2
                        Use Google, or
                        add these lines to the server custom config:
                        push "dhcp-option DNS6 myDNS1-IPv6";
                        push "dhcp-option DNS6 myDNS2-IPv6";
                        push "route-ipv6 ::/0";

                        I hope you have IPv6 DNS... T__T

                        • johnpoz LAYER 8 Global Moderator

                          And is your dnscrypt ipv6?  I know you're a huge fan of that.. yon

                          • xl

                            Try using Google Public DNS: 8.8.8.8 / 8.8.4.4. It works for me with an IPv6 tunnel.

                            • johnpoz LAYER 8 Global Moderator

                              Huh.. how is 8.8.8.8 / 8.8.4.4 ipv6 dns ;)

                              You mean their ipv6 addresses?
                              The Google Public DNS IPv6 addresses are as follows:

                              2001:4860:4860::8888
                              2001:4860:4860::8844

                              For devices that will not accept :: then use the full address

                              2001:4860:4860:0:0:0:0:8888
                              2001:4860:4860:0:0:0:0:8844

                              • xl

                                I mean they can resolve IPv6:

                                nslookup ipv6.google.com 8.8.8.8
                                Server:  google-public-dns-a.google.com
                                Address:  8.8.8.8
                                
                                Non-authoritative answer:
                                Name:    ipv6.l.google.com
                                Address:  2a00:1450:400c:c04::71
                                Aliases:  ipv6.google.com
                                

                                I have no local IPv6 and an OpenVPN config like this:

                                server-ipv6 fd6c:62d9:eb8c::/112
                                proto udp6
                                tun-ipv6
                                push tun-ipv6
                                push "route-ipv6 2000::/3"
                                push "redirect-gateway ipv6"
                                push "dhcp-option DNS 8.8.8.8"
                                push "dhcp-option DNS 8.8.4.4"
                                

                                And it passes all tests at http://test-ipv6.com

                                • johnpoz LAYER 8 Global Moderator

                                  Pretty lame setup to go through all the hassles of giving your client an IPv6 address, and then pointing it to dns via ipv4… Even if those forwarders can use ipv6..

                                  Why would you not just point them towards ipv6 dns?

                                  How exactly are you getting to your server from your phone to a ULA address?  And how would you then convert that ula even if your tunnel to the public internet global range?  And even if you wanted to use a ULA for your vpn tunnel connection.. why in the world would you be using a borked /112 ??

                                  Your example dns lookup is just looking up an AAAA record.. Yeah no shit anyone can lookup AAAA via ipv4... That is not the same thing at all..

                                  I doubt your config is working - show your test ipv6 page showing a ULA address like you show getting to your server via..  Also the OP is asking how to tunnel ipv6 over an ipv4 connection.  For the life of me why would you be using ULA at all??  Anywhere in your setup if you're trying to get your vpn client an IPv6 address that it can use to get to the internet.  Since you're routing ipv6 through the tunnel.

                                  I just added an ipv6 tunnel network from my HE /48 to an ipv4 setup I have.  Connected via my phone on ipv4 - and there you go using this IPv6 to get to the internet, etc...  Took all of 30 seconds to set up.. Remote even - all it took was adding the ipv6 tunnel network in my vpn config on pfsense, and adding some ipv6 dns..

                                  I then disconnected the vpn over IPv4 and just to show the network I am on here has no ipv6.. I ran again the ipv6 test page.. And no ipv6 connectivity - it was going thru my tunnel.

                                  ipv6tunoveripv4vpnconnect.png
                                  noipv6.PNG

                                  1 Reply Last reply Reply Quote 0
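
The points argued over in the last few posts (a ULA tunnel network, a tunnel prefix other than /64, IPv4-only DNS, and whether an IPv6 default route is pushed at all) can be checked mechanically against a server config. This is an added example, not code from any poster or from pfSense or OpenVPN; the finding names and the `2001:db8:1:2::/64` prefix are constructed for illustration.

```python
import ipaddress
import shlex

ULA = ipaddress.ip_network("fc00::/7")             # unique local addresses
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")  # range pushed by xl and yon

XL_CONFIG = """
server-ipv6 fd6c:62d9:eb8c::/112
proto udp6
tun-ipv6
push tun-ipv6
push "route-ipv6 2000::/3"
push "redirect-gateway ipv6"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
"""  # server config as posted by xl
# Constructed sample; 2001:db8::/32 is the documentation prefix.
ROUTED_CONFIG = """
server-ipv6 2001:db8:1:2::/64
push "dhcp-option DNS6 2001:4860:4860::8888";
push "route-ipv6 ::/0";
"""
ADDRESS_ONLY = ROUTED_CONFIG.replace('push "route-ipv6 ::/0";', "")

def parse_directives(text):
    """Yield (name, args, pushed). Assumption: ';' separates directives, as in
    the pfSense custom-options lines quoted in the thread."""
    for raw in text.replace(";", "\n").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        pushed = tokens[0] == "push"
        if pushed:  # push "route-ipv6 ::/0" -> re-split the quoted payload
            tokens = shlex.split(" ".join(tokens[1:]))
        if tokens:
            yield tokens[0], tokens[1:], pushed

def is_ipv4(value):
    try:
        return ipaddress.ip_address(value).version == 4
    except ValueError:  # placeholder such as myDNS1-IPv6
        return False

def audit(text):
    """Return sorted finding codes (hypothetical names) for the IPv6 side."""
    tunnel, v6_default, dns4, dns6 = None, False, [], []
    for name, args, pushed in parse_directives(text):
        if name == "server-ipv6" and args:
            tunnel = ipaddress.ip_network(args[0], strict=False)
        elif pushed and name == "route-ipv6" and args:
            net = ipaddress.ip_network(args[0], strict=False)
            v6_default |= net.prefixlen == 0 or net == GLOBAL_UNICAST
        elif pushed and name == "redirect-gateway" and "ipv6" in args:
            v6_default = True
        elif pushed and name == "dhcp-option" and len(args) >= 2:
            if args[0] == "DNS6":
                dns6.append(args[1])
            elif args[0] == "DNS" and is_ipv4(args[1]):
                dns4.append(args[1])
    findings = set()
    if tunnel is None:
        findings.add("no-ipv6-tunnel-network")
    elif tunnel.network_address in ULA:
        findings.add("ula-tunnel-needs-nat66-or-npt")  # not routable as-is
    if tunnel is not None and tunnel.prefixlen != 64:
        findings.add("tunnel-prefix-not-64")  # johnpoz objects to /80 and /112
    if not v6_default:  # address assigned, but IPv6 stays off the tunnel
        findings.add("no-ipv6-default-route-pushed")
    if dns4 and not dns6:
        findings.add("dns-ipv4-only")
    return sorted(findings)

if __name__ == "__main__":
    print([audit(c) for c in (XL_CONFIG, ROUTED_CONFIG, ADDRESS_ONLY)])
```

The `ADDRESS_ONLY` case matches the symptom reported earlier in the thread: the client receives an IPv6 address, but without a pushed or client-side IPv6 default route the test site sees no IPv6 through the tunnel.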
                                  • yon

                                    I think it is not because of the DNS server; IPv6 itself is probably not really working. The test site does not show me getting an IPv6 address.

                                    Screenshot_20170815-065905.png

                                    • yon

                                      @johnpoz:

                                      And is your dnscrypt ipv6?  I know you're a huge fan of that.. yon

                                      Ja, I am using a new DNS method for this. Pcap_DNSProxy is new software. Good tool, you can try it.

                                      • yon

                                        Give me your config file and show your pfSense.  :D

                                        @johnpoz:

                                        Pretty lame setup to go through all the hassles of giving your client an IPv6 address, and then pointing it to dns via ipv4… Even if those forwarders can use ipv6..

                                        Why would you not just point them towards ipv6 dns?

                                        How exactly are you getting to your server from your phone to a ULA address?  And how would you then convert that ula even if your tunnel to the public internet global range?  And even if you wanted to use a ULA for your vpn tunnel connection.. why in the world would you be using a borked /112 ??

                                        Your example dns lookup is just looking up an AAAA record.. Yeah no shit anyone can lookup AAAA via ipv4... That is not the same thing at all..

                                        I doubt your config is working - show your test ipv6 page showing a ULA address like you show getting to your server via..  Also the OP is asking how to tunnel ipv6 over an ipv4 connection.  For the life of me why would you be using ULA at all??  Anywhere in your setup if you're trying to get your vpn client an IPv6 address that it can use to get to the internet.  Since you're routing ipv6 through the tunnel.

                                        I just added an ipv6 tunnel network from my HE /48 to an ipv4 setup I have.  Connected via my phone on ipv4 - and there you go using this IPv6 to get to the internet, etc...  Took all of 30 seconds to set up.. Remote even - all it took was adding the ipv6 tunnel network in my vpn config on pfsense, and adding some ipv6 dns..

                                        I then disconnected the vpn over IPv4 and just to show the network I am on here has no ipv6.. I ran again the ipv6 test page.. And no ipv6 connectivity - it was going thru my tunnel.

                                        • xl

                                          johnpoz, why so much aggression :) It is really working. Yep, I NATed local IPv6, I have my reasons to do it. But the result is the same. (I don't need to give my phone a public IPv6, I just need IPv6 working).

                                          scr-1.png

                                          • yon

                                            OpenVPN log:

                                            Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore. GDG: SIOCGIFHWADDR(lo) failed

                                            Client config file (IP and certificate hidden)

                                            persist-tun
                                            persist-key
                                            cipher AES-256-CBC
                                            ncp-disable
                                            auth SHA256
                                            tls-client
                                            client
                                            remote 12.1.1.1 2254 tcp-client
                                            lport 0
                                            remote-cert-tls server
                                            comp-lzo

                                            <ca>-----BEGIN CERTIFICATE-----
                                            MIIGdDCCBFygAwIBAgIBADANBgkqhkiG9

                                            -----END CERTIFICATE-----</ca>
                                            <cert>-----BEGIN CERTIFICATE-----
                                            MIIF2jCCA8KgAwIBAgIBATANBgkqhkiG9

                                            -----END CERTIFICATE-----</cert>
                                            <key>-----BEGIN PRIVATE KEY-----
                                            MIIEvgIBADANBgkqhkiG9w0BAQEFAAS

                                            -----END PRIVATE KEY-----</key>
                                            <tls-crypt>#

                                            2048 bit OpenVPN static key

                                            -----BEGIN OpenVPN Static key V1-----
                                            e915f97d913d93a88aa72b02d384aa9b

                                            -----END OpenVPN Static key V1-----</tls-crypt>

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.