Netgate Discussion Forum

    OpenVPN IPv6 Tunnel Network?

    • arostad

      Excuse my newbness but can somebody clarify what I would need to put in here so I can pass all IPv6 internet traffic between my client and server? I've spent days searching help docs and the net but I can't seem to find any useful info.

      Here's a quick rundown of my setup...

      -pfSense version 2.4.4-RELEASE-p2.
      -IPv6 is supported by my ISP.
      -I've received an address via DHCP6 on my WAN and have my LAN set to "Track Interface" for the IPv6 Config Type.
      -The DHCPv6 server is disabled on the LAN and Router Advertisements is set to "Assisted".
      -Test-ipv6.com always gives me a 10/10 when running from any client behind my pfSense box, on my LAN.

      My use case for this VPN is for full protection of IPv4 AND IPv6 traffic while using public wifi as I travel a lot for work and I'm on airport and hotel wifi quite a bit.

      I currently serve an OpenVPN tun tunnel with multihome turned on (I CAN connect to my OVPN server via IPv4 or IPv6 from outside my home with no issue) that forces all IPv4 and IPv6 traffic through it, but I've never actually got the IPv6 part of it to work. I tried putting in the example IPv6 tunnel network (fe80::/64) into my OVPN server config and that doesn't seem to work. It should also be noted that I have already changed both of the auto-generated firewall rules from the OpenVPN wizard from IPv4 to IPv4+6 to allow me to connect via IPv6 with the multihome setup and to allow IPv6 traffic to work on the OpenVPN tunnel.

      All I'm trying to accomplish is for all IPv6 web traffic to be routed between my client and my server just like IPv4 already is.

      Can somebody school me? Please?! 😬

      • Derelict LAYER 8 Netgate

        You need to pick a /64 out of the prefix delegation from the ISP that is not used by a tracked interface and use that as the IPv6 tunnel network.

        Of course, you have to pass IPv6 traffic from the OpenVPN clients to the internet.

        This will not automatically change if the PD changes, so in that case you will have to manually update it.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • arostad

          My lan is showing "v6/t6: 2001:48f8:405d:f6:207:43ff:fe3d:f88/64" so I assume that's what my ISP is giving me? Is it even possible for me to divvy that up?

          • Derelict LAYER 8 Netgate

            You have to look at the prefix delegation you are getting.

            Interfaces will always be a /64.

            No, you can't break it up.

            What values does it say are available in the LAN track interface configuration?

            IPv6 Prefix ID 1
            (hexadecimal from 0 to ff)

            • arostad

              It's saying 0 of 0 and it's of course set to 0.

              • Derelict LAYER 8 Netgate

                Then you need more addresses. Sorry.

                This is why ISPs giving a single /64 instead of a /56 or /48 is woefully insufficient.

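The sizing check behind the answers above, as an added example that is not part of the original thread: it lists the /64s of a prefix delegation that no tracked interface uses and explains why a candidate tunnel network is unsuitable. The function names are hypothetical, the thread's delegation is assumed to be the LAN's own /64 (the "0 of 0" case), and the /56 is a constructed documentation prefix.

```python
import ipaddress
from itertools import islice

def max_prefix_id(delegation):
    """Highest IPv6 Prefix ID the delegation allows: 0 for a /64, 0xff for a /56."""
    pd = ipaddress.IPv6Network(delegation)
    if pd.prefixlen > 64:
        raise ValueError("delegation is smaller than a /64")
    return 2 ** (64 - pd.prefixlen) - 1

def tracked_prefix(delegation, prefix_id):
    """The /64 a tracking interface takes for a given prefix ID."""
    pd = ipaddress.IPv6Network(delegation)
    if not 0 <= prefix_id <= max_prefix_id(delegation):
        raise ValueError("prefix ID out of range for this delegation")
    return ipaddress.IPv6Network((int(pd.network_address) + (prefix_id << 64), 64))

def free_tunnel_networks(delegation, tracked_ids, limit=4):
    """First /64s inside the delegation that no tracked interface uses."""
    used = {tracked_prefix(delegation, i) for i in tracked_ids}
    subnets = ipaddress.IPv6Network(delegation).subnets(new_prefix=64)
    return [str(n) for n in islice((s for s in subnets if s not in used), limit)]

def tunnel_network_problems(candidate, delegation, tracked_ids):
    """Reasons a candidate cannot serve as the IPv6 tunnel network (empty = usable)."""
    cand = ipaddress.IPv6Network(candidate)
    problems = []
    if cand.is_link_local:
        problems.append("link-local, not routable to the internet")
    if cand.prefixlen != 64:
        problems.append("not a /64")
    if not cand.subnet_of(ipaddress.IPv6Network(delegation)):
        problems.append("outside the delegated prefix")
    if cand in {tracked_prefix(delegation, i) for i in tracked_ids}:
        problems.append("already used by a tracked interface")
    return problems

# LAN address quoted in the thread; its /64 is assumed to be the whole delegation.
LAN_ADDR = "2001:48f8:405d:f6:207:43ff:fe3d:f88/64"
THREAD_PD = str(ipaddress.IPv6Interface(LAN_ADDR).network)
EXAMPLE_PD = "2001:db8:1234:ab00::/56"  # constructed sample, not from the thread

if __name__ == "__main__":
    print("thread /64 :", free_tunnel_networks(THREAD_PD, [0]))
    print("fe80::/64  :", tunnel_network_problems("fe80::/64", THREAD_PD, [0]))
    print("sample /56 :", free_tunnel_networks(EXAMPLE_PD, [0]))
```

With the LAN tracking prefix ID 0, a /64 delegation leaves an empty list, while the sample /56 leaves 255 unused /64s to choose a tunnel network from.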
                • arostad

                  Bummer... OK. Well, thank you very much for the help. I really appreciate it.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.