IPv6 over OpenVPN
-
I have a pfSense server with static IP connected to my LAN (using a Ubiquiti router). The router gets IPv6 addresses using prefix delegation (/60) for several VLANs from Comcast/Xfinity. I'm using the standard ::2 to ::7d1 range on each VLAN that is the default for the UniFi controller.
How do I set up so my OpenVPN clients can get an IPv6 address?
-
@ericnix said in IPv6 over OpenVPN:
How do I set up so my OpenVPN clients can get an IPv6 address?
Hi,
You are already using some of your /60s (4 of them) on your LANs (or VLANs).
I have a LAN using 192.168.1.0/24 - the default value.
And a second LAN using 192.168.2.0/24
A third one, 192.168.3.0/24, is assigned to the pfSense OpenVPN server. I also have a /56 IPv6, and am using the third "block" for my pfSense OpenVPN server - as you can see in the image.
This permits me to call into my pfSense OpenVPN.
Btw :
A network printer is not a server, although it often has a web server built in for maintenance.
pfSense isn't a server either - it's a router / firewall. Although it has several services built in that behave as a 'server'.
-
@Gertjan Where did you get your IPv6 tunnel network address from?
-
Well ...
IPv4 takes a couple of years to "master".
IPv6 is a part of your life - and will then last to the very end.
There are these guys that give you a free T-shirt (no joke) if you take their free IPv6 course.
And they give you a huge /56 ..... for free. With POPs all over the planet.
The best ISPv6 there is.
pfSense has instructions in the manual on how to set it up. Five letters and a dot : he.net.
-
@ericnix said in IPv6 over OpenVPN:
Where did you get your IPv6 tunnel network address from?
That comes from your assigned prefixes. Take a look at your LAN address. You're likely using your first prefix of 16. @Gertjan is using his 3rd. I'm using ff of my 256 /64s. So, you can choose whatever available /64s you have and that's where you get your VPN address from.
-
I never realized how complicated this is. How do I obtain the available configuration from Xfinity?
-
What does Xfinity have to do with this? Don't you know what your prefix is? Check your LAN config and see what your address is. You will see a setting for Prefix ID. I bet it's 0. You can then use any other, up to f (with a /60), that's not already in use, to create your VPN address. It's that simple. For example, the last 16 bits of my prefix are b00. With a /56 my highest prefix is bff, which is what I use for my VPN. I also use b04, for my test LAN, etc.
So, you just take your current LAN prefix and change the Prefix ID portion of it to whatever you wish to use and put that value in the IPv6 Tunnel Network box.
-
@JKnott Sorry I'm a newb when it comes to IPv6. It's confusing -- nothing like IPv4. I thought Xfinity assigned the IPv6 addresses (unlike IPv4)?
No I have no idea what my prefix is. When I look at the IPv6 address my computer has obtained, there are 4 numbers followed by letters and numbers.
I guess I don't know the formatting to figure out what all I need to put in the field -- like what portion is the prefix?
Sorry to sound so retarded with this. It's confusing.
-
In many ways, IPv4 & IPv6 work the same way, but there are significant differences. Unlike IPv4, where most people get a single address, which they have to share using NAT, with IPv6, you get a prefix, which compares to a subnet on IPv4. You will get at least 1, in your case 16, /64 prefixes, each of which contain 18.4 billion, billion addresses. Your 16 /64s are provided to you as a /60 prefix, which pfsense can split into individual /64s. You can use as many of them as you want. Here's an example of an IPv6 address. I've inserted a space between the prefix and the rest of the LAN address: fd48:1a37:2160:0 4584:6fe:fe33:a937
There'd normally be another : where the space is. The left half is the /64 prefix and the right half is the address within the LAN. Notice the 0 at the right end of the prefix. That would be the prefix ID and could range from 0 - f, with your /60 prefix. Your LAN would normally use 0, and if you had other networks, including a VPN, you would choose another number for that position. If you were creating another LAN, then you would choose that prefix ID during the configuration. However, in that tunnel address, you have to do it yourself. The address I provided is one similar to the RFC 1918 addresses in IPv4, in that they're not allowed on the Internet. The addresses you get from your ISP would start with either a 2 or 3. Each block of characters, separated with a : represents 16 bits, expressed as 4 hex digits. Leading 0s don't have to be displayed and if you see ::, that refers to a string of as many 0s as needed to fill out the 128 address bits. It can only be used once within an address. So, with this info, you could take the address for your computer, determine which is the prefix and LAN portions and then determine the rightmost digit in the prefix for the prefix ID. Use whichever available prefix you wish and put it in that tunnel address box.
-
@JKnott Thank you so much for that info! That made IPv6 understandable. Thank you!!
-
So I see in the pfSense status/dashboard that I'm getting an IPv6 address. However, when I run an IPv6 test site it's not transferring to my client.
Are there any special settings I need with OpenVPN (other than enabling IPv6) or Windows 10?
-
@ericnix said in IPv6 over OpenVPN:
So I see in the pfSense status/dashboard that I'm getting an IPv6 address
That's the
@JKnott said in IPv6 over OpenVPN:
there are significant differences
part.
Your ISP router from Xfinity 'knows' how to
- obtain an IPv6 that it can use to route 'local' IPv6 addresses from LAN segments.
- It also knows how to obtain the so-called 'prefix'.
You might think : this looks like what DHCP is doing for IPv4.
Now comes the trick : this IPv6 negotiation is ISP dependent. Some only hand over a single /64, so your (typical SOHO) router can only have one ( 1 ) LAN. This is the case with my ISP. Pretty useless.
ipv6.he.net gives a /64 and a /56 : I can stuff 1 + 254 NICs into pfSense and have as many LANs.
Understand also that if you put your pfSense (a router) behind your ISP router - and your ISP only hands over one single /64, the ISP Xfinity router's LAN will get assigned this /64 network. pfSense gets, as any device on your LAN, a single IPv6 address out of this /64, and it can not delegate a subset of this /64 further down (no, you can't break it up into 16 /70 - which would be more than enough ...)
It's like having one 192.168.1.0/24 IPv4 network available to you, and trying to add a second LAN NIC to your pfSense (let's presume 192.168.2.0/24 etc. doesn't exist).
So, it all boils down to : replace the Xfinity router with pfSense, and being able to instruct pfSense so it knows how the ISP Xfinity hands over this 'prefix'. Several solutions exist, and the ISP can also use some 'own, invented - not standard' solution.
ISPs don't often give details about the process involved, as they control and program their routers as they want, without needing to explain 'how it works' to the end users. They often don't know themselves.
The big advantage for them is : they do not have to support clients that start to ask over the phone : "my router (pfSense) doesn't work when I try to use IPv6 ....". They will say : "use our own router, you'll be fine - bye".
As always : when you pick an ISP, there is a list of criteria that make you select the right one.
Now you know you have to add one more to that list.
I was not joking about the ipv6 he.net T-shirt.
Btw : IPv6 is more complex : all LAN based devices can also auto assign themselves 'random' IPv6 addresses (the fe80:xxxxxx addresses), all they need to know is what device will be the router that routes IPv6 to the rest of the world.
@ericnix said in IPv6 over OpenVPN:
However, when I run an IPv6 test site it's not transferring to my client.
First : hook up a client ( a PC) to the LAN of pfSense.
Does it get a IPv6 ?
Do you see : or the real thing (we're router admins, right ?) :
Ethernet adapter Ethernet:
   Connection-specific DNS Suffix  . : brit-hotel-fumel.net
   Description . . . . . . . . . . . : Intel(R) Ethernet Connection (11) I219-LM
   Physical Address. . . . . . . . . : A4-BB-6D-BA-16-A1
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:470:1f23:5d0:2::84(Preferred)
   Lease Obtained. . . . . . . . . . : Thursday, September 3, 2020 02:44:41
   Lease Expires . . . . . . . . . . : Friday, September 4, 2020 09:03:57
   Link-local IPv6 Address . . . . . : fe80::410c:5e0d:e1a1:6075%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.120(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Tuesday, August 25, 2020 11:24:29
   Lease Expires . . . . . . . . . . : Saturday, September 5, 2020 01:34:20
   Default Gateway . . . . . . . . . : fe80::215:17ff:fe77:d118%10
                                       192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 111459181
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-26-59-DF-9D-A4-BB-6D-BA-17-A1
   DNS Servers . . . . . . . . . . . : 2001:470:1f23:5d0:2::1
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
   Connection-specific DNS Suffix Search List : brit-hotel-fumel.net
( sorry - my Windows uses a non-standard language; translated to English above )
-
@Gertjan Thanks for that reply. My understanding of IPv6 is a little more clear now.
I have a Ubiquiti Router (UniFi Dream Machine Pro) as I use it for operating cameras. I have 8 VLANs in my home network.
The pfSense box is connected to my main LAN (default LAN) with a static IP (10.0.1.15). The OpenVPN tunnel runs through it with OpenVPN clients being assigned IPv4 IP's in the 10.0.0.0/24 range. The default LAN has a subnet of 10.0.1.0/24.
So it may not be possible to give out IPv6 addresses to OpenVPN clients since I'm not using the pfSense box as a router and it's obtaining its own IPv6 address from the UniFi router.
-
If pfSense can't route IPv6, then you can't do much.
Except : opt in for IPv6 from he.net, and discard the IPv6 functionality that your ISP offers you. The pfSense WAN probably still obtains an IPv6 from your upstream router, but you will never use it.
The setup is pretty straightforward - real set-it-and-forget-it functionality.
You can experiment with it : the IPv6 from he.net (tunneled over IPv4, somewhat like a VPN) is pretty rock solid - and free. Maybe once a year their IPv6 POP has an issue, but they are very fast in recovering from problems.
IPv6 brings with it a nice gadget : NAT isn't needed any more.
pfSense as a router will .... route. This means that firewall rules are the only protection you have.
The firewall's default behaviour : "block everything except what is expressly permitted" still applies, though.
I could access my Synology Diskstation on my LAN from anywhere in the world with this rule :
I limited the 'source' with the alias 'SYS' which are my IPv6 known locations.
-
@ericnix said in IPv6 over OpenVPN:
So I see in the pfSense status/dashboard that I'm getting an IPv6 address. However, when I run an IPv6 test site it's not transferring to my client.
Are there any special settings I need with OpenVPN (other than enabling IPv6) or Windows 10?
Take a look at the dashboard again. Do you see an IPv6 on the LAN side? If not the other devices on your LAN won't get an address either. Is your modem in bridge or gateway mode? You want bridge. If it's in gateway mode, you'll get a single /64, which pfSense cannot do anything with.
BTW, it might be better to get IPv6 working properly on your LAN, before you start worrying about a VPN.
-
@JKnott I have IPv6 working on my LAN, but I'm using a Ubiquiti UniFi Dream Machine Pro as my router. The pfSense box is connected to LAN using static IP and serves only as an OpenVPN server. IPv6 addresses are successfully being handed out on all subnets by the UDMP router. (I have 8 VLANs)
I will keep working with it to hopefully get it working. Out of curiosity, what do I put after my prefix? Let's say prefix is ab:bc:cd:df -- what am I supposed to put after that? The router's config has a range, and I left it at default.
-
@ericnix said in IPv6 over OpenVPN:
Let's say prefix is ab:bc:cd:df -- what am I supposed to put after that? The router's config has a range, and I left it at default.
In that tunnel address box, you put only the prefix. Using your example, it would be ab:bc:cd:df::/64.
-
See image here https://forum.netgate.com/topic/156544/ipv6-over-openvpn?_=1599304505033
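An added example (my own code, not from the thread, pfSense or OpenVPN) that carries out the recipe JKnott gives in his two explanations above and in the final reply: take a LAN address, split off the /64, read the Prefix ID bits that sit between the delegated length and bit 64, list the /64s still free inside the delegation, and format the chosen one as the value for the IPv6 Tunnel Network box. It also shows Gertjan's point that a bare delegated /64 leaves no Prefix ID bits to choose from. The fd48:... address is the one quoted in the thread and the /60 matches the original poster's delegation; the 2001:db8:... addresses are constructed samples from the documentation range. `server-ipv6` is the OpenVPN directive behind the tunnel network box; the `route-ipv6 2000::/3` push is an assumed full-tunnel choice, not something the thread states.

```python
# Added example (not from the forum thread): derive the /64 and Prefix ID of a
# LAN address, list the spare /64s in the delegated prefix, and build the value
# for pfSense's OpenVPN "IPv6 Tunnel Network" box (OpenVPN's `server-ipv6`).
# Sample addresses: fd48:... is the one posted in the thread; 2001:db8:... are
# constructed documentation-range samples.
import ipaddress


def lan_prefix(addr_str):
    """The /64 a host address belongs to: the left half of the address."""
    host = ipaddress.IPv6Address(addr_str)
    return ipaddress.IPv6Network((int(host), 64), strict=False)


def delegated_prefix(addr_str, delegated_len):
    """The ISP-delegated prefix (/60, /56, ...) that contains the address."""
    host = ipaddress.IPv6Address(addr_str)
    return ipaddress.IPv6Network((int(host), delegated_len), strict=False)


def prefix_id(addr_str, delegated_len):
    """Value of the pfSense 'Prefix ID' field for this LAN.

    It is the run of bits between the delegated length and bit 64: one hex
    digit (0-f) for a /60, two (00-ff) for a /56, and nothing at all for a
    /64, which is why a single delegated /64 cannot be split any further.
    """
    width = 64 - delegated_len
    if width <= 0:
        return None
    top64 = int(lan_prefix(addr_str).network_address) >> 64
    return top64 & ((1 << width) - 1)


def subnet_with_id(delegated, pid):
    """The /64 inside `delegated` whose Prefix ID is `pid`."""
    width = 64 - delegated.prefixlen
    if width <= 0:
        raise ValueError(f"a /{delegated.prefixlen} has no /64s to choose from")
    if not 0 <= pid < (1 << width):
        raise ValueError(f"prefix ID {pid:#x} does not fit in a /{delegated.prefixlen}")
    base = int(delegated.network_address)          # host bits are already zero
    return ipaddress.IPv6Network((base | (pid << 64), 64))


def free_64s(delegated, in_use_ids):
    """Every /64 in `delegated` whose Prefix ID is not already assigned."""
    width = 64 - delegated.prefixlen
    if width <= 0:
        return []
    return [subnet_with_id(delegated, i) for i in range(1 << width) if i not in in_use_ids]


def openvpn_ipv6_lines(tunnel):
    """Server-side OpenVPN directives for the chosen tunnel /64.

    `server-ipv6` is what the pfSense 'IPv6 Tunnel Network' box turns into.
    The route push sends all global IPv6 through the tunnel; this assumes a
    full-tunnel setup and should be dropped for split tunnelling.
    """
    return [f"server-ipv6 {tunnel}", 'push "route-ipv6 2000::/3"']


if __name__ == "__main__":
    lan_host = "fd48:1a37:2160:0:4584:6fe:fe33:a937"   # address from the thread
    delegated = delegated_prefix(lan_host, 60)
    lan_id = prefix_id(lan_host, 60)
    print("LAN /64       :", lan_prefix(lan_host))
    print("delegated     :", delegated)
    print("LAN prefix ID :", f"{lan_id:x}")
    spare = free_64s(delegated, in_use_ids={lan_id})
    print("spare /64s    :", len(spare))
    tunnel = subnet_with_id(delegated, 0xF)             # pick the last one for the VPN
    print("tunnel network:", tunnel)
    for line in openvpn_ipv6_lines(tunnel):
        print("   ", line)
    # A bare /64 from a gateway-mode modem leaves nothing to hand out:
    print("spare in a /64:", free_64s(delegated_prefix("2001:db8::1", 64), {0}))
```

Run it and the tunnel network printed for the thread's address is fd48:1a37:2160:f::/64, i.e. the LAN's /64 with the Prefix ID nibble changed from 0 to f, which is exactly the string to paste into the IPv6 Tunnel Network box. Feeding it the /64 case returns an empty list, matching the advice that pfSense behind a gateway-mode modem has no prefix to give OpenVPN clients.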