OpenVPN-Client different Gateways when using IPv4 or IPv6 as remote VPN-Server
My VPN server (Debian, latest OpenVPN version) runs in dual-stack mode (it has a public IPv4 address, e.g. 4.4.4.4, and an IPv6 address, e.g. 2a01:aaaa:bbbb:cccc:0:0:0:1). Everything works very well with Ubuntu, Windows etc.
When connecting my pfSense (client of the VPN) with the IPv4 address of the Linux VPN server (under VPN -> OpenVPN -> Clients -> Edit), the gateway which is pushed is something like 2a01:aaaa:bbbb:cccc:0:0:1:1. The v6 gateway and the IPv6 Internet are pingable. All works fine.
When connecting my pfSense with the IPv6 address of the Linux VPN server, the gateway which is pushed is something like fe80: 4567
4567
4567. The v6 gateway and the IPv6 Internet are not pingable. 100% packet loss.
IPv4 Connection Log:
OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Nov 16 2017
library versions: OpenSSL 1.0.2m-freebsd 2 Nov 2017, LZO 2.10
MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Outgoing Control Channel Authentication: Using 128 bit message hash 'SHA' for HMAC authentication
Incoming Control Channel Authentication: Using 128 bit message hash 'SHA' for HMAC authentication
TCP/UDP: Preserving recently used remote address: [AF_INET]4.4.4.4:1992
Socket Buffers: R=[42080->42080] S=[57344->57344]
UDP link local (bound): [AF_INET][undef]:1992
UDP link remote: [AF_INET]4.4.4.4:1992
TLS: Initial packet from [AF_INET]4.4.4.4:1992 (via [AF_INET]192.168.0.100%), sid=7962a9e6 dec2475c
VERIFY OK: …
VERIFY OK: ...
VERIFY OK: ...
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA, 4096 bit RSA
[server] Peer Connection Initiated with [AF_INET]4.4.4.4:1992 (via [AF_INET]192.168.0.100%)
SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,redirect-gateway ipv6,dhcp-option DOMAIN local.domains,dhcp-option DOMAIN local.domains,dhcp-option DNS 10.8.0.1,dhcp-option DNS6 2a01:aaaa:bbbb:cccc:0:0:1:1,tun-ipv6,route-gateway 10.8.0.1,ping 10,ping-restart 120,ifconfig-ipv6 2a01:aaaa:bbbb:cccc:0:0:1:100/112 2a01:aaaa:bbbb:cccc:0:0:1:1,ifconfig 10.8.0.100 255.255.255.0,peer-id 1'
Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
OPTIONS IMPORT: timers and/or timeouts modified
OPTIONS IMPORT: --ifconfig/up options modified
OPTIONS IMPORT: route options modified
OPTIONS IMPORT: route-related options modified
OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
OPTIONS IMPORT: peer-id set
OPTIONS IMPORT: adjusting link_mtu to 1656
Outgoing Data Channel: Cipher 'AES-AES-AES' initialized with 256 bit key
Outgoing Data Channel: Using 128 bit message hash 'SHA' for HMAC authentication
Incoming Data Channel: Cipher 'AES-AES-AES' initialized with 256 bit key
Incoming Data Channel: Using 128 bit message hash 'SHA' for HMAC authentication
ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=vtnet2 HWADDR=aa:06:bb:2b:53:e2
GDG6: remote_host_ipv6=n/a
ROUTE6_GATEWAY fe80:4567 4567 IFACE=vtnet2
TUN/TAP device ovpnc1 exists previously, keep at program end
TUN/TAP device /dev/tap1 opened
do_ifconfig, tt->did_ifconfig_ipv6_setup=1
/sbin/ifconfig ovpnc1 10.8.0.100 netmask 255.255.255.0 mtu 1500 up
/sbin/ifconfig ovpnc1 inet6 2a01:aaaa:bbbb:cccc:0:0:1:100/112
/usr/local/sbin/ovpn-linkup ovpnc1 1500 1620 10.8.0.100 255.255.255.0 init
/sbin/route add -net 4.4.4.4 192.168.0.1 255.255.255.255
/sbin/route add -net 0.0.0.0 10.8.0.1 128.0.0.0
/sbin/route add -net 128.0.0.0 10.8.0.1 128.0.0.0
add_route_ipv6(::/3 -> 2a01:aaaa:bbbb:cccc:0:0:1:1 metric -1) dev ovpnc1
/sbin/route add -inet6 ::/3 2a01:aaaa:bbbb:cccc:0:0:1:1
add_route_ipv6(2000::/4 -> 2a01:aaaa:bbbb:cccc:0:0:1:1 metric -1) dev ovpnc1
/sbin/route add -inet6 2000::/4 2a01:aaaa:bbbb:cccc:0:0:1:1
add_route_ipv6(3000::/4 -> 2a01:aaaa:bbbb:cccc:0:0:1:1 metric -1) dev ovpnc1
/sbin/route add -inet6 3000::/4 2a01:aaaa:bbbb:cccc:0:0:1:1
add_route_ipv6(fc00::/7 -> 2a01:aaaa:bbbb:cccc:0:0:1:1 metric -1) dev ovpnc1
/sbin/route add -inet6 fc00::/7 2a01:aaaa:bbbb:cccc:0:0:1:1
Initialization Sequence Completed
IPv6 Connection Log:
OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Nov 16 2017
library versions: OpenSSL 1.0.2m-freebsd 2 Nov 2017, LZO 2.10
MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Outgoing Control Channel Authentication: Using 128 bit message hash 'SHA' for HMAC authentication
Incoming Control Channel Authentication: Using 128 bit message hash 'SHA' for HMAC authentication
TCP/UDP: Preserving recently used remote address: [AF_INET6]2a01:aaaa:bbbb:cccc:0:0:0:1:1992
Socket Buffers: R=[42080->42080] S=[57344->57344]
setsockopt(IPV6_V6ONLY=0)
UDP link local (bound): [AF_INET6][undef]:1990
UDP link remote: [AF_INET6]2a01:aaaa:bbbb:cccc:0:0:0:1:1992
TLS: Initial packet from [AF_INET6]2a01:aaaa:bbbb:cccc:0:0:0:1:1992 (via 2a02:cccc:bbbb:aaaa:12341234:1234%vtnet2), sid=1a46f25c fbf95001
VERIFY OK: …
VERIFY OK: ...
VERIFY OK: ...
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ... RSA
[server] Peer Connection Initiated with [AF_INET6]2a01:aaaa:bbbb:cccc:0:0:0:1:1992 (via 2a02:cccc:bbbb:aaaa:12341234:1234%vtnet2)
Key [AF_INET6]2a01:aaaa:bbbb:cccc:0:0:0:1:1992 (via 2a02:cccc:bbbb:aaaa:12341234:1234%vtnet2) not initialized (yet), dropping packet.
SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,redirect-gateway ipv6,dhcp-option DOMAIN local.domains,dhcp-option DOMAIN local.domain,dhcp-option DNS 10.8.0.1,dhcp-option DNS6 2a01:aaaa:bbbb:cccc:0:0:1:1,tun-ipv6,route-gateway 10.8.0.1,ping 10,ping-restart 120,ifconfig-ipv6 2a01:aaaa:bbbb:cccc:0:0:1:100/112 2a01:aaaa:bbbb:cccc:0:0:1:1,ifconfig 10.8.0.100 255.255.255.0,peer-id 4'
Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
OPTIONS IMPORT: timers and/or timeouts modified
OPTIONS IMPORT: --ifconfig/up options modified
OPTIONS IMPORT: route options modified
OPTIONS IMPORT: route-related options modified
OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
OPTIONS IMPORT: peer-id set
OPTIONS IMPORT: adjusting link_mtu to 1656
Outgoing Data Channel: Cipher 'AES-AES-AES' initialized with 256 bit key
Outgoing Data Channel: Using 384 bit message hash 'SHA' for HMAC authentication
Incoming Data Channel: Cipher 'AES-AES-AES' initialized with 256 bit key
Incoming Data Channel: Using 384 bit message hash 'SHA' for HMAC authentication
ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=vtnet2 HWADDR=aa:06:bb:2b:53:e2
GDG6: remote_host_ipv6=2a01:aaaa:bbbb:cccc:0:0:0:1
ROUTE6_GATEWAY fe80:4567 4567 IFACE=vtnet2
ROUTE6: 2000::/4 overlaps IPv6 remote 2a01:aaaa:bbbb:cccc:0:0:0:1, adding host route to VPN endpoint
TUN/TAP device ovpnc1 exists previously, keep at program end
TUN/TAP device /dev/tap1 opened
do_ifconfig, tt->did_ifconfig_ipv6_setup=1
/sbin/ifconfig ovpnc1 10.8.0.100 netmask 255.255.255.0 mtu 1500 up
/sbin/ifconfig ovpnc1 inet6 2a01:aaaa:bbbb:cccc:0:0:1:100/112
/usr/local/sbin/ovpn-linkup ovpnc1 1500 1620 10.8.0.100 255.255.255.0 init
ROUTE remote_host protocol differs from tunneled
/sbin/route add -net 0.0.0.0 10.8.0.1 128.0.0.0
/sbin/route add -net 128.0.0.0 10.8.0.1 128.0.0.0
add_route_ipv6(2a01:aaaa:bbbb:cccc:0:0:0:1/128 -> fe80:4567 4567%vtnet2 metric 1) dev vtnet2
/sbin/route add -inet6 2a01:aaaa:bbbb:cccc:0:0:0:1/128 fe80:4567 4567%vtnet2
add_route_ipv6(::/3 -> 2a01:aaaa:bbbb:cccc:0:0:1:1 metric -1) dev ovpnc1
/sbin/route add -inet6 ::/3 2a01:aaaa:bbbb:cccc:0:0:1:1
add_route_ipv6(2000::/4 -> 2a01:aaaa:bbbb:cccc:0:0:1:1 metric -1) dev ovpnc1
/sbin/route add -inet6 2000::/4 2a01:aaaa:bbbb:cccc:0:0:1:1
add_route_ipv6(3000::/4 -> 2a01:aaaa:bbbb:cccc:0:0:1:1 metric -1) dev ovpnc1
/sbin/route add -inet6 3000::/4 2a01:aaaa:bbbb:cccc:0:0:1:1
add_route_ipv6(fc00::/7 -> 2a01:aaaa:bbbb:cccc:0:0:1:1 metric -1) dev ovpnc1
/sbin/route add -inet6 fc00::/7 2a01:aaaa:bbbb:cccc:0:0:1:1
Initialization Sequence Completed
MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
MANAGEMENT: CMD 'state 1'
MANAGEMENT: CMD 'status 2'
MANAGEMENT: Client disconnected
If you need more information, please let me know.
Thank you for your help and for your time making pfSense even more perfect and IPv6 running like v4!!! THX
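As an added example (not code from the post, pfSense or OpenVPN), a small Python checker that parses the PUSH_REPLY and add_route_ipv6() lines of the client log shown above and reports which IPv6 destinations leave outside the tunnel. With redirect-gateway ipv6 only the VPN endpoint /128 should do so, and when the remote is reached over IPv6 that host route goes via the link-local gateway on the physical interface, so the checker also verifies that the link-local next hop carries its %zone. The sample log is constructed from the post's IPv6 log; fe80::1 stands in for the link-local gateway the forum mangled.

```python
import ipaddress
import re

# Constructed sample modelled on the post's IPv6 log; fe80::1 stands in for the mangled link-local gateway.
SAMPLE_LOG = """\
PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,redirect-gateway ipv6,route-gateway 10.8.0.1,ifconfig-ipv6 2a01:aaaa:bbbb:cccc:0:0:1:100/112 2a01:aaaa:bbbb:cccc:0:0:1:1,peer-id 4'
GDG6: remote_host_ipv6=2a01:aaaa:bbbb:cccc:0:0:0:1
add_route_ipv6(2a01:aaaa:bbbb:cccc:0:0:0:1/128 -> fe80::1%vtnet2 metric 1) dev vtnet2
add_route_ipv6(::/3 -> 2a01:aaaa:bbbb:cccc:0:0:1:1 metric -1) dev ovpnc1
add_route_ipv6(2000::/4 -> 2a01:aaaa:bbbb:cccc:0:0:1:1 metric -1) dev ovpnc1
add_route_ipv6(3000::/4 -> 2a01:aaaa:bbbb:cccc:0:0:1:1 metric -1) dev ovpnc1
add_route_ipv6(fc00::/7 -> 2a01:aaaa:bbbb:cccc:0:0:1:1 metric -1) dev ovpnc1
"""
ROUTE_RE = re.compile(r"add_route_ipv6\((\S+) -> (\S+) metric (-?\d+)\) dev (\S+)")

def push_options(log):
    """Split the server's PUSH_REPLY into its individual options."""
    m = re.search(r"'PUSH_REPLY,([^']*)'", log)
    return m.group(1).split(",") if m else []

def ipv6_routes(log):
    """Each add_route_ipv6() line as a dict: destination network, gateway, %zone, device."""
    routes = []
    for dst, gw, _metric, dev in ROUTE_RE.findall(log):
        addr, _, zone = gw.partition("%")  # "fe80::1%vtnet2" -> address and scope zone
        routes.append({"dst": ipaddress.IPv6Network(dst), "gw": ipaddress.IPv6Address(addr),
                       "zone": zone or None, "dev": dev})
    return routes

def route_for(log, address):
    """Longest-prefix match: the installed route that carries traffic to address."""
    addr = ipaddress.IPv6Address(address)
    hits = [r for r in ipv6_routes(log) if addr in r["dst"]]
    return max(hits, key=lambda r: r["dst"].prefixlen) if hits else None

def check(log, tun_dev="ovpnc1"):
    """Only the VPN endpoint /128 may leave outside the tunnel; global IPv6 must enter it."""
    findings = []
    m = re.search(r"remote_host_ipv6=(\S+)", log)
    remote = ipaddress.IPv6Network(m.group(1) + "/128") if m and m.group(1) != "n/a" else None
    for r in ipv6_routes(log):
        if r["dev"] != tun_dev and r["dst"] != remote:
            findings.append(f"{r['dst']} bypasses the tunnel via {r['dev']}")
        elif r["dev"] != tun_dev and r["gw"].is_link_local and not r["zone"]:
            findings.append("endpoint host route uses a link-local gateway without a %zone")
    if "redirect-gateway ipv6" in push_options(log):
        probe = route_for(log, "2001:db8::1")  # documentation prefix stands in for "the Internet"
        if probe is None or probe["dev"] != tun_dev:
            findings.append("redirect-gateway ipv6 pushed, but global IPv6 does not enter the tunnel")
    return findings
```

Run check() over the relevant lines of a client log; an empty list means every global IPv6 destination except the VPN endpoint itself is routed through the tunnel.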