Netgate Discussion Forum

Dual-stack v4+v6 OpenVPN server - question re: IPv6 Tunnel Network

    luckman212 LAYER 8
    last edited by luckman212 Oct 16, 2018, 4:34 PM Oct 16, 2018, 2:26 PM

    I've got an OpenVPN server set up and working well on pfSense 2.4.4.

    I wanted to add IPv6 to the tunnel (dual stack). First I tried just using the example fe80::/64 private tunnel network. That didn't work. I scratched my head for a few minutes and then realized that was probably because I don't use Automatic Outbound NAT—I'm in full manual mode. I don't want to NAT this traffic anyway, since the ISP delegates a whole /56—plenty of addresses to go around.

    I carved out a routable /64 and assigned it in IPv6 Tunnel Network, and it worked like a dream.

    Just wanted to clarify that this is the correct way to do it? The Netgate docs don't have too much detail. Logically it makes sense that if I'm not NAT'ting then I would have to have a routable v6 prefix specified there. It's just throwing me off a bit because of the wording on the config page: "This is the IPv6 virtual network used for private communications between this server and client hosts" -- makes me think it is supposed to be a ULA or link-local address.

      jimp Rebel Alliance Developer Netgate
      last edited by Oct 16, 2018, 4:13 PM

      It's all in what you want to do with it.

      If you only want to communicate from clients to local services then so long as everything involved is using pfSense as the gateway/VPN server then it should "Just Work" with ULA or whatever. Though it does need to be a /64.

      If you want connected clients to reach out to other networks like the Internet, it needs to be a routed address, or at least an address your other connected networks know how to reach via whatever they use for routing (static routes, routing protocols, etc).

      If you have a static IPv6 allocation the easiest and most flexible thing is to just use a routed /64 there.

      You don't need to touch anything in NAT for IPv6.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

        luckman212 LAYER 8
        last edited by Oct 16, 2018, 4:19 PM

        Thanks for that JimP, good to know 👍

        What had me confused was, a couple of years ago when I was running in Automatic NAT mode, I remember using fe80::/64 and that it worked. Once I realized what I was doing wrong, it was a pretty easy fix.

          jimp Rebel Alliance Developer Netgate
          last edited by Oct 16, 2018, 4:22 PM

          With fe80:: you can only get from the client to the firewall and no farther, since it's link-local. You want something ULA under fc00::/7

            JKnott
            last edited by Oct 16, 2018, 4:27 PM

            @luckman212 said in Dual-stack v4+v6 OpenVPN server - question re: IPv6 Tunnel Network:

            I carved out a /64 and assigned it in IPv6 Tunnel Network, and it worked like a dream.

            That's the way to do it. As mentioned by others, the link local addresses won't work, as they can't be routed. One thing a lot of people don't realize is that with a VPN, the VPN transport can be IPv4, while carrying IPv6. Also, networks on IPv6 are normally /64. While you can use a much smaller prefix for a point-to-point link, a /64 is needed for SLAAC to work.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

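An added example, not code from any post in this thread or from pfSense, that encodes the scope rules jimp and JKnott give above: it classifies a candidate IPv6 Tunnel Network as link-local (fe80::/10, reaches the firewall only), ULA (fc00::/7, fine for VPN-to-LAN behind pfSense but not routed to the Internet) or global unicast (2000::/3, routable when it comes from your delegation), and checks the /64 length the replies insist on. The prefixes in the sample run are constructed; the 2001:db8 range is documentation space standing in for a real delegated prefix.

```python
import ipaddress

# Address scopes from RFC 4291 / RFC 4193; the thread's point is that only
# the global-unicast case can be routed beyond pfSense without NAT.
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
ULA = ipaddress.IPv6Network("fc00::/7")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def classify_tunnel_network(prefix: str) -> dict:
    """Describe how far traffic from a VPN client can get with this prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.subnet_of(LINK_LOCAL):
        scope, reach = "link-local", "client to firewall only; not routable"
    elif net.subnet_of(ULA):
        scope, reach = "ula", "VPN clients to networks behind pfSense; no Internet without NAT"
    elif net.subnet_of(GLOBAL_UNICAST):
        scope, reach = "global", "routable, provided the /64 comes from your delegation"
    else:
        scope, reach = "other", "not a usable tunnel network"
    return {"network": str(net), "scope": scope, "reach": reach,
            "is_64": net.prefixlen == 64}


def tunnel_network_problems(prefix: str, clients_need_internet: bool) -> list:
    """Return the reasons a prefix is unsuitable for the IPv6 Tunnel Network
    field; an empty list means it should work for the stated use."""
    info = classify_tunnel_network(prefix)
    problems = []
    if not info["is_64"]:
        problems.append("must be a /64 (OpenVPN and SLAAC expect it)")
    if info["scope"] == "link-local":
        problems.append("link-local: traffic cannot go past the firewall")
    elif info["scope"] == "other":
        problems.append("not link-local, ULA or global unicast")
    elif info["scope"] == "ula" and clients_need_internet:
        problems.append("ULA is not routed on the Internet; use a /64 from your delegation")
    return problems


if __name__ == "__main__":
    # Constructed candidates: the forum's fe80::/64 example, a ULA, and a
    # documentation-range /64 standing in for a real delegated prefix.
    for candidate in ("fe80::/64", "fd00:1::/64", "2001:db8:0:ff00::/64", "2001:db8::/48"):
        info = classify_tunnel_network(candidate)
        print(candidate, info["scope"], tunnel_network_problems(candidate, True))
```

Run it with the prefix you intend to type into the OpenVPN server's IPv6 Tunnel Network field and the answer to "do clients need the Internet over the tunnel?"; an empty problem list matches what the replies above say should work.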
              gsmornot @luckman212
              last edited by Oct 16, 2018, 8:36 PM

              @luckman212 said in Dual-stack v4+v6 OpenVPN server - question re: IPv6 Tunnel Network:

              I've got an OpenVPN server set up and working well on pfSense 2.4.4.

              I wanted to add IPv6 to the tunnel (dual stack). First I tried just using the example fe80::/64 private tunnel network. That didn't work. I scratched my head for a few minutes and then realized that was probably because I don't use Automatic Outbound NAT—I'm in full manual mode. I don't want to NAT this traffic anyway, since the ISP delegates a whole /56—plenty of addresses to go around.

              I carved out a routable /64 and assigned it in IPv6 Tunnel Network, and it worked like a dream.

              Just wanted to clarify that this is the correct way to do it? The Netgate docs don't have too much detail. Logically it makes sense that if I'm not NAT'ting then I would have to have a routable v6 prefix specified there. It's just throwing me off a bit because of the wording on the config page: "This is the IPv6 virtual network used for private communications between this server and client hosts" -- makes me think it is supposed to be a ULA or link-local address.

              I did the same. At a point in the past I was using the provided gateway from my provider. In passthrough they give my LAN a /64 assignment. I took the next block back for VPN. LAN is 576f::/64, I use 576e::/64. Works fine. My main use for the OpenVPN is pfBlocker while mobile. I have another VPN provider (PIA) for general use but for most things my personal VPN is the one I use so it feels like home.

                MikeV7896
                last edited by Oct 17, 2018, 12:23 AM

                Likewise, I've taken a /64 out of my /60 for OpenVPN. Obviously I had to manually enter it, so if my prefix ever changes, I'm screwed until I can update things... but it does work great.

                The S in IOT stands for Security

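An added example, not code from the thread or from pfSense, for what gsmornot and MikeV7896 describe: carving a /64 for OpenVPN out of the prefix the ISP delegates while skipping the /64s already assigned to LAN interfaces, plus a check that the statically entered tunnel network still belongs to the current delegation, which is the thing that silently breaks when the provider hands out a new prefix. The 2001:db8 values are constructed documentation addresses; taking the highest free /64 is a choice made here, not something the thread prescribes.

```python
import ipaddress
from typing import Iterable


def pick_vpn_64(delegated: str, in_use: Iterable[str]) -> ipaddress.IPv6Network:
    """Return the highest /64 inside the delegation that does not overlap any
    network already assigned (LAN, guest, ...). Taking from the top end leaves
    the low /64s free for further LAN segments."""
    pd = ipaddress.IPv6Network(delegated, strict=False)
    if pd.prefixlen > 64:
        raise ValueError(f"{pd} is smaller than a /64; nothing to carve out")
    used = [ipaddress.IPv6Network(n, strict=False) for n in in_use]
    for candidate in reversed(list(pd.subnets(new_prefix=64))):
        if not any(candidate.overlaps(u) for u in used):
            return candidate
    raise ValueError(f"every /64 in {pd} is already assigned")


def tunnel_still_in_delegation(tunnel: str, delegated: str) -> bool:
    """False when the ISP has handed out a different prefix and the statically
    entered tunnel network no longer belongs to it; worth checking whenever the
    WAN prefix changes, since nothing in the OpenVPN config will complain."""
    return ipaddress.IPv6Network(tunnel, strict=False).subnet_of(
        ipaddress.IPv6Network(delegated, strict=False))


if __name__ == "__main__":
    # Constructed values: a /56 delegation with two /64s already on LAN interfaces.
    delegation = "2001:db8:1200::/56"
    lan = ["2001:db8:1200::/64", "2001:db8:1200:1::/64"]
    vpn = pick_vpn_64(delegation, lan)
    print("IPv6 Tunnel Network:", vpn)
    # The same tunnel network after a (constructed) re-delegation: stale.
    print("still valid after new delegation:",
          tunnel_still_in_delegation(str(vpn), "2001:db8:3400::/56"))
```

The second function is the one to wire into whatever notices a prefix change (a cron job comparing the WAN delegation against the configured tunnel network, for example); until the field is updated, clients keep getting addresses out of a prefix the ISP no longer routes to you.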
                  luckman212 LAYER 8
                  last edited by Oct 17, 2018, 12:42 AM

                  Thanks for all the replies guys. Good to know I've done something right for a change.

                  P.S. @virgiliomi your signature makes me chuckle :)

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.