OpenVPN IPv6 Tunnel Network?



  • Excuse my newbness but can somebody clarify what I would need to put in here so I can pass all IPv6 internet traffic between my client and server? I've spent days searching help docs and the net but I can't seem to find any useful info.

    Here's a quick rundown of my setup...

    -pfSense version 2.4.4-RELEASE-p2.
    -IPv6 is supported by my ISP.
    -I've received an address via DHCP6 on my WAN and have my LAN set to "Track Interface" for the IPv6 Config Type.
    -The DHCPv6 server is disabled on the LAN and Router Advertisements is set to "Assisted".
    -Test-ipv6.com always gives me a 10/10 when running from any client behind my pfSense box, on my LAN.

    My use case for this VPN is for full protection of IPv4 AND IPv6 traffic while using public wifi as I travel a lot for work and I'm on airport and hotel wifi quite a bit.

    I currently serve an OpenVPN tun tunnel with multihome turned on (I CAN connect to my OVPN server via IPv4 or IPv6 from outside my home with no issue) that forces all IPv4 and IPv6 traffic through it, but I've never actually got the IPv6 part of it to work. I tried putting in the example IPv6 tunnel network (fe80::/64) into my OVPN server config and that doesn't seem to work. It should also be noted that I have already changed both of the auto-generated firewall rules from the OpenVPN wizard from IPv4 to IPv4+6 to allow me to connect via IPv6 with the multihome setup and to allow IPv6 traffic to work on the OpenVPN tunnel.

    All I'm trying to accomplish is for all IPv6 web traffic to be routed between my client and my server just like IPv4 already is.

    Can somebody school me? Please?! 😬


  • LAYER 8 Netgate

    You need to pick a /64 out of the prefix delegation from the ISP that is not used by a tracked interface and use that as the IPv6 tunnel network.

    Of course, you have to pass IPv6 traffic from the OpenVPN clients to the internet.

    This will not automatically change if the PD changes so in that case you will have to manually update it.



  • My LAN is showing "v6/t6: 2001:48f8:405d:f6:207:43ff:fe3d:f88/64" so I assume that's what my ISP is giving me? Is it even possible for me to divvy that up?


  • LAYER 8 Netgate

    You have to look at the prefix delegation you are getting.

    Interfaces will always be a /64.

    No you can't break it up.

    What values does it say are available in the LAN track interface configuration?

    IPv6 Prefix ID 1
    (hexadecimal from 0 to ff)



  • It's saying 0 of 0 and it's of course set to 0.


  • LAYER 8 Netgate

    Then you need more addresses. Sorry.

    This is why ISPs giving a single /64 instead of a /56 or /48 is woefully insufficient.



  • Bummer... OK. Well, thank you very much for the help. I really appreciate it.
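
The selection rule from the replies above (take a /64 from the delegated prefix that no tracked interface uses), as an added example that is not part of the original thread or of pfSense. The function names and the 2001:db8:ab00::/56 delegation are constructed for illustration; the /64 case uses the LAN prefix quoted in the thread and assumes it is the entire delegation, as the "0 of 0" Prefix ID range suggests.

```python
import ipaddress


def max_prefix_id(delegation):
    """Highest IPv6 Prefix ID a delegation allows (0xff for a /56, 0 for a /64)."""
    pd = ipaddress.IPv6Network(delegation, strict=True)
    if pd.prefixlen > 64:
        raise ValueError("a delegation longer than /64 cannot hold a /64 network")
    return (1 << (64 - pd.prefixlen)) - 1


def pick_tunnel_network(delegation, used_prefix_ids):
    """Return the first /64 in the delegation not claimed by a tracked interface.

    used_prefix_ids holds the IPv6 Prefix ID set on each tracked interface.
    Returns None when every /64 is taken, which is always the case for a
    single /64 delegation whose only subnet (ID 0) is on the LAN.
    """
    pd = ipaddress.IPv6Network(delegation, strict=True)
    top = max_prefix_id(delegation)
    used = set(used_prefix_ids)
    for pid in used:
        if not 0 <= pid <= top:
            raise ValueError(f"prefix ID {pid:#x} is outside 0..{top:#x}")
    base = int(pd.network_address)
    for pid in range(top + 1):
        if pid not in used:
            # The prefix ID occupies the bits between the delegation and bit 64.
            return ipaddress.IPv6Network((base + (pid << 64), 64))
    return None


if __name__ == "__main__":
    # Constructed /56 delegation with the LAN tracking prefix ID 0.
    print(pick_tunnel_network("2001:db8:ab00::/56", [0]))
    # LAN prefix from the thread, assumed to be the whole delegation.
    print(pick_tunnel_network("2001:48f8:405d:f6::/64", [0]))
```

As the thread notes, the tunnel network does not follow a changed delegation, so the check has to be rerun and the OpenVPN server updated whenever the ISP hands out a new prefix.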

