Tunnel and LAN IPv6 addresses for OpenVPN server
-
I was able to connect from Windows 10 using OpenVPN Connect and the IPv4 settings for tunnel and LAN, below. But my network is set up for IPv6 as well and I would like that functional over VPN. How do I configure the IPv6 subnets and LAN? pfSense shows a globally-routable address for my LAN, I'm not sure that is what I'm supposed to use. For the tunnel network, notes in the server configuration give an example of fe80::/64
-
Things like routing and tunnels work pretty much the same for IPv4 and IPv6. For example, you used a separate subnet for your IPv4 tunnel. You can do the same with IPv6, using a global address subnet, if you have one to spare or unique local, which is the IPv6 equivalent of RFC1918,
-
@JKnott I apologize for the late reply. I read your Unique Local Addresses post, and think I understand that I can create a ULA starting with FD as follows, where xxxx are random hex numbers.
FDxx:xxx:xxxx:0::
I don't understand if or why I should use a ULA address with FD prefix instead of a link-local prefix FE as shown in the OpenVPN example above. I'm not sure why a GUA subnet would be used in this case, or how to create it.
Edit: tried fd45::/64 in the IPv6 tunnel network field, the remote client connects and shows both IPv4 and IPv6 configured in OpenVPN server on pfSense as the tunnel network IP addresses
-
Actually, you can use anything, including no address. When routing, you need to know how to get to the next hop. On a point to point link, such as a VPN you can even use just the interface. There's also no reason you couldn't use a link local address. In fact, that's what I use with my ISP. I just thought using a routable address would be easier for some to understand. My VPN uses one of my global /64 prefixes as the other end is only my notebook computer and it would need a global address. For a tunnel between two sites, any method could be used.
-
@JKnott said in Tunnel and LAN IPv6 addresses for OpenVPN server:
My VPN uses one of my global /64 prefixes as the other end is only my notebook computer and it would need a global address. For a tunnel between two sites, any method could be used.
This makes sense, and is likely the most complete configuration. The client connected by VPN will have a complete set of network addresses including GUA IPv6 if I configure as a subnet of my ISP prefix delegation to pfSense and LAN.
Now I just need to figure out IPv6 subnet addressing and input the subnet to the IPv6 tunnel address. Of course, if this prefix delegation from my ISP changes addresses once a year or so, it will break the setup as this address will be hard-coded and not follow LAN prefix delegation from the ISP.
-
My prefix has been the same for almost 5 years. However, this is one reason I mentioned ULA. It won´t change, unless you change it.
There's not much to subnet. You just assign a /64 to each interface.
