Netgate Discussion Forum
    OpenVPN with ipv6 delegated prefix

    35 Posts 6 Posters 2.1k Views
    TheGushi

      Hey there folks. I have native comcast ipv6 at my home, with a /64 prefix delegation, and when I connect to my home openVPN setup, I find that I cannot reach the ipv6 internet. (Specifically, this breaks mosh sessions that were started with a v6 connection at home).

      For the moment, I've fixed this by using a "dummy" ipv6 subnet (fc01::/64), and telling pfsense to NAT that subnet outbound on the WAN address (similar to how ipv4 is handled).

      It looks like right now I'm being delegated a /64 -- is there a way to use a slice of that for openVPN, and have it automatically track and be added to the openVPN config on change? Or is NAT the most stable way forward?

      (I realize that if I'm asking for a new feature here, it would be one that's stunningly rarely used).

      JKnott @TheGushi

        @TheGushi

        I don't know about Comcast, but are they only providing a single /64? Or is that all you're asking for? On the WAN page, there's a setting DHCPv6 Prefix Delegation size where you specify how big of a prefix to request. I have 56 there, which gives me a /56 prefix, so I get 256 /64s.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        TheGushi @JKnott

          @JKnott The documentation I can find suggests that if I ask for a /60, they will provide it (I'm a residential customer), but my out of the box pfsense config requests a /64, and that's what I get, and I only have a single flat network.

          If I had multiple VLANs, there's an option to "track interface" to grab one of the possible prefixes for internal use on each VLAN. But the OpenVPN config doesn't have that option.

          [screenshot: OpenVPN server settings]

          I might consider asking for a /60, if there's a way to populate one of those prefixes into my OpenVPN config, automatically.

          Otherwise, the easier answer is to just keep NAT'ing my openvpn v6 traffic behind my WAN ip.

          JKnott @TheGushi

            @TheGushi said in OpenVPN with ipv6 delegated prefix:

            But the OpenVPN config doesn't have that option.

            You enable it on the WAN page and then you can use it for OpenVPN, as I do here. Since they offer a /60, take the entire prefix and you'll have networks for other things. For example, I have a guest WiFi here, which has its own IPv6 prefix. It's on a VLAN that the access point connects to the 2nd SSID.

            TheGushi @JKnott

              @JKnott

              Are you using ipv6 with openvpn with a unique subnet that is part of your delegated prefix? Are you able to share screenshots of your config, if so?

              I now am getting a /60, but the config in the openVPN looks the same:

              [screenshot: OpenVPN server settings, IPv6 tunnel network]

              What I am asking here is: is there a way, just like with the LAN config, to tell OpenVPN to just use one of the /64's in my /60, that's assigned to me.

              With the default "tun" mode, there's also no usage of your local DHCPv6 server. You don't configure OpenVPN the same way you configure other interfaces.

              JKnott

                @TheGushi said in OpenVPN with ipv6 delegated prefix:

                Are you using ipv6 with openvpn with a unique subnet that is part of your delegated prefix?

                In the OpenVPN server config, there's a box IPv6 Tunnel Network. You put the prefix, including /64 at the end in there. Here's mine (modified to protect the guilty): 2607:feb8:4c83:59ff::/64. The ff indicates I'm using the last of my 256 subnets. You can use whatever you want of your 16, provided it's not used elsewhere. There is also a Protocol box where you specify whether to run the VPN over IPv4, IPv6 or both. I have both selected. This way I can connect via either, depending on the network I'm on at the remote end.

                TheGushi @JKnott

                  @JKnott

                  I do not know what prefix my ISP will delegate to me. I do not want to have to know that prefix in order to put it in the config for the VPN boxes. Because if my pfsense box or cable modem reboot, there's every chance that that prefix won't be the same.

                  Normal interfaces can recover from this, by using the "track interface" feature. The openVPN configs cannot.

                  If I have multiple delegated prefixes (I now do), I'd like pfsense to automatically select one of my delegated /64 prefixes (i.e. LAN gets first one, OpenVPN gets second one), and populate it into the config for openvpn. If my delegation changes, I'd like it to update that on its own (restart openvpn and kick all clients if necessary).

                  Does what I'm asking to do now make sense?

                  I suppose if I wanted to make this a feature request, I'd ask for it to be that a magic string like $TRACK_DELEGATED_WAN_INDEX2 into that textbox would cause this behavior. (Either that or rework the setup so it's more like the interface configs).

                  I did say that I don't think it would be a feature that's used a lot -- but for situations like mine where I need to log in to my home machines, but also still have working ipv6, it's what's necessary. That, or NATting V6, which just feels wrong.

                  JKnott @TheGushi
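                  The arithmetic behind what both posts above describe (JKnott picking subnet ff of a /56 by hand, TheGushi wanting pfSense to pick a /64 out of the delegation automatically, the way "Track Interface" does for LAN) is short enough to show. The block below is an added example written for this page; it is not pfSense's own code nor the poster's patch. It assumes JKnott's delegation is 2607:feb8:4c83:5900::/56 (inferred from the /64 he posted, which he said he altered) and uses the 2001:db8::/32 documentation range for the /60 case. The `server-ipv6` directive is real OpenVPN syntax; that pfSense writes it from the "IPv6 Tunnel Network" field is an assumption here.

```python
import ipaddress

# Added example (not pfSense code): derive one /64 from a DHCPv6-PD delegation
# by prefix ID, the way pfSense's "Track Interface" mode does for LAN-side
# interfaces. A delegation of length P holds 2**(64-P) /64s and the "IPv6
# Prefix ID" (hex in the pfSense UI) selects one of them.

def prefix_id_count(delegated):
    """Number of /64s a delegation holds: 1 for a /64, 16 for a /60, 256 for a /56."""
    pd = ipaddress.IPv6Network(delegated, strict=True)
    if pd.prefixlen > 64:
        raise ValueError("delegation %s is smaller than a /64" % pd)
    return 1 << (64 - pd.prefixlen)

def tracked_subnet(delegated, prefix_id):
    """Return the /64 with the given prefix ID inside the delegated prefix.

    prefix_id may be an int or the hex string shown in the pfSense UI ("ff").
    Raises ValueError when the ID does not fit, which is exactly what a
    /64-only delegation (a single ID, 0) runs into if you ask for a second /64.
    """
    if isinstance(prefix_id, str):
        prefix_id = int(prefix_id, 16)
    pd = ipaddress.IPv6Network(delegated, strict=True)
    count = prefix_id_count(delegated)
    if not 0 <= prefix_id < count:
        raise ValueError("prefix ID %#x out of range: %s holds %d /64s (0..%#x)"
                         % (prefix_id, pd, count, count - 1))
    # The subnet ID occupies the bits just above the 64-bit interface identifier.
    net_int = int(pd.network_address) + (prefix_id << 64)
    return ipaddress.IPv6Network((net_int, 64))

def server_ipv6_directive(delegated, prefix_id):
    """OpenVPN 'server-ipv6' line for the tunnel, computed from the delegation
    instead of typed into the "IPv6 Tunnel Network" box (assumed mapping)."""
    return "server-ipv6 %s" % tracked_subnet(delegated, prefix_id)

def renumber_needed(current_tunnel, delegated, prefix_id):
    """True when the delegation changed so the running tunnel /64 no longer
    matches: the moment the poster wants OpenVPN restarted on the new subnet."""
    return ipaddress.IPv6Network(current_tunnel) != tracked_subnet(delegated, prefix_id)

if __name__ == "__main__":
    # Constructed sample inputs: JKnott's assumed /56 with ID ff, and a
    # hypothetical /60 from documentation space with ID 2.
    print(tracked_subnet("2607:feb8:4c83:5900::/56", "ff"))   # 2607:feb8:4c83:59ff::/64
    print(server_ipv6_directive("2001:db8:0:ff10::/60", 2))   # server-ipv6 2001:db8:0:ff12::/64
    print(renumber_needed("2001:db8:0:ff12::/64", "2001:db8:1:2340::/60", 2))  # True
```

                  The out-of-range check is the practical caveat: with the default /64 request on the WAN page there is only ID 0, which is already taken by LAN, so the first step for either poster is raising "DHCPv6 Prefix Delegation size" to 60 or 56 before any tracking scheme can hand OpenVPN its own /64.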

                    @TheGushi said in OpenVPN with ipv6 delegated prefix:

                    I do not know what prefix my ISP will delegate to me.

                    Hopefully, it won't change. I've had the same prefix for almost 7 years. However, you have to select System / Advanced / Networking, "Do not allow PD/Address release", to keep from getting different prefixes. But not all ISPs obey that.

                      Jung-Fernmelder

                      Dear Netgate-Forum,

                      I have a quite similar problem, but I get a /56-prefix from the ISP.
                      I'd like to advertise to the OpenVPN-Clients an own /64-subnet which allows them to use IPv6 as normal as the local clients do.
                      How can I configure this? Thank you for your advice.
                      Here is my current configuration:
                      [screenshot: OpenVPN server configuration]

                      Best regards

                      Jung-Fernmelder

                        Gertjan @Jung-Fernmelder

                        @Jung-Fernmelder

                        Your ISP has a bunch of /64 prefixes available for you.
                        "Pick one", and assign it here:

                        [screenshot: OpenVPN server settings, IPv6 Tunnel Network field]

                        You'll say: wait ... but my ISP can change these prefixes any time ... as already said above, and you're right.
                        Have a look at the official OpenVPN (server) manual; maybe there are special commands/settings to be used in the "Custom options" so that the OpenVPN server does something a bit like what a DHCPv6 LAN server does when you use "Tracking". Maybe there is a mechanism for that?
                        If you find nothing, that could mean that you should do what you already did: assign the fc432:... as the tunnel network, and then NAT (?) to a GUA from a prefix ??

                        For my own curiosity : why would you want to "advertise to the OpenVPN-Clients an own /64-subnet" knowing that you don't really own it (the ISP can pull the plug any time).
                        Do you want to 'expose' connected OpenVPN client to the Internet ?

                        No "help me" PM's please. Use the forum, the community will thank you.

                          Jung-Fernmelder

                          @Gertjan Thank you very much for your answer.
                          I'd like to advertise a /64 subnet with SLAAC router advertisements. If SLAAC router advertisements are not available, I'd have to use DHCPv6, but not every client supports DHCPv6, because it is a technology designed for servers in data centre environments; in SOHO use cases SLAAC is the way to go. It should track the PPPoE interface for its prefix (a /56 prefix is assigned by the ISP in this case, I guess, and pfSense assigns a /64 prefix to every interface) like the other interfaces for LAN, IoT, Wifi et cetera do.
                          Do you know the special commands needed in this usecase?

                          @Gertjan said in OpenVPN with ipv6 delegated prefix:

                          Do you want to 'expose' connected OpenVPN client to the Internet ?

                          Absolutely. The remote clients connected via OpenVPN should behave the same as local ones (except for their higher latency and lower speed). I need this for some VoIP stuff because some VoIP servers hosted by the ISP are available only through the network which is managed by this pfSense.

                            TheGushi

                            Hey there folks,

                            I've come up with a patch to do what I want to do. I've tested it and ip6.me now shows a separate prefix from my comcast-delegated segment, and the admin UI lets me configure this thusly:

                            [screenshot: patched OpenVPN server settings with a tracked IPv6 tunnel network]

                            Is there some way I can submit this patch to the Netgate folks?

                              Jung-Fernmelder @TheGushi

                              @TheGushi This looks awesome.
                              I'd suggest that you go to the subforum "General pfSense Questions" and ask whether committing to the pfSense project is possible for non-staff developers and, if yes, how to do so. Maybe pfSense is an open source project developed by Netgate staff exclusively. It's not really a community-driven project like OPNsense, I guess.
                              Maybe you want to release your patch at GitHub? Maybe you can request a merge there or create a pull request.

                                TheGushi @Jung-Fernmelder

                                @Jung-Fernmelder I've posted it over on the Redmine issue tracker, with the attached patch (which modifies three files), and the same screenshot I shared above.

                                I plan to re-test that it applies cleanly when I'm safely home and can upgrade to 26.03 as well.

                                https://redmine.pfsense.org/issues/16822

                                  Gertjan

                                  I said earlier in OpenVPN with ipv6 delegated prefix:

                                  Have a look at the official OpenVPN (server) manual; maybe there are special commands/settings to be used in the "Custom options" so that the OpenVPN server does something a bit like what a DHCPv6 LAN server does when you use "Tracking". Maybe there is a mechanism for that?

                                  as I wasn't aware of this :

                                  [screenshot: OpenVPN server settings with an "IPv6 Tunnel Type" selection]

                                  so the OpenVPN server can obtain an IPv6 prefix from 'upstream' ...
                                  I never tested this (wasn't even aware that it was possible) ...

                                    Jung-Fernmelder @TheGushi

                                    @TheGushi Thank you very much. Awesome that you fixed this issue.
                                    As I will have some free time, I'll test your patch on a virtualized pfSense 2.8.1 CE. Since it isn't an official patch in a release, it can be used in production pfSense instances after intensive testing with sufficient results.

                                      TheGushi @Gertjan

                                      @Gertjan Did you not read this whole thread?

                                      I was also asking for that feature. It was not available. If you go look in your pfsense machine, you won't find the things in the screenshot that I posted (they only exist on my pfsense plus box).

                                      I came up with a patch for pfSense that does what I need (and what you are asking for).

                                      Maybe the pfSense authors will accept it and put it in a future version.

                                      I also don't know why people question your desire to put "real" ipv6 addresses on your openvpn subnet. That's how ipv6 works, it's all assumed to be globally routable addresses.

                                        TheGushi @Jung-Fernmelder

                                        @Jung-Fernmelder

                                        The patch affects three files -- I would make backups of them and if for any reason the patch doesn't apply cleanly, don't try to use it, copy the files back into place. Here's what I did while testing to back them up:

                                        cp /etc/inc/openvpn.inc /etc/inc/openvpn.inc.orig
                                        cp /usr/local/www/vpn_openvpn_server.php /usr/local/www/vpn_openvpn_server.php.orig
                                        cp /etc/rc.newwanipv6 /etc/rc.newwanipv6.orig
                                        
                                          Gertjan @TheGushi

                                          @TheGushi said in OpenVPN with ipv6 delegated prefix:

                                          Did you not read this whole thread?

                                          I did, but sure enough, I wasn't actually reading what you were saying.
                                          This threw me off track:
                                          This is what I see right now on the OpenVPN server settings page:

                                          [screenshot: OpenVPN server settings page on pfSense Plus 26.03]

                                          Btw: I'm using pfSense Plus 26.03.

                                          For a reason yet to be determined, you don't have the "IPv6 Tunnel Type" selection pull-down?
                                          I could select 'Tracking' there, select the IPv6 interface to be tracked, and the prefix ID.

                                          In the past, I was asking the same question as you : why can't I assign my own GUA type IPv6 to my OpenVPN server clients ?
                                          Hardcoding a 2xxxxx......, using a /64 prefix from my ISP is a bad idea, as it can change any time.

                                          I wasn't aware that this had changed; dunno when ...

                                          Then there is my "ISP IPv6 issue": my ISP says it has a /56 for me. Great.
                                          Or, pfSense can obtain only one (1) /64 and that's it. This is a known ISP router-box bug. So only my LAN uses IPv6; I can't assign other prefixes to other local networks.
                                          I had to put the "can my OpenVPN server also do IPv6" question on a side track.
                                          This means also that I couldn't even test your patches 😠

                                          Btw: pfSense does accept pull requests.

                                          @TheGushi said in OpenVPN with ipv6 delegated prefix:

                                          I also don't know why people question your desire to put "real" ipv6 addresses on your openvpn subnet. That's how ipv6 works, it's all assumed to be globally routable addresses.

                                          That's my opinion also. I've GUAs available, so why not use them?
                                          There is something else I do know: I'm 'contaminated' with the IPv4 way of thinking, which means, for me, that how I should see and use IPv6 probably isn't correct. For some, I admit, stupid and unfounded reason, I don't like these fxxxxx IPv6 addresses. I prefer using DHCPv6 distributing GUAs out of a prefix etc.

                                            TheGushi @Gertjan

                                            @Gertjan I'm away from home right now. Hitting the upgrade button on a faraway router didn't feel wise :)

                                            I will see if pfsense plus 26 is any different, and if the patches still apply cleanly. If not, I'll rework them.

                                            Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.