OpenVPN with IPv6 WAN IP?

athurdent

Hi,
how would I make OpenVPN listen on the external IPv6 IP? My ISP is beginning to switch customers to DS-Lite, so it would be nice if OpenVPN would work when accessed via IPv6.
Many thanks for any hints!

jimp

There's no reason I know of that it can't do that, but it appears our GUI doesn't list the IPv6 IPs.

In the advanced options, try putting "local xx::x" (without quotes) where xx::x is your actual IPv6 "wan" address.

Also make sure you have a firewall to pass IPv6 tcp or udp to the correct port on there.

jimp

Actually I can't seem to get it to bind to IPv6 no matter what I do even manually. Might need some more research there, it may not work.

athurdent

I tried to alter the config manually on the console. IIRC the daemon would not start if I used

proto udp6

Which seems so be a necessary step to take according to this:
http://blog.cykerway.com/post/250

athurdent

@jimp:

Actually I can't seem to get it to bind to IPv6 no matter what I do even manually. Might need some more research there, it may not work.

Now it's listening, edited the config manually. I tried with TCP though and have yet to see if I can access it from the outside.
You need to set

proto tcp6-server

instead of

proto tcp-server

And you have to switch the local entry to your IPv6 IP as it was already mentioned.

jimp

ok, that should make it a bit easier to tinker with. I wish it could automatically switch between both. I imagine it could on the client side, since you can specify remotes with "remote <server><proto>" and maybe you can do "remote x.x.x.x udp" and "remote xx::x udp6", but that would need some testing. The server side looks like it will need a master switch of some sort to select between IPv4 and IPv6.</proto></server>

athurdent

I can connect to my server just fine now, had to adapt the client conf:

proto tcp6

and change the IP to

remote 2001:xxxx 9443

My test server listens on 9443.

jimp

can you try that with:

remote 2001:xxxx 9443 tcp6

All on one line?

athurdent

Works like a charm. I removed the```
proto tcp6

jimp

ok.

Here is another step forward…

https://github.com/bsdperimeter/pfsense/commit/6714bbdc6573489a25e2b93eeb9e94e2251475b6

athurdent

Great, many many thanks! Tried the new .inc file on my pfSense KVM. The generated server configuration looks good and works fine!