Netgate Discussion Forum

[SOLVED] Tunneling IPv6 over IPv4 with OpenVPN?

  • D
    dragoangel
    last edited by Aug 13, 2017, 2:25 PM

    Uhhh, really men? From Google Play of course (it costs money  ???)
    It's easy like a … 1+1=2
    Use Google or
    then add these lines to the server custom config:
    push "dhcp-option DNS6 myDNS1-IPv6";
    push "dhcp-option DNS6 myDNS2-IPv6";
    push "route-ipv6 ::/0";

    I hope you have IPv6 DNS... T__T

    Latest stable pfSense on 2x XG-7100 and 1x Intel Xeon Server, running multiWAN, he.net IPv6, pfBlockerNG-devel, HAProxy-devel, Syslog-ng, Zabbix-agent, OpenVPN, IPsec site-to-site, DNS-over-TLS...
    Unifi AP-AC-LR with EAP RADIUS, US-24

    • Y
      yon
      last edited by Aug 14, 2017, 1:02 AM

      IPv6 DNS had been pushed. The test-ipv6.com test still can't get my IPv6 address. IPv6 does not work.

      @DRago_Angel:

      Uhhh, really men? From Google Play of course (it costs money  ???)
      It's easy like a … 1+1=2
      Use Google or
      then add these lines to the server custom config:
      push "dhcp-option DNS6 myDNS1-IPv6";
      push "dhcp-option DNS6 myDNS2-IPv6";
      push "route-ipv6 ::/0";

      I hope you have IPv6 DNS... T__T

      If you are interested in free peering for clearnet and dn42,contact me !

      • J
        johnpoz LAYER 8 Global Moderator
        last edited by Aug 14, 2017, 9:42 AM

        And is your dnscrypt ipv6?  I know you're a huge fan of that.. yon

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • X
          xl
          last edited by Aug 14, 2017, 4:27 PM

          Try to use Google Public DNS: 8.8.8.8 / 8.8.4.4. It works for me with an IPv6 tunnel.

          • J
            johnpoz LAYER 8 Global Moderator
            last edited by Aug 14, 2017, 6:56 PM

            Huh.. how is 8.8.8.8 / 8.8.4.4 ipv6 dns ;)

            You mean their ipv6 addresses?
            The Google Public DNS IPv6 addresses are as follows:

            2001:4860:4860::8888
            2001:4860:4860::8844

            For devices that will not accept :: then use the full address

            2001:4860:4860:0:0:0:0:8888
            2001:4860:4860:0:0:0:0:8844

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            • X
              xl
              last edited by Aug 14, 2017, 8:15 PM

              I mean they can resolve IPv6:

              nslookup ipv6.google.com 8.8.8.8
              Server:  google-public-dns-a.google.com
              Address:  8.8.8.8
              
              Non-authoritative answer:
              Name:    ipv6.l.google.com
              Address:  2a00:1450:400c:c04::71
              Aliases:  ipv6.google.com
              

              I have no local IPv6, and my OpenVPN config is like this:

              server-ipv6 fd6c:62d9:eb8c::/112
              proto udp6
              tun-ipv6
              push tun-ipv6
              push "route-ipv6 2000::/3"
              push "redirect-gateway ipv6"
              push "dhcp-option DNS 8.8.8.8"
              push "dhcp-option DNS 8.8.4.4"
              

              And it passes all tests at http://test-ipv6.com

              • J
                johnpoz LAYER 8 Global Moderator
                last edited by Aug 14, 2017, 9:30 PM Aug 14, 2017, 8:58 PM

                Pretty lame setup to go through all the hassles of giving your client an IPv6 address, and then pointing it to dns via ipv4… Even if those forwarders can use ipv6..

                Why would you not just point them towards ipv6 dns?

                How exactly are you getting to your server from your phone to a ULA address?  And how would you then convert that ula even if your tunnel to the public internet global range?  And even if you wanted to use a ULA for your vpn tunnel connection.. why in the world would you be using a borked /112 ??

                Your example dns lookup is just looking up an AAAA record.. Yeah no shit anyone can lookup AAAA via ipv4... That is not the same thing at all..

                I doubt your config is working - show your test ipv6 page showing a ULA address like you show getting to your server via..  Also the OP is asking how to tunnel ipv6 over an ipv4 connection.  For the life of me why would you be using ULA at all??  Anywhere in your setup if you're trying to get your vpn client an IPv6 address that it can use to get to the internet.  Since you're routing ipv6 through the tunnel.

                I just added an ipv6 tunnel network from my HE /48 to an ipv4 setup I have.  Connected via my phone on ipv4 - and there you go using this IPv6 to get to the internet, etc...  Took all of 30 seconds to set up.. Remote even - all it took was adding the ipv6 tunnel network in my vpn config on pfsense, and adding some ipv6 dns..

                I then disconnected the vpn over IPv4 and just to show the network I am on here has no ipv6.. I ran the ipv6 test page again.. And no ipv6 connectivity - it was going thru my tunnel.

                ipv6tunoveripv4vpnconnect.png
                noipv6.PNG

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                • Y
                  yon
                  last edited by Aug 14, 2017, 11:02 PM

                  I think it's not because of the DNS server; it should be that IPv6 is not really working. The test site does not show me getting an IPv6 address.

                  Screenshot_20170815-065905.png

                  If you are interested in free peering for clearnet and dn42,contact me !

                  • Y
                    yon
                    last edited by Aug 14, 2017, 11:07 PM

                    @johnpoz:

                    And is your dnscrypt ipv6?  I know you're a huge fan of that.. yon

                    Yes, I am using a new DNS method for this. Pcap_DNSProxy is new software. It's a good tool; you can try it.

                    If you are interested in free peering for clearnet and dn42,contact me !

                    • Y
                      yon
                      last edited by Aug 14, 2017, 11:09 PM

                      Give me your config file and show your pfSense.  :D

                      @johnpoz:

                      Pretty lame setup to go through all the hassles of giving your client an IPv6 address, and then pointing it to dns via ipv4… Even if those forwarders can use ipv6..

                      Why would you not just point them towards ipv6 dns?

                      How exactly are you getting to your server from your phone to a ULA address?  And how would you then convert that ula even if your tunnel to the public internet global range?  And even if you wanted to use a ULA for your vpn tunnel connection.. why in the world would you be using a borked /112 ??

                      Your example dns lookup is just looking up an AAAA record.. Yeah no shit anyone can lookup AAAA via ipv4... That is not the same thing at all..

                      I doubt your config is working - show your test ipv6 page showing a ULA address like you show getting to your server via..  Also the OP is asking how to tunnel ipv6 over an ipv4 connection.  For the life of me why would you be using ULA at all??  Anywhere in your setup if you're trying to get your vpn client an IPv6 address that it can use to get to the internet.  Since you're routing ipv6 through the tunnel.

                      I just added an ipv6 tunnel network from my HE /48 to an ipv4 setup I have.  Connected via my phone on ipv4 - and there you go using this IPv6 to get to the internet, etc...  Took all of 30 seconds to set up.. Remote even - all it took was adding the ipv6 tunnel network in my vpn config on pfsense, and adding some ipv6 dns..

                      I then disconnected the vpn over IPv4 and just to show the network I am on here has no ipv6.. I ran the ipv6 test page again.. And no ipv6 connectivity - it was going thru my tunnel.

                      If you are interested in free peering for clearnet and dn42,contact me !

                      • X
                        xl
                        last edited by Aug 15, 2017, 8:15 AM Aug 15, 2017, 7:50 AM

                        johnpoz, why so much aggression :) It is really working. Yep, I NATed local IPv6, I have my reasons to do it. But the result is the same. (I don't need to give my phone a public IPv6, I just need IPv6 working).

                        scr-1.png

                        • Y
                          yon
                          last edited by Aug 15, 2017, 8:32 AM

                          openvpn log:

                          Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
                          GDG: SIOCGIFHWADDR(lo) failed

                          client config file (IP and certificates hidden)

                          persist-tun
                          persist-key
                          cipher AES-256-CBC
                          ncp-disable
                          auth SHA256
                          tls-client
                          client
                          remote 12.1.1.1 2254 tcp-client
                          lport 0
                          remote-cert-tls server
                          comp-lzo

                          <ca>
                          -----BEGIN CERTIFICATE-----
                          MIIGdDCCBFygAwIBAgIBADANBgkqhkiG9

                          -----END CERTIFICATE-----
                          </ca>
                          <cert>
                          -----BEGIN CERTIFICATE-----
                          MIIF2jCCA8KgAwIBAgIBATANBgkqhkiG9

                          -----END CERTIFICATE-----
                          </cert>
                          <key>
                          -----BEGIN PRIVATE KEY-----
                          MIIEvgIBADANBgkqhkiG9w0BAQEFAAS

                          -----END PRIVATE KEY-----
                          </key>
                          <tls-crypt>
                          #
                          # 2048 bit OpenVPN static key
                          #
                          -----BEGIN OpenVPN Static key V1-----
                          e915f97d913d93a88aa72b02d384aa9b

                          -----END OpenVPN Static key V1-----
                          </tls-crypt>

                          If you are interested in free peering for clearnet and dn42,contact me !
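
Added example, not part of any post in this thread: a small Python check for the points argued over above (a ULA tunnel network, a prefix other than /64, DNS pushed only as IPv4 addresses, a missing IPv6 default route, and the ignored tun-ipv6 option). The function name `audit`, the finding codes and the choice of which pushed routes count as "all IPv6 traffic" are assumptions of this example; the sample input is the server config quoted earlier in the thread.

```python
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")   # unique local addresses: not routed on the internet
DEFAULT_ROUTES = {"::/0", "2000::/3"}    # pushed prefixes treated here as "all IPv6 traffic"

# Server directives exactly as posted earlier in the thread.
POSTED = """\
server-ipv6 fd6c:62d9:eb8c::/112
proto udp6
tun-ipv6
push tun-ipv6
push "route-ipv6 2000::/3"
push "redirect-gateway ipv6"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
"""

def audit(config):
    """Return sorted finding codes (names are this example's own) for an OpenVPN server config."""
    findings, has_net, dns6, default6 = set(), False, False, False
    for raw in config.splitlines():
        # Drop comments, quotes and trailing ';' so pushed and local options parse alike.
        words = raw.split("#", 1)[0].replace('"', " ").replace(";", " ").split()
        if words[:1] == ["push"]:
            words = words[1:]
        if not words:
            continue
        opt, args = words[0], words[1:]
        if opt == "server-ipv6" and args:
            has_net = True
            net = ipaddress.ip_network(args[0], strict=False)
            if net.subnet_of(ULA):
                findings.add("ula-tunnel-network")   # clients need NAT to reach the internet
            if net.prefixlen != 64:
                findings.add("prefix-not-64")        # e.g. the /112 questioned in the thread
        elif opt == "tun-ipv6":
            findings.add("tun-ipv6-ignored")         # matches the log note quoted above
        elif (opt == "route-ipv6" and args[:1] and args[0] in DEFAULT_ROUTES) or \
             (opt == "redirect-gateway" and "ipv6" in args):
            default6 = True
        elif opt == "dhcp-option" and len(args) >= 2 and args[0] in ("DNS", "DNS6"):
            try:
                dns6 |= ipaddress.ip_address(args[1]).version == 6
            except ValueError:
                findings.add("dns-not-an-address")   # placeholder or hostname, not an IP
    if has_net and not dns6:
        findings.add("no-ipv6-dns-pushed")
    if has_net and not default6:
        findings.add("no-ipv6-default-route")
    return sorted(findings)
```

`audit(POSTED)` reports the ULA network, the /112 prefix, the ignored option and the IPv4-only DNS push; a config with a global /64 tunnel network, a pushed `route-ipv6 ::/0` and an IPv6 resolver returns an empty list.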

                          • J
                            johnpoz LAYER 8 Global Moderator
                            last edited by Aug 15, 2017, 10:28 AM Aug 15, 2017, 10:24 AM

                            "I NATed local IPv6"

                            So you have not /64 segments and natted - wow what a BORKED setup!

                            you don't need all that shit… You just need to add the ipv6 to your ipv4 tunnel..

                            tunipv6.png

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.8, 24.11

                            • Y
                              yon
                              last edited by Aug 16, 2017, 5:01 PM

                              @johnpoz:

                              "I NATed local IPv6"

                              So you have not /64 segments and natted - wow what a BORKED setup!

                              you don't need all that shit… You just need to add the ipv6 to your ipv4 tunnel..

                              Yes, I have done that, but it does not work for me.

                              If you are interested in free peering for clearnet and dn42,contact me !

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.