Netgate Discussion Forum

[SOLVED] Tunneling IPv6 over IPv4 with OpenVPN?

31 Posts 7 Posters 19.6k Views
    sebastiannielsen
    last edited by May 12, 2014, 11:15 PM May 11, 2014, 10:57 PM

    I don't know if this fits in the IPv6 forum or if it fits more in the OpenVPN forum…

    I currently have a nice working IPv6 setup with an HE tunnel.
    Now I want to "provision" out IPv6 addresses to OpenVPN clients on the OpenVPN dial-in server.

    This is my OpenVPN server config:

    I have also added the VPNSERVER interface that has an interface address of 2001:470:28:1c:2::1/112 and 192.168.2.1/24
    (I have 2001:470:28:1c::/64 from HE; I have then routed 2001:470:28:1c:1::1/80 to the internal LAN and 2001:470:28:1c:2::1/112 to the VPNServer interface, by setting those addresses on the interfaces)

    Firewall rules are added to allow VPN server traffic (IPv4+IPv6) to the internal DNS resolver and also out on the internet.

    Now I try to connect to this OpenVPN server, with Android, over an IPv4 network (does not support IPv6). However, logic says that OpenVPN shouldn't care about the transport, since the IPv6 packets should be encapsulated, then encrypted, and then should be able to be sent successfully over IPv4 (the IPv4 transport layer doesn't even know it's IPv6 it's transporting) to the OpenVPN server, which should unpack the packets and then send them off over the HE tunnel.

    I successfully get an IPv6 address on Android 4.4.2:

    But running IPv6 tests or attempting to access IPv6 hosts fails.
    What can the problem be?

      priller
      last edited by May 12, 2014, 1:35 PM May 12, 2014, 12:40 PM

      I would start by requesting a /48 from HE (or whatever they hand out these days) and use unique /64's for the LAN, OpenVPN Tunnel Network, etc.

      I get a /60 from Comcast. Using /64's on the LAN and OVPN network, IPv6-over-IPv4 works fine.

      I also found that I needed the following to get 6-over-4 to work reliably with all clients.

      push "redirect-gateway-ipv6 def1";
      push "route-ipv6 2000::/3";    <<<-----  Global Unicast Address
      
        sebastiannielsen
        last edited by May 12, 2014, 8:30 PM May 12, 2014, 8:15 PM

        Did not work.
        One thing I noticed is that it's possible to reach the tunnel endpoint (the OpenVPN tunnel endpoint located at 2001:470:28:1c:2::1).
        This is regardless of the settings priller submitted or not.

        However, I noticed the following in the route table:
        2001:470:28:1c:1::/80 link#6 U 0 4887 1500 em0_vlan1 
        2001:470:28:1c:1::1 link#6 UHS 0 0 16384 lo0 
        2001:470:28:1c:2::/80 link#9 U 0 777 1500 ovpns3 
        2001:470:28:1c:2::1 link#9 UHS 0 0 16384 lo0

        The link# numbers differ between them.

        Seems there is a routing error somewhere since the packets reach the firewall but end up somewhere else.
        Adding a manual gateway does not work either.
        But this is really strange with the routing…

          priller
          last edited by May 12, 2014, 8:27 PM

          @sebastiannielsen:

          However, I noticed the following in the route table:
          2001:470:28:1c:1::/80 link#6 U 0 4887 1500 em0_vlan1 
          2001:470:28:1c:1::1 link#6 UHS 0 0 16384 lo0 
          2001:470:28:1c:2::/80 link#9 U 0 777 1500 ovpns3 
          2001:470:28:1c:2::1 link#9 UHS 0 0 16384 lo0

          The link# numbers differ between them.

          Seems there is a routing error somewhere since the packets reach the firewall but end up somewhere else.
          Should try adding manual gateways in the firewall rules…
          But this is really strange with the routing...

          Ya, no doubt.

          Until you start using /64's I doubt very much that this will work.

            sebastiannielsen
            last edited by May 12, 2014, 8:36 PM May 12, 2014, 8:32 PM

            Why should I request a /48? I really don't need that many IP addresses for clients on the LAN or OpenVPN; it's not like OpenVPN clients will share a connection with others. There's plenty of space in those /80's, so I could even encode a whole IPv4 address into the IPv6 address if I wanted (for example 2001:470:28:1c:2:0:5f8f:c1a0 would correspond to my current public IP of 95.143.193.160), so in theory, I could offer an OpenVPN tunnel to everyone in the IPv4 space and still have IP addresses left.

            What is making /80's not work?

            I was given a routable /64 from HE.
            I divide this into a smaller /80 subnet for the LAN and one /80 subnet for the OpenVPN.
            (Tried that now).

            Currently, the LAN works perfectly under a /80.
            So why does OpenVPN not work?

              sebastiannielsen
              last edited by May 12, 2014, 11:18 PM May 12, 2014, 11:03 PM

              Solved it.
              The static IP on the tunnel interface (the interface assigned to gif0) should not be /128 as those instructions say: http://iserv.nl/files/pfsense/ipv6/
              This is incorrect.
              Mask should be /64.

              Also RADVD (but NOT DHCPv6) needed to be enabled on the OpenVPN virtual adapter interface. Seems RADVD is the thing "doing the magic".
              Configure it in "Router Only" mode, Medium priority, and then set an RA subnet of [interface address]/[subnet], in my case 2001:470:28:1c:2::1/80

              This solved everything.

              Now I have IPv6 both on LAN and OpenVPN.

                kejianshi
                last edited by Jul 23, 2014, 1:00 AM

                I understand everything here except one part…
                I am getting exactly the same behavior you were getting.
                I can access the pfSense web GUI via the IPv6 address through OpenVPN, same as yours... But no internet.

                I understand that I should add a "virtual adapter" for OpenVPN and set RADVD, but I feel like I must be adding that virtual adapter wrong.
                Can you send me some instructions and maybe a few screenshots on that part?

                Whenever I add an adapter and assign it, my OpenVPN quits working completely, so I must be doing that part wrong.

                  dragoangel
                  last edited by Feb 12, 2017, 3:57 PM Feb 12, 2017, 3:37 PM

                  @kejianshi:

                  I understand everything here except one part…
                  I am getting exactly the same behavior you were getting.
                  I can access the pfSense web GUI via the IPv6 address through OpenVPN, same as yours... But no internet.

                  I understand that I should add a "virtual adapter" for OpenVPN and set RADVD, but I feel like I must be adding that virtual adapter wrong.
                  Can you send me some instructions and maybe a few screenshots on that part?

                  Whenever I add an adapter and assign it, my OpenVPN quits working completely, so I must be doing that part wrong.

                  Same thing.
                  If I assign the OVPN interface, everything goes down. But I give fd65:a1a0:1c2e:aa01::/64 and fd65:a1a0:1c2e:aa02::/64 to 2 OVPNs.
                  I can ping6 my gateway and all of the LAN segment fd65:a1a0:1c2e::/48.
                  I have 2 WANs and 2 WAN-HE.nets, with NPt configured like:
                  Interface   External Prefix   Internal prefix
                  WAN01HE     2001:470:::/48    fd64:a1a0:1c2e::/48
                  WAN02HE     2001:470:::/48    fd64:a1a0:1c2e::/48

                  But something is wrong with the gateway. I have the modern VPN Client Pro for Android; it can add the redirect-gateway option and custom routes from the client side, but even adding routes like:
                  fd64:a1a0:1c2e::/48 via fd64:a1a0:1c2e::1
                  2000::/3 via fd64:a1a0:1c2e::1
                  does not help… Maybe you figured out how to fix it?

                  Latest stable pfSense on 2x XG-7100 and 1x Intel Xeon Server, running mutiWAN, he.net IPv6, pfBlockerNG-devel, HAProxy-devel, Syslog-ng, Zabbix-agent, OpenVPN, IPsec site-to-site, DNS-over-TLS...
                  Unifi AP-AC-LR with EAP RADIUS, US-24

                    yon
                    last edited by Aug 13, 2017, 1:51 AM

                    Could you tell me how to do it? I want my IPv4 Android mobile to get to IPv6 via OpenVPN.

                    @sebastiannielsen:

                    Solved it.
                    The static IP on the tunnel interface (the interface assigned to gif0) should not be /128 as those instructions say: http://iserv.nl/files/pfsense/ipv6/
                    This is incorrect.
                    Mask should be /64.

                    Also RADVD (but NOT DHCPv6) needed to be enabled on the OpenVPN virtual adapter interface. Seems RADVD is the thing "doing the magic".
                    Configure it in "Router Only" mode, Medium priority, and then set an RA subnet of [interface address]/[subnet], in my case 2001:470:28:1c:2::1/80

                    This solved everything.

                    Now I have IPv6 both on LAN and OpenVPN.

                    If you are interested in free peering for clearnet and dn42,contact me !

                      dragoangel
                      last edited by Aug 13, 2017, 9:10 AM

                      I fixed it long ago, but forgot to write to the forum.
                      I configured it like this (in my case I have 2 WANs):
                      1. Have 2 GIFs for the first and second WAN; they have tunnel subnet mask /64
                      2. Assign them in Interfaces without any configuration
                      3. Put a static IPv6 on the LAN interface with any mask you want; I use /64 and it has an IP from my first tunnel scope
                      4. (if you have 1 WAN you don't need it) In Firewall=>NAT=>NPt I created a rule that changes IPs from the first tunnel scope subnet to the second tunnel subnet on the interface with the second tunnel.
                      5. I enabled RA and DHCP6 only on the LAN interface
                      6. Because I have 2 WANs (4 WANs if you add 2 HE.nets) I configured the OpenVPN server on the localhost interface; this gives me the option to use a NAT\Firewall rule to open access to the port on the interface I need and not create many servers for every WAN.
                      7. In the OpenVPN Server I give for IPv6 Tunnel Network a /64 (you can use any mask you want) but this pool mustn't be used for any other LAN interfaces!
                      8. IPv6 Local network(s) must be your LAN interface address pool
                      9. In Advanced Configuration in Custom options I push:
                      push "dhcp-option DNS6 myDNS1-IPv6";
                      push "dhcp-option DNS6 myDNS2-IPv6";
                      10. I give clients the choice to use my VPN as access to the LAN or as a gateway; in Client Export I added:
                      auth-nocache;remote-random;remote wan2 1194 udp;#Uncomment to use VPN as IPv4 Gateway;#redirect-gateway def1;#Uncomment to use VPN as IPv6 Gateway;#route-ipv6 ::/0;

                      That's all. The client only needs to uncomment the 1 or 2 lines they want. If you want to push it to clients, it can be solved by enabling: Redirect Gateway - Force all client generated traffic through the tunnel.

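As an added example that is not from this thread or from pfSense, the following Python checks a plan like the ones discussed here (the earlier /80 carve-outs with RA on the tunnel, and the /64 layout in the post above) for the things that broke in this thread: a router-advertised tunnel prefix that is not a /64, a tunnel pool overlapping the LAN, no pushed route covering global IPv6, and no pushed IPv6 DNS. The sample plans are constructed from values in the thread; the LAN prefix in the dual-WAN plan and the assumption that the Redirect Gateway checkbox pushes an IPv6 default route are mine.

```python
import ipaddress
from dataclasses import dataclass

GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")


@dataclass
class Ipv6VpnPlan:
    lan_prefix: str                     # static IPv6 prefix on the LAN interface
    tunnel_prefix: str                  # OpenVPN "IPv6 Tunnel Network"
    custom_options: str = ""            # pfSense custom options, ';'-separated push lines
    radvd_on_tunnel: bool = False       # RA enabled on the assigned OpenVPN interface
    redirect_gateway_box: bool = False  # "Force all client generated traffic through the tunnel"


def parse_pushed(custom_options):
    """Return (routes, has_dns6) from pfSense-style 'push "..."' custom options."""
    routes, has_dns6 = [], False
    for raw in custom_options.split(";"):
        raw = raw.strip()
        if not raw.startswith('push "') or not raw.endswith('"'):
            continue                    # comments, client-only lines, stray notes
        args = raw[6:-1].split()        # the quoted option and its parameters
        if args[0] == "route-ipv6" and len(args) > 1:
            routes.append(ipaddress.ip_network(args[1], strict=False))
        elif args[0] == "redirect-gateway" and "ipv6" in args[1:]:
            routes.append(ipaddress.ip_network("::/0"))   # OpenVPN 2.4+ 'ipv6' flag
        elif args[0] == "dhcp-option" and len(args) > 2 and args[1] == "DNS6":
            has_dns6 = True
    return routes, has_dns6


def check_plan(plan):
    """Return a list of problem codes; an empty list means the plan looks sound."""
    problems = []
    lan = ipaddress.ip_network(plan.lan_prefix, strict=False)
    tun = ipaddress.ip_network(plan.tunnel_prefix, strict=False)
    # radvd advertises the prefix for SLAAC, which needs a 64-bit interface
    # identifier, so a /80 or /112 on the tunnel cannot work (RFC 4291, RFC 4862).
    if plan.radvd_on_tunnel and tun.prefixlen != 64:
        problems.append("ra-prefix-not-64")
    # Step 7 above: the tunnel pool must not be shared with any LAN interface.
    if lan.overlaps(tun):
        problems.append("lan-tunnel-overlap")
    routes, has_dns6 = parse_pushed(plan.custom_options)
    if plan.redirect_gateway_box:       # assumed to push an IPv6 default route too
        routes.append(ipaddress.ip_network("::/0"))
    # Clients only send global IPv6 into the tunnel if a pushed route covers 2000::/3.
    if not any(r.supernet_of(GLOBAL_UNICAST) for r in routes):
        problems.append("no-global-ipv6-route")
    if not has_dns6:                    # test-ipv6.com also needs IPv6-capable resolvers
        problems.append("no-dns6-pushed")
    return problems


# Constructed from the thread: the original /80 carve-outs with RA on the tunnel
# and only priller's 2000::/3 route pushed.
ORIGINAL_PLAN = Ipv6VpnPlan(
    lan_prefix="2001:470:28:1c:1::/80",
    tunnel_prefix="2001:470:28:1c:2::/80",
    custom_options='push "route-ipv6 2000::/3"',
    radvd_on_tunnel=True,
)
# Constructed from the /64 layout in the post above (the LAN prefix is a placeholder).
DUAL_WAN_PLAN = Ipv6VpnPlan(
    lan_prefix="fd64:a1a0:1c2e:1::/64",
    tunnel_prefix="fd65:a1a0:1c2e:aa01::/64",
    custom_options='push "dhcp-option DNS6 myDNS1-IPv6";push "dhcp-option DNS6 myDNS2-IPv6";'
                   'push "route-ipv6 ::/0"',
)
# Constructed mistake: reusing the LAN /64 as the tunnel network.
OVERLAP_PLAN = Ipv6VpnPlan("fd64:a1a0:1c2e:1::/64", "fd64:a1a0:1c2e:1::/64",
                           DUAL_WAN_PLAN.custom_options)

if __name__ == "__main__":
    for name, plan in [("original", ORIGINAL_PLAN), ("dual-wan", DUAL_WAN_PLAN)]:
        print(name, check_plan(plan) or "ok")
```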
                        yon
                        last edited by Aug 13, 2017, 9:47 AM

                        Thank you. My Android mobile can get an IPv6 address, but when I visit test-ipv6.com for a test it shows no IPv6. I don't know why.


                          johnpoz LAYER 8 Global Moderator
                          last edited by Aug 13, 2017, 9:58 AM

                          "in my case 2001:470:28:1c:2::1/80"

                          this is just plain broken!!

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                            dragoangel
                            last edited by Aug 13, 2017, 10:34 AM

                            @yon:

                            Thank you. My Android mobile can get an IPv6 address, but when I visit test-ipv6.com for a test it shows no IPv6. I don't know why.

                            Because you haven't routed all traffic to dev tun0?
                            Try using another OpenVPN client like https://play.google.com/store/apps/details?id=de.blinkt.openvpn or https://play.google.com/store/apps/details?id=it.colucciweb.free.openvpn.
                            I use the second one.
                            Here is how it looks:

                            [screenshot: it.colucciweb.vpnclient]
                            [screenshot: com.android.chrome]

                              yon
                              last edited by Aug 13, 2017, 1:32 PM

                              I have configured IPv6, but it still does not get an IPv6 route.

                              @DRago_Angel:

                              @yon:

                              Thank you. My Android mobile can get an IPv6 address, but when I visit test-ipv6.com for a test it shows no IPv6. I don't know why.

                              Because you haven't routed all traffic to dev tun0?
                              Try using another OpenVPN client like https://play.google.com/store/apps/details?id=de.blinkt.openvpn or https://play.google.com/store/apps/details?id=it.colucciweb.free.openvpn.
                              I use the second one.
                              Here is how it looks:

                              [screenshot: VPN - OpenVPN - Servers - Edit]

                                dragoangel
                                last edited by Aug 13, 2017, 1:55 PM Aug 13, 2017, 1:48 PM

                                That's what I've already said to you ;D. You already have the answer to your question in the post above T__T (Reply #9 on: Today at 04:10:22 am)
                                You have 2 choices:
                                1. Push the route from the OpenVPN server side.
                                (This is good if you want all clients to use your IPv6 by default.)
                                Under OpenVPN Server:
                                From server config, Redirect Gateway - Force all client generated traffic through the tunnel.

                                2. Use the client side config to add the route.
                                (This is good when somebody does not need your VPN as a gateway.)
                                From the client OVPN config (can be automated by the custom field in the client export plugin in pfSense):
                                #Uncomment to use VPN as IPv4 Gateway
                                #redirect-gateway def1
                                #Uncomment to use VPN as IPv6 Gateway
                                #route-ipv6 ::/0

                                Is it hard to read all the comments? :-X
                                In that mobile client you can edit the settings and add the route you want through the GUI:
                                Edit Button -> Routing -> IPv6 tab

                                [screenshot: it.colucciweb.vpnclient]

                                  yon
                                  last edited by Aug 13, 2017, 2:03 PM

                                  I added these, and get an IPv6 route, but I still can't get to the IPv6 internet.

                                  push "redirect-gateway ipv6";
                                  push "redirect-gateway def1 bypass-dhcp";
                                  push "route-ipv6 ::/0";
                                  push "route-ipv6 2000::/3"
                                  

                                  [screenshot: VPN - OpenVPN - Servers - Edit]

                                    yon
                                    last edited by Aug 13, 2017, 2:13 PM

                                    I have set up the server for this, but IPv6 still does not work normally. Where do I download your pro version?

                                    @DRago_Angel:

                                    That's what I've already said to you ;D. You already have the answer to your question in the post above T__T (Reply #9 on: Today at 04:10:22 am)
                                    You have 2 choices:
                                    1. Push the route from the OpenVPN server side.
                                    (This is good if you want all clients to use your IPv6 by default.)
                                    Under OpenVPN Server:
                                    From server config, Redirect Gateway - Force all client generated traffic through the tunnel.

                                    2. Use the client side config to add the route.
                                    (This is good when somebody does not need your VPN as a gateway.)
                                    From the client OVPN config (can be automated by the custom field in the client export plugin in pfSense):
                                    #Uncomment to use VPN as IPv4 Gateway
                                    #redirect-gateway def1
                                    #Uncomment to use VPN as IPv6 Gateway
                                    #route-ipv6 ::/0

                                    Is it hard to read all the comments? :-X
                                    In that mobile client you can edit the settings and add the route you want through the GUI:
                                    Edit Button -> Routing -> IPv6 tab

                                    [screenshot: VPN - OpenVPN - Servers - Edit (1)]

                                      dragoangel
                                      last edited by Aug 13, 2017, 2:25 PM

                                      Uhhh, really man? From Google Play of course (it costs money ???)
                                      It's easy, like … 1+1=2
                                      Use Google, or
                                      add these lines to the server custom config:
                                      push "dhcp-option DNS6 myDNS1-IPv6";
                                      push "dhcp-option DNS6 myDNS2-IPv6";
                                      push "route-ipv6 ::/0";

                                      I hope you have IPv6 DNS... T__T

                                        yon
                                        last edited by Aug 14, 2017, 1:02 AM

                                        IPv6 DNS has been pushed. The test-ipv6.com test still can't get my IPv6 address. IPv6 does not work.

                                        @DRago_Angel:

                                        Uhhh, really man? From Google Play of course (it costs money ???)
                                        It's easy, like … 1+1=2
                                        Use Google, or
                                        add these lines to the server custom config:
                                        push "dhcp-option DNS6 myDNS1-IPv6";
                                        push "dhcp-option DNS6 myDNS2-IPv6";
                                        push "route-ipv6 ::/0";

                                        I hope you have IPv6 DNS... T__T

                                          johnpoz LAYER 8 Global Moderator
                                          last edited by Aug 14, 2017, 9:42 AM

                                          And is your dnscrypt IPv6? I know you're a huge fan of that.. yon
