Getting IPv6 to work over OpenVPN

TomCruise

Current IPv4 situation:

Data center box as OpenVPN server.
pfSense box at home as OpenVPN client.

My home connection routes all internet traffic through the data center box. Works.

The data center box has a public IPv6 subnet and I would like to access the internet at home via IPv6 as well. My connection at home does not have IPv6 so I wonder where to start. I don't have IPv6 on my LAN yet.

divsys

The general concept is tunneling IPv6 through IPv4.

I would move this over to the IPv6 forum and ask there.

johnpoz

Do you have another /64 at the DC that you can use for the vpn tunnel?

This is as simple as on your openvpn setup putting in /64 to use for the tunnel, and then if you want to route all your ipv6 traffic thru the vpn connection

in the advanced section
push "route-ipv6 2000::/3"

Just set this up in other direction, don't have ipv6 at work but do at home..  Your other option if you want ipv6 at work is just setup a HE tunnel https://tunnelbroker.net/ you can get a single /64 from them or a /48 if you want to run multiple ipv6 networks at home or wherever.

jimp

It all depends on how much address space you have and what the nature of the client is. For what you describe, your server end would need to have a /48 or /56 and then you'd use:

• One /64 for the tunnel network on OpenVPN
• One or more /64 networks for use by your home pfSense firewall (LAN, other local interfaces)

gbotti

Hi.

After searching for a while this is one of the Ideas that would help me. I know this Post is quiet old but I didn't find a (better) different solution and won't open another post.

@johnpoz:

Do you have another /64 at the DC that you can use for the vpn tunnel?

This is as simple as on your openvpn setup putting in /64 to use for the tunnel, and then if you want to route all your ipv6 traffic thru the vpn connection

in the advanced section
push "route-ipv6 2000::/3"

Just set this up in other direction, don't have ipv6 at work but do at home..  Your other option if you want ipv6 at work is just setup a HE tunnel https://tunnelbroker.net/ you can get a single /64 from them or a /48 if you want to run multiple ipv6 networks at home or wherever.

I've got a pfSense in a Datacenter and in a Company LAN, both running 2.3.4_1. The Company-pfSense is behind another firewall system.

Unfortunately the Network Admin won't provide me with any IPv6. Anyway. I am running some kind of Island in this Network and I have to test IPv6 traffic with Android Apps.

I've configured an OpenVPN-Tunnel which is working great with forwarding all traffic on IPv4.

In the Datacenter I've got a /56 network and I want to use those IPs in any way.

Could you please provide some other details how to configure that or where I could find more information? I am no specialist to IPv6…

johnpoz

So if you have a /56 that gives you 256 /64s to work with…  So use one for your tunnel network and then how ever many more you need in each site..

JKnott

@johnpoz:

So if you have a /56 that gives you 256 /64s to work with…  So use one for your tunnel network and then how ever many more you need in each site..

There's an Advanced > Custom options on the Servers page and also Advanced > Additional configuration options on the Client export page.  Which are you referring to?  Does it matter which?

I'm in the same situation where IPv4 works fine through OpenVPN, but IPv6 doesn't.  Using Packet Capture, I can see IPv6 pings coming in on the OpenVPN Server interface, but no response.  I'm also using one of my 256 /64 prefixes for the VPN.

rudivd

Hi,

Got this very same issue. Moved a from working with v6 (ovpn) config from 2.2 (yeah, old !)
to 2.4.2, and reconfigured openvpn.

Before with the same settings in 2.2 I got everything (including openvpn v6) working now,
I got in the (same as you) situation where I see packets over v6 coming to the openvpn link,
but no reply from the (outside) net, while I set rules on the ovpn interface to allow both v4 and v6.
I have the tunnel interface net defined as a /64 from my providers /58.
V6 routing on non-openvpn interfaces works great !

Do I need a static route to the ovpn interface maybe ?! (not needed before)

It might be due to the fact that the prefixes in the /58 that I use in the client subnet have not
explicitly been requested by dhcpv6 or so ? where before this just worked..
(note, I only changed the version of pfsense, nothing else)

Related question, how do I tell the dhcpv6 client to request that specific prefix as well as the others
that are distributed through the wired interface (ipv6-follow)

Rudi