OpenVPN is a very popular open-source software application that implements virtual private networks (VPNs). It uses a custom security protocol that relies on SSL/TLS for key exchange. We very often configure only IPv4 for the VPN service. But if you have IPv6, why not enable it for the VPN?
First, let’s quickly see how we can install OpenVPN on an Ubuntu server; we will then enable IPv6.
A. Install OpenVPN
In this example, I am using an OpenVPN road warrior installer. Download the initial script and run the command:
$ wget https://git.io/vpn -O openvpn-install.sh
$ sudo bash openvpn-install.sh
You need to define the following:
a. External IP address on which you will run the service
b. Port number
c. DNS you want to use
This will create the necessary certificates and create the first client.
That’s it. Your OpenVPN server has been configured and is ready to use. You can see the added firewall rules in the /etc/rc.local file:
$ cat /etc/rc.local
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 203.0.113.10
Type the following command to start the OpenVPN service:
$ sudo /etc/init.d/openvpn start
The client certificate will be stored in the home directory.
fakrul-apnic.ovpn
To connect from Mac OS X, you can use Tunnelblick.
To add a new client, run the openvpn-install.sh script. Choose option 1 to add a new client and the certificate will be stored in the home folder.
B. Enable IPv6
Now let’s enable IPv6. For the configuration I am using IP 2001:db8:ee00:ee00::10/64 for the VPN server.
2001:db8:ee00:abcd::/64 has been routed to the OpenVPN server host. That means users connected via OpenVPN will get an address from 2001:db8:ee00:abcd::/64.
Step 1: Edit the OpenVPN configuration file and enable the IPv6 tunnel service:
vi /etc/openvpn/server.conf
Add the following:
server-ipv6 2001:0db8:ee00:abcd::/64
tun-ipv6
push tun-ipv6
ifconfig-ipv6 2001:0db8:ee00:abcd::1 2001:0db8:ee00:abcd::2
push "route-ipv6 2001:0db8:ee00:ee00::2/64"
push "route-ipv6 2000::/3"
Step 2: Enable IPv6 forwarding:
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
Step 3: Reload OpenVPN Service
sudo /etc/init.d/openvpn restart
Try to connect your OpenVPN client.
From the Tunnelblick log you can verify the IP addresses:
Test the IPv6 reachability by accessing http://test-ipv6.com/
Note:
1. To make IPv6 forwarding persistent, remember to uncomment the following line in /etc/sysctl.conf:
net.ipv6.conf.all.forwarding = 1
2. Make sure that you route 2001:db8:ee00:abcd::/64 to your OpenVPN Server. I have done this from my Cisco router:
ipv6 route 2001:db8:ee00:abcd::/64 2001:db8:ee00:ee00::10
So you now have native IPv6 and can access all IPv6-enabled services. For a roaming user, this gives better security.
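The addresses used throughout this walkthrough come from 2001:db8::/32, the range reserved for documentation (RFC 3849), so they must be replaced with a prefix that is actually routed to your server. The pre-flight check below is an added example, not part of the original post or of OpenVPN; the function name and the set of checks are assumptions chosen for illustration.

```python
import ipaddress
import shlex

DOC_PREFIX = ipaddress.ip_network("2001:db8::/32")  # documentation range (RFC 3849)
CHECKED = ("server-ipv6", "ifconfig-ipv6", "route-ipv6")

# The Step 1 directives exactly as printed in the tutorial.
SAMPLE_CONF = """\
server-ipv6 2001:0db8:ee00:abcd::/64
tun-ipv6
push tun-ipv6
ifconfig-ipv6 2001:0db8:ee00:abcd::1 2001:0db8:ee00:abcd::2
push "route-ipv6 2001:0db8:ee00:ee00::2/64"
push "route-ipv6 2000::/3"
"""

def check_ipv6_directives(conf_text):
    """Return (line_no, message) findings for the IPv6 directives in a server.conf."""
    findings, pool = [], None
    for no, raw in enumerate(conf_text.splitlines(), 1):
        # Curly quotes or en-dashes outside a comment usually come from copy-paste.
        if any(ch in raw.split("#")[0] for ch in "\u201c\u201d\u2013"):
            findings.append((no, "typographic quote or dash pasted from a web page"))
            continue
        try:
            words = shlex.split(raw, comments=True)
            if words[:1] == ["push"] and len(words) == 2:
                words = shlex.split(words[1])  # unwrap push "route-ipv6 ..."
        except ValueError:
            findings.append((no, "unbalanced quotes"))
            continue
        if not words or words[0] not in CHECKED:
            continue
        # ifconfig-ipv6 takes two addresses; for the others only the first is a prefix.
        for arg in words[1:3] if words[0] == "ifconfig-ipv6" else words[1:2]:
            try:
                iface = ipaddress.ip_interface(arg)
            except ValueError:
                findings.append((no, f"{words[0]}: cannot parse {arg!r}"))
                continue
            if iface.ip in DOC_PREFIX:
                findings.append((no, f"{arg} is in the documentation range {DOC_PREFIX}"))
            if words[0] == "server-ipv6":
                pool = iface.network  # later ifconfig-ipv6 lines are checked against this
            elif words[0] == "ifconfig-ipv6" and pool is not None and iface.ip not in pool:
                findings.append((no, f"{arg} is outside the server-ipv6 pool {pool}"))
    return findings

if __name__ == "__main__":
    for no, msg in check_ipv6_directives(SAMPLE_CONF):
        print(f"line {no}: {msg}")
```

Run against the tutorial's directives unchanged, it reports every 2001:db8 address; an empty result means the prefixes have been substituted and the tunnel endpoints sit inside the pool.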
Hello,
I did exactly as per the tutorial but I am getting this error in my log:
Wed Dec 13 21:48:03 2017 OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
Wed Dec 13 21:48:03 2017 OpenVPN ROUTE: failed to parse/resolve route for host/network: 2000::/3
Wed Dec 13 21:48:03 2017 OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
Wed Dec 13 21:48:03 2017 OpenVPN ROUTE: failed to parse/resolve route for host/network: 2001:0db8:ee00:ee00::2/64
I have set ipv6 manually for eth0 :- 2001:db8:ee00:ee00::10/64
for tun-local:- 2001:db8:ee00:abcd::/64 (TUN interface).
Can you please point out where the problem is?
One problem is that you are trying to use a block that’s not yours. Your address needs to be one you actually have. Not the author’s. Second, your error is saying there is no route out. Probably because you don’t have your addresses configured right. Contact your ISP to get the v6 blocks that you need. If you get a /56 you can net it out to use a xxxx:xxxx:xxxx:1::X for the server and xxxx:xxxx:xxxx:2::X for your users.
Hi,
Thank you for this good and simple tutorial.
On my side, I had to do an extra step to allow IPv6 OpenVPN traffic passing through my server: this comment helped me a lot https://www.digitalocean.com/community/questions/openvpn-ipv6-works-only-in-local-network?answer=20835
Best regards,
Chouffy
This is my IPv6, can you please help? I cannot understand.
2406:da1a:ab:2b01:db40:52ee:b35b:4a45/128
Can you please replace the values here:
server-ipv6 2001:0db8:ee00:abcd::/64
tun-ipv6
push tun-ipv6
ifconfig-ipv6 2001:0db8:ee00:abcd::1 2001:0db8:ee00:abcd::2
push "route-ipv6 2001:0db8:ee00:ee00::2/64"
push "route-ipv6 2000::/3"
total ipv6 noob here
thanks for all the help
Here is my openvpn static-key config, already tested on openwrt.
openvpn-server.ovpn
dev tun0-ipv6
port 1194
proto tcp-server
auth-nocache
cipher AES-256-CBC
ifconfig 10.8.0.1 10.8.0.2
ifconfig-ipv6 2001:db8:ee00:ee00::1/124 2001:db8:ee00:ee00::2
keepalive 10 120
persist-key
persist-tun
secret [inline]
……
openvpn-client.ovpn
dev tun-ipv6
remote remote.openvpn.server 1194
proto tcp-client
auth-nocache
cipher AES-256-CBC
ifconfig 10.8.0.2 10.8.0.1
ifconfig-ipv6 2001:db8:ee00:ee00::2/124 2001:db8:ee00:ee00::1
keepalive 10 120
persist-key
persist-tun
redirect-gateway ipv6 !ipv4
dhcp-option DNS 2001:4860:4860::8888
route 0.0.0.0 0.0.0.0 vpn_gateway 500 #Fix “Unidentified network” on Windows 10.
route-ipv6 64:ff9b::/96 #You can add this route, if nat64 gateway is set up on the server.
route-ipv6 2000::/3
verb 3
secret [inline]
……
ipv6 route 2001:db8:ee00:abcd::/64 2001:db8:ee00:ee00::10
How to enable IPv6 in my smart phone?