OpenVPN is very popular open-source software application that implements virtual private networks (VPN). It uses a custom security protocol that utilizes SSL/TLS for key exchange. We very often configure only IPv4 for the VPN service. But if you have IPv6, why not enable it for VPN?
First, let’s quickly see how can we install OpenVPN in an Ubuntu server; we will then enable IPv6.
1. Install OpenVPN
In this example, I am using an OpenVPN road warrior installer. Download the initial script and run the command:
$ wget https://git.io/vpn -O openvpn-install.sh
$ sudo bash openvpn-install.sh
You need to define the external IP address on which you will run the service:
a. External IP address on which you will run the service
b. Port No
c. DNS you want to use
This will create the necessary certificates and create the first client.
That’s it. Your OpenVPN server has been configured and is ready to use. You can see the added firewall rules /etc/rc.local file:
$ cat /etc/rc.local iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT iptables -I INPUT -p udp --dport 1194 -j ACCEPT iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 203.0.113.10
Type the following command to start the OpenVPN service:
$ sudo /etc/init.d/openvpn start
The client certificate will be stored in the home directory.
To connect from MacOSX, you can use TunnelBlick.
To add a new client, run the openvpn-install.sh script. Choose option 1 to add a new client and the certificate will be stored in the home folder.
B. Enable IPv6
Now let’s enable IPv6. For the configuration I am using IP 2001:db8:ee00:ee00::10/64 for the VPN server.
2001:db8:ee00:abcd::/64 has been routed to the OpenVPN server host. That mean users connected via OpenVPN will get an address from 2001:db8:ee00:abcd::/64
Step 1: We need to edit the OpenVPN configuration file and enable IPv6 tunnel service
Add the following:
server-ipv6 2001:0db8:ee00:abcd::/64 tun-ipv6 push tun-ipv6 ifconfig-ipv6 2001:0db8:ee00:abcd::1 2001:0db8:ee00:abcd::2 push "route-ipv6 2001:0db8:ee00:ee00::2/64" push "route-ipv6 2000::/3"
Step 2: Enable IPv6 forwarding:
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
Step 3: Reload OpenVPN Service
sudo /etc/init.d/openvpn restart
Try to connect your OpenVPN client.
Test the IPv6 reachability by accessing http://test-ipv6.com/
1. To make IPv6 forwarding persistent, remember to uncomment in /etc/sysctl.conf:
net.ipv6.conf.all.forwarding = 1
2. Make sure that you route 2001:db8:ee00:abcd::/64 to your OpenVPN Server. I have done this from my Cisco router:
ipv6 route 2001:db8:ee00:abcd::/64 2001:db8:ee00:ee00::10
So you now have native IPv6 and can access all IPv6-enabled services. As a roaming user, it will give you better security.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.