Using OpenVPN with IPv6

By on 9 Jun 2017

Category: Tech matters

Tags: , , , ,

Blog home

OpenVPN is very popular open-source software application that implements virtual private networks (VPN). It uses a custom security protocol that utilizes SSL/TLS for key exchange. We very often configure only IPv4 for the VPN service. But if you have IPv6, why not enable it for VPN?

First, let’s quickly see how can we install OpenVPN in an Ubuntu server; we will then enable IPv6.

1. Install OpenVPN

In this example, I am using an OpenVPN road warrior installer. Download the initial script and run the command:

$ wget -O

$ sudo bash

You need to define the external IP address on which you will run the service:

a. External IP address on which you will run the service
b. Port No
c. DNS you want to use

This will create the necessary certificates and create the first client.

That’s it. Your OpenVPN server has been configured and is ready to use. You can see the added firewall rules /etc/rc.local file:

$ cat /etc/rc.local
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -s -j ACCEPT
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s -j SNAT --to

Type the following command to start the OpenVPN service:

$ sudo /etc/init.d/openvpn start

The client certificate will be stored in the home directory.


To connect from MacOSX, you can use TunnelBlick.

To add a new client, run the script. Choose option 1 to add a new client and the certificate will be stored in the home folder.

B. Enable IPv6

Now let’s enable IPv6. For the configuration I am using IP 2001:db8:ee00:ee00::10/64 for the VPN server.

2001:db8:ee00:abcd::/64 has been routed to the OpenVPN server host. That mean users connected via OpenVPN will get an address from 2001:db8:ee00:abcd::/64

Step 1: We need to edit the OpenVPN configuration file and enable IPv6 tunnel service

vi /etc/openvpn/server.conf

Add the following:

server-ipv6 2001:0db8:ee00:abcd::/64
push tun-ipv6
ifconfig-ipv6 2001:0db8:ee00:abcd::1 2001:0db8:ee00:abcd::2
push "route-ipv6 2001:0db8:ee00:ee00::2/64"
push "route-ipv6 2000::/3"

Step 2: Enable IPv6 forwarding:

echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

Step 3: Reload OpenVPN Service

sudo /etc/init.d/openvpn restart

Try to connect your OpenVPN client.

From the Tunnelblick log you can verify the IP addresses:

Test the IPv6 reachability by accessing

1. To make IPv6 forwarding persistent, remember to uncomment in /etc/sysctl.conf:

net.ipv6.conf.all.forwarding = 1

2. Make sure that you route 2001:db8:ee00:abcd::/64 to your OpenVPN Server. I have done this from my Cisco router:

ipv6 route 2001:db8:ee00:abcd::/64 2001:db8:ee00:ee00::10

So you now have native IPv6 and can access all IPv6-enabled services. As a roaming user, it will give you better security.

Rate this article

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.

Leave a Reply

Your email address will not be published. Required fields are marked *

Please answer the math question * Time limit is exhausted. Please reload CAPTCHA.