Using OpenVPN with IPv6

By on 9 Jun 2017

Category: Tech matters

Tags: , , , ,

5 Comments

Blog home

OpenVPN is very popular open-source software application that implements virtual private networks (VPN). It uses a custom security protocol that utilizes SSL/TLS for key exchange. We very often configure only IPv4 for the VPN service. But if you have IPv6, why not enable it for VPN?

First, let’s quickly see how can we install OpenVPN in an Ubuntu server; we will then enable IPv6.

1. Install OpenVPN

In this example, I am using an OpenVPN road warrior installer. Download the initial script and run the command:

$ wget https://git.io/vpn -O openvpn-install.sh

$ sudo bash openvpn-install.sh

You need to define the external IP address on which you will run the service:

a. External IP address on which you will run the service
b. Port No
c. DNS you want to use

This will create the necessary certificates and create the first client.

That’s it. Your OpenVPN server has been configured and is ready to use. You can see the added firewall rules /etc/rc.local file:

$ cat /etc/rc.local
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 203.0.113.10

Type the following command to start the OpenVPN service:

$ sudo /etc/init.d/openvpn start

The client certificate will be stored in the home directory.

fakrul-apnic.ovpn

To connect from MacOSX, you can use TunnelBlick.

To add a new client, run the openvpn-install.sh script. Choose option 1 to add a new client and the certificate will be stored in the home folder.

B. Enable IPv6

Now let’s enable IPv6. For the configuration I am using IP 2001:db8:ee00:ee00::10/64 for the VPN server.

2001:db8:ee00:abcd::/64 has been routed to the OpenVPN server host. That mean users connected via OpenVPN will get an address from 2001:db8:ee00:abcd::/64

Step 1: We need to edit the OpenVPN configuration file and enable IPv6 tunnel service

vi /etc/openvpn/server.conf

Add the following:

server-ipv6 2001:0db8:ee00:abcd::/64
tun-ipv6
push tun-ipv6
ifconfig-ipv6 2001:0db8:ee00:abcd::1 2001:0db8:ee00:abcd::2
push "route-ipv6 2001:0db8:ee00:ee00::2/64"
push "route-ipv6 2000::/3"

Step 2: Enable IPv6 forwarding:

echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

Step 3: Reload OpenVPN Service

sudo /etc/init.d/openvpn restart

Try to connect your OpenVPN client.

From the Tunnelblick log you can verify the IP addresses:

Test the IPv6 reachability by accessing http://test-ipv6.com/

Note:
1. To make IPv6 forwarding persistent, remember to uncomment in /etc/sysctl.conf:

net.ipv6.conf.all.forwarding = 1

2. Make sure that you route 2001:db8:ee00:abcd::/64 to your OpenVPN Server. I have done this from my Cisco router:

ipv6 route 2001:db8:ee00:abcd::/64 2001:db8:ee00:ee00::10

So you now have native IPv6 and can access all IPv6-enabled services. As a roaming user, it will give you better security.

Rate this article

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.

5 Comments

  1. deepanshu

    hello ,
    I did exactly as per the tutotial but i am getting this error in my log :-

    Wed Dec 13 21:48:03 2017 OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a –route-ipv6 option and no default was specified by either –route-ipv6-gateway or –ifconfig-ipv6 options
    Wed Dec 13 21:48:03 2017 OpenVPN ROUTE: failed to parse/resolve route for host/network: 2000::/3
    Wed Dec 13 21:48:03 2017 OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a –route-ipv6 option and no default was specified by either –route-ipv6-gateway or –ifconfig-ipv6 options
    Wed Dec 13 21:48:03 2017 OpenVPN ROUTE: failed to parse/resolve route for host/network: 2001:0db8:ee00:ee00::2/64

    I have set ipv6 manually for eth0 :- 2001:db8:ee00:ee00::10/64

    for tun-local:- 2001:db8:ee00:abcd::/64 (TUN interface).
    Can you please point out where is the problem ?

    Reply
  2. Logan

    One problem is that you are trying to use a block that’s not yours. Your address needs to be one you acutally have. Not the authors. Second, your error is saying there is no route out. Probably because you don’t have your addresses configured right. Contact your ISP to get the v6 blocks that you need. If you get a /56 you can net it out to use a xxxx:xxxx:xxxx:1::X for the server and xxxx:xxxx:xxxx:2::X for your users.

    Reply
  3. alam

    this is my ipv6 can you please help, i cannot understand

    2406:da1a:ab:2b01:db40:52ee:b35b:4a45/128

    can you please replace the values here

    server-ipv6 2001:0db8:ee00:abcd::/64
    tun-ipv6
    push tun-ipv6
    ifconfig-ipv6 2001:0db8:ee00:abcd::1 2001:0db8:ee00:abcd::2
    push “route-ipv6 2001:0db8:ee00:ee00::2/64”
    push “route-ipv6 2000::/3”

    total ipv6 noob here

    thanks for all the help

    Reply
  4. zerocustom

    Here is my openvpn static-key config, already tested on openwrt.

    openvpn-server.ovpn

    dev tun0-ipv6
    port 1194
    proto tcp-server
    auth-nocache
    cipher AES-256-CBC
    ifconfig 10.8.0.1 10.8.0.2
    ifconfig-ipv6 2001:db8:ee00:ee00::1/124 2001:db8:ee00:ee00::2
    keepalive 10 120
    persist-key
    persist-tun
    secret [inline]

    ……

    openvpn-client.ovpn

    dev tun-ipv6
    remote remote.openvpn.server 1194
    proto tcp-client
    auth-nocache
    cipher AES-256-CBC
    ifconfig 10.8.0.2 10.8.0.1
    ifconfig-ipv6 2001:db8:ee00:ee00::2/124 2001:db8:ee00:ee00::1
    keepalive 10 120
    persist-key
    persist-tun
    redirect-gateway ipv6 !ipv4
    dhcp-option DNS 2001:4860:4860::8888
    route 0.0.0.0 0.0.0.0 vpn_gateway 500 #Fix “Unidentified network” on Windows 10.
    route-ipv6 64:ff9b::/96 #You can add this route, if nat64 gateway is set up on the server.
    route-ipv6 2000::/3
    verb 3
    secret [inline]

    ……

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Please answer the math question * Time limit is exhausted. Please reload CAPTCHA.

Top