Openvpn – How to correctly configure IPv6 with OpenVPN


Trying to find the OpenVPN configuration which suits my needs, I made this script to help myself during the installation on a CentOS system.
My server config file actually looks like this:

port 1194
proto udp
dev tun
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 2a04:52c0:101:xxx::1"
push "redirect-gateway def1 bypass-dhcp"
crl-verify crl.pem
ca ca.crt
cert server.crt
key server.key
tls-auth tls-auth.key 0
dh dh4096.pem
auth SHA256
cipher AES-256-CBC
tls-server
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
status openvpn.log
verb 4

It actually works perfectly, but as I rented a server at liteserver.nl and they gave me a /64 subnet, I was trying to configure the OpenVPN server to give one IPv6 address to each client, so they can access the internet with a dedicated IP. So I followed the instructions on this page to set up IPv6 for internal usage.
That page contains instructions for a server with a public IPv6 address, which is 2001:db8:0:abc::100/64, and a routed IPv6 subnet (which I think is probably what liteserver.nl gave me), which is 2001:db8:0:123::/64.
Paying no attention to the difference between the sample addresses, I configured my server with a public IPv6 address (2a04:52c0:101:xxx::100/64) and gave the OpenVPN clients the whole subnet they gave me (2a04:52c0:101:xxx::/64). Here's how my server.conf actually looks now:

port 1194
proto udp
dev tun
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 2a04:52c0:101:xxx::1"
push "redirect-gateway def1 bypass-dhcp"
crl-verify crl.pem
ca ca.crt
cert server.crt
key server.key
tls-auth tls-auth.key 0
dh dh4096.pem
auth SHA256
cipher AES-256-CBC
tls-server
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
status openvpn.log
verb 4
server-ipv6 2a04:52c0:101:xxx::/64
tun-ipv6
push tun-ipv6
ifconfig-ipv6 2a04:52c0:101:xxx::1 2a04:52c0:101:xxx::2
push "route-ipv6 2a04:52c0:101:xxx::/64"
push "route-ipv6 2000::/3"

So, while IPv4 connectivity works and IPv6 addresses are assigned correctly, I cannot access the internet using IPv6 (according to test-ipv6.com). I'm asking myself if I need two /64 subnets (one for the private OpenVPN network and one for the VPN server itself, i.e. for outgoing connections) to configure this correctly, or if I missed something. Anyway, what I'd like to get is a VPN server with private IPv4 and IPv6 connectivity and with a public IPv4 and one or more IPv6 address(es). Please tell me if that's possible and how to do that.
I'm really hoping that someone could help me.

Thanks in advance.

Best Answer

I think you need to proxy NDP requests to your public IPv6 addresses. I haven't tested this personally, but this is the theory:

Your ISP will send traffic for your whole IPv6 network (2a04:52c0:101:xxx::/64) to your server. This means that, when someone on the Internet tries to connect to an IP address inside that network, the traffic will be sent to your server, expecting it knows how to handle it.

Your server has an address in that network (2a04:52c0:101:xxx::100). When it receives traffic to another address, it ignores it, because it's not an address that it can identify with. So, the traffic that goes to the devices that get an IP address from that network assigned by OpenVPN stops dead on your server.

To make your server realize that it has to get that traffic and send it "down" through OpenVPN, you have two options: use a different IPv6 network for your OpenVPN clients (so traditional routing works) or proxy the traffic to your current network. The first is the best option, but your ISP may not assign you more than one /64; the latter is NDP proxying, akin to ARP proxying in IPv4.

Using NDP proxying, your server will get the traffic for addresses not its own and resend it to the clients with that same IP address connected through OpenVPN. You will have to do this for every IP address in your network that belongs to an OpenVPN client.

There are other answers in the StackExchange network that cover this in detail:

Please check those answers for a more thorough explanation.
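The NDP proxying the answer describes, "for every IP address in your network that belongs to an OpenVPN client", as an added example that is not part of the question or the answer: an OpenVPN learn-address hook that installs a proxy neighbour entry on the public interface when a client is given an IPv6 address and removes it when the client leaves. Everything below is an assumption not stated on the page: OpenVPN 2.4 or newer (which calls learn-address for IPv6 addresses as well as IPv4), Linux with iproute2, a public interface named eth0, the script's own EXT_IF and IP_CMD variables, and the documentation prefix 2001:db8:0:123::/64 quoted in the question standing in for the real /64.

```shell
#!/bin/sh
# Added example, not from the question or the answer: an OpenVPN
# learn-address hook that installs (and later removes) an NDP proxy entry on
# the public interface for each IPv6 address OpenVPN hands to a client.  With
# net.ipv6.conf.<iface>.proxy_ndp=1 the kernel answers the upstream router's
# neighbour solicitation for that address and forwards the packets to tun0.
#
# Assumptions (not stated on the page): OpenVPN 2.4 or newer, which invokes
# learn-address for IPv6 addresses as well as IPv4; Linux with iproute2; the
# public interface is EXT_IF (default eth0).  Addresses use the documentation
# prefix 2001:db8:0:123::/64 quoted in the question, not the real /64.
#
# server.conf lines that wire it in (the hook runs after OpenVPN has dropped
# to user nobody, so `ip` needs CAP_NET_ADMIN: set IP_CMD="sudo -n ip" with a
# matching sudoers rule, or run the hook through another privilege helper):
#   script-security 2
#   learn-address /etc/openvpn/ndp-proxy.sh

EXT_IF="${EXT_IF:-eth0}"
IP_CMD="${IP_CMD:-ip}"

# is_ipv6 ADDR: succeeds only for a bare IPv6 host address.  learn-address is
# also called with the client's IPv4 address and with iroute-ipv6 prefixes
# (ADDR/bits); neither gets a proxy entry, since a routed prefix needs a route.
is_ipv6() {
    case "$1" in
        */*) return 1 ;;
        *:*) return 0 ;;
        *)   return 1 ;;
    esac
}

# ndp_action OP: map the learn-address operation to the ip-neigh verb.
# "update" (address moved to another client) is handled with replace, which
# is idempotent, so a stale entry left by a crashed session cannot break it.
ndp_action() {
    case "$1" in
        add|update) echo replace ;;
        delete)     echo del ;;
        *)          return 1 ;;
    esac
}

# sysctl_cmds IFACE: the kernel settings the proxy depends on; printed so
# they can be reviewed and then applied once at boot, not per client.
sysctl_cmds() {
    echo "sysctl -w net.ipv6.conf.all.forwarding=1"
    echo "sysctl -w net.ipv6.conf.$1.proxy_ndp=1"
}

# run_hook OP ADDR CN: what OpenVPN actually calls.  The address is passed
# to ip(8) as a separate argument, never interpolated into a shell string.
run_hook() {
    op="$1"; addr="$2"; cn="${3:-unknown}"
    is_ipv6 "$addr" || return 0
    action="$(ndp_action "$op")" || return 1
    logger -t ndp-proxy "$op proxy $addr dev $EXT_IF (client $cn)" 2>/dev/null || :
    # IP_CMD is deliberately unquoted so "sudo -n ip" splits into words.
    $IP_CMD -6 neigh "$action" proxy "$addr" dev "$EXT_IF"
}

# Only act when invoked with arguments (i.e. by OpenVPN); sourcing the file
# for its functions does nothing.
if [ "$#" -ge 2 ]; then
    run_hook "$@"
fi
```

The proxy entry only makes the server answer for the address; the server's own routing still has to deliver packets for that address to tun0 rather than back out of eth0, which is easier to guarantee when the clients get a prefix of their own, as the answer's first option suggests.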