OpenVPN – Route IPv6 traffic through IPv4 tunnel

Tags: ipv4, ipv6, nat, openvpn

My current situation is that I want to use IPv6 but currently don't have any IPv6 address assigned. But I have a server with a dual-stack interface including a public IPv4 and IPv6 address (only a /128 subnet). So I thought: hey, wouldn't it be nice to make use of the server's IPv6 capability?

For the first time I set up an OpenVPN server which routes all my IPv4 traffic through an IPv4 tunnel. That worked well. After that I googled a lot and tried to find a solution for my need to route all IPv6 traffic through this tunnel. I found a lot of tutorials showing how to assign a new IPv6 address from your own subnet to each user connecting to the OpenVPN server. But unfortunately I only have one IPv6 address: the one for my server, which is not in my LAN (because they are a precious thing for the hoster of my server, you know…). Afterwards I tried to apply NAT for my only IPv6 address analogously to my IPv4 address, but failed with that…

server.conf:

port 1194
proto tcp

dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem

server 10.8.0.0 255.255.255.0
server-ipv6 fe80::/64

ifconfig-pool-persist ipp.txt

push "route 192.168.0.0 255.255.255.0"
push "route-ipv6 2000::/3"

push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway ipv6"

push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

keepalive 10 120

tls-auth ta.key 0
key-direction 0

cipher AES-128-CBC   # AES
auth SHA256

comp-lzo

user openvpn
group openvpn

persist-key
persist-tun

status openvpn-status.log

verb 3

iptables:

iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o ens3 -j MASQUERADE
ip6tables -t nat -A POSTROUTING -s fe80::/64 -o ens3 -j MASQUERADE

Best Answer

IPv6 addresses are not precious, although hosting services are unlikely to want to become tunnel brokers. IPv6 should not require NAT although there are experimental implementations.

The major advantage of IPv6 over IPv4 is that NAT is not required. If you are trying to get IPv6 on your LAN, configure your LAN for IPv6. The disadvantage is you need to firewall appropriately, as you no longer have NAT protecting your network.

You could use 6to4 to create an address based on your LAN's external IP. This will give you a /64 block for your LAN. You could then route this over your VPN to provide IPv6 access to your server. This would not be globally routable, as external hosts will route to your LAN. (You could try the same on your server.) I documented my experience in Implementing IPv6 6to4 on OpenWRT, which is mostly applicable to other Linux-based servers (the configuration is different).

However, I would recommend using a tunnel broker. They will provide at least one /64 block, and will provide additional blocks on request. Skip using a VPN for IPv6 and use firewalls to limit/permit access appropriately. I switched to a tunnel broker and documented the additional setup in Implementing IPv6 Part 2.