
OpenVPN with ipv4 and a native IPv6 at once?

Started by WhitcombeRD, February 18, 2011, 08:28:05 PM


WhitcombeRD

My VPS host has a native IPv6 address range and it works nicely: full access out via it, all the servers on the site receiving incoming connections, and so on.

Currently I run OpenVPN on there to provide full internet access (IPv4) to my laptop and other clients connecting from elsewhere.  This bit works perfectly.

What I'd like to do now, if possible, is use that same OpenVPN to provide v6 routing as well as normal v4 to clients (as no ISP I'm involved with gives native IPv6, especially abroad!).

I'm using the Debian package and it's v2.1.rc11, which apparently supports a "tun-ipv6" device.

The client PCs are windows based.

How do I go about setting this up?  I've tried the "tun-ipv6" option in the server config; this creates a "tun-ipv6" device but it still only forwards v4.  The client PC has no routing on 6 at all, so it seems to do nothing.

Some config info if it helps:
(i) running in TUN mode, but I can reconfigure to TAP if it'll help.  I tried earlier and nothing happened.

(ii) Device created by OpenVPN server:
tun-ipv6  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:172.16.1.1  P-t-P:172.16.1.2  Mask:255.255.255.255
No mention of an IPv6 address here.

(iii) Client PC IPv4 = 172.16.1.6.

(iv) The native IPv6 is running on device eth0.


Do I need to manually set up routes or something?  (On IPv4 OpenVPN there is no config outside the server config file; the daemon sets them all up, and the client side is done by the VPN software as well.)
I'm stumped, as I didn't need to do much at all to get ipv6 working through it.


jimb

#1
I'm actually trying to get the same thing working, with TUN also.  TAP might be easier though, since it just acts as an Ethernet interface which can carry IPv6.

Anyway, I can't find much in the way of docs on IPv6 as a payload other than the tun-ipv6 option.  For instance, I have no idea how to have the server dole out an IPv6 address.  The "server" command you use with IPv4 doesn't seem to accept IPv6 addresses.

I also tried to simply place an IPv6 address on the same /64 on both ends, but it wouldn't ping.  I thought it was doing it at first, but turned out it was going through 6to4 ( lol ).

EDIT: I found this, and I think Gert is on this forum too:  http://www.greenie.net/ipv6/openvpn.html

I was actually hoping that IPv6 support would be present in the OpenVPN 2.2 beta, but apparently it isn't?

jimb

OK.  I got this working with Gert's branch of the code.  It wasn't easy though.

Gert's code (http://www.greenie.net/ipv6/openvpn.html) provides a few new config items, including the "server" workalike for IPv6 called "server-ipv6".  It allows one to set up an IPv6 range to hand to VPN clients (that's the primary use I have for OpenVPN, as a VPN remote-access service).  I believe the newest versions have IPv6 support built in for a site-to-site manually configured tunnel, but not for VPN clients.  Gert's page has more info on that.

Anyway, I tried to apply Gert's IPv6 payload patch, but none of the versions I could download would take the patch, and I couldn't find the 2.1.1b version which Gert used anywhere to download.  So I wound up using git to grab the modified branch like so:

git clone -b gert-ipv6 git://git.birkenwald.de/openvpn.git

This doesn't have a configure script, so I had to create one from the source configure.ac file using autoconf, etc.  It was also missing an install-sh script, so I grabbed that out of the archive for openvpn-2.1.3 and put it into the dir.

I wound up having to do a few extra things to get a working ./configure script:

autoupdate
autoconf
automake --add-missing


Once I was done with that, I was able to run configure:
./configure --enable-iproute2   (do a ./configure --help to see if you might want to add or remove other features)
make
make install


This was on a gentoo system.  (You might find binaries or something for whatever you're running.)

I didn't feel like setting up support scripts, etc., for it, so I just mv'ed my existing openvpn executable to openvpn.orig, then symlinked to the new executable which was placed in /usr/local/sbin.  This allowed me to use the Gentoo init scripts and such to bring it up, shut it down, etc.

I added these lines to the server configuration to have it configure IPv6 addresses on my VPN client:

server-ipv6 2001:db8:1234:1::/64
push "route-ipv6 2001:db8:1234::/64"
push "route-ipv6 2000::/3"


The first line defines the IPv6 subnet (carved out of my /48) which will be passed out to the clients (2001:db8:1234:1::/64).  The second pushes a route for my LAN IPv6 to the client (sort of redundant really, but I wanted it there in case I want to omit the third line in certain situations), and the third is basically a default route for IPv6 traffic.  In cases where I already have IPv6 connectivity, I can easily delete the "default route" on the client side, so I just use the VPN for my IPv6 LAN only.

On the client side, I got the modified Windows install from Gert's site which supports IPv6 transport and installed that on my Win 7 laptop.  The configuration file that works for IPv4 can pretty much be left alone and will work.

But unfortunately, for whatever reason, the IPv6 address and route for the VPN client network are not removed when disconnecting, so I created a simple "down" script to remove these upon disconnection.  If you don't do this, you have to remove them by hand before trying to connect again, or the client will fail when it can't add the routes and addresses (because they're already there).

I call the down script with this config line:
down clear_ipv6.bat

The batch file is really simple:

@echo off
REM Hose out the ipv6 config on the TAP interface since openvpn doesn't seem to do it
REM TAP interface is "Local Area Connection 2"

REM delete the IPv6 address from the TAP interface
netsh int ipv6 delete addr "Local Area Connection 2" 2001:db8:1234:1::1:0
REM delete the left over route
netsh int ipv6 delete route 2001:db8:1234:1::/64 "Local Area Connection 2"


(For some reason Gert's mods use the 7th quad for the host address instead of the last.)

Because I am using a down script, I also had to add this line to my VPN client configuration file which allows OpenVPN to use scripts:

script-security 2

That's pretty much it.  I can now use OpenVPN to get secure IPv4 and IPv6 access to my LAN, and IPv6 access to the internet (via my LAN and home internet connection) when I need it.
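A complete server-side configuration for the setup jimb describes above (IPv4 and IPv6 carried as payload over an IPv4 transport, with a /64 handed out to road-warrior clients), as an added example that is not part of the original post or of Gert's branch. It assumes an OpenVPN build with the IPv6 payload feature (Gert's branch as above, or mainline OpenVPN 2.3 and later, where server-ipv6 and route-ipv6 are built in); the documentation prefix 2001:db8:1234::/48 is the one used in the post, the /64 2001:db8:1234:1::/64 is a hypothetical client pool that must actually be routed to the VPN host by the provider, and the certificate paths, port and tun device name are placeholders.

```conf
# /etc/openvpn/server.conf  (added example, not from the original post)
port 1194
proto udp              # IPv4 transport; both address families ride inside the tunnel
dev tun
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh2048.pem

# IPv4 pool for clients, matching the existing working setup (172.16.1.x)
server 172.16.1.0 255.255.255.0
push "redirect-gateway def1"

# IPv6 pool: a /64 carved out of the host's /48 (2001:db8:1234::/48 in the post).
# Each client gets one address from this /64; the server end takes ::1.
# The provider must route this /64 to the VPN host, otherwise return traffic
# never reaches the tunnel even though clients get an address.
server-ipv6 2001:db8:1234:1::/64

# Routes pushed to clients: the LAN /64 and a "default" for global unicast.
# 2000::/3 is used instead of ::/0 so link-local and ULA traffic stays local.
push "route-ipv6 2001:db8:1234::/64"
push "route-ipv6 2000::/3"

# Optional: resolver reachable through the tunnel, so DNS does not leak
# to the client's local (IPv4-only) ISP resolver.
# push "dhcp-option DNS 172.16.1.1"

keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
verb 3
```

Two things on the Linux side that the configuration alone does not cover: the kernel must forward IPv6 (`net.ipv6.conf.all.forwarding=1`), and any ip6tables FORWARD policy must permit traffic between the tun device and eth0, otherwise clients receive an address and routes but no packets flow. Note that pushing 2000::/3 means all of the client's global IPv6 traffic now exits via the VPS, so whatever filtering applies to the VPS's IPv6 egress applies to the client as well; if the client already has working native IPv6, drop that push (or the route on the client) and keep only the LAN /64, as jimb does.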

kriteknetworks

jimb: I'm currently trying to get the Windows Gert IPv6 installation to work as a client, but if I use an IPv6 address, with or without [], or an IPv6-only FQDN for remote, openvpn.exe spits out:

Wed Nov 16 02:10:17 2011 us=19000 RESOLVE: Cannot resolve host address: address_here_as_described_above: [NO_DATA] The requested name is valid but does not have an IP address.

The same client config works fine using an IPv4 address or hostname for remote.

The Windows openvpn version is: OpenVPN 2.2.0 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] [IPv6 payload 20110522-1 (2.2.0)] built on May 22 2011
Windows 7 Ultimate, 32 bit

I've googled this for a few hours, and what little I can tell is that there are claims that the IPv6 side of things can't resolve DNS; no idea why, since IPv4/6 resolves fine elsewhere, the recursor itself is on v4, and IPv6 in Windows works fine...

Any thoughts?

jimb

If I understand correctly, you're trying to do an OpenVPN connection using IPv6 as a transport for the tunnel traffic.  I'm not sure if this is supported in OpenVPN or not.

I'm not doing the same thing.  My OpenVPN connection is over IPv4, and simply allows IPv6 and IPv4 to be tunneled across the VPN.  I'm not trying to actually establish a tunnel link over IPv6.  That's still transported via IPv4.