Integrate basic dhcpv6 client into OpenVPN with

This is where we can discuss what we would like to see added or changed in OpenVPN.

Moderators: TinCanTech

Aodan
OpenVpn Newbie
Posts: 1
Joined: Fri Oct 09, 2015 10:42 pm

Integrate basic dhcpv6 client into OpenVPN with

Post by Aodan » Fri Oct 09, 2015 11:05 pm

I stumbled across the following problem when I wanted to provide IPv6 inside the tunnel on my network.

I can request a prefix from my router via prefix delegation with Dibbler, WIDE-dhcpv6 or some other DHCPv6 client and afterwards write it as server-ipv6 into the configuration.

But many ISPs only hand out dynamic IPv6 blocks, resulting in the problem that one has to update the configuration regularly. This is clearly not a good solution.

So either it would be nice if OpenVPN could monitor the assigned prefix from these DHCPv6 clients, or, maybe even easier, include its own DHCPv6 client which does nothing more than request a prefix and use it for the tunnel.

So, in the configuration, do something like this:

server-ipv6 ia-pd 64

In this case, OpenVPN would request a 64 bit prefix and use it for the tunnel. No other configuration required, and the home router would automatically change the routing table. Even easier than IPv4 where you need to add a static route to 10.8.0.0/24 to the OpenVPN computer :D Of course it then also needs to change the prefix in the tunnel if a new prefix is received, all this without doing a restart of the server (I guess by setting the lifetime of the IPs).

One small thing to note though: It would be good if one requested /64 block could be shared between multiple OpenVPN instances. So request a /64 block once, but split it to two /65 for two simultaneously running servers on the same machine.

zaaj
OpenVpn Newbie
Posts: 1
Joined: Mon Nov 23, 2015 7:08 pm

Re: Integrate basic dhcpv6 client into OpenVPN with

Post by zaaj » Mon Nov 23, 2015 8:23 pm

I've got a similar wishlist item, perhaps similar enough to add to this thread:

I'm running pfSense as a home router/firewall/OpenVPN server. From a thread on their community support thread, I gathered that IPv6 address management for OpenVPN is done by OpenVPN, not by pfSense, so I'm bringing this here. If it should be over at pfSense instead, let me know and I'll post there.

For IPv4, NAT is common enough, so specifying a static subnet for the OpenVPN clients is no problem, pfSense or whatever else handles the public interface just NATs the clients to the IPv4 public IP for internet access.

For IPv6 however, as Aodan points out, ISPs can hand out Prefix Delegations that can change, and they're public IPs, so no NAT is required or desired. Comcast in my area (my ISP) will allow me to request a /60, so I have my LAN and DMZ set to Track Interface (WAN) and I choose a unique ID in the range of 0..f for the LAN and DMZ interfaces. That works great, any time the PD changes, the LAN and DMZ IPv6 address spaces update automatically.

The OpenVPN IPv6 subnet however, has to be entered manually, so every time my delegated prefix changes, I need to go into the pfSense GUI and update the OpenVPN client IPv6 subnet.

My wishlist item is to have OpenVPN IPv6 able to be set to Track Interface, with the option to specify which interface to track, and which ID within that tracked interface's PD to use, the way pfSense does for LAN and OPT/DMZ interfaces.

Aodan:
As for splitting up a /64, everything I've read so far regarding IPv6 suggests that's not a good idea. SLAAC stops working if it's not a /64, there may be some devices sticking with the RFCs that won't work as smoothly, etc. It would be better to see if your ISP can give you a bigger block via Prefix Delegation. Convention seems to suggest that it's "better" to ask for delegations on 4-bit boundaries, (/60, /54, /48...) as they line up with the hexadecimal digits used to write IPv6 in as human readable a format as we're likely to get, but you might be able to ask for a /63, which would give you just the two /64's you want, such as getting, say:
2001:DB8:123:3210::/64 and
2001:DB8:123:3211::/64
but as a /63, it could as easily end in
2001:DB8:123:321a::/64 and
2001:DB8:123:321b::/64 for example
If you ask for / receive a /64, the 16th hexadecimal digit is all yours, for 16 /64's to play with.
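
The "track interface plus ID" scheme discussed above, sketched as an added example (not code from this thread, OpenVPN or pfSense): it picks the /64 with a given ID out of a delegated prefix and renders the matching `server-ipv6` line, refusing delegations that cannot yield a whole /64. The function names are hypothetical and the addresses are constructed from the 2001:db8::/32 documentation range.

```python
import ipaddress


def tracked_subnet(delegated, prefix_id, target_len=64):
    """Return subnet number `prefix_id` of size /target_len inside `delegated`."""
    # strict=True rejects input with host bits set, e.g. a mistyped prefix.
    pd = ipaddress.IPv6Network(delegated, strict=True)
    if pd.prefixlen > target_len:
        # A delegation longer than /64 cannot provide a full /64 for the tunnel.
        raise ValueError(f"{pd} is too small to hold a /{target_len}")
    available = 1 << (target_len - pd.prefixlen)
    if not 0 <= prefix_id < available:
        raise ValueError(f"ID {prefix_id:#x} out of range, {pd} holds {available} subnets")
    step = 1 << (128 - target_len)  # address distance between adjacent subnets
    base = int(pd.network_address)
    return ipaddress.IPv6Network((base + prefix_id * step, target_len))


def server_ipv6_line(delegated, prefix_id):
    """Render the OpenVPN directive for the tracked /64."""
    return f"server-ipv6 {tracked_subnet(delegated, prefix_id)}"


def refresh(current_line, delegated, prefix_id):
    """Return the new directive if the delegation changed it, else None."""
    new_line = server_ipv6_line(delegated, prefix_id)
    return None if new_line == current_line else new_line


if __name__ == "__main__":
    # Constructed sample: a /60 delegation, tunnel assigned ID 0xf.
    line = server_ipv6_line("2001:db8:123:3210::/60", 0xF)
    print(line)
    # The delegation changes: the same ID now maps to a different /64.
    print(refresh(line, "2001:db8:456:7890::/60", 0xF))
    # A /63 yields exactly two /64s, IDs 0 and 1.
    print(tracked_subnet("2001:db8:123:321a::/63", 1))
```
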

snarky
OpenVpn Newbie
Posts: 1
Joined: Tue May 03, 2016 10:44 am

Re: Integrate basic dhcpv6 client into OpenVPN with

Post by snarky » Tue May 03, 2016 11:02 am

Hello everybody!

Came here by googling exactly this problem. I second the idea, as I have very similar ideas with pfSense, OpenVPN, and semi-dynamically allocated IPv6 blocks. :D

I think (as the OP appears to) this should be a feature of OpenVPN rather than pfSense (the latter would have to edit config files on the fly... not a nice solution). Prefix delegation is an essential part in DHCPv6. Every network-oriented application should honor that in one way or the other. This is most true for OpenVPN, as it is even recommended in the documentation to use publicly routable IPv6 addresses for the tunnel (see https://community.openvpn.net/openvpn/wiki/IPv6). Whether integrating a lightweight DHCPv6 client into OpenVPN itself is a good way I cannot say. Sounds like a good solution from the user's point of view and a lot of additional code to maintain from the developer's point of view. :?
If this gets built into OpenVPN, pfSense will for sure make use of it.

TL;DR
My Wishlist Item: Please add a facility to OpenVPN so that the server can use delegated IPv6 prefixes automatically without needing to change the config file after every new block allocation.

Yours
Snarky
