setting up server & client configs' IPs in IPv6-only vpn?

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
darx
OpenVpn Newbie
Posts: 2
Joined: Thu Aug 01, 2013 10:16 pm

setting up server & client configs' IPs in IPv6-only vpn?

Post by darx » Fri Aug 02, 2013 12:06 am

I've installed OpenVPN 2.3.2 on two servers. One's a VPS in the cloud, the other's my local LAN's edge router/firewall box.

I'm trying to get an all IPv6 solution set up, with the LAN-box connecting as a vpn-client to the VPS-box, as the vpn-server.

The two boxes' nets are

Code:

	SERVER (remote VPC)
		one real interface
			= eth0
				IPv4 = XX.XX.XX.100
				IPv6 = 2600::...:35::100  <-- ISP provided
		tun1

	CLIENT (Home Office Router/Firewall)
		two real interfaces
			= eth0 (external)
				IPv4 = YY.YY.YY.56
				IPv6 = 2100::...:13:2     <-- Tunnelbroker IPv6 client endpoint
			= eth1
				IPv4 = 192.168.1.20
				IPv6 = 2100::...:13:20
		tun1
The VPN configs are below. As far as I can tell, even in an IPv6-only config, you still need IPv4 data in the configs. I'm confused as to what exactly those IPs need to be; for IPv4 I'm supposed to use 'internal' (10., 192., 172.) addresses, and for IPv6 ... what?

I can ping/ping6 all real IPs in both directions, and can bring up each end's vpn instance with no errors, but -- so far -- I can't get the Client to connect to the Server.

I'd appreciate a look over my configs here, and any specific guidance on what the IPs need to be.

server.conf

Code:

		daemon
		dev tun1
		tun-ipv6
		proto tcp6-server
		mode server
??		local 2600::...:100
		bind
		port 1194
		
??		server           ??.??.??.?? 255.255.255.0
??		server-ipv6      2600::...:35::/64

??		push "route      ??.??.??.?? 255.255.255.0"
??		push "route-ipv6 ??::...:??::/??"

		tls-server
		ca         /etc/openvpn/ca.crt
		cert       /etc/openvpn/server.crt
		key        /etc/openvpn/server.key
		tls-auth   /etc/openvpn/common.ta.key 0
		dh         /etc/openvpn/dh2048.pem
		user  nobody
		group nobody
		chroot /etc/openvpn
		script-security 2
		persist-tun
		persist-key
		keepalive 10 120
		resolv-retry infinite

client.conf

Code:

		daemon
		<connection>
??		remote 2600::...:100 1194 tcp6-client
		</connection>
		dev tun1
		tun-ipv6
		proto-force tcp6-client
??		local 2100::...:20
		bind
		port 1194

		tls-client
		ca         /etc/openvpn/ca.crt
		cert       /etc/openvpn/client.crt
		key        /etc/openvpn/client.key
		tls-auth   /etc/openvpn/common.ta.key 1
		dh         /etc/openvpn/dh2048.pem
		remote-cert-tls server
		user  nobody
		group nobody
		chroot /etc/openvpn
		script-security 2
		comp-lzo
		persist-tun
		persist-key
		keepalive 10 120
		resolv-retry infinite

JoshC
OpenVPN User
Posts: 37
Joined: Sun Jun 23, 2013 3:42 pm

Re: setting up server & client configs' IPs in IPv6-only vpn

Post by JoshC » Sat Aug 10, 2013 11:12 pm

For now, OpenVPN requires the use of an IPv4 network across the tun interfaces due to internal code assumptions; long-term this requirement will be lifted, but the code changes are non-trivial. For now, just use an obscure RFC1918 network range even if you don't really need IPv4.

As for the IPv6 setup, the same basics apply. You need to use an IP range you have been assigned from your provider. Note that it can't be the /64 you're using on your server's uplink connection when you are using OpenVPN in a tun (routed) setup. Your provider should have given you (or maybe you need to request) a larger block, often a /56, that is routed to your server. If you cannot obtain this from your ISP, use one that knows how IPv6 works. You then use a /64 out of the /56 for the VPN's IPv6 network.

So the IPv6 range you push to clients in --server-ipv6 should be a network range you have access and control over that is routed to your VPN server by your upstream network (your server's network provider). You're free to use less than a /64 if you'd like, although some of the 2.2.x IPv6 patches (such as the current OpenVPN version in Ubuntu's official repos) will only work with a /64, nothing smaller; OpenVPN 2.3.x supports down to a /112 if you'd prefer.

If you're connecting to your server over IPv6, use the udp6 or tcp6-server/tcp6-client protocols. This said, try and avoid running OpenVPN over TCP unless UDP isn't an option as TCP comes with a significant performance penalty.
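The rules in the reply above (an RFC 1918 IPv4 tun network is still required, the --server-ipv6 prefix must be a /64 to /112 carved out of a block the provider routes to the server rather than the uplink /64, and UDP is preferred over TCP) can be checked mechanically before the daemon is started. The script below is an added example written for this page, not OpenVPN code and not the poster's configuration: it parses a minimal server.conf and reports which of those rules a given address plan breaks. The sample configs, the uplink /64 and the routed /56 are constructed from documentation prefixes (RFC 3849 and RFC 5737) standing in for the poster's "??" placeholders, so they are assumptions, not the thread's real addresses.

```python
"""Check an OpenVPN 2.3 tun server address plan against the rules above.
Added example for this thread; not part of OpenVPN or the poster's setup."""
import ipaddress
import shlex

# Constructed sample configs (documentation prefixes, not the poster's real IPs).
GOOD_SERVER_CONF = """\
dev tun1
tun-ipv6
proto udp6
local 2001:db8:35::100
port 1194
server 10.187.214.0 255.255.255.0
server-ipv6 2001:db8:35:ff01::/64
push "route-ipv6 2001:db8:35::/64"
"""

# Same plan with three of the mistakes the reply warns about: a public IPv4
# range, the uplink /64 reused as the tun prefix, and TCP instead of UDP.
BAD_SERVER_CONF = """\
dev tun1
tun-ipv6
proto tcp6-server
server 203.0.113.0 255.255.255.0
server-ipv6 2001:db8:35::/64
"""

# Assumed topology: the /64 on the server's eth0 and the larger block the
# provider routes to the server (the "often a /56" in the reply).
UPLINK_PREFIX = ipaddress.IPv6Network("2001:db8:35::/64")
ROUTED_BLOCK = ipaddress.IPv6Network("2001:db8:35:ff00::/56")

RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_conf(text):
    """Minimal OpenVPN config reader: one directive per line, full-line
    '#'/';' comments, shell-style quoting.  Returns {directive: [args]};
    a repeated directive keeps its last value."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        words = shlex.split(line)
        directives[words[0]] = words[1:]
    return directives


def check_address_plan(conf_text, uplink_prefix, routed_block,
                       min_plen=64, max_plen=112):
    """Return a list of problems with the tun address plan; [] means the
    plan is consistent with the rules in the reply.  The /64../112 bounds
    are the OpenVPN 2.3.x limits quoted there."""
    conf = parse_conf(conf_text)
    problems = []

    # 1. OpenVPN 2.3 still needs an IPv4 tun network, and it should be RFC 1918.
    v4 = conf.get("server")
    if len(v4 or []) < 2:
        problems.append("server: missing; OpenVPN 2.3 still needs an IPv4 tun network")
    else:
        v4net = ipaddress.IPv4Network(f"{v4[0]}/{v4[1]}", strict=False)
        if not any(v4net.subnet_of(p) for p in RFC1918):
            problems.append(f"server: {v4net} is not an RFC 1918 range")

    # 2. server-ipv6 must be a routed block, not the uplink /64, within /64../112.
    v6 = conf.get("server-ipv6")
    if not v6:
        problems.append("server-ipv6: missing")
    else:
        v6net = ipaddress.IPv6Network(v6[0], strict=False)
        if not min_plen <= v6net.prefixlen <= max_plen:
            problems.append(f"server-ipv6: /{v6net.prefixlen} is outside "
                            f"/{min_plen}../{max_plen}")
        if v6net.overlaps(uplink_prefix):
            problems.append(f"server-ipv6: {v6net} overlaps the uplink prefix "
                            f"{uplink_prefix}; tun needs a separately routed block")
        elif not v6net.subnet_of(routed_block):
            problems.append(f"server-ipv6: {v6net} is not inside the routed "
                            f"block {routed_block}")

    # 3. Prefer UDP; TCP transport carries a significant performance penalty.
    proto = conf.get("proto", ["udp"])[0]
    if proto.startswith("tcp"):
        problems.append(f"proto {proto}: TCP carries a significant performance "
                        "penalty; prefer udp6 unless UDP is blocked")
    return problems


if __name__ == "__main__":
    for name, text in (("good", GOOD_SERVER_CONF), ("bad", BAD_SERVER_CONF)):
        print(name, check_address_plan(text, UPLINK_PREFIX, ROUTED_BLOCK) or "OK")
```

Run it against the real server.conf by reading the file into `conf_text` and setting `UPLINK_PREFIX` and `ROUTED_BLOCK` to the prefixes the provider actually assigned; the uplink /64 alone will always fail the overlap check, which is exactly the point of the reply.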
