In the IPv6 in OpenVPN wiki https://community.openvpn.net/openvpn/wiki/IPv6, it says,
The wiki doesn't explain why you cannot use the on-link network, but presumably it's to avoid address conflicts. If you already have a network interface supporting ipv6, you already have a routed prefix and addresses can be allocated without conflict using dhcp (or SLAAC).In a routed setup, you cannot use your on-link network; you must use a unique routed network range, just like when routing with IPv4. Most ISPs should have a facility to obtain a routed block on request, or sometimes provided as part of DHCPv6-PD; these concepts are outside the scope of this document. Speak to your ISP or use other IPv6 learning resources for further information.
Further down in the wiki, it describes splitting a prefix if a second prefix is not available, again, presumably the issue is address conflicts. It says,
Even if the network is dedicated only to the openvpn server, it's not possible to guarantee that all addresses will be unallocated. It says to avoid this if you are using SLAAC, among other things. Using ipv6, hosts normally have multiple addresses (e.g., EIA-64, SLAAC or privacy extension SAA) in addition to the dhcp address and there could easily be several hosts (the server, the gateway, the dhcp and one or more dns servers). The only addresses that can be easily controlled are dhcp addresses if the router allows the range to be configured. Because EIA-64 uses the MAC address, there is no way to guarantee that they will all be in the upper or lower half of a /65. Similarly with SLAAC or privacy extensions. They can be anywhere within a /64. There should never be a requirement to break a /64 for this reason as the wiki acknowledges. If a user has only one /64 that's being used by multiple types of hosts, it's a virtual certainty that there will be some combination of dhcp, EIA-64, SLAAC or privacy extensions. If the openvpn server relied upon the dhcp server on the network interface, the problem of address conflicts and routing would be eliminated and it would be much easier to configure.check that your NIC uses no addresses in the upper /65 block (in this case, addresses greater than 2001:db8:0:123:8000::/65). If you do, you can't use this setup until you eliminate those.