IPv6: Advertise a route-ipv6 on LAN pointing to an OpenVPN client?


Post by stepp » Tue Mar 21, 2017 11:40 am

My goal is to tunnel IPv6 traffic between my two sites through an existing (IPv4) openVPN link. Of course fallback would be good. If the openVPN link is down one should still be able to use the normal IPv6 path going through the public internet to reach the other site.
As the IPv6 topic is pretty new to me I'd appreciate some suggestions concerning what tools to use and what concepts of IPv6 (router advertisements, NDP, prefix delegation,...) I should investigate in detail to realize my goal.

I have successfully connected two sites using IPv4. Routing is not a problem as the subnets are private and static. Each machine in both subnets can reach every other on any subnet as long as the openVPN link is up and running. (For some services that should be available when the openVPN link is down there are some port forwardings on the NATting routers, but that is a more "manual" fallback.)
Now I'm trying to add IPv6 support. The sites themselves have IPv6 deployed already. Each machine on those networks can access the internet using IPv6 through the local router. So, even without using a VPN tunnel, I can ping and access IPv6-enabled machines between my two sites.

One of my sites, let's call it "site S", has a bunch of static /64 prefixes. The other, "site D", has dynamic prefixes that change every couple of days. The openVPN server is located in "site D".
So my first idea that I want to be discussed is: How can I use the features of openVPN to tell all machines in site D: I have routes for the following %static prefixes% available ... please get yourself an IPv6 address out of %this% prefix, so that site S knows where to send the answers.

I have not seen anything concerning Neighbor Discovery Protocol or Router Advertisements in the openVPN Manual 2.4. So I assume that I have to use a "client-connect" and "client-disconnect" script which handles all the details? I am a bit reluctant about going that way because that means that I have to control radvd (or dnsmasq, or whatever my openVPN server machine is already running) using my (still to write) client-connect and client-disconnect scripts. Are those correct assumptions? Or is there a way to follow that does not involve all those handwritten scripts? Is there a general command for the linux network stack to generically configure an interface so that it starts sending out router advertisements?

I read the feature request "Integrate basic dhcpv6 client into OpenVPN", which is related technology-wise but does not solve my task according to my first idea. But one can discuss a second idea, which I think is "more IPv6y": the openVPN server gets (at least) two /64 prefixes from its local router via DHCPv6 Prefix Delegation and uses one of them for the addresses of the openVPN link. The openVPN client pulls a remaining /64 prefix from the openVPN server, again using DHCPv6 Prefix Delegation, and announces to site S: use this dynamic prefix I got for you. Of course the inverse should also be done. The openVPN client machine gets some static /64 prefixes from the local router to delegate using DHCPv6 Prefix Delegation, which in return are passed over the openVPN link to the openVPN server, which delegates an unused static /64 prefix to be used in site D.
This setup seems to be how it is meant to be with IPv6. Each machine would have two IPv6 addresses (excluding the privacy extensions). Each machine would have two routes to the internet, one using the local router, the other going through the VPN. If the link goes down the Router Advertisements stop, the prefixes from the other side become invalid, and routing for those is tried over the normal internet path of the local router.
Do I describe the correct and desired behavior of an IPv6 network, or am I missing a point?
And the bigger question is: How do I set something up like that? Do I just run radvd/dnsmasq/... on the openVPN server and client and I'm done? Or do I have to run some DHCPv6 client in addition that triggers the changes for advertising the routes? Why did I not speak of NDP, does the neighbor discovery protocol not play a role in all that, even though its name suggests it might be useful?

Any input is appreciated.
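A minimal configuration for the first idea (site S's static prefix reachable from site D's LAN through the tunnel, with the advertised route timing out when the link drops), as an added example that is not from the original post. It assumes an OpenVPN 2.4 server at site D with tunnel interface tun0 and LAN interface eth0, the documentation prefixes 2001:db8:5::/48 (site S, static) and 2001:db8:d::/64 (site D LAN), a tunnel ULA fd00:8::/64, and a client certificate common name "siteS"; all of these are placeholders.

```conf
# --- /etc/openvpn/server.conf on the site D server (assumed layout) ---
server 10.8.0.0 255.255.255.0
server-ipv6 fd00:8::/64          # addresses for the tunnel itself (assumed ULA)
client-config-dir /etc/openvpn/ccd
# kernel route on the server for site S's static prefix, via the tunnel;
# the matching iroute-ipv6 below tells OpenVPN which client owns it
route-ipv6 2001:db8:5::/48

# --- /etc/openvpn/ccd/siteS on the site D server (per-client file) ---
iroute-ipv6 2001:db8:5::/48
# site S hosts must send their replies back through the tunnel, not the internet
push "route-ipv6 2001:db8:d::/64"

# --- /etc/radvd.conf on the site D server (LAN side, eth0) ---
# Advertise only a more-specific route (RFC 4191), not a default route:
# the existing site D router stays the default gateway, so traffic for
# anything other than site S keeps using the public IPv6 path.
interface eth0
{
    AdvSendAdvert on;
    AdvDefaultLifetime 0;        # 0 = "I am not a default router"
    MinRtrAdvInterval 10;
    MaxRtrAdvInterval 30;
    route 2001:db8:5::/48
    {
        AdvRoutePreference high;
        AdvRouteLifetime 90;     # hosts drop the route ~90 s after RAs stop
    };
};
```

Because the radvd route is only a lifetime-bounded hint, site D hosts fall back to their normal default route for 2001:db8:5::/48 once the advertisements cease (for example if radvd is stopped from a client-disconnect script), which is the fallback behaviour the post asks about.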
