Suppressing a protocol on a dual-stack server for specific clients



Post by Redhatter » Mon Sep 16, 2019 11:51 pm

Hi all,

I've got two very closely related questions, one hypothetical and one real. I'll start with the real issue first.

Our VPN server is set up to serve out both an IPv4 subnet and an IPv6 subnet over a tun-style link with Ubuntu Linux; the server itself is accessible over IPv4 only. The reasoning for the IPv6 subnet allocation for VPNs is in part because we'll be using the VPN to access devices which are IPv6-only (6LoWPAN) and also for future-proofing. The server makes use of the ccd directive to apply client-specific directives based on the clients' certificate Canonical Name field.

Now, it seems even today, there's a lot of protocol-deniers in the router manufacturer world: device makers that believe that RFC-791 is the only protocol that exists. I don't want to have to run two VPN servers, and there are use cases that actually do demand that some clients be accessible "dual-stack". How does one go about "disabling" IPv6 for a specific client?

Related to this, the IPv4 address space is a highly popular subnet address, and our network internally (not just the VPNs) uses a /17 allocation taken from this block, chosen to hopefully not clash with other networks. That said, it has happened before that our network has clashed with someone else's, and there's nothing to say a customer network to which we must link might not decide to just use the whole subnet for their own uses. In this hypothetical situation, the VPN client on their network would be faced with an addressing clash between the local subnet and our VPN.

VPN clients which have an IPv6 address allocated from a ULA have an edge here. If we could tell the client to "ignore" the IPv4 allocation from the VPN and just use IPv6, we can work around this clash. So how does one go about "disabling" IPv4 for a specific client?
