Description: This article shows you three different options for assigning IPv6 addresses to VPN clients using your Access Server. Before we get into the steps you can follow, we provide some background on Access Server's limited IPv6 support.
Access Server's internet protocol support
Access Server is primarily an IPv4 system. It requires an IPv4 address for its OpenVPN daemons to process incoming connections. However, the VPN tunnels can transport IPv6 packets. It's helpful to understand these terms for this article:
- Tunnel layer: The data transported inside the VPN tunnel, also called the payload layer.
- Transport layer: The encrypted packets the OpenVPN daemon transports between the VPN client and VPN server.
Access Server 2.0 and newer supports IPv6 at the tunnel layer (but not the transport layer), which means you can send IPv6 packets through the VPN tunnel but not build a VPN tunnel based on IPv6.
Before you begin
Ensure the Linux machine hosting your Access Server has an interface with an IPv6 configured on it and an IPv6 default gateway.
Choose the option below based on how you want to assign the IPv6 addresses to clients: from a global address pool, from group address pools, or from public IPv6 addresses.
Option 1: Assign IPv6 IP addresses to VPN clients from a global pool
Follow these steps to use a global address pool to assign IPv6 IP addresses to your VPN clients.
- Connect to your Access Server's console with root privileges.
- Enable IPv6 routing:
sudo su
cd /usr/local/openvpn_as/scripts/
./sacli --key "vpn.routing6.enable" --value "true" ConfigPut
- Route all IPv6 traffic through the tunnel (full tunnel):
./sacli --key "vpn.client.routing6.reroute_gw" --value "true" ConfigPut
- Create a default IPv6 address pool to assign to your VPN clients:
./sacli --key "vpn.server.daemon.vpn_network6.0" --value "fd4a:e7ae:b84b:2::/112" ConfigPut
- In this example, we use "fd4a:e7ae:b84b:2::/112". This is a unique local address (ULA), the IPv6 counterpart of a private IPv4 range, which means these addresses are not routable on the public internet.
- Configure SNAT so IPv6 traffic from VPN clients leaves through the server's public IPv6 address on its way to the internet. The value is the interface name and that interface's IPv6 address separated by a colon; replace both with your own:
./sacli --key "vpn.server.routing6.snat_source.0" --value "eth0:2604:a880:400:d0::189e:6005" ConfigPut
- Save the settings:
./sacli start
Testing the setup
If we connect to the VPN, we get an IP from "fd4a:e7ae:b84b:2::/112" as shown below:
If we try to ping "ipv6.google.com", that works:
+ Output from a Windows PC:
PS C:\Users\Brandon> ping ipv6.google.com
Reply from 2607:f8b0:4006:81f::200e: bytes=1500 time=30ms TTL=54
Reply from 2607:f8b0:4006:81f::200e: bytes=1500 time=30ms TTL=54
Reply from 2607:f8b0:4006:81f::200e: bytes=1500 time=29ms TTL=54
Reply from 2607:f8b0:4006:81f::200e: bytes=1500 time=30ms TTL=54
Reply from 2607:f8b0:4006:81f::200e: bytes=1500 time=31ms TTL=54
Ping statistics for 2607:f8b0:4006:81f::200e:
Packets: Sent = 5, Received = 5, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 29ms, Maximum = 31ms, Average = 30ms
+ Output from our Access Server while running tcpdump, where we can see the client's IPv6 traffic arriving (from the pool address) and leaving again with the SNAT source address on its way to the internet:
root@openvpn-access-server-Brandon:/usr/local/openvpn_as/scripts# tcpdump -eni any host ipv6.google.com
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
10:47:31.114998 In ethertype IPv6 (0x86dd), length 96: fd4a:e7ae:b84b:2::8002 > 2607:f8b0:4006:81f::200e: ICMP6, echo request, seq 9, length 40
10:47:31.115031 Out d6:77:ce:97:8c:7c ethertype IPv6 (0x86dd), length 96: 2604:a880:400:d0::189e:6005 > 2607:f8b0:4006:81f::200e: ICMP6, echo request, seq 9, length 40
10:47:31.116589 In fe:00:00:00:01:01 ethertype IPv6 (0x86dd), length 96: 2607:f8b0:4006:81f::200e > 2604:a880:400:d0::189e:6005: ICMP6 echo reply, id 1, seq 9, length 40
10:47:31.116610 Out ethertype IPv6 (0x86dd), length 96: 2607:f8b0:4006:81f::200e > fd4a:e7ae:b84b:2::8002: ICMP6 echo reply, id 1, seq 9, length 40
Option 2: Assign IPv6 IP addresses to VPN clients from a group pool
Follow these steps to use a group address pool to assign IPv6 IP addresses to your VPN clients through their assigned group.
Note: In our example, we have a group named "Brandon-Test" and a VPN user named "test". The user test is already assigned to the group Brandon-Test.
- Connect to your Access Server's console with root privileges.
- Enable IPv6 routing:
sudo su
cd /usr/local/openvpn_as/scripts/
./sacli --key "vpn.routing6.enable" --value "true" ConfigPut
- Create a pool of IPv6 addresses to assign to the VPN clients in the "Brandon-Test" group:
./sacli --user "Brandon-Test" --key "group_subnets6.0" --value "fd4a:e7ae:b84b:5::/112" UserPropPut
- In this example, we use "fd4a:e7ae:b84b:5::/112". This is a unique local address (ULA), the IPv6 counterpart of a private IPv4 range, which means these addresses are not routable on the public internet.
- Configure the IPv6 range within that pool from which the user test, and any other member of the group, will receive an address:
./sacli --user "Brandon-Test" --key "group_range6.0" --value "fd4a:e7ae:b84b:5::8005-fd4a:e7ae:b84b:5::8009" UserPropPut
- This assigns the range of IPv6 addresses from "fd4a:e7ae:b84b:5::8005" to "fd4a:e7ae:b84b:5::8009" to VPN users in the group.
- Save the settings:
./sacli start
Testing the setup
If we connect to the VPN, we get an IP from "fd4a:e7ae:b84b:5::/112" as shown below:
If we try to ping "ipv6.google.com", that works:
+ Output from a Windows PC:
PS C:\Users\Brandon> ping ipv6.google.com
Reply from 2607:f8b0:4006:81f::200e: bytes=1500 time=30ms TTL=54
Reply from 2607:f8b0:4006:81f::200e: bytes=1500 time=30ms TTL=54
Reply from 2607:f8b0:4006:81f::200e: bytes=1500 time=29ms TTL=54
Reply from 2607:f8b0:4006:81f::200e: bytes=1500 time=30ms TTL=54
Reply from 2607:f8b0:4006:81f::200e: bytes=1500 time=31ms TTL=54
Ping statistics for 2607:f8b0:4006:81f::200e:
Packets: Sent = 5, Received = 5, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 29ms, Maximum = 31ms, Average = 30ms
+ Output from our Access Server while running tcpdump, where we can see the client's IPv6 traffic arriving (from the group pool address) and leaving again with the SNAT source address on its way to the internet:
root@openvpn-access-server-Brandon:/usr/local/openvpn_as/scripts# tcpdump -eni any host 2607:f8b0:4006:81f::200e
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
11:44:10.035937 In ethertype IPv6 (0x86dd), length 96: fd4a:e7ae:b84b:5::8005 > 2607:f8b0:4006:81f::200e: ICMP6, echo request, seq 11, length 40
11:44:10.035983 Out d6:77:ce:97:8c:7c ethertype IPv6 (0x86dd), length 96: 2604:a880:400:d0::189e:6005 > 2607:f8b0:4006:81f::200e: ICMP6, echo request, seq 11, length 40
11:44:10.037937 In fe:00:00:00:01:01 ethertype IPv6 (0x86dd), length 96: 2607:f8b0:4006:81f::200e > 2604:a880:400:d0::189e:6005: ICMP6 echo reply, id 1, seq 11, length 40
11:44:10.037956 Out ethertype IPv6 (0x86dd), length 96: 2607:f8b0:4006:81f::200e > fd4a:e7ae:b84b:5::8005: ICMP6 echo reply, id 1, seq 11, length 40
Option 3: Assign public IPv6 IP addresses to VPN clients
Note: We recommend this configuration for cases where you have a whole public IPv6 subnet and want to assign public IPv6 addresses for VPN clients to reach internet resources directly (without NAT).
In this case, let's assume that our provider supplies the subnet 2a01:XXXX:XXXX:963::/64. The first usable IP address, 2a01:XXXX:XXXX:963::1, is assigned to the Access Server host. All other 18 quintillion IP addresses could be assigned to VPN clients, but we'll use a smaller subnet of about four thousand addresses, for example: 2a01:XXXX:XXXX:963:0001::/116.
- Connect to your Access Server's console with root privileges.
- Enable IPv6 routing:
sudo su
cd /usr/local/openvpn_as/scripts/
./sacli --key "vpn.routing6.enable" --value "true" ConfigPut
- Define the default pool of IPv6 addresses to assign to your VPN clients:
./sacli --key "vpn.server.daemon.vpn_network6.0" --value "2a01:XXXX:XXXX:963:0001::/116" ConfigPut
- Disable NAT for IPv6, since we're using public IPv6 addresses and want clients to reach internet resources directly without NAT:
./sacli -k "vpn.server.nat6" -v "false" ConfigPut
- Save the settings:
./sacli start
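Before running ./sacli start with any of the three options, it is worth checking the values you are about to store: that a ULA pool is paired with an SNAT source, that a group range really sits inside its group subnet, and that a public pool is carved out of the provider's prefix without swallowing the host's own address. The following pre-flight check is an added example written for this article, not part of Access Server or its sacli tool; the 2a01 prefix is a constructed placeholder for the masked 2a01:XXXX:XXXX:963::/64, and the other values are the ones used above.

```python
import ipaddress

# Constructed values mirroring the three options in this article. The 2a01
# prefix is a placeholder standing in for the masked 2a01:XXXX:XXXX:963::/64.
OPTION1_POOL = "fd4a:e7ae:b84b:2::/112"
OPTION1_SNAT = "eth0:2604:a880:400:d0::189e:6005"
OPTION2_POOL = "fd4a:e7ae:b84b:5::/112"
OPTION2_RANGE = "fd4a:e7ae:b84b:5::8005-fd4a:e7ae:b84b:5::8009"
PROVIDER_PREFIX = "2a01:db8:0:963::/64"   # placeholder
HOST_ADDR = "2a01:db8:0:963::1"           # first usable address, kept for the host
OPTION3_POOL = "2a01:db8:0:963:1::/116"   # 4096 addresses for clients

ULA = ipaddress.IPv6Network("fc00::/7")   # unique local address space (RFC 4193)


def pool_kind(prefix):
    """'ula' means the pool needs SNAT to reach the internet; 'global' does not."""
    net = ipaddress.IPv6Network(prefix, strict=True)  # rejects set host bits
    if net.subnet_of(ULA):
        return "ula"
    if net.is_global:
        return "global"
    raise ValueError(f"{prefix} is neither ULA nor global unicast")


def parse_snat_source(value):
    """Split the 'iface:addr' form used by vpn.server.routing6.snat_source.N."""
    iface, _, addr = value.partition(":")
    ip = ipaddress.IPv6Address(addr)
    if not iface or not ip.is_global:
        raise ValueError("SNAT source must be <iface>:<public IPv6 address>")
    return iface, ip


def range_within_pool(range_value, prefix):
    """Check a group_range6.N 'first-last' range lies inside group_subnets6.N; return its size."""
    first, last = (ipaddress.IPv6Address(a) for a in range_value.split("-"))
    net = ipaddress.IPv6Network(prefix)
    if last < first or first not in net or last not in net:
        raise ValueError(f"range {range_value} is not inside {prefix}")
    return int(last) - int(first) + 1


def public_pool_ok(pool, provider_prefix, host_addr):
    """Pool must be a sub-prefix of the delegated block and exclude the host; return its size."""
    net = ipaddress.IPv6Network(pool, strict=True)
    if not net.subnet_of(ipaddress.IPv6Network(provider_prefix)):
        raise ValueError(f"{pool} is not inside {provider_prefix}")
    if ipaddress.IPv6Address(host_addr) in net:
        raise ValueError(f"{pool} overlaps the host address {host_addr}")
    return net.num_addresses
```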
Testing the setup
If we connect to the VPN, we get an IP from "2a01:XXXX:XXXX:963:0001::/116" as shown below:
Now let's check our public IPv6 address with a public service for detecting IP addresses, such as https://whatismyipaddress.com/ or https://test-ipv6.com/.
The same address displays on the IPv6 section:
For more info:
Limited IPv6 support built into the OpenVPN Access Server