OpenVPN config with IPv6

That will work for my own devices but not for the guest clients, which I have no direct control over...
At the moment I have enabled the VPN and disabled IPv6 assignment for my guest network, but that is not a satisfactory configuration.

Under routes I can see that the VPN connection added an IPv6 route: 2a00:xx:xx:xx:xx:204::/112
I would like to try and test/use this route with one of my clients, but I have no idea how to do so.
Any idea?

OpenVPN offers the facility to call a script upon creation and tear-down of the VPN tunnel. This facility is often used to call update-resolv-conf as part of blocking DNS leaks.

But what's to say that's the only possible script that could be called?

One thing that just sprang to mind is a script which modifies iptables to kill all IPv6 traffic if the VPN is up, and modifies iptables to permit IPv6 traffic if the VPN is down.

I haven't tested it; it's just a thought experiment at the moment.
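Added example (not from the thread or from any of its posters): a shell hook that implements the idea above, using ip6tables rather than iptables because it has to act on IPv6. It assumes the VPN-only clients sit behind an interface named br-guest and uses a chain named OVPN_V6_KILL; both names are made up here and would be adapted. OpenVPN runs the same script for `up` and `down` and tells it which via the exported `script_type` variable.

```shell
#!/bin/sh
# Added example, not from the thread: OpenVPN --up/--down hook that blocks
# forwarded IPv6 from a VPN-only LAN while the tunnel is up and removes the
# block when it goes down. Wire it in with
#   script-security 2
#   up   /etc/openvpn/v6-kill.sh
#   down /etc/openvpn/v6-kill.sh
# OpenVPN exports script_type=up|down to the hook; nothing else is read.
# Assumed names: VPN-only clients are behind br-guest, chain is OVPN_V6_KILL.
# Set IP6TABLES=echo to dry-run and only print the commands that would run.

IP6TABLES="${IP6TABLES:-ip6tables}"
LAN_IF="${LAN_IF:-br-guest}"
CHAIN="OVPN_V6_KILL"

# Print the ip6tables arguments for the given state, one rule per line.
rules_for() {
  case "$1" in
    up)
      # Create/flush the chain, reject everything forwarded from the VPN-only
      # LAN with ICMPv6 admin-prohibited so clients fail fast instead of
      # timing out, then hook the chain at the top of FORWARD (removing any
      # stale copy first so repeated "up" events do not stack rules).
      printf '%s\n' \
        "-N $CHAIN" \
        "-F $CHAIN" \
        "-A $CHAIN -i $LAN_IF -j REJECT --reject-with icmp6-adm-prohibited" \
        "-D FORWARD -j $CHAIN" \
        "-I FORWARD 1 -j $CHAIN"
      ;;
    down)
      # Unhook, flush and delete the chain; IPv6 from the LAN flows again.
      printf '%s\n' \
        "-D FORWARD -j $CHAIN" \
        "-F $CHAIN" \
        "-X $CHAIN"
      ;;
    *)
      echo "usage: script_type=up|down $0" >&2
      return 1
      ;;
  esac
}

# Feed the rules to ip6tables. Chain create/delete and -D are allowed to fail
# because they depend on what an earlier run left behind; any other failure is
# real and makes the hook exit non-zero so OpenVPN logs it.
apply_rules() {
  rules=$(rules_for "$1") || return 1
  rc=0
  while IFS= read -r rule; do
    [ -n "$rule" ] || continue
    case "$rule" in
      # word splitting of $rule into separate arguments is intended
      "-N "*|"-D "*|"-X "*) $IP6TABLES $rule 2>/dev/null || true ;;
      *) $IP6TABLES $rule || rc=1 ;;
    esac
  done <<EOF
$rules
EOF
  return $rc
}

# OpenVPN sets script_type; when sourced without it, define the functions only.
if [ -n "${script_type:-}" ]; then
  apply_rules "$script_type"
fi
```

Two caveats. First, the block only exists while the tunnel is up; if those clients are meant to have no fallback at all, keep the REJECT in place permanently instead of removing it on `down`. Second, on OpenWrt a firewall reload (fw3) flushes rules added outside it, so re-apply the hook from /etc/firewall.user or express the REJECT as a firewall rule instead.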

I haven't made much progress, but now I can tell for sure that my VPN provider is capable of IPv6.
This time I took the *.ovpn file of my VPN provider (removed redirect-gateway def1) for the VPN setup and added a few options to the /etc/config/openvpn config myself.

If the VPN connection is up and I type "traceroute6 google.com" on my router, I can see that all the traffic is routed via the IPv6 address of my VPN provider...
I don't know why my router is now using the IPv6 of my VPN provider and not the one from my ISP anymore (I still have my WAN6 interface up and I receive a valid IPv6 address from my provider (pppoe-wan)).
And the weird thing is that I'm not able to receive any IPv6 with my clients anymore. I have re-enabled IPv6 assignment length, set it to 64 and rebooted the router, but there is still no IPv6 when connected over my ISP (WAN) connection...
My router is now using the VPN connection for everything right now, also for my clients, even though I added the option route_nopull '1' to my config and removed redirect-gateway def1 from the *.ovpn file.

I'm so confused right now! :confused:

config openvpn 'cyberghost'
        option enabled '1'
        option config '/etc/openvpn/cyberghost.ovpn'
        option port '443'
        option route_nopull '1'
        option tun_ipv6 '1'

cyberghost.ovpn:

client
remote SERVERNAME 443
dev tun 
proto udp
auth-user-pass /etc/openvpn/userpass.txt
resolv-retry infinite 
persist-key
persist-tun
nobind
cipher AES-256-CBC
auth SHA256
ping 5
ping-exit 60
ping-timer-rem
explicit-exit-notify 2
script-security 2
remote-cert-tls server
route-delay 5
tun-mtu 1500 
fragment 1300
mssfix 1300
verb 4
comp-lzo

ca ca.crt
cert client.crt
key client.key

And I still have no idea how to tell my clients to use the VPN IPv6 connection when I force them to use the VPN connection via PBR.

Does your VPN provider give you a /56 or a /48?

If your VPN provider gives you a /112 then you won't be able to configure a /64.

In short, you can't magically create more IP addresses than your provider gives you. The only way to achieve that is with NAT.

It's /112...
What really bothers me at the moment is that my router is using the VPN connection by default, and afaik that wasn't the case before with option route_nopull '1'.
I guess it's related to the default *.ovpn config of my VPN provider which I'm using right now.
Do you have any idea how to fix this?

edit: I've deleted the VPN connection, tun interface and firewall zone and am trying to configure it once again. ISP IPv6 is working again.
This VPN and IPv6 stuff is really driving me crazy... :wink:

It seems that I've found a working *.ovpn config with UDP and without my router using the VPN connection as default gateway.

client
remote SERVER-NAME 443
dev tun 
tun-ipv6
proto udp
auth-user-pass userpass.txt

route-nopull
pull
reneg-sec 0
remote-random
ping-restart 0
resolv-retry infinite
persist-key
persist-tun
nobind
cipher AES-256-CBC
auth SHA256
ping 5
ping-exit 60
ping-timer-rem
explicit-exit-notify 2
script-security 2
remote-cert-tls server
route-delay 5
tun-mtu 1500 
fragment 1300
mssfix 1300
comp-lzo
fast-io
verb 4

ca ca.crt
cert client.crt
key client.key

I'm not sure if tun-ipv6 makes sense, but with this config I'm able to connect via proto udp and without my router using the VPN as the default connection/gateway.
In the "PUSH: Received control message:" output I can also see tun-ipv6, so I guess it's fine to have it in my ovpn config.

Right now I'm trying to understand what's written in the OpenVPN wiki about IPv6: https://community.openvpn.net/openvpn/wiki/IPv6

To be honest, I don't necessarily need IPv6 when connected over VPN, but I would like to use it when I'm connected over my normal WAN/ISP connection.
But I'm still trying to find a solution for the problem that the IPv6 address of my ISP is leaking if I have IPv6 assignment length configured and the clients are connected over VPN.
So basically I would like to block my IPv6 address when a client is connected over VPN, but at the same time IPv6 should be usable for other clients connected to my private and guest network over my normal ISP connection.

This suggests your VPN provider is pretty much ignorant of IPv6. The smallest network that is ever supposed to be handed out by an infrastructure provider is a /64. A VPN provider could get a /32 trivially from their numbering authority and then give you a /64 easily, even a /60.


I think this is 100% true, and I would even say that Cyberghost isn't a good VPN provider in the first place. They don't even have a guide on how to set up OpenVPN with OpenWrt...
The only reason that I'm using Cyberghost VPN is because my friend gifted me a prepaid code for this provider.

My intention was to buy VPN access from Mullvad or azirevpn because I would like to try out WireGuard, but I think with my limited knowledge about VPNs it wouldn't be a smart idea to go for WireGuard right now.
First of all I need to understand how everything works, including fixing any leaks, and at the moment it seems that I'm even failing at this stuff with OpenVPN, but I'm not giving up so fast... :wink:

My impression of WireGuard is the opposite. It's easier to configure than OpenVPN by about an order of magnitude (not having used it, this is just an impression though), and it's less CPU intensive. If you want a working config quickly, go with one of your other choices that offers WireGuard and IPv6 done right.

I also heard good things about WireGuard, that's why I wanted to try it out.
And to be honest, I don't need IPv6 when connected over VPN, I just thought it would be a little bonus.
What I really need is a non-leaking VPN connection with a working killswitch if the VPN goes down, and it would be great if I could use the IPv6 address of my ISP for the clients which are connected over my normal WAN but in the same network as some clients which are connected over the VPN.

I hope that you understand what I mean. :wink:

Here's the thing about multi-homed and IPv6 connections: you can have multiple prefixes advertised on your network, and it's up to the client which one they decide to use for outgoing connections.

From a relevant RFC: https://tools.ietf.org/html/rfc6724#page-22

The policy table they configure is on the client so that the client uses a particular source address for the outgoing connections.

If you want a particular set of clients on your LAN to use VPN, and other clients to use regular WAN you either need

  1. To split them by VLANs and advertise different prefixes
  2. To configure the clients to use different source addresses and configure the router to use policy routing.

Here's a quick discussion on how to deprecate addresses in Linux: http://www.davidc.net/networking/ipv6-source-address-selection-linux

But in general I think this is not going to work well for you. In particular, any typical IoT device will give you zero control over address selection. So practically speaking you're going to want to advertise a single IPv6 prefix on a VLAN designed for those types of devices.


Thanks for your input and the links. I guess I have to think about a few more VLANs or disable IPv6 completely...
I would not have thought that IPv6 would be so much trouble for my setup, and I was quite happy that my ISP is using IPv6 via dual-stack, but it's pretty much an action killer when it comes down to VPN and leaks. :frowning:

Nah, it's not IPv6's fault, it's your VPN provider :wink:

It only works at all in IPv4 because of NAT. Otherwise you'd have the same issues in IPv4.

I think these are the questions you should answer to move forward:

  1. what devices need to be VPN only?
  2. what devices need to be nonVPN only?
  3. what devices need to be VPN + fallback?
  4. Is there a way to segment your LAN into VLANs for 1,2,3 above?
  5. Do you care about traffic other than http/https for VPN usage? (if not, perhaps a proxy is in order?)
  6. how do you control prefix advertisement in OpenWRT? (I use dnsmasq directly on my LAN for router advertisement in a non-OpenWRT router)

I know it sounds noobish, but for me it feels like a fault of IPv6 because I cannot control it as easily as IPv4.
The thing is that I have almost no experience with these things, and I think that's why it feels like this... :wink:

  1. Most of my guest clients (some IoT devices) and devices from people that visit me and use my guest wifi.
  2. That would be my TV (guest network), my PS4 (guest network), one desktop PC and a VoIP adapter.
  3. I'm not sure what exactly you mean by fallback.
    If you are talking about a device falling back to my normal WAN connection if the VPN goes down, I would say that I don't want any device to use my WAN connection as a fallback if it's configured to use the VPN. That's why I want to implement a killswitch if the VPN goes down.
  4. That should be no problem... Do you remember when you helped me with my isolated guest network? It's still running fine and I can easily add a few more VLANs (and interfaces) because I was able to understand how it works (thanks to your help).
    And if I need access between some devices in different VLANs I can work with traffic rules. For example, I have set up a few traffic rules for some guest clients (vlan3-6) that are allowed to access the printer on my private network (vlan1).
  5. For most devices any type of traffic should be routed through the VPN, and for a few devices I would like to set up policies via "VPN Policy Based Routing".
  6. I only use dnsmasq (full version because of VPN PBR) on my main OpenWRT router, but sadly I have no idea how to correctly handle prefix advertisement, and IPv6 is still a mystery to me.
    In the past (without VPN) I just set the IPv6 assignment length to 64 for my private and guest networks and every IPv6-capable device was able to use IPv6+IPv4. The rest was default...

This is not even a whole standard subnet. It seems IPv6 addresses are issued for a single-client setup only, not routers. That's about 65,000 IPs. You need to verify that they've all been issued to you.

It feels like a fault of IPv6 because I cannot control it as easily as IPv4

Well, you need to pay more to get proper IPv6 at a VPS or a dedicated server. The good ones will give you a /56 or /48. You can't have everything for a dollar a month. Good ones will cost at least 10-20 bucks a month at the low end. Linode and online.net are two options.


It seems like you are most of the way there. Your guest network is all ready for a "VPN only" solution, it just needs to have an IPv6 prefix from a proper VPN provider advertised... then all the devices use only VPN for IPv6 because that's all they know. Killswitch is more or less automatic: if the VPN goes down, there is nowhere for your packets to go.

As for the non-guest devices like TV or PS4 or VoIP etc., just put them all on their own VPN-routed VLAN.

OpenWRT has its own IPv6 daemon odhcpd and unfortunately I don't know how it works. It is however the software responsible for advertising prefixes, I think. I don't know how to tell it to advertise just one prefix rather than one for each network it knows about. In LuCI this is the "prefix delegation length" thingy; it tells odhcpd to shave off n bits from every prefix for delegating to a particular VLAN/subnet, but you want to just advertise the right number of bits from just your VPN or just your WAN, not both... and that I don't know how to do.
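An added example, not from the thread, of the /etc/config/network side of what the post above is after. It relies on two odhcpd-related interface options that exist in OpenWrt: `ip6assign` (the "prefix delegation length" in LuCI) and `ip6class`, which limits an interface to prefixes learned from the named upstream interfaces. The interface names wan6, lan and guest are assumptions (the thread's own guest VLANs are vlan3-6), and only the IPv6-relevant options of each section are shown.

```uci
# /etc/config/network, downstream interfaces only (added example, not from
# the thread). Assumes the ISP upstream interface is called wan6.

config interface 'lan'
        # non-VPN clients: carve a /64 out of the ISP delegation ...
        option ip6assign '64'
        # ... but only from prefixes learned on wan6, so a prefix that shows
        # up on the VPN interface is never advertised on this VLAN
        list ip6class 'wan6'

config interface 'guest'
        # VPN-only clients: no ip6assign at all, so odhcpd advertises no
        # global prefix here and the clients have no ISP address to leak
        # over. Having ip6assign '64' on this VLAN was the leaking setting.
```

Once a provider hands out a real /64 or shorter, the same mechanism can give the guest VLAN a VPN-only prefix: point its ip6class at the VPN interface instead of wan6 and set ip6assign '64'. How that VPN interface exposes its delegated prefix to odhcpd depends on how it is defined in /etc/config/network and is not covered by this fragment.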


Well, for now I have disabled IPv6 for all my clients via the IPv6 assignment length, and my primary goal will be to modify my networks and create a VPN-only and a non-VPN VLAN.
But I do have a big problem with PBR because I can't enable "strict policy enforcement" without losing access to my VDSL modem...
I figured out that PBR reports my modem with 0.0.0.0 because I haven't set a gateway IP on the modem interface, and if I set my modem IP as the IPv4 gateway for the modem interface I completely lose the connection to the internet because my OpenWrt router wants to use the IP of the modem interface for the internet connection.
It seems that I never run out of problems with my setup... :frowning: