OpenVPN: Dynamically assign client IPv6 GUA with dynamic WAN IPv6-prefix?

mm28ajos · August 25, 2021, 8:35pm

Hey there,

I am currently trying to automatically and dynamically assign an IPv6 GUA /64-subnet to my OpenVPN server running on my OpenWRT router. I successfully tested the setup manually by assigning a remaining /64 subnet of the /58-GUA subnet delegated to the OpenWRT router in the OpenVPN config like so:

	option server_ipv6 '2xxx:cxx:cxx:xxx::/64'

The issue now is twofold: 1) my ISP changes the /58-GUA subnet from time to time and 2) I have several interfaces which get a /64-GUA automatically assigned by OpenWRT from the /58-GUA received on WAN (so I must ensure not to have overlapping /64-GUA subnets).

My three question now are:

Is there any elegant solution for this problem you might now?
If no, my idea is to write a hotplug script (/etc/hotplug.d/iface/) triggered when a new IPv6 prefix is received which calculates a free /64-subnet based on the new received /58-GUA and to let the script assign this /64-GUA subnet to the OpenVPN config and reload the OpenVPN server.
To make 2) work, I need a way to calculate the /64-GUA subnet for the OpenVPN server. Do you know a good library for that? My naive, dirty approach would be, to create a temporary dummy interface and let OpenWRT calculate a /64-GUA subnet and take this for the OpenVPN server and to delete the temporary interface again by the script.

Thank you for your ideas/remarks!

vgaetera · August 25, 2021, 9:20pm

Specify a unique fixed ip6hint for each downstream interface including the VPN.
Then fetch the prefix on hotplug and apply the configured ip6hint for the VPN interface:

NET_HINT6="$(uci get network.vpn.ip6hint)"
NET_VPN6="${NET_PFX6%%?::*}${NET_HINT6}::/64"

mm28ajos · August 26, 2021, 5:14pm

Thanks! But I made a mistake in my post.. I receive a /58-prefix so subnetting based on the pure digits is not working if you have several interfaces (/56 prefix is on the upstream FB router, I mixed that up while writing the post).

mm28ajos · August 28, 2021, 10:30pm

mh, but with this solution I can only have 16 /64 subnets instead of the 64 available ipv6 subnets in this specific setting. I am looking to a more robust/general way of assign the IPv6 subnet to OpenVPN (i.e. which can consider different subnet sizes on the other interfaces which take a chunk of the available IPv6 prefix and ipv6hints > 16 etc.).

I just came up with the hotplug script below which I will test in the next days. I changed the OpenVPN interface from unmanaged to static. This way, I can configure the subnet hints and sizes as usual in /etc/config/interface and let OpenWRT handle the whole IPv6 subnetting and just grab the IPv6 subnet assigned to the OpenVPN interface by the hotplug script and assign it to the OpenVPN server config. Seems to work at the first glance, but I will test it in more detail.

/etc/config/network

config interface 'LANvpn'
	option ifname 'tun1'
	option proto 'static'
	option ip6assign '64'
	option ip6hint '14'

/etc/hotplug.d/iface/30-ipv6pdchange.sh

#!/bin/sh

# if ipv6 address has changed on WAN6 go for it
if [ "$INTERFACE" = "wan6" -a "$IFUPDATE_ADDRESSES" = "1" ]
then

    # source network functions
    source /lib/functions/network.sh

    # get IPv6 of openvpn interface
    network_get_ipaddr6 IPV6_OVPN "LANvpn"

    # get subnet size of OpenVPN interface
    NET_ASSIGN="$(uci get network.LANvpn.ip6assign)"

    # set openvpn server-ipv6 option
    uci set openvpn.LAN.server_ipv6="$IPV6_OVPN/$NET_ASSIGN"
    uci commit openvpn

    # reload openvpn
    /etc/init.d/openvpn reload
fi

mm28ajos · September 2, 2021, 10:50am

After some days with prefix updates, I can confirm the above is working.

system · September 12, 2021, 10:50am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.