IPv6 via OpenVPN

The installation script:

wget https://git.io/vpn -O openvpn-install.sh

assumes private IPv6 addresses (fc00::/7, specifically fddd:1194:1194:1194::/64) for VPN clients. In order to make use of IPv6 address-space available to the OpenVPN-server:

IPv6 Range

Choose an IPv6 range that will be made available to VPN clients. It will be referred to as YOUR_VPN_IPv6_RANGE below.

If, for instance, you have been assigned an address space of 2a01:aaaa:bbbb:cccc::/64, you may split it and use one block on the host-level (e.g. 2a01:aaaa:bbbb:cccc::/65) and another one on the VPN-level (e.g. 2a01:aaaa:bbbb:cccc:8000::/65).

OpenVPN Server

In the file /etc/openvpn/server/server.conf:

• Remove the local address binding
• Modify proto by adding a trailing 6, e.g. udp6 - this makes the server to listen to both, the IPv4 and IPv6
• Add server-ipv6 YOUR_VPN_IPv6_RANGE
• Add ipv6 to the redirect-gateway-push-option, e.g. push "redirect-gateway def1 ipv6 bypass-dhcp"
• Consider adding push "route-ipv6 YOUR_ASSIGNED_RANGE::/64" if you share the assigned IP range between the host and the VPN clients (otherwise the host-segment won't be reachable by VPN clients)
• Consider providing IPv6-enabled DNS-servers to the client by adding/modifying push "dhcp-option DNS YOUR_DNS_HERE" lines

iptables

• Either modify the installation script or the persistent configuration of iptables under /etc/systemd/system/openvpn-iptables.service
• Remove SNAT from the POSTROUTING chain
• Modify accepted FORWARD rule to use your public IPv6 space.
• Reload configs with systemctl daemon-reload
• Restart the openvpn-iptables service systemctl restart openvpn-iptables.service

Next: InfluxDB Corrupted Data

Previous: Secure DNS service

Main Menu