Access Server and IPv6 Support

Abstract

Read this structured overview on Access Server's IPv6 support to understand capabilities.

Access Server primarily operates on IPv4 but offers partial support for IPv6. This topic explains how it works and links you to a tutorial with IPv6 configuration options.

IPv4 as the primary protocol

Access Server requires an IPv4 address to accept incoming VPN connections. Built on the robust OpenVPN core, Access Server fully supports IPv6 within the VPN tunnel. However, while the OpenVPN core also supports IPv6 at the transport layer, Access Server currently focuses on IPv4 for transport but continues to evolve with features that prioritize flexibility and performance across network environments. This means that clients cannot initiate VPN connections via IPv6 addresses directly.

IPv6 in the VPN tunnel

Access Server supports IPv6 at the tunnel layer. Once a VPN connection is established over IPv4, IPv6 traffic can be routed through the VPN tunnel. Another way of putting it: Access Server enables IPv6 packet transmission within an encrypted VPN tunnel, allowing clients to transport IPv6 data over a VPN session initiated by IPv4.

Key terminology:

Transport layer: The encrypted VPN packets exchanged between the client and server. These rely on IPv4 for Access Server.
Tunnel layer: The data transmitted within the VPN tunnel, which can be IPv4 or IPv6 packets.

Requirements for IPv6:

The Linux server hosting Access Server must have an IPv6 interface and a properly configured IPv6 default gateway.
A valid IPv6 address range should be selected for your VPN client assignments.

Example setups

Example 1: Public IPv6 address assignment

Assign public IPv6 addresses to VPN clients and provide direct access to the internet via IPv6.

Tutorial: Assign Public IPv6 Addresses to VPN Clients

Example 2: Private global address pool

Assign clients unique, local IPv6 addresses (equivalent to private IPv4) that aren't routable over the internet, but you can configure Source NAT (SNAT) to allow internet access.

Tutorial: Assign IPv6 IP Addresses to VPN Clients From A Global Pool

Example 3: Private group-based IPv6 assignment

Assign separate IPv6 address pools to different user groups, enabling more granular control over client networking.

Tutorial: Assign IPv6 Addresses to VPN Clients from a Group Pool

IPv6 configuration keys

Use the following configuration keys to work with IPv6 in Access Server.

Configuration Key	Type	Description
vpn.routing6.enable	bool	Enable IPv6 routing.
vpn.server.nat6	bool	Enable IPv6 NAT.
vpn.server.nat6.masquerade	bool	Enable IPv6 masquerade.
vpn.client.routing6.reroute_gw	bool	Route all IPv6 traffic through the tunnel.
vpn.server.daemon.vpn_network6	list of subnets	Default IPv6 VPN subnets to be subdivided among OpenVPN daemons: These are used by clients as VPN routing gateways and allocated to non-group clients.
vpn.client.routing6.inter_client	bool	Enable client-to-client IPv6 traffic.
vpn.server.routing6.private_access	string	Controls how to route private traffic: nat route none
vpn.server.routing6.gateway_access	bool (default=true)	If true, clients may access the server-side tun gateway IPv6 address.
vpn.server.routing6.allow_private_nets_to_clients	bool	If true, all IPv6 addresses in vpn.server.routing6.private_network will be allowed to initiate client connections.
vpn.server.routing6.private_network	list of subnets	Access granted to private server-side subnets.
vpn.server.routing6.incoming_network	list of subnets	IPv6 addresses within this range may initiate connections with VPN clients.
vpn.server.routing6.routed_subnets	list of subnets	Subnets that should be routed rather than NATed (when NAT is enabled).
vpn.server.group_pool6	list of subnets	Optional pool of VPN IPv6 addresses to be subdivided across groups that don't define group_subnets6 or group_range6.
vpn.server.routing6.snat_source	list of SNA spec strings	This defines how to perform Source Network Address Translation (SNAT) for outgoing IPv6 packets. When NAT is enabled, SNAT ensures that VPN client traffic uses a specific IPv6 address or range for outgoing traffic. Specify a range of IPv6 addresses for SNAT on each outgoing network interface.
vpn.server.custom_snat6_chain	string	Define a custom ip6tables chain to handle all outgoing NAT.

In this section: