Tutorial: Assign Public IPv6 IP Addresses to VPN Clients
How to enable and test IPv6 routing in Access Server | OpenVPN.
Overview
This tutorial explains enabling and configuring IPv6 routing in Access Server. Although Access Server requires IPv4 for incoming connections, it supports IPv6 routing inside the VPN tunnel. This means that clients connected over IPv4 can send and receive IPv6 packets through the VPN.
Tip
We recommend this configuration for use cases where you have an entire public IPv6 subnet and want to assign public IPv6 addresses for VPN clients to reach internet resources directly without NAT.
Note
The IPv6 address 2001:db8 used in our examples is reserved for documentation use.
Replace it with a valid IPv6 address for your network.
Prerequisites
An installed Access Server.
An IPv6 interface with an IPv6 default gateway configured on the Linux machines hosting Access Server.
A valid IPv6 address range to assign to VPN clients (can be from a public, private global, or group-specific access pool).
Console access.
Note
For this tutorial, our provider supplies subnet 2001:db8:XXXX:963::/64.
The first usable IP address, 2001:db8:XXXX:963::1, is assigned to the Access Server host.
We'll assign 2001:db8:XXXX:963:0001::/116 as the subnet for assigning IP addresses to VPN clients.
Connect to the console and get root privileges:
sudo su
Turn on IPv6 routing:
./sacli --key "vpn.routing6.enable" --value "true" ConfigPut
Turn on full tunneling to route all IPv6 traffic through the tunnel:
./sacli --key "vpn.client.routing6.reroute_gw" --value "true" ConfigPut
Specify the IPv6 subnet you'll use to assign addresses to VPN clients:
./sacli --key "vpn.server.daemon.vpn_network6.0" --value "2001:db8:XXXX:963:0001::/116" ConfigPut
Note
The IPv6 address 2001:db8 used in our examples is reserved for documentation use.
Replace it with a valid IPv6 address for your network.
Disable IPv6 NAT:
./sacli --key "vpn.server.nat6" --value "false" ConfigPut
After configuring IPv6 routing and addressing, save and apply the settings by restarting the server:
./sacli start
Connect to the VPN with a client (we recommend OpenVPN Connect).
The client should receive an IPv6 address from the IPv6 pool, 2001:db8:XXXX:963.0001::/116.
Check your public IPv6 address with a public service that detects IP addresses, such as https://whatismyipaddress.com/ or https://test-ipv6.com/.
Your IPv6 address displays.
Use the following configuration keys to work with IPv6 in Access Server.
Configuration Key | Type | Description |
|---|---|---|
vpn.routing6.enable | bool | Enable IPv6 routing. |
vpn.server.nat6 | bool | Enable IPv6 NAT. |
vpn.server.nat6.masquerade | bool | Enable IPv6 masquerade. |
vpn.client.routing6.reroute_gw | bool | Route all IPv6 traffic through the tunnel. |
vpn.server.daemon.vpn_network6 | list of subnets | Default IPv6 VPN subnets to be subdivided among OpenVPN daemons: These are used by clients as VPN routing gateways and allocated to non-group clients. |
vpn.client.routing6.inter_client | bool | Enable client-to-client IPv6 traffic. |
vpn.server.routing6.private_access | string | Controls how to route private traffic:
|
vpn.server.routing6.gateway_access | bool (default=true) | If true, clients may access the server-side tun gateway IPv6 address. |
vpn.server.routing6.allow_private_nets_to_clients | bool | If true, all IPv6 addresses in vpn.server.routing6.private_network will be allowed to initiate client connections. |
vpn.server.routing6.private_network | list of subnets | Access granted to private server-side subnets. |
vpn.server.routing6.incoming_network | list of subnets | IPv6 addresses within this range may initiate connections with VPN clients. |
vpn.server.routing6.routed_subnets | list of subnets | Subnets that should be routed rather than NATed (when NAT is enabled). |
vpn.server.group_pool6 | list of subnets | Optional pool of VPN IPv6 addresses to be subdivided across groups that don't define group_subnets6 or group_range6. |
vpn.server.routing6.snat_source | list of SNA spec strings | This defines how to perform Source Network Address Translation (SNAT) for outgoing IPv6 packets. When NAT is enabled, SNAT ensures that VPN client traffic uses a specific IPv6 address or range for outgoing traffic. Specify a range of IPv6 addresses for SNAT on each outgoing network interface. |
vpn.server.custom_snat6_chain | string | Define a custom ip6tables chain to handle all outgoing NAT. |