Tutorial: Assign IPv6 IP Addresses to VPN Clients From A Global Pool
Assign IPv6 addresses to your Access Server VPN clients from a global pool.
Overview
This tutorial explains how to enable and configure IPv6 in Access Server so that VPN clients are assigned addresses from a global IPv6 pool. Although Access Server requires IPv4 for incoming connections, it supports IPv6 routing inside the VPN tunnel, so clients that connect over IPv4 can still send and receive IPv6 packets through the VPN.
Note
The IPv6 prefix 2001:db8 used in our examples is reserved for documentation use. Replace it with a valid IPv6 address range for your network.
Prerequisites
An installed Access Server.
An IPv6 interface and IPv6 default gateway configured on your Access Server host machine.
A valid IPv6 address range to assign to VPN clients.
Connect to the console and get root privileges.
Turn on IPv6 routing:
./sacli --key "vpn.routing6.enable" --value "true" ConfigPut
Turn on full tunneling to route all IPv6 traffic through the tunnel:
./sacli --key "vpn.client.routing6.reroute_gw" --value "true" ConfigPut
Create a default IPv6 address pool to assign to your VPN clients:
./sacli --key "vpn.server.daemon.vpn_network6.0" --value "2001:db8:b84b:2::/112" ConfigPut
In this example, we use "2001:db8:b84b:2::/112". This is a unique local IPv6 address (IPv4 private IP equivalent), which means this IP is not routable over the internet.
Configure SNAT so IPv6 traffic from the VPN client uses it to go to the internet:
./sacli --key "vpn.server.routing6.snat_source.0" --value "eth0:2001:db8::963::1" ConfigPut
Save and apply the settings by restarting the server:
./sacli start
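The four settings above, as an added preflight script that is not part of the tutorial or of OpenVPN: it validates the pool and the snat_source spec with Python's ipaddress module before emitting the sacli lines. The SNAT value eth0:2001:db8:963::1 it uses is constructed; the key names and the pool are the tutorial's.

```python
"""Preflight check for the IPv6 settings this tutorial writes with sacli.

Added example, not from the tutorial or from OpenVPN: validates the pool and
the SNAT spec before ConfigPut and returns the exact sacli lines to run.
"""
import ipaddress

DOC_PREFIX = ipaddress.IPv6Network("2001:db8::/32")  # RFC 3849 documentation-only prefix


def check_pool(pool):
    """Return (network, warnings); raise ValueError if the pool text is unusable."""
    net = ipaddress.IPv6Network(pool, strict=True)  # strict: host bits must be zero
    warnings = []
    if net.subnet_of(DOC_PREFIX):
        warnings.append(f"{pool} is inside 2001:db8::/32, which is never routed on the internet")
    elif net.is_private:
        warnings.append(f"{pool} is not global scope; clients depend entirely on SNAT")
    return net, warnings


def check_snat_source(spec):
    """Parse an 'iface:address' SNAT spec; return (iface, address, warnings)."""
    iface, sep, addr = spec.partition(":")
    if not (sep and iface and addr):
        raise ValueError(f"snat_source must look like eth0:<ipv6>, got {spec!r}")
    address = ipaddress.IPv6Address(addr)  # ValueError on malformed text, e.g. two '::'
    warnings = []
    if address in DOC_PREFIX:
        warnings.append(f"{addr} is a documentation address; use a global address bound to {iface}")
    elif not address.is_global:
        warnings.append(f"{addr} is not global unicast; internet hosts cannot reply to it")
    return iface, address, warnings


def sacli_commands(pool, snat_spec):
    """Validate both values, then return the tutorial's sacli lines in order."""
    check_pool(pool)
    check_snat_source(snat_spec)
    settings = [
        ("vpn.routing6.enable", "true"),
        ("vpn.client.routing6.reroute_gw", "true"),
        ("vpn.server.daemon.vpn_network6.0", pool),
        ("vpn.server.routing6.snat_source.0", snat_spec),
    ]
    cmds = [f'./sacli --key "{k}" --value "{v}" ConfigPut' for k, v in settings]
    return cmds + ["./sacli start"]  # restart applies the new settings


if __name__ == "__main__":  # constructed values: the tutorial's pool and a well-formed SNAT spec
    print("\n".join(sacli_commands("2001:db8:b84b:2::/112", "eth0:2001:db8:963::1")))
```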
From a client machine, connect to the VPN (we recommend using OpenVPN Connect).
The client should receive an IPv6 address from the 2001:db8:b84b:2::/112 pool.
Ping an external IPv6 site:
ping ipv6.google.com
Output from a Windows PC:
PS C:\Users\AUser> ping ipv6.google.com
Reply from 2607:f8b0:4006:81f::200e: bytes=1500 time=30ms TTL=54
Reply from 2607:f8b0:4006:81f::200e: bytes=1500 time=30ms TTL=54
Reply from 2607:f8b0:4006:81f::200e: bytes=1500 time=29ms TTL=54
Reply from 2607:f8b0:4006:81f::200e: bytes=1500 time=30ms TTL=54
Reply from 2607:f8b0:4006:81f::200e: bytes=1500 time=31ms TTL=54
Ping statistics for 2607:f8b0:4006:81f::200e:
    Packets: Sent = 5, Received = 5, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 29ms, Maximum = 31ms, Average = 30ms
Monitor the traffic on the server using tcpdump:
tcpdump -eni any host ipv6.google.com
Here's an example output showing how the IPv6 traffic is processed and redirected using SNAT:
root@openvpn-access-server-AUser:/usr/local/openvpn_as/scripts# tcpdump -eni any host ipv6.google.com
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
10:47:31.114998 In ethertype IPv6 (0x86dd), length 96: 2001:db8:b84b:2::8002 > 2607:f8b0:4006:81f::200e: ICMP6, echo request, seq 9, length 40
10:47:31.115031 Out d6:77:ce:97:8c:7c ethertype IPv6 (0x86dd), length 96: 2604:a880:400:d0::189e:6005 > 2607:f8b0:4006:81f::200e: ICMP6, echo request, seq 9, length 40
10:47:31.116589 In fe:00:00:00:01:01 ethertype IPv6 (0x86dd), length 96: 2607:f8b0:4006:81f::200e > 2604:a880:400:d0::189e:6005: ICMP6 echo reply, id 1, seq 9, length 40
10:47:31.116610 Out ethertype IPv6 (0x86dd), length 96: 2607:f8b0:4006:81f::200e > 2001:db8:b84b:2::8002: ICMP6 echo reply, id 1, seq 9, length 40
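To turn that capture into a repeatable check rather than something read by eye, here is an added example (not part of the tutorial) that parses tcpdump -eni any lines and reports echo requests that left the host without the SNAT source address. The first four sample lines are the tutorial's capture; the fifth is a constructed untranslated packet.

```python
"""Check a tcpdump capture for correct IPv6 SNAT on the Access Server host.

Added example, not from the tutorial: it reads cooked-mode ('-eni any') lines
like the ones above and reports every echo request that left the host with a
client pool address instead of the configured SNAT source. The first four
SAMPLE lines are the tutorial's capture; the fifth is a constructed leak.
"""
import ipaddress
import re

LINE = re.compile(
    r"^\S+ (?P<dir>In|Out) (?:[0-9a-f:]{17} )?ethertype IPv6 \(0x86dd\), length \d+: "
    r"(?P<src>\S+) > (?P<dst>\S+): ICMP6,? echo (?P<kind>request|reply),"
    r"(?: id \d+,)? seq (?P<seq>\d+)"
)

SAMPLE = """\
10:47:31.114998 In ethertype IPv6 (0x86dd), length 96: 2001:db8:b84b:2::8002 > 2607:f8b0:4006:81f::200e: ICMP6, echo request, seq 9, length 40
10:47:31.115031 Out d6:77:ce:97:8c:7c ethertype IPv6 (0x86dd), length 96: 2604:a880:400:d0::189e:6005 > 2607:f8b0:4006:81f::200e: ICMP6, echo request, seq 9, length 40
10:47:31.116589 In fe:00:00:00:01:01 ethertype IPv6 (0x86dd), length 96: 2607:f8b0:4006:81f::200e > 2604:a880:400:d0::189e:6005: ICMP6 echo reply, id 1, seq 9, length 40
10:47:31.116610 Out ethertype IPv6 (0x86dd), length 96: 2607:f8b0:4006:81f::200e > 2001:db8:b84b:2::8002: ICMP6 echo reply, id 1, seq 9, length 40
10:47:32.120000 Out d6:77:ce:97:8c:7c ethertype IPv6 (0x86dd), length 96: 2001:db8:b84b:2::8002 > 2607:f8b0:4006:81f::200e: ICMP6, echo request, seq 10, length 40
"""


def check_snat(capture, pool, snat_source):
    """Return (translated, leaked): seq numbers of outgoing echo requests.

    Only 'Out' echo requests matter: a source equal to the SNAT address means
    the ip6tables SNAT rule fired; a pool source means the packet escaped
    untranslated and no internet host will answer it. Other sources are ignored.
    """
    pool = ipaddress.IPv6Network(pool)
    snat = ipaddress.IPv6Address(snat_source)
    translated, leaked = [], []
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m or m["dir"] != "Out" or m["kind"] != "request":
            continue  # inbound packets and replies toward the client are not SNAT evidence
        src, seq = ipaddress.IPv6Address(m["src"]), int(m["seq"])
        if src == snat:
            translated.append(seq)
        elif src in pool:
            leaked.append(seq)
    return translated, leaked


if __name__ == "__main__":
    ok, bad = check_snat(SAMPLE, "2001:db8:b84b:2::/112", "2604:a880:400:d0::189e:6005")
    print(f"translated seq: {ok}, leaked seq: {bad}")
```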
Use the following configuration keys to work with IPv6 in Access Server.
Configuration Key | Type | Description |
---|---|---|
vpn.routing6.enable | bool | Enable IPv6 routing. |
vpn.server.nat6 | bool | Enable IPv6 NAT. |
vpn.server.nat6.masquerade | bool | Enable IPv6 masquerade. |
vpn.client.routing6.reroute_gw | bool | Route all IPv6 traffic through the tunnel. |
vpn.server.daemon.vpn_network6 | list of subnets | Default IPv6 VPN subnets to be subdivided among OpenVPN daemons: These are used by clients as VPN routing gateways and allocated to non-group clients. |
vpn.client.routing6.inter_client | bool | Enable client-to-client IPv6 traffic. |
vpn.server.routing6.private_access | string | Controls how to route private traffic. |
vpn.server.routing6.gateway_access | bool (default=true) | If true, clients may access the server-side tun gateway IPv6 address. |
vpn.server.routing6.allow_private_nets_to_clients | bool | If true, all IPv6 addresses in vpn.server.routing6.private_network will be allowed to initiate client connections. |
vpn.server.routing6.private_network | list of subnets | Access granted to private server-side subnets. |
vpn.server.routing6.incoming_network | list of subnets | IPv6 addresses within this range may initiate connections with VPN clients. |
vpn.server.routing6.routed_subnets | list of subnets | Subnets that should be routed rather than NATed (when NAT is enabled). |
vpn.server.group_pool6 | list of subnets | Optional pool of VPN IPv6 addresses to be subdivided across groups that don't define group_subnets6 or group_range6. |
vpn.server.routing6.snat_source | list of SNAT spec strings | Defines how to perform Source Network Address Translation (SNAT) for outgoing IPv6 packets. When NAT is enabled, SNAT ensures that VPN client traffic uses a specific IPv6 address or range for outgoing traffic. Specify a range of IPv6 addresses for SNAT on each outgoing network interface. |
vpn.server.custom_snat6_chain | string | Define a custom ip6tables chain to handle all outgoing NAT. |