Tutorial: Assign IPv6 Addresses to VPN Clients from a Group Pool
This tutorial provides a step-by-step guide for assigning IPv6 addresses to VPN clients from a group pool and testing the setup to ensure functionality.
Overview
Access Server primarily uses IPv4 for incoming VPN connections but also supports IPv6 routing within the VPN tunnel. This tutorial will guide you through assigning IPv6 addresses to VPN clients using a group-specific address pool. You’ll configure IPv6 routing and assign a pool of IPv6 addresses to VPN clients within a specific group.
By the end of this tutorial, you'll have set up IPv6 routing for a group of VPN clients and tested the configuration by ensuring that clients can access external IPv6 resources.
Note
The IPv6 address 2001:db8 used in our examples is reserved for documentation use. Replace it with a valid IPv6 address for your network.
An installed Access Server.
An IPv6 interface and default IPv6 gateway configured on the Access Server host system.
A VPN group and at least one user assigned to it. In this tutorial, we use a group named group-test.
A valid IPv6 address pool to assign to your clients.
Connect to the console and get root privileges.
Turn on IPv6 routing:
./sacli --key "vpn.routing6.enable" --value "true" ConfigPut
Turn on full tunneling to route all IPv6 traffic through the tunnel:
./sacli --key "vpn.client.routing6.reroute_gw" --value "true" ConfigPut
Create a pool of IPv6 addresses to assign to clients in your group. In this example, we use the group group-test and assign the subnet 2001:db8:b84b:5::/112:
./sacli --user "group-test" --key "group_subnets6.0" --value "2001:db8:b84b:5::/112" UserPropPut
This subnet is a unique local IPv6 address range (similar to private IPv4 ranges) and is not routable over the internet.
Specify the range of IPv6 addresses that can be assigned to users in the group. For example, use addresses from 2001:db8:b84b:5::8005 to 2001:db8:b84b:5::8009:
./sacli --user "group-test" --key "group_range6.0" --value "2001:db8:b84b:5::8005-2001:db8:b84b:5::8009" UserPropPut
This assigns the IPv6 range 2001:db8:b84b:5::8005 to 2001:db8:b84b:5::8009 for VPN users in the group-test group. The 2001:db8:: block is reserved for documentation, so replace it with your actual network IPv6 range for real-world applications.
Save and apply the settings by restarting the server:
./sacli start
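A pre-flight check for the two group values set above, as an added example that is not part of Access Server or its documentation: it confirms that the group_range6 value lies inside the group_subnets6 subnet, that it holds enough addresses, and that the subnet is not still the documentation prefix. The function names and the fd00: sample prefix used when testing it are assumptions made for illustration, and the overlap helper goes beyond the single-group case in the steps.

```python
import ipaddress

# 2001:db8::/32 is the documentation block the tutorial's sample values come from.
DOC_PREFIX = ipaddress.ip_network("2001:db8::/32")

def parse_range6(value):
    """Split a 'start-end' group_range6 value into two IPv6Address objects."""
    start_s, sep, end_s = value.partition("-")
    if not sep:
        raise ValueError(f"expected 'start-end', got {value!r}")
    return (ipaddress.IPv6Address(start_s.strip()),
            ipaddress.IPv6Address(end_s.strip()))

def check_group_pool(subnet_value, range_value, expected_clients=1):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    # strict=True rejects a subnet written with host bits set (e.g. ...::1/112).
    subnet = ipaddress.IPv6Network(subnet_value, strict=True)
    start, end = parse_range6(range_value)
    if start > end:
        problems.append("range start is higher than range end")
    for label, addr in (("start", start), ("end", end)):
        if addr not in subnet:
            problems.append(f"range {label} {addr} is outside {subnet}")
    size = int(end) - int(start) + 1
    if 0 < size < expected_clients:
        problems.append(f"range holds {size} addresses, {expected_clients} expected")
    if subnet.subnet_of(DOC_PREFIX):
        problems.append(f"{subnet} is inside the documentation block {DOC_PREFIX}")
    return problems

def ranges_overlap(range_a, range_b):
    """True when two 'start-end' ranges (e.g. from two groups) share an address."""
    a_start, a_end = parse_range6(range_a)
    b_start, b_end = parse_range6(range_b)
    return a_start <= b_end and b_start <= a_end

if __name__ == "__main__":
    # The tutorial's own values: consistent, but still the documentation prefix.
    for problem in check_group_pool("2001:db8:b84b:5::/112",
                                    "2001:db8:b84b:5::8005-2001:db8:b84b:5::8009", 5):
        print("WARNING:", problem)
```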
Connect a VPN client that belongs to the group-test group. (We recommend using OpenVPN Connect.) The client app shows an IPv6 address assigned from the pool.
Run a ping test to a public IPv6 address:
ping ipv6.google.com
Expected output:
Reply from 2001:db8:4006:81f::200e: bytes=1500 time=30ms TTL=54
Verify the IPv6 traffic reaches the server by running tcpdump on the server:
tcpdump -eni any host ipv6.google.com
Example output from the server while running tcpdump:
root@openvpn-access-server:/usr/local/openvpn_as/scripts# tcpdump -eni any host ipv6.google.com
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
11:44:10.035937 In ethertype IPv6 (0x86dd), length 96: 2001:db8:b84b:5::8005 > 2607:f8b0:4006:81f::200e: ICMP6, echo request, seq 11, length 40
11:44:10.035983 Out d6:77:ce:97:8c:7c ethertype IPv6 (0x86dd), length 96: 2604:a880:400:d0::189e:6005 > 2607:f8b0:4006:81f::200e: ICMP6, echo request, seq 11, length 40
11:44:10.037937 In fe:00:00:00:01:01 ethertype IPv6 (0x86dd), length 96: 2607:f8b0:4006:81f::200e > 2001:db8:b84b:5::8005: ICMP6 echo reply, id 1, seq 11, length 40
The VPN client's IPv6 address is 2001:db8:b84b:5::8005. The public IPv6 address 2607:f8b0:4006:81f::200e corresponds to Google's IPv6 server (ipv6.google.com).
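One way to read a capture like the one above programmatically, as an added example that is not part of Access Server or its documentation: it reports which addresses from the group range appear in the capture and which source addresses leave the server, so you can see whether client addresses are translated on the way out. The function names are assumptions made for illustration, and the sample input is the three packet lines from the output above.

```python
import ipaddress
import re

# Sample input: the three packet lines from the tcpdump output shown above.
SAMPLE = """\
11:44:10.035937 In ethertype IPv6 (0x86dd), length 96: 2001:db8:b84b:5::8005 > 2607:f8b0:4006:81f::200e: ICMP6, echo request, seq 11, length 40
11:44:10.035983 Out d6:77:ce:97:8c:7c ethertype IPv6 (0x86dd), length 96: 2604:a880:400:d0::189e:6005 > 2607:f8b0:4006:81f::200e: ICMP6, echo request, seq 11, length 40
11:44:10.037937 In fe:00:00:00:01:01 ethertype IPv6 (0x86dd), length 96: 2607:f8b0:4006:81f::200e > 2001:db8:b84b:5::8005: ICMP6 echo reply, id 1, seq 11, length 40
"""

# Direction, source and destination of a `tcpdump -eni any` (cooked capture) line.
LINE = re.compile(r"^\S+\s+(In|Out)\s.*?length \d+: (\S+) > (\S+?): ")

def in_range(addr, first, last):
    return int(first) <= int(addr) <= int(last)

def summarize(capture, range_value):
    """Report pool addresses seen and the sources of packets leaving the server."""
    first, last = (ipaddress.IPv6Address(p.strip())
                   for p in range_value.split("-", 1))
    pool_seen, egress_sources = set(), set()
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # tcpdump banner lines and anything that is not a packet
        try:
            src = ipaddress.IPv6Address(m.group(2))
            dst = ipaddress.IPv6Address(m.group(3))
        except ValueError:
            continue  # TCP/UDP lines carry an address.port suffix; skipped here
        for addr in (src, dst):
            if in_range(addr, first, last):
                pool_seen.add(str(addr))
        # "Out" packets not addressed to a client are leaving toward the network.
        if m.group(1) == "Out" and not in_range(dst, first, last):
            egress_sources.add(str(src))
    untranslated = sorted(a for a in egress_sources
                          if in_range(ipaddress.IPv6Address(a), first, last))
    return {"pool_seen": sorted(pool_seen),
            "egress_sources": sorted(egress_sources),
            "pool_on_egress": untranslated}

if __name__ == "__main__":
    print(summarize(SAMPLE, "2001:db8:b84b:5::8005-2001:db8:b84b:5::8009"))
```

An empty pool_on_egress list, as with this sample, means the outgoing packet left with a different source address than the client's pool address.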
Use the following configuration keys to work with IPv6 in Access Server.
Configuration Key | Type | Description |
---|---|---|
vpn.routing6.enable | bool | Enable IPv6 routing. |
vpn.server.nat6 | bool | Enable IPv6 NAT. |
vpn.server.nat6.masquerade | bool | Enable IPv6 masquerade. |
vpn.client.routing6.reroute_gw | bool | Route all IPv6 traffic through the tunnel. |
vpn.server.daemon.vpn_network6 | list of subnets | Default IPv6 VPN subnets to be subdivided among OpenVPN daemons: These are used by clients as VPN routing gateways and allocated to non-group clients. |
vpn.client.routing6.inter_client | bool | Enable client-to-client IPv6 traffic. |
vpn.server.routing6.private_access | string | Controls how to route private traffic: |
vpn.server.routing6.gateway_access | bool (default=true) | If true, clients may access the server-side tun gateway IPv6 address. |
vpn.server.routing6.allow_private_nets_to_clients | bool | If true, all IPv6 addresses in vpn.server.routing6.private_network will be allowed to initiate client connections. |
vpn.server.routing6.private_network | list of subnets | Access granted to private server-side subnets. |
vpn.server.routing6.incoming_network | list of subnets | IPv6 addresses within this range may initiate connections with VPN clients. |
vpn.server.routing6.routed_subnets | list of subnets | Subnets that should be routed rather than NATed (when NAT is enabled). |
vpn.server.group_pool6 | list of subnets | Optional pool of VPN IPv6 addresses to be subdivided across groups that don't define group_subnets6 or group_range6. |
vpn.server.routing6.snat_source | list of SNAT spec strings | This defines how to perform Source Network Address Translation (SNAT) for outgoing IPv6 packets. When NAT is enabled, SNAT ensures that VPN client traffic uses a specific IPv6 address or range for outgoing traffic. Specify a range of IPv6 addresses for SNAT on each outgoing network interface. |
vpn.server.custom_snat6_chain | string | Define a custom ip6tables chain to handle all outgoing NAT. |