Providing ipv6 access through openvpn part 1: assigning ipv6 addresses to openvpn clients

While ipv6 is becoming more common, not many ISP’s do provide ipv6 addresses to their customers. But what if you have some ipv6 /64 subnets, e.g. on a hosted server, and you want to provide ipv6 access to locations that only have ipv4? Simply become your own ipv6 provider, using OpenVPN!

In this post, we explain how openvpn can be used to add ipv6 access to clients that only have an ipv4 connection to internet. The next post extends this example to routing ipv6 subnets through openvpn, allowing every machine in the office network behind the openvpn client to have ipv6 access.

To provide openvpn clients with ipv6, you need a server that has both an ipv4 address and some unused ipv6 /64 subnets. The OpenVPN server will be accessible through ipv4, and an ipv6 /64 subnet can be routed through the OpenVPN Tunnel.

Providing IPv6 internet access to OpenVPN Clients

In this example, the OpenVPN server has

  • ipv4 address (This is an example ipv4 address. Use your own real, publicly accessible address if you want to implement this yourself)
  • an ipv6 address for itself (the exact address does not matter)
  • an extra ipv6 /48 subnet: 2001:db8:f00::/48. Out or this subnet, a /64 subnet is assigned for use by the openvpn tunnel, in this case 2001:db8:f00:bebe::/64

OpenVPN server configuration

Assuming that ipv6 traffic for 2001:db8:f00::/48 is routed to the OpenVPN server,  the openvpn configuration for the server becomes:

# general settings for openvpn server
proto udp
dev tun
# setting up an openvpn server with certificates is covered here:
ca myca.crt
cert myserver.crt
key myserver.key
dh dh1024.pem
# use for the openvpn tunnel ipv4
# adittional settings for ipv6:
server-ipv6 2001:db8:f00:bebe::/64
push "route-ipv6 ::/0"
push "route-metric 2000"

The last three lines contain special options for ipv6. Let us look them in detail.

server-ipv6 2001:db8:f00:bebe::/64

Here, we take a /64 subnet out of our larger 2001:db8:f00::/48 subnet. OpenVPN will use it for assigning  addresses to tunnel the endpoints . The server itself takes address 2001:db8:f00:bebe::1/64, and a client is assigned for example the address 2001:db8:f00:bebe::1006/64.

push "route-ipv6 ::/0"

This option makes the server instruct the client to route ipv6 traffic to ::/0 (that is, the entire ipv6 internet) through the vpn.

push "route-metric 2000"

In the last line, we set the default route metric to 2000 for any networks that are  routed through the VPN (both ipv4 and ipv6). 2000 is a very high value, and as a result, the route through openvpn to ipv6 internet will not be used if the client has a better ipv6 connection available. This line is optional.

Finally, we need to make sure  the linux kernel will allow ipv6 packets to be routed: execute the following command on the server:


To make this option permanent across reboots, add a line to /etc/sysctl.conf:


Client configuration

For safety, first a little firewalling: allow connections to the loopback interface, allow connections that are initiated from the client, and drop all the rest. That’s just three lines:

ip6tables -P INPUT DROP
ip6tables -I lo -j ACCEPT
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "accept traffic for established connections" -j ACCEPT

Now we need a client config, and that is simply the following:

dev tun-ipv6
ca myca.crt
cert myclient.crt
key myclient.key

The only special setting here is the naming of the tun-device. Here, it is named ’tun-ipv6′. If no name is specified, openvpn names tunnel devices tunN, so a host with multiple tunnels would have a tun0, tun1, and so on. By  explicitly naming the tunnel ’tun-ipv6′, we can be reasonably sure the network device is really called ’tun-ipv6′. This facilitates writing simple ipv6 firewalling with ip6tables.

After the OpenVPN connection is established, the client is assigned an ipv6 address through OpenVPN and the client is ipv6-enabled!

But what if the client in question is the gateway for an office network? To enable ipv6 on the network behind it, read on to part 2.