
Any working tutorials for an OpenVPN server with IPv4 & IPv6?

Gang Starr

New Member
Hello fellas,

I have a KVM box with DDoS protection in France by Verelox and have been very happy with their service. Got a single IPv6 address of a /64 recently.

I want to set up a VPN server with OpenVPN. I did it hundreds of times with IPv4 and everything always worked, but I never managed to set one up with IPv6 (I have native IPv6).

Do you guys know proper guides that would help me to set up IPv6 on the OpenVPN server? I hate IPv6 leaking VPNs.

According to OpenVPN wiki: 

Requirements
A few things must be met in order to use IPv6:

  • An existing and functional OpenVPN configuration (use the official howto if you don't yet have this.) - CHECK
  • Both client and server must support IPv6; most modern systems these days include this support already - CHECK
Additionally:

  • Recommended: A routed IPv6 network block that will reach the host configured as the OpenVPN server - I have 1 address of a /64
  • alternatively, check section "Splitting a single routable IPv6 netblock" below
 

hxQ&S8ZaVn9e

New Member
Subscribed :)

I am curious too. IPv6 is new to me and I usually disable it on anything that has it since I don't know what to do with it yet.
 

Gang Starr

New Member
drmike, I have read this study and it was one of the reasons why I got an IPv6 on my KVM box to make a proper VPN that does not leak IPv6.

I used to use FrootVPN (by some friends of TPB) and they actually did have a proper VPN with IPv6 addresses (no IPv6 leak and no DNS leak), but... they ended their free service.

I wonder how they made it work. I know that OpenVPN supports IPv6 since like 2.3.0. If I really need a routed block I guess I can get Tunnel Broker France tunnel up and simply get my routed /64 instead of 1 IP address out of the provider's /64.

Not quite sure about the setup though because it's OVH and... you know.

The wiki entry on OpenVPN for IPv6 explains how to do it, but it never worked for me; however, I recall I never actually really had a routed /64 with all my other VPSs. Only either one or a few more IPv6 addresses (SolusVM sucks hard...). Virtualizor supports giving out whole ranges of IPv6 but Verelox only provided me 1 IPv6.
 

texteditor

Premium Buffalo-based Hosting
I'm running Firefox with shadowsocks over tinc to VPSs with IPv4 & v6 with no leaks

I have network.dns.disableIPv6 set to false in Firefox's about:config, but have network.dns.disablePrefetch & network.proxy.socks_remote_dns set to true. Seems to do the trick

If you need something more complex, set up a DNS server on the VPS
 

drmike

100% Tier-1 Gogent
I don't know if you've even read what I posted...


OpenVPN! I said nothing about any other software.
Well, @texteditor's points will help on a dual IP stack to clean up leaking a bit from the identified areas.

But such won't address an IPv6-only or dual IPv4 + IPv6 OpenVPN config.
 

Gang Starr

New Member
Try giving this a read for the solution:

http://www.tecmint.com/install-openvpn-in-debian/

"This article details how to obtain IPv6 connectivity on OpenVPN using Debian Linux. The process has been tested on Debian 7 on a KVM VPS with IPv6 connectivity as the server, and a Debian 7 desktop. The commands are to be run as root."
I tried that, but to be honest the guide is quite a mess and the VPN isn't working at all. His IPv6 configuration is totally screwed or something. All kinds of different IP addresses appearing in the files. A mess. The whole guide is just full of mistakes.
 

Nyr

Active Member
The guide linked by @drmike is very outdated and should not be used.

@Gang Starr IPv6 leaks have nothing to do with your server supporting IPv6.

That said, setting up IPv6 for OpenVPN is easy if you have a routed subnet, as you should if your provider has any clue about how IPv6 works. This is not exactly what you want, but enough to understand: https://wiki.nyr.es/ipv6_tunnel_broker_openvpn_openvz

If you have a single IPv6 available, you are only left with some nasty workarounds.
 

Gang Starr

New Member
Well, IPv6 leaks have a strong relation to a server having IPv6 or not and whether the OpenVPN server is set up for IPv6.

1) The server does not have IPv6 and an IPv4 VPN is running but client has both: client IPv6 leaks on sites that explicitly request IPv6. Been there, done that multiple times.

2) The server has IPv6 but is not configured to use it via VPN: client IPv6 also leaks. Also had that because I so far never really managed to set up IPv6 with OpenVPN.

The server I have is KVM though and another one XenHVM. I have got myself a /64 from Tunnel Broker by HE routed to the VPS.
 

Nyr

Active Member
No, IPv6 leaks have a strong relation to how your client routes IPv6 (or doesn't) when connected to the VPN. Nothing to do with the server, even if you can avoid them by pushing routes to the client.

Also, nearly no sites will "request" IPv6 by default. This is again a client side decision if both of them are available for a record.
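
The client-side routing check discussed in this thread, as an added example that is not part of any poster's message: it parses `ip -6 route show` output and reports whether a global IPv6 destination would leave through an interface other than the VPN tunnel. The route tables, the `tun0`/`eth0` interface names and the 2001:db8:: documentation addresses are constructed for illustration.

```python
import ipaddress

# Constructed `ip -6 route show` output: dual-stack client on an IPv4-only VPN.
LEAKING = """\
2001:db8:1:2::/64 dev eth0 proto ra metric 100 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 100 pref medium
"""

# Constructed: same client after the server pushed a 2000::/3 route via the tunnel.
TUNNELLED = """\
2000::/3 via 2001:db8:0:123::1 dev tun0 metric 1024 pref medium
2001:db8:0:123::/64 dev tun0 proto kernel metric 256 pref medium
2001:db8:1:2::/64 dev eth0 proto ra metric 100 pref medium
default via fe80::1 dev eth0 proto ra metric 100 pref medium
"""

# Constructed: client with link-local addressing only (no global IPv6 route).
NO_V6 = "fe80::/64 dev eth0 proto kernel metric 256 pref medium\n"


def parse_routes(text):
    """Return (network, device) pairs from `ip -6 route show` output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if "dev" not in fields:
            continue
        dest = "::/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # route types this sketch does not model
        routes.append((net, fields[fields.index("dev") + 1]))
    return routes


def egress_device(routes, destination):
    """Longest-prefix match: the interface the kernel would pick."""
    addr = ipaddress.ip_address(destination)
    matches = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    return max(matches, key=lambda m: m[0])[1] if matches else None


def leaks_ipv6(route_text, vpn_dev="tun0", probe="2001:db8:ffff::1"):
    """True if traffic to a global IPv6 address bypasses the VPN interface."""
    dev = egress_device(parse_routes(route_text), probe)
    return dev is not None and dev != vpn_dev
```

On a real client, feed it the output of `ip -6 route show` captured while the VPN is connected.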
 