As mentioned before, when switching to IPv6 (or more realistically, to dual stack) one of the things that might not work out of the box is VPNs. I decided to put some effort in it to get it to work anyway.

Since we currently already have an OpenVPN tunnel, I preferred to stay with OpenVPN rather than switch to a different stack. Turns out OpenVPN supports IPv6, but under a series of assumptions. Among others, you need OpenVPN 2.3 on both the client and the server to be able to use the new config directives such as route-ipv6. At this moment, 2.3 is still beta. While I enjoy beta-software on a daily basis, rolling it out as a production VPN seems a bit to risky.

To provide maximal compatibility, I decided to stay with OpenVPN 2.2 and use the tap-interface. I wrote my own up-scripts to take care of the required IPv6 configuration steps.

Communicating the parameters

OpenVPN has a setenv config directive, which sets additional environment variables for the up-script. Its brother setenv-safe (which prefixes all variables with OPENVPN_) can also be pushed from server to client, allowing arbitrary parameters to be communicated from server to client. I use these three:

push "setenv-safe IP6_PREFIX 2001:db8:0:1::/64"
push "setenv-safe IP6_GW 2001:db8:0:1::1"
push "setenv-safe IP6_ROUTES '2001:db8:0:0::/48 2001:db8:1234::/48'"

Configuring the client

The client now has all the information it needs to enable IPv6 on the tunnel-connection. It just needs to apply that knowledge. I wrote some very basic shell scripts to accomplish this. Basically, the script looks for the MAC-address of the (virtual) VPN interface, which it uses to form a SLAAC address together with the supplied prefix. At this moment, it does not check for duplicate IP addressing. Next, it configures the calculated IP onto the interface and adds the supplied routes to the routing table.

For those interested, I provide, without any warranty <insert legalese disclamer here>


  1. ICMP VPN says:

    Nice, I finally found a tutorial for IPv6 that works. Can you also create a tutorial for tun mode?

  2. uke-eda says:

    Thanks. Very much appreciated.

    Unfortunately the last link (The Windows version,… under Configuring the Client) is not working. Would it be possible to restore it? That would be nice.

  3. Niobos says:

    The link is working fine. It’s probably your anti-virus (or similar) that is preventing you from downloading the CMD-file. Unfortunately, there is not much that I can do about that on the server-end.
    I did add a text-file with the exact same content. You could try to download that, and manually rename it?

  4. uke-eda says:

    @ Niobos

    I was surfing with secure http. Your download server doesn’t support this it seems. Sorry for not realising it earlier (before posting).

    Got your file now. Thanks again!

  5. Niobos says:

    This server supports HTTPS just fine. I do use a certificate from CAcert, so you might get a security warning on the first page you visit over HTTPS. What led you to the conclusion that https isn’t working?

  6. fangfufu says:

    I have written up a method that doesn’t require a script. I think it is slightly more elegant. It is basically an OpenVPN TAP bridge.

Leave a Reply

Anti-Spam Quiz: