As mentioned before, when switching to IPv6 (or more realistically, to dual stack) one of the things that might not work out of the box is VPNs. I decided to put some effort in it to get it to work anyway.
Since we currently already have an OpenVPN tunnel, I preferred to stay with OpenVPN rather than switch to a different stack. Turns out OpenVPN supports IPv6, but under a series of assumptions. Among others, you need OpenVPN 2.3 on both the client and the server to be able to use the new config directives such as route-ipv6. At this moment, 2.3 is still beta. While I enjoy beta-software on a daily basis, rolling it out as a production VPN seems a bit to risky.
To provide maximal compatibility, I decided to stay with OpenVPN 2.2 and use the tap-interface. I wrote my own up-scripts to take care of the required IPv6 configuration steps.
Communicating the parameters
OpenVPN has a setenv config directive, which sets additional environment variables for the up-script. Its brother setenv-safe (which prefixes all variables with OPENVPN_) can also be pushed from server to client, allowing arbitrary parameters to be communicated from server to client. I use these three:
push "setenv-safe IP6_PREFIX 2001:db8:0:1::/64" push "setenv-safe IP6_GW 2001:db8:0:1::1" push "setenv-safe IP6_ROUTES '2001:db8:0:0::/48 2001:db8:1234::/48'"
Configuring the client
The client now has all the information it needs to enable IPv6 on the tunnel-connection. It just needs to apply that knowledge. I wrote some very basic shell scripts to accomplish this. Basically, the script looks for the MAC-address of the (virtual) VPN interface, which it uses to form a SLAAC address together with the supplied prefix. At this moment, it does not check for duplicate IP addressing. Next, it configures the calculated IP onto the interface and adds the supplied routes to the routing table.
For those interested, I provide, without any warranty <insert legalese disclamer here>
- The MacOSX version, written in bash
- The Linux version, written in bash
- The Windows version, a batch-file and powershell hacked together. If you are stuck with a broken OS that won’t let you download this file, try the same content, but pretending to be a text-file, and rename it yourself.