How to set up a dual stack OpenVPN with a /128 public address?
What is dual stack?
According to WhatIsMyIPAddress:
ISPs have chosen an IP address transition method called dual stack. With the dual stack solution, every networking device, server, switch, router and firewall in an ISP's network will be configured with both IPv4 and IPv6 connectivity capabilities. Most importantly, dual stack technology allows ISPs to process IPv4 and IPv6 data traffic simultaneously.
What does this mean to you? You'll be able to keep surfing the Internet without wondering if your connection will stop working because of the IP address conversion.
Why use a dual stack VPN?
Configuring a dual stack VPN avoids possible IPv6 leaks (traffic escaping the tunnel over IPv6) and gives your clients IPv6 connectivity.
Before starting
Of course, you need IPv6 connectivity on your VPN server.
To check whether IPv6 is configured, run ip a and look at the inet6 part of your public interface; you can also simply check with a ping.
For example, on my server:
$ ping6 -c 4 google.com
PING google.com(par10s34-in-x0e.1e100.net (2a00:1450:4007:817::200e)) 56 data bytes
64 bytes from par10s34-in-x0e.1e100.net (2a00:1450:4007:817::200e): icmp_seq=1 ttl=55 time=1.12 ms
64 bytes from par10s34-in-x0e.1e100.net (2a00:1450:4007:817::200e): icmp_seq=2 ttl=55 time=1.21 ms
64 bytes from par10s34-in-x0e.1e100.net (2a00:1450:4007:817::200e): icmp_seq=3 ttl=55 time=1.43 ms
64 bytes from par10s34-in-x0e.1e100.net (2a00:1450:4007:817::200e): icmp_seq=4 ttl=55 time=1.22 ms
--- google.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 1.126/1.249/1.437/0.122 ms
How to configure OpenVPN in dual stack mode with a single IPv6 address?
Some providers give you only one IPv6 address (a /128). I agree, it's not good, but whatever... you can use NAT to get a neat dual stack anyway.
We will choose a private IPv6 pool, for example 2001:10:240:ab::a/64.
First, enable forwarding for IPv6:
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
Edit the OpenVPN configuration:
vi /etc/openvpn/server.conf
Change the proto parameter:
proto udp6
Add the subnet and the route (this configuration will send all IPv6 traffic through the VPN):
server-ipv6 2001:10:240:ab::a/64
push "route-ipv6 2000::/3"
If you want to push IPv6 DNS servers (these are the Google and Cloudflare IPv6 resolvers):
push "dhcp-option DNS6 2001:4860:4860::8888"
push "dhcp-option DNS6 2606:4700:4700::1111"
And finish with the ip6tables rules (the SNAT source is the whole client pool, not a single address, so every client's packets match):
ip6tables -A FORWARD -i tun0 -o eth0 -j ACCEPT
ip6tables -t nat -A POSTROUTING -s 2001:10:240:ab::/64 -o eth0 -j SNAT --to-source $PUBLIC_BLOCK
Replace eth0 with your public network interface if it's different, and $PUBLIC_BLOCK with your public /128 IPv6 address.
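Here is an added example (not code from the original post) that renders the server.conf fragment and the ip6tables rules above from one set of parameters and sanity-checks them, so the pool, the interface and the public /128 are typed once and the SNAT source always covers the whole client pool. The function names and the sample values (a documentation-range public address) are my own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: render the server.conf
# lines and the ip6tables rules from one set of parameters and sanity-check
# them, so the pool and the public /128 are typed once. Function names and
# the sample values in main() are my own choices.

addr_of() { printf '%s' "${1%/*}"; }                      # "addr/bits" -> "addr"
bits_of() { case $1 in */*) printf '%s' "${1##*/}" ;; *) printf 128 ;; esac; }

# Lines to append to /etc/openvpn/server.conf. $1 = pool, $2.. = DNS6 servers.
ovpn_fragment() {
  pool=$1; shift
  printf 'proto udp6\n'
  printf 'server-ipv6 %s\n' "$pool"
  printf 'push "route-ipv6 2000::/3"\n'
  for dns in "$@"; do
    printf 'push "dhcp-option DNS6 %s"\n' "$dns"
  done
}

# ip6tables rules. The SNAT source is the whole client pool, not the
# server's own tun address: a single-host source never matches client packets.
ip6tables_rules() {
  pool=$1; iface=$2; public=$3
  printf 'ip6tables -A FORWARD -i tun0 -o %s -j ACCEPT\n' "$iface"
  printf 'ip6tables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
    "$pool" "$iface" "$(addr_of "$public")"
}

# 0 when the parameters are usable, 1 (with a reason on stderr) otherwise.
check_params() {
  case $1 in
    */64) ;;
    *) echo "pool '$1' must carry the /64 prefix length" >&2; return 1 ;;
  esac
  [ "$(bits_of "$2")" = 128 ] || { echo "public address '$2' must be a single /128" >&2; return 1; }
  return 0
}

main() {
  # Constructed sample values: the post's pool and a documentation-range public address.
  pool=2001:10:240:ab::/64; public=2001:db8::1/128
  check_params "$pool" "$public" || exit 1
  ovpn_fragment "$pool" 2001:4860:4860::8888 2606:4700:4700::1111
  ip6tables_rules "$pool" eth0 "$public"
}
main "$@"
```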
The result
When you're connected to your VPN, you will be able to reach any IPv6 address.
Feel free to correct me if you see any typo or if something seems wrong to you.
You can send me an email or comment below.