What dual stack is ?
According to WhatIsMyIPAddress :
ISPs have chosen an IP address transition method called dual stack. With the dual stack solution, every networking device, server, switch, router and firewall in an ISP's network will be configured with both IPv4 and IPv6 connectivity capabilities. Most importantly, dual stack technology allows ISPs to process IPv4 and IPv6 data traffic simultaneously.
What does this mean to you? You'll be able to keep surfing the Internet without wondering if your connection will stop working because of the IP address conversion.
Why use a dual stack VPN ?
Configure a dual stack VPN avoid possible leaks and brings you an ipv6 connectivity.
Of course you need an ipv6 connectivity on your VPN server.
To check if your ipv6 is configured, you can do an
ip a and look at the
inet6 part of your public interface, and of course you can simply check with a ping.
For example, on my server :
$ ping6 -c 4 google.com PING google.com(par10s34-in-x0e.1e100.net (2a00:1450:4007:817::200e)) 56 data bytes 64 bytes from par10s34-in-x0e.1e100.net (2a00:1450:4007:817::200e): icmp_seq=1 ttl=55 time=1.12 ms 64 bytes from par10s34-in-x0e.1e100.net (2a00:1450:4007:817::200e): icmp_seq=2 ttl=55 time=1.21 ms 64 bytes from par10s34-in-x0e.1e100.net (2a00:1450:4007:817::200e): icmp_seq=3 ttl=55 time=1.43 ms 64 bytes from par10s34-in-x0e.1e100.net (2a00:1450:4007:817::200e): icmp_seq=4 ttl=55 time=1.22 ms --- google.com ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3004ms rtt min/avg/max/mdev = 1.126/1.249/1.437/0.122 ms
How to configure OpenVPN in dual stack mode with a single ipv6 ?
Some providers bring you only one ipv6 (
/128). I agree, it's not good, but whatever... you can use NAT to have a neat dual stack also.
We will choose a private ipv6 pool, for example
At first enable the forwarding for ipv6 :
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
Edit the OpenVPN configuration :
Add the subnet and the route (this configuration will send all the trafic through the VPN) :
server-ipv6 2001:10:240:ab::a/64 push "route-ipv6 2000::/3"
If you want to push ipv6 DNS (these are Cloudflare and Google IPV6 DNS) :
push "dhcp-option DNS6 2001:4860:4860::8888" push "dhcp-option DNS6 2606:4700:4700::1111"
And finish with the
ip6tables rules :
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT ip6tables -t nat -A POSTROUTING -s 2001:10:240:ab::a -o eth0 -j SNAT --to-source $PUBLIC_BLOCK
eth0 with your public network interface if it's different.
When you're connected to your VPN you will be able to join any ipv6 address.
Feel free to correct me if you see any typo or if something seems wrong to you.
You can send me an email or comment below.