Answer the question
In order to leave comments, you need to log in
Native IPv6 for each client through Openvpn how to do?
Essence of the question: there is a VPS with support for native IPv6. There are customers in Russia and Ukraine who, of course, do not have IP6.
The hoster issued an ipv6 subnet with the /64 prefix. Let's conditionally call it 1234:5678:90ab:cdef::/64
Task: distribute native ip6 addresses to clients.
I bound one address from the 1234:5678:90ab:cdef::2 subnet to the external interface on the server. On the server, therefore, there is ip6, sites with both protocols normally respond. Installed the Openvpn server with tun. Everything works fine with IPv4. Added additional lines to the server config file:
==============================
server-ipv6 1234:5678:90ab:cdef :1::/80
push "route-ipv6 2000::/3"
push "dhcp-option DNS 2606:4700:4700::1111"
================== =============
I also activate forwarding on the server net.ipv6.conf.all.forwarding=1
That is, the server distributes addresses from the /80 block to clients.
I connect the client, the client receives the ipv6 address, but only the server can ping. External addresses like ipv6.google.com cannot be pinged from the client.
You can do ip6table -t nat POSTROUTING ... on the server, but in this case, clients receive the server's ip6 address 1234:5678:90ab:cdef::2, and those from the /80 block that the server gave them are useless, hidden behind nat6. Naturally, from the Internet, clients do not respond to the addresses given to them, since they are behind nat.
Having studied the Openvpn mana, I found out that addresses from the /80 subnet must be routed to the server from the hoster. So yes, tunnel brokers give out exactly that, one network per server and one routed subnet for clients. I asked my hoster a question - he cannot do this. For the sake of interest, I asked other hosters - they do not understand at all what I want from them.
Is it possible to somehow assign clients to each their own native IP6 without the participation of a hoster? And it turns out that the hoster issues a huge block / 64, and from this block I need only one address for the external interface, and the rest are useless.
Answer the question
In order to leave comments, you need to log in
You need to tap instead of tun, then bridge it with an external interface and terminate ipv6 / 64 on the bridge
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question