
OpenVPN IPv6 address-less tap interface


I am trying to upgrade an OpenVPN server and I have an issue regarding IPv6 config. I can't figure out how to configure a tap interface without an IPv6 address, and still be able to assign IPv6 addresses to the connected clients.

For reasons linked to the structure of our network, the VPN has to be in bridge mode (tap interface), and all routing from / to VPN clients is done on a separate router device (the OpenVPN server is a dedicated Linux box that I only use to offload VPN processing from that router; it does no routing / forwarding by itself).

In my current setup, the tap virtual interfaces have no IPv4 nor IPv6 addresses, they are bridged with physical or VLAN interfaces, and the only addresses clients see are those of the router. The OpenVPN box just distributes IPv4/IPv6 addresses to the clients when they connect.

Excerpt of my current server config (only relevant parts):

dev tap-vpn
[...]
server-bridge 192.0.2.1 255.255.255.128 192.0.2.11 192.0.2.40
tun-ipv6
ifconfig-ipv6 2001:db8:1234:5678::1/64 2001:db8:1234:5678::1
ifconfig-ipv6-pool 2001:db8:1234:5678::11/64
[...]
push "tun-ipv6"
push "route 192.x.y.z"
push "route-ipv6 2001:db8:1234:4321::/64"

This works exactly as expected in OpenVPN 2.3: the box has no address attached to the tap-vpn interface, it distributes IPv4 addresses 192.0.2.11 - 192.0.2.40 and IPv6 addresses starting from 2001:db8:1234:5678::11, and it pushes routes as expected to the clients, with gateways 192.0.2.1 and 2001:db8:1234:5678::1.

For security reasons, I disable IPv6 at kernel level on that interface:

echo 1 >/proc/sys/net/ipv6/conf/tap-vpn/disable_ipv6

Upgrading to a more recent version breaks this setup, in the sense that ifconfig-ipv6 now wants to assign an IPv6 address to the interface, and having IPv6 disabled at kernel level simply prevents OpenVPN from starting. Removing the ifconfig-ipv6 directive is also not possible, as ifconfig-ipv6-pool needs it.

I know that tun-ipv6 is now deprecated, but removing / adding it doesn't seem to change anything. I have read various documentation, including of course the man page, and reviewed this, this and this thread, but none of these seems to address my concern.

If it is really impossible to achieve the setup I am intending, then I will find other ways to secure the VPN machine, like a local firewall, but I would find it more elegant to just have no IPv6 address on the tap (like I have no IPv4) and just use it as a bridging component.

FWIW, I am using Slackware64 15.0 on a PC Engines APU mini-PC, but the issue is probably not at the OS layer.

Any help or pointer to a working example would be much appreciated.

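The following server config is an added example, not part of the original question and not an official OpenVPN recommendation. It keeps the directives from the question and adds OpenVPN's ifconfig-noexec option, which the man page describes as not executing the ifconfig/netsh commands at all and instead exporting the --ifconfig parameters to scripts as environment variables. The assumption being tested here is that skipping the ifconfig step also skips the IPv6 address assignment that fails once disable_ipv6 is set on the tap, while the pool and the pushed gateways still work as they did with 2.3; that assumption has to be verified on the target version, since the option-consistency checks differ between releases. Interface and address names are the ones from the question.

```conf
# Added example (not the asker's full config): bridge-mode server that tries
# to keep tap-vpn address-less while still handing out IPv4/IPv6 to clients.
dev tap-vpn

# Bridge mode: OpenVPN hands out IPv4 from the pool; 192.0.2.1 is the router,
# not an address on this box. Nothing is configured on tap-vpn for IPv4.
server-bridge 192.0.2.1 255.255.255.128 192.0.2.11 192.0.2.40

# IPv6: the first argument is the address newer versions want to put on the
# tap; the second is the "remote" (the router) that clients get as gateway.
ifconfig-ipv6 2001:db8:1234:5678::1/64 2001:db8:1234:5678::1
ifconfig-ipv6-pool 2001:db8:1234:5678::11/64

# Assumption under test: do not run ifconfig/ip on the tap at all, so the
# IPv6 address is never assigned and disable_ipv6=1 on tap-vpn is not hit.
# The values are still exported to --up/--client-connect scripts as
# ifconfig_ipv6_local, ifconfig_ipv6_netbits and ifconfig_ipv6_remote.
ifconfig-noexec

# Routes pushed to clients are unaffected by ifconfig-noexec (tun-ipv6 is
# deprecated and left out; it changes nothing on 2.4+).
push "route-ipv6 2001:db8:1234:4321::/64"
```

After restarting the service, `ip -6 addr show dev tap-vpn` should list no address at all, and `cat /proc/sys/net/ipv6/conf/tap-vpn/disable_ipv6` should still print 1. If the daemon still refuses to start, the first "Options error" line in the log names the directive pair it rejects, which is the thing to quote when asking further. Note that with the tap address-less the server box itself has no IPv6 path to the clients, which is exactly the intended reduction in exposure; the local firewall fallback mentioned in the question only becomes necessary if this option combination is rejected.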

