OpenVPN both with IPv4 and IPv6

This article is about some tips for setting up OpenVPN with both IPv4 and IPv6. Before continuing, it is recommended to read another post, 《Install OpenVPN with IPv6 on Ubuntu》.

For the Server side:

– ONLY ONE key set, including ca.crt, server.crt, server.key, dh1024.pem and, optionally, ta.key.
– TWO different configuration files, for example server-v4.conf and server-v6.conf.
– The differences between the two server configuration files:
– > different protocols, udp for IPv4 and udp6 for IPv6.
– > different ports for the different protocols.
– > different subnet addresses, for example for IPv4 and for IPv6, both with as netmask.

For the Client side:
– TWO different configuration files, for example client-v4.conf and client-v6.conf.
– The difference between two client configuration files:
– > different protocols, udp for IPv4 and udp6 for IPv6.
– > different remote addresses and port numbers.


Install OpenVPN with IPv6 on Ubuntu

This article gives the process of installing OpenVPN with IPv6, and to be more specific, it will focus on the differences from the Ubuntu official document about OpenVPN installation [1]. Before starting, you need to check whether your server has an IPv6 address. And if you are looking for tips about OpenVPN with both IPv4 and IPv6, you should read another post, 《OpenVPN both with IPv4 and IPv6》.

Currently the latest stable version of OpenVPN is 2.2.2, and the Ubuntu repo still has 2.2.1; both of them support IPv4 only. But thankfully the 2.3 version, which supports IPv6, is already in RC stage, and there is an official apt repo [2], so we can install it easily.

Most of the commands need superuser privileges, so just use root to make everything easy.

1) Install OpenVPN 2.3_rc1 (Both on server and client)
wget -O - | apt-key add -
cd /etc/apt/sources.list.d
apt-get update && apt-get install openvpn easy-rsa
Note that we install easy-rsa in addition to openvpn because the easy-rsa examples that used to be in the OpenVPN doc directory no longer exist in OpenVPN 2.3_rc1.

2) Generate Certificate Authority
cp -r /usr/share/easy-rsa/ /etc/openvpn/
cd /etc/openvpn/easy-rsa/
Note that the location of easy-rsa directory has changed.

Edit the "vars" file with vim or nano or something else (I will use vim in the following examples), and be sure to change the following variables:
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_CN=changeme
export KEY_NAME=changeme
export KEY_OU=changeme
Note that there are two duplicate KEY_EMAIL lines in the file; feel free to delete one. All these variables are required when building the certificates and keys; changing them here makes them the default values, so that you can just press Enter all the way through the prompts.
source vars

3) Generate Server Certificates
./build-key-server servername
# change servername to whatever you like, just make it corresponding with configuration.
cd /etc/openvpn/easy-rsa/keys
cp servername.crt servername.key ca.crt dh1024.pem /etc/openvpn/

4) Generate tls auth key (Add more security to OpenVPN port)
cd /etc/openvpn
openvpn --genkey --secret ta.key

5) Server Configuration
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
gzip -d /etc/openvpn/server.conf.gz
vim /etc/openvpn/server.conf
Following is the change list against the default configuration file. "A -> B # C" means change A to B, while C is a comment for easier reading that you can just ignore.
port 1194 -> port XXXX # Choose one not fucked by GFW
proto udp -> proto udp6 # IPv6
cert server.crt -> cert servername.crt # Same with the name of Server Certificates
key server.key -> key servername.key # ditto
;push "redirect-gateway def1 bypass-dhcp" -> push "redirect-gateway def1 bypass-dhcp" # IP redirect
;tls-auth ta.key 0 -> tls-auth ta.key 0 # tls auth

6) iptables Configuration
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables-save > /etc/iptables.rules
vim /etc/network/if-up.d/iptables
This will be a new file; put the following in it.
iptables-restore < /etc/iptables.rules
After saving the file you need to make it executable.
chmod +x /etc/network/if-up.d/iptables
vim /etc/sysctl.conf
All of the following lines are commented out in the default configuration file; just uncomment them.
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
Note that the important difference is here: net.ipv6.conf.all.forwarding=1 makes IP forwarding also work for IPv6. The parameter name is different from the IPv4 one, but fortunately it is already listed in the default configuration file. At last, restart everything related.
sysctl -p
/etc/init.d/openvpn restart
/etc/init.d/networking restart
Now the server side should be working. A simple confirmation is to check whether tun0 or tun1 exists in the ifconfig output; then let's go for the clients.

7) Generate Client Certificates
cd /etc/openvpn/easy-rsa/
source vars
./build-key clientname
# change clientname to whatever you like, just make it corresponding with configuration.

8) Client Configuration
Following are the needed files for the client; be careful to download them from the server by scp or something else. This is the last thing you need to do on the server; all things left should be done on the client, besides step 1). Make sure to copy all needed files under /etc/openvpn/ so that you can run it as a daemon easily.
/etc/openvpn/ca.crt
/etc/openvpn/ta.key
/etc/openvpn/easy-rsa/keys/clientname.crt
/etc/openvpn/easy-rsa/keys/clientname.key
Copy the default client configuration file to /etc/openvpn/
cd /etc/openvpn
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf .
Following is the change list against the default configuration file, just the same as Server Configuration in step 5)
proto udp -> proto udp6
remote my-server-1 1194 -> remote ::1 XXXX # The server's IPv6 address and the same port number as in the server configuration
cert client.crt -> cert clientname.crt # Same with the name of Client Certificates
key client.key -> key clientname.key # ditto
;tls-auth ta.key 1 -> tls-auth ta.key 1

9) Confirmation
Now you can just start OpenVPN by
openvpn /etc/openvpn/client.conf
If you can ping successfully, then everything should be OK. After that you can make it run as a daemon by
update-rc.d openvpn defaults
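The four-file scheme from the first article (one key set; server-v4/server-v6 and client-v4/client-v6 differing only in proto, port and remote) and the server/client change lists in steps 5) and 8), as an added shell example that is not part of the original post: it emits a paired server/client configuration for either address family and checks that the pair agrees on proto, port and tls-auth key direction before it is deployed. Assumed values: tunnel subnets 10.8.0.0 and 10.9.0.0, ports 1194/1195, server addresses 192.0.2.1 and 2001:db8::1 (documentation ranges), and the servername/clientname file names from the post.

```sh
# Added example, not from the original post. Hypothetical values: tunnel
# subnets 10.8.0.0/10.9.0.0, ports 1194/1195, server address 2001:db8::1.
field() { printf '%s\n' "$1" | awk -v k="$2" -v n="$3" '$1==k{print $n}'; }  # word n of directive k

# gen_server_conf <4|6> <port> <tunnel-subnet>: one key set, only proto/port/subnet differ
gen_server_conf() {
  [ "$1" = 6 ] && proto=udp6 || proto=udp
  cat <<EOF
proto $proto
port $2
dev tun
ca ca.crt
cert servername.crt
key servername.key
dh dh1024.pem
tls-auth ta.key 0
server $3 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
EOF
}

# gen_client_conf <4|6> <remote-address> <port>
gen_client_conf() {
  [ "$1" = 6 ] && proto=udp6 || proto=udp
  cat <<EOF
client
dev tun
proto $proto
remote $2 $3
ca ca.crt
cert clientname.crt
key clientname.key
tls-auth ta.key 1
remote-cert-tls server
EOF
}

# check_pair <server-conf> <client-conf>: 0 when proto, port and tls-auth key
# direction (server 0, client 1) agree; 1 and a message for each mismatch
check_pair() {
  rc=0
  [ "$(field "$1" proto 2)" = "$(field "$2" proto 2)" ] || { echo "proto mismatch"; rc=1; }
  [ "$(field "$1" port 2)" = "$(field "$2" remote 3)" ] || { echo "port mismatch"; rc=1; }
  [ "$(field "$1" tls-auth 3)" = 0 ] && [ "$(field "$2" tls-auth 3)" = 1 ] \
    || { echo "tls-auth key-direction must be 0 on server and 1 on client"; rc=1; }
  return $rc
}
```

Redirect each generator's output to the file names the first article suggests (server-v4.conf, server-v6.conf, client-v4.conf, client-v6.conf) and run check_pair on each server/client pair.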

10) Reference: