This article describes how to install OpenVPN with IPv6; more specifically, it focuses on the differences from the official Ubuntu documentation on OpenVPN installation. Before starting, check whether your server has an IPv6 address. If you are looking for tips on running OpenVPN with both IPv4 and IPv6, read the other post, "OpenVPN both with IPv4 and IPv6".
Currently the latest stable version of OpenVPN is 2.2.2 and the Ubuntu repo still carries 2.2.1; both of them support IPv4 only. Thankfully, version 2.3, which supports IPv6, is already at the RC stage, and there is an official apt repo, so we can get it easily.
Most of the commands need superuser privileges, so just use root to make everything easy.
1) Install OpenVPN 2.3_rc1 (Both on server and client)
wget -O - http://repos.openvpn.net/repos/repo-public.gpg | apt-key add -
apt-get update && apt-get install openvpn easy-rsa
Note that we install easy-rsa in addition to openvpn because the easy-rsa examples that used to be in the OpenVPN doc directory no longer exist in OpenVPN 2.3_rc1.
2) Generate Certificate Authority
cp -r /usr/share/easy-rsa/ /etc/openvpn/
Note that the location of easy-rsa directory has changed.
Edit the "vars" file with vim, nano or another editor (I will use vim in the following examples), and be sure to change the following variables:
Note that KEY_EMAIL appears twice; feel free to delete one. All of these variables are required when building the certificates and keys. Make sure to change them: the values you set become the defaults, so you can press Enter all the way through.
3) Generate Server Certificates
# change servername to whatever you like; just make it match the configuration.
cp servername.crt servername.key ca.crt dh1024.pem /etc/openvpn/
4) Generate tls auth key (Add more security to OpenVPN port)
openvpn --genkey --secret ta.key
5) Server Configuration
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
gzip -d /etc/openvpn/server.conf.gz
The following is the list of changes to the default configuration file. "A -> B # C" means change A to B; C is a comment for easier reading and you can just ignore it.
port 1194 -> port XXXX # Choose one not fucked by GFW
proto udp -> proto udp6 # IPv6
cert server.crt -> cert servername.crt # Same as the name of the server certificate
key server.key -> key servername.key # ditto
;push "redirect-gateway def1 bypass-dhcp" -> push "redirect-gateway def1 bypass-dhcp" # IP redirect
;tls-auth ta.key 0 -> tls-auth ta.key 0 # tls auth
6) iptables Configuration
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables-save > /etc/iptables.rules
Create a new file, /etc/network/if-up.d/iptables, and put the following in it.
#!/bin/sh
iptables-restore < /etc/iptables.rules
After saving the file you need to make it executable.
chmod +x /etc/network/if-up.d/iptables
vim /etc/sysctl.conf
All of the following entries are commented out in the default configuration file; just uncomment them.
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
Note that this is the important difference: net.ipv6.conf.all.forwarding=1 makes IP forwarding work for IPv6 as well. The parameter is different from the IPv4 one, but fortunately it is already listed in the default configuration file.
Finally, restart everything involved.
sysctl -p
/etc/init.d/openvpn restart
/etc/init.d/networking restart
Now the server side should be working; a simple confirmation is to check whether tun0 or tun1 exists in the ifconfig output. Then let's move on to the clients.
7) Generate Client Certificates
cd /etc/openvpn/easy-rsa/
source vars
./build-key clientname # change clientname to whatever you like; just make it match the configuration.
8) Client Configuration
The following files are needed by the client; be careful to download them from the server with scp or something similar. This is the last thing you need to do on the server; everything that remains, besides step 1), is done on the client. Make sure to copy all the needed files into /etc/openvpn/ so that you can easily run it as a daemon.
/etc/openvpn/ca.crt
/etc/openvpn/ta.key
/etc/openvpn/easy-rsa/keys/clientname.crt
/etc/openvpn/easy-rsa/keys/clientname.key
Copy the default client configuration file to /etc/openvpn/:
cd /etc/openvpn
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf .
The following is the list of changes to the default configuration file, in the same notation as the server configuration in step 5):
proto udp -> proto udp6
remote my-server-1 1194 -> remote ::1 XXXX # Same IPv6 Address and Port Number
cert client.crt -> cert clientname.crt # Same as the name of the client certificate
key client.key -> key clientname.key # ditto
;tls-auth ta.key 1 -> tls-auth ta.key 1
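A quick way to confirm that the edits from steps 5) and 8) actually landed in the config files, including the opposite tls-auth key direction on each side; this is an added example, not part of the original post. The function names and the sample configs are made up for the illustration, and the sample uses the stock port 1194.

```shell
#!/bin/sh
# Added example: audit an OpenVPN config against the change lists in steps 5) and 8).

# has_directive FILE REGEX: true if an active (uncommented) line matches REGEX.
has_directive() {
    grep -Ev '^[[:space:]]*[;#]' "$1" |
        grep -Eq "^[[:space:]]*$2[[:space:]]*([;#].*)?\$"
}

# check LABEL REGEX: report a directive missing from $file (set by audit_conf).
check() {
    has_directive "$file" "$2" && return 0
    echo "$role: missing or still commented out: $1"
    problems=$((problems + 1))
}

# audit_conf server|client FILE CERTNAME: status 0 only if every change was made.
audit_conf() {
    role=$1 file=$2 name=$3 problems=0
    case $role in
        server) dir=0 ;;   # tls-auth key direction on the server
        client) dir=1 ;;   # must be the opposite value on the client
        *) echo "unknown role: $role" >&2; return 2 ;;
    esac
    check "proto udp6" 'proto[[:space:]]+udp6'
    check "cert $name.crt" "cert[[:space:]]+$name\\.crt"
    check "key $name.key" "key[[:space:]]+$name\\.key"
    check "tls-auth ta.key $dir" "tls-auth[[:space:]]+ta\\.key[[:space:]]+$dir"
    if [ "$role" = server ]; then
        check 'push "redirect-gateway def1 bypass-dhcp"' \
            'push[[:space:]]+"redirect-gateway[[:space:]]+def1[[:space:]]+bypass-dhcp"'
    fi
    [ "$problems" -eq 0 ]
}

# Constructed sample configs (not real files): the server one is complete, the
# client one still has the stock key name and the server's tls-auth direction.
write_samples() {
    printf '%s\n' 'port 1194' 'proto udp6' 'cert servername.crt' \
        'key servername.key  # keep secret' 'tls-auth ta.key 0' \
        'push "redirect-gateway def1 bypass-dhcp"' > "$1/server.conf"
    printf '%s\n' 'proto udp6' 'remote ::1 1194' 'cert clientname.crt' \
        'key client.key' ';tls-auth ta.key 1' 'tls-auth ta.key 0' > "$1/client.conf"
}

demo=$(mktemp -d) && write_samples "$demo"
audit_conf server "$demo/server.conf" servername && echo "server: ok"
audit_conf client "$demo/client.conf" clientname || echo "client: $problems problem(s)"
rm -rf "$demo"
```

On a real host, call it as audit_conf server /etc/openvpn/server.conf servername and audit_conf client /etc/openvpn/client.conf clientname.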
Now you can just start OpenVPN by
If you can ping 10.8.0.1 successfully then everything should be OK. After that you can make it run as a daemon by
update-rc.d openvpn defaults