OpenVPN both with IPv4 and IPv6

This article gives some tips for setting up OpenVPN with both IPv4 and IPv6. Before continuing, it is recommended to read another post, 《Install OpenVPN with IPv6 on Ubuntu》.

For the Server side:

– ONLY ONE key set, including ca.crt, server.crt, server.key, dh1024.pem and possibly ta.key.
– TWO different configuration files, for example server-v4.conf and server-v6.conf.
– The differences between the two server configuration files:
– > different protocols, udp for IPv4 and udp6 for IPv6.
– > different ports for different protocols.
– > different subnet address, for example for IPv4 and for IPv6, both with as netmask.

For the Client side:
– TWO different configuration files, for example client-v4.conf and client-v6.conf.
– The differences between the two client configuration files:
– > different protocols, udp for IPv4 and udp6 for IPv6.
– > different remote addresses and port numbers.
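
The server-side rules above can be checked mechanically before both daemons are started. The following is an added example, not part of the original post: the ports (1194/1195), the subnets (10.8.0.0 and 10.9.0.0) and the netmask are constructed sample values, and `check_pair` is a hypothetical helper name.

```python
# Added example: consistency check for a dual-stack OpenVPN server config pair.
# The config text is constructed sample input; ports and subnets are assumptions.
SERVER_V4 = """\
proto udp
port 1194
dev tun
ca ca.crt
cert server.crt
key server.key   # keep secret
dh dh1024.pem
tls-auth ta.key 0
server 10.8.0.0 255.255.255.0
"""
SERVER_V6 = SERVER_V4.replace("proto udp", "proto udp6") \
    .replace("port 1194", "port 1195").replace("10.8.0.0", "10.9.0.0")

SHARED = ("ca", "cert", "key", "dh", "tls-auth")  # one key set for both daemons

def parse(text):
    """Map each directive to its argument list, ignoring # and ; comments."""
    conf = {}
    for line in text.splitlines():
        for mark in "#;":
            line = line.split(mark, 1)[0]
        words = line.split()
        if words:
            conf[words[0]] = words[1:]
    return conf

def check_pair(v4_text, v6_text):
    """Return a list of problems; an empty list means the pair follows the tips."""
    v4, v6 = parse(v4_text), parse(v6_text)
    problems = []
    if v4.get("proto") != ["udp"] or v6.get("proto") != ["udp6"]:
        problems.append("proto must be udp (v4 file) and udp6 (v6 file)")
    if v4.get("port") == v6.get("port"):
        problems.append("both files use the same port")
    net4, net6 = v4.get("server", []), v6.get("server", [])
    if len(net4) != 2 or len(net6) != 2 or net4[0] == net6[0]:
        problems.append("server subnets must be set and must differ")
    elif net4[1] != net6[1]:
        problems.append("server netmasks differ")
    problems += [f"{d} differs between files" for d in SHARED if v4.get(d) != v6.get(d)]
    return problems

if __name__ == "__main__":
    print(check_pair(SERVER_V4, SERVER_V6) or "pair is consistent")
```

To check real files, pass the contents of server-v4.conf and server-v6.conf to `check_pair` instead of the embedded samples.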


Install OpenVPN with IPv6 on Ubuntu

This article walks through installing OpenVPN with IPv6 and, more specifically, focuses on the differences from the official Ubuntu documentation on OpenVPN installation [1]. Before starting, you need to check whether your server has an IPv6 address. If you are looking for tips about running OpenVPN with both IPv4 and IPv6, read another post, 《OpenVPN both with IPv4 and IPv6》.

Currently the latest stable version of OpenVPN is 2.2.2 and the Ubuntu repo still has 2.2.1; both of them support only IPv4. Thankfully, version 2.3, which supports IPv6, is already at the RC stage and there is an official apt repo [2], so we can get it easily.

Most of the commands need superuser privileges, so just use root to make everything easy.

1) Install OpenVPN 2.3_rc1 (Both on server and client)

Note that we install easy-rsa in addition to openvpn only because the easy-rsa examples that used to be in the OpenVPN doc directory no longer exist in OpenVPN 2.3_rc1.

2) Generate Certificate Authority

Note that the location of easy-rsa directory has changed.

Edit the “vars” file with vim, nano or another editor (I will use vim in the following examples), and be sure to change the following variables:

Note that there are two duplicate KEY_EMAIL entries; feel free to delete one. All these variables are required when building the certificates and keys. Changing them here makes them the default values, so that you can press Enter all the way through.

3) Generate Server Certificates

4) Generate tls auth key (Add more security to OpenVPN port)

5) Server Configuration

Following is the list of changes to the default configuration file. “A -> B # C” means change A to B, while C is a comment for easier reading that you can ignore.

6) iptables Configuration

This will be a new file and you should paste the following into it.

After saving the file you need to make it executable.

All of the following lines are commented out in the default configuration file; just uncomment them.

Note that the important difference is here: it makes IP forwarding work for IPv6 as well. The parameter is different from the IPv4 one, but fortunately it is already listed in the default configuration file. Finally, restart all the related services.

Now the server side should be working; a simple confirmation is to check whether tun0 or tun1 exists in the ifconfig output. Then let’s move on to the clients.

7) Generate Client Certificates

8) Client Configuration
The following files are needed by the client; be careful to download them from the server by scp or something similar. This is the last thing you need to do on the server; everything left should be done on the client, besides step 1). Make sure to copy all the needed files under /etc/openvpn/ so that you can easily run it as a daemon.

Copy the default client configure file to /etc/openvpn/

Following is the list of changes to the default configuration file, in the same format as the Server Configuration in step 5).

9) Confirmation
Now you can just start the openvpn by

If you can ping successfully, then everything should be OK. After that you can make it run as a daemon by

10) Reference:

Hello Linode!

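My previous post was still recommending Rashost; I did not expect that by the time I wrote this entry the blog would already have been fully migrated to Linode. Many thanks to lyxintranjiao; thank you for taking me in. There is a lot more I can do from now on.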


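The cron job for the Xiami auto check-in script has also been moved here. A small plug while I am at it: that auto check-in script has now been running without errors for 70 days, so if you or anyone around you needs it, feel free to take it.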