
OpenVPN over dynamic IPv6

Server Fault Asked by Hellstorm on December 14, 2020

I have a dual stack IPv4/IPv6 home connection and want to create an OpenVPN server.
My ISP assigns me a /59 IPv6 block, which is not stable and can change at any point (not daily, but it still does). The server runs on a Raspberry Pi with Debian Buster.

Let’s say my current prefix assigned from the ISP is dead::beef::/59 and my server has two IPv6 addresses via SLAAC. The first host id is ::1234 (temporary) and the second one is ::9876 (stable). I have a DynDNS entry pointing to dead::beef::9876.

The OpenVPN client connects to dead::beef::9876 via UDP6, the OpenVPN server receives the initial packet but responds via dead::beef::1234. Therefore the connection does not work.

I have managed to bind the OpenVPN server to the stable address via

local dead::beef::9876

, which at least makes the client connect. Unfortunately the block could change at any time, so I want to avoid this.

Is there any way to bind the server to the stable host id ::9876 without specifying the prefix in the host id?

In addition, if I want to use a /64 block for the clients (via the server directive), I can retrieve one via DHCPv6 Prefix delegation from my router. Unfortunately, then I also have to specify the fixed prefix in my config file.

Is there any way to make this specific, too?

Or should I somehow configure a trigger whenever the IP address changes, then generate a new config file and restart the server?

One Answer

I have fixed the first problem by adding the multihome option and not specifying any local option.

From the docs:

Configure a multi-homed UDP server. This option needs to be used when a server has more than one IP address (e.g. multiple interfaces, or secondary IP addresses), and is not using --local to force binding to one specific address only. This option will add some extra lookups to the packet path to ensure that the UDP reply packets are always sent from the address that the client is talking to. This is not supported on all platforms, and it adds more processing, so it's not enabled by default. Note: this option is only relevant for UDP servers.

https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/

I had the problem that binding with local to the IPv6 address disabled IPv4 connections.

Answered by Hellstorm on December 14, 2020
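To show what the quoted multihome behaviour means at the socket level, here is an added example (not from the post or from OpenVPN): a minimal IPv6 UDP echo server bound to the wildcard address that learns which local address each datagram was sent to (IPV6_RECVPKTINFO) and replies from that same address (IPV6_PKTINFO on sendmsg), instead of letting the kernel pick the temporary SLAAC address. The port 1194 and the 2001:db8:: addresses used in the comments are assumptions; the pktinfo helpers run on Linux and can be exercised offline without any network.

```python
"""Added example, not the post's or OpenVPN's code: reply-from-the-contacted-
address for an IPv6 UDP server, the effect the multihome option gives you."""
import socket
import struct

# struct in6_pktinfo { struct in6_addr ipi6_addr; unsigned int ipi6_ifindex; }
IN6_PKTINFO = struct.Struct("16sI")


def parse_in6_pktinfo(ancdata):
    """Return (destination address, ifindex) found in recvmsg() ancillary
    data, or None when the kernel did not attach an IPV6_PKTINFO record."""
    for level, ctype, data in ancdata:
        if level == socket.IPPROTO_IPV6 and ctype == socket.IPV6_PKTINFO:
            raw_addr, ifindex = IN6_PKTINFO.unpack(data[:IN6_PKTINFO.size])
            return socket.inet_ntop(socket.AF_INET6, raw_addr), ifindex
    return None


def build_in6_pktinfo(src_addr, ifindex=0):
    """Ancillary data that forces the reply's source address (and optionally
    the outgoing interface) when passed to sendmsg()."""
    raw = IN6_PKTINFO.pack(socket.inet_pton(socket.AF_INET6, src_addr), ifindex)
    return [(socket.IPPROTO_IPV6, socket.IPV6_PKTINFO, raw)]


def serve(port=1194):
    """Echo server: with the wildcard bind the host may own several addresses
    (e.g. a temporary ::1234 and a stable ::9876 in the same /64); we answer
    from whichever one the client actually sent to."""
    sock = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_RECVPKTINFO, 1)
    sock.bind(("::", port))  # no fixed prefix in the config, unlike `local`
    while True:
        data, ancdata, _flags, peer = sock.recvmsg(
            1500, socket.CMSG_SPACE(IN6_PKTINFO.size))
        info = parse_in6_pktinfo(ancdata)
        if info is None:
            sock.sendto(data, peer)  # kernel chooses the source: the failure mode
        else:
            dst, ifindex = info
            sock.sendmsg([data], build_in6_pktinfo(dst, ifindex), 0, peer)


if __name__ == "__main__":
    serve()
```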
