OpenVPN Server providing IPv6 to clients

I am a little confused about the proper combination of the various config parameters to provide IPv6 for OpenVPN clients.
I run two CCR2216-1G-12XS-2XQ with RouterOS 7.12.1 (will update to 7.14 soon).

I already have a well working IPv4 setup which I only wanted to extend to IPv6.
The routers have IPv6 PI space of which I intend to use e.g. a /48 to have the OpenVPN server give out IPv6 prefixes to clients.

This is the relevant (lab) config I have so far …

/ipv6 pool
add name=ovpn-pool prefix=2001:db8:9999::/48 prefix-length=64

/ppp profile
add local-address=172.16.0.1 name=ovpn remote-address=ovpn-pool remote-ipv6-prefix-pool=ovpn-pool

/interface ovpn-server server
set auth=sha256,sha512 certificate=mikrotik-rt-01 cipher=blowfish128,aes128-cbc,aes256-cbc default-profile=ovpn enable-tun-ipv6=\
    yes enabled=yes ipv6-prefix-len=48 tun-server-ipv6=2001:db8:9999::1

I am a little confused about the required config options for IPv6 of the OpenVPN Server:

  1. What do ipv6-prefix-len and tun-server-ipv6 actually configure? How do they correlate? What relation is there to the prefix-length of the ipv6/pool?

  2. Is tun-server-ipv6 some relative address for each OpenVPN interface / connection, or global for the whole server? According to https://help.mikrotik.com/docs/display/ROS/OpenVPN#OpenVPN-Properties the default is “::”? I seem to be unable to restore it to the default:

[admin@mikrotik-rt-01] /interface/ovpn-server/server> set tun-server-ipv6="::"
failure: zero ipv6 device identifier is not supported

  3. According to https://community.openvpn.net/openvpn/wiki/DeprecatedOptions#Option:--tun-ipv6Status:Ignoredpendingremoval tun-server-ipv6 even seems to be deprecated?

  4. Regarding ipv6-prefix-len:

a) If I set this to /48 I see OpenVPN client complaining:

Options error: ifconfig-ipv6: /netbits must be between 64 and 124, not ‘/48’

b) If I set this to /64 it works addressing-wise (and makes sense in relation to the ipv6/pool):

net_addr_v6_add: 2001:db8:9999:1::/64 dev tun0

but I cannot ping any interface on the router (the OpenVPN server), even when I manually set a route via the VPN tun, and the configured GW / tun-server-ipv6 is also not reachable, as it is not within the client’s /64.
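The two symptoms above (the client's /netbits complaint and the unreachable tun-server-ipv6) can be checked offline with a short address-arithmetic audit. The script below is an added example, not the poster's code or a MikroTik tool: it takes the lab values from the post as a constructed config dict, carves the pool into per-client /64s the same way the observed log line (2001:db8:9999:1::/64) suggests, and applies the 64..124 netbits bound quoted from the client's "Options error". The assumption that ipv6-prefix-len should equal the pool's prefix-length is the poster's own reading, encoded here as a check.

```python
import ipaddress

# Bounds the OpenVPN client enforces on ifconfig-ipv6 /netbits, taken from the
# "Options error" message quoted in the post.
NETBITS_MIN, NETBITS_MAX = 64, 124

# Constructed from the lab config in the post (2001:db8::/32 is documentation space).
LAB_CONFIG = {
    "pool_prefix": "2001:db8:9999::/48",     # /ipv6 pool prefix=
    "pool_prefix_length": 64,                # /ipv6 pool prefix-length=
    "ipv6_prefix_len": 48,                   # ovpn-server ipv6-prefix-len=
    "tun_server_ipv6": "2001:db8:9999::1",   # ovpn-server tun-server-ipv6=
    "observed_client_prefix": "2001:db8:9999:1::/64",  # from net_addr_v6_add on the client
}


def prefix_len_finding(ipv6_prefix_len):
    """Return a finding if OpenVPN clients will reject this /netbits, else None."""
    if not NETBITS_MIN <= ipv6_prefix_len <= NETBITS_MAX:
        return (f"ipv6-prefix-len={ipv6_prefix_len}: clients reject ifconfig-ipv6 "
                f"netbits outside /{NETBITS_MIN}-/{NETBITS_MAX}")
    return None


def client_prefixes(pool_prefix, pool_prefix_length, count=4):
    """First `count` per-client prefixes the pool can hand out, in pool order."""
    pool = ipaddress.IPv6Network(pool_prefix)
    subnets = pool.subnets(new_prefix=pool_prefix_length)
    return [next(subnets) for _ in range(count)]


def gateway_findings(tun_server_ipv6, pool_prefix, client_prefix):
    """Check whether the server-side tun address is usable from a client's prefix."""
    gw = ipaddress.IPv6Address(tun_server_ipv6)
    pool = ipaddress.IPv6Network(pool_prefix)
    client = ipaddress.IPv6Network(client_prefix)
    findings = []
    if gw not in client:
        # Off-link from the client's point of view: no on-link gateway to route via.
        findings.append(f"tun-server-ipv6 {gw} is not inside client prefix {client}; "
                        "the client has no on-link route to it")
    if gw in pool:
        # The server address sits in space the pool may delegate to a client.
        findings.append(f"tun-server-ipv6 {gw} lies inside the client pool {pool}; "
                        "it overlaps a prefix the pool may hand out")
    return findings


def audit(cfg):
    """Run all checks over a config dict shaped like LAB_CONFIG; return finding strings."""
    findings = []
    f = prefix_len_finding(cfg["ipv6_prefix_len"])
    if f:
        findings.append(f)
    # Assumption (the poster's reading): the per-client netbits should match the
    # size of the prefixes the pool carves out.
    if cfg["ipv6_prefix_len"] != cfg["pool_prefix_length"]:
        findings.append(f"ipv6-prefix-len={cfg['ipv6_prefix_len']} differs from pool "
                        f"prefix-length={cfg['pool_prefix_length']}")
    findings += gateway_findings(cfg["tun_server_ipv6"], cfg["pool_prefix"],
                                 cfg["observed_client_prefix"])
    return findings


if __name__ == "__main__":
    print("pool carves out:", [str(p) for p in client_prefixes(
        LAB_CONFIG["pool_prefix"], LAB_CONFIG["pool_prefix_length"])])
    for cfg_name, cfg in (("as posted", LAB_CONFIG),
                          ("with ipv6-prefix-len=64", dict(LAB_CONFIG, ipv6_prefix_len=64))):
        print(f"\n[{cfg_name}]")
        for finding in audit(cfg) or ["no findings"]:
            print(" -", finding)
```

Running it reproduces the thread: with /48 the netbits check fails and the prefix lengths disagree; switching to /64 clears both, but the gateway findings remain, because 2001:db8:9999::1 is neither inside the client's 2001:db8:9999:1::/64 nor outside the pool, which is why the client-side route does not help.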

I am trying the same; did you ever succeed in setting up your OpenVPN server on RouterOS to provide IPv6 to clients?

Unfortunately not. I opened a support ticket, but obviously Mikrotik does not provide this kind of support.
But I am still puzzled if this might simply be broken or got broken over time with OpenVPN option renaming …

Yes, this is an extremely poor implementation on Mikrotik’s part as well as a security risk, potentially allowing IPv6 traffic to leak onto the public network the client is attached to, as you cannot fully configure the client to properly route IPv6 traffic. There is no ability to use “push-route-ipv6” in RouterOS even though it is a standard of OpenVPN.

Shame on Mikrotik for this, and for not only NOT addressing it, but also allowing these forum posts to sit here in silence and not even bothering to put a security disclaimer on their RouterOS guides that IPv6 leaks may occur because of their inability to properly implement OpenVPN on their equipment. Unfortunately they seem to be throwing their weight behind the amateur code of Wireguard (the code is lightweight because it cannot do much!), which has also barely thought about IPv6 implementation and cannot handle dynamic prefixes nor dynamic assignment of IPv4. It is good enough for home use, but is a nightmare for a large office.