OpenVPN server with IPv6 support

presianbg · June 1, 2017, 5:45pm

Dear Community,

Is it possible to assign IPv6 address via OpenVPN server on Mikrotik?
Before jumping in details, can somebody confirm that it’s possible at all ?!
So far I couldn’t find a right config to do that.

Best Regards,
Presian

Sob · June 1, 2017, 7:33pm

RouterOS does not have any direct support for IPv6 in OpenVPN. But if you run it in ethernet mode, it can transport anything, including IPv6.

presianbg · June 2, 2017, 7:30am

Thank you Sob. Your fast response is highly appreciated.
Just to be clear - the connection between Client and Server is IPv4. The server has IPv6 allocation and I want to assign IPv6 address to the client.

Are you aware of any future plans for supporting this, because I’ve managed to do it on Linux OpenVPN server and worked very well.

Sob · June 2, 2017, 6:10pm

Yes, it’s possible, I used RouterOS as tunnel broker for myself several years ago, with basic config like this:

/interface bridge
add name=openvpn
/interface ovpn-server
add name=ovpn-sob user=sob
/interface bridge port
add bridge=openvpn interface=ovpn-sob
/interface ovpn-server server
set mode=ethernet <other options>
/ipv6 address
add address=<prefix>::1/64 advertise=yes interface=openvpn

Client was Windows computer and it worked very well for my needs. One downside is that it’s just autoconfiguration, so there’s not much control over it. But still it’s ethernet, so you could bridge it to LAN with DHCPv6 server, or if you had e.g. RouterOS as client, you could probably use DHCPv6 to give bigger prefix to client (I didn’t test it, but I think it would work).

About the plans, only MikroTik knows. I hope that one day we’ll get support for every single feature from official OpenVPN client, but based on past development, I’m not holding my breath. At least according to last known info (which is no longer very fresh), MikroTik is less opposed to OpenVPN than they were in the past and we should get at least udp support in v7. So hope for the best, but don’t hold your breath either.

kevinds · June 4, 2017, 7:01am

Really?

I am looking at this right now actually.. Trying to give an OpenVPN client (Mikrotik as server) a static IPv4 and IPv6 address..

In the Profile setup.. There is “Remote IPv6 Prefix Pool” and “DHCPv6 PD Pool” Also ‘Protocols’ “Use IPv6”..

This indicates there is some support.. lol My trick is trying to figure out how to assign a specific IP from the prefix to the OpenVPN client..

Different issue, yes, but that is how I got here..

Sob · June 4, 2017, 1:22pm

PPP profiles are used for all VPN types. They do have IPv6 options, but so far those don’t do anything for OpenVPN.

kevinds · June 4, 2017, 6:51pm

Mine, RouterOS (server) to CentOS (client) is giving my CentOS VPS IPv6…

I’m still trying to figure out how to ‘push’ certain parameters to the client, but no issue with IPv6 over OpenVPN

[root@CentOS-VPS ~]# ping6 ipv6.google.com
PING ipv6.google.com(sea15s08-in-x0e.1e100.net) 56 data bytes
64 bytes from sea15s08-in-x0e.1e100.net: icmp_seq=1 ttl=57 time=105 ms
64 bytes from sea15s08-in-x0e.1e100.net: icmp_seq=2 ttl=57 time=68.8 ms
64 bytes from sea15s08-in-x0e.1e100.net: icmp_seq=3 ttl=57 time=67.9 ms
64 bytes from sea15s08-in-x0e.1e100.net: icmp_seq=4 ttl=57 time=69.3 ms
64 bytes from sea15s08-in-x0e.1e100.net: icmp_seq=5 ttl=57 time=68.7 ms
64 bytes from sea15s08-in-x0e.1e100.net: icmp_seq=6 ttl=57 time=72.6 ms

Sob · June 4, 2017, 8:20pm

Interesting. Would you mind sharing relevant parts of config? Just to make sure that it’s not the same (or similar) way as I described in my first post? I tried some tests with latest RC and I see no signs of IPv6 handled directly by RouterOS OpenVPN.

kevinds · June 4, 2017, 8:43pm

I shall try.. Tags with forum software is a weak point so hopefully this looks ok..

I am also still making small tweaks, so this won’t be my final config.. lol Still just a work-in-progress (My CentOS server needs to have static LAN IPs, so not using an IP pool, as an example)

CentOS.conf - OpenVPN Client configuration

dev tap0
pull
tls-client
dh dh8192.pem
ca ca.crt
cert CentOS.crt
key CentOS.key
remote-cert-tls server
tun-mtu 1452
remote RouterOS-Public-IP 1194 tcp-client
persist-key
script-security 3
cipher AES-256-CBC
auth-nocache
auth-user-pass OpenVPN-Connection-pass.txt
ping 15
ping-restart 45
ping-timer-rem
persist-tun
verb 3
log-append /var/log/openvpn.log

CentOS Server

[root@CentOS openvpn]# ifconfig
eth0      Link encap:Ethernet  HWaddr Sanitized
          inet addr: Sanitized Bcast:Sanitized  Mask:255.255.255.224
          inet6 addr: fe80::216:3cff:fe07:bd8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5915947 errors:0 dropped:0 overruns:0 frame:0
          TX packets:687151 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:788584801 (752.0 MiB)  TX bytes:149195789 (142.2 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:182 errors:0 dropped:0 overruns:0 frame:0
          TX packets:182 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:53174 (51.9 KiB)  TX bytes:53174 (51.9 KiB)

tap0      Link encap:Ethernet  HWaddr 8A:7A:AB:69:2F:80
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: 2001:Sanitized0/64 Scope:Global
          inet6 addr: 2001:Sanitized0/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1452  Metric:1
          RX packets:8869 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1436 errors:0 dropped:64 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:997927 (974.5 KiB)  TX bytes:169520 (165.5 KiB)

[root@CentOS openvpn]#

OVPN Server.jpg

kevinds · June 4, 2017, 8:49pm

But yes, it is ‘Ethernet’ mode..

So.. Possible to assign IPv6 with OpenVPN