VPN browsing with OpenVPN ipv6

By devin, 7 October, 2021

I'd like to make this into a full-featured post at some point, but for now I'm just writing down the essentials for getting a working IPv4 OpenVPN setup to work over IPv6. There are two steps:

1. Use IPv6 as the protocol to communicate between client and server
2. Use IPv6 addresses for the clients

I had particular challenges with this because I'm using Cloud at Cost as my VPN server, and they provide a really small subnet. openvpn assumes you'll have a /64 or /112 netmask, but mine is /120 and I gave /124 to my vpn subnet.

I was a little rusty on ipv6 addressing and netmasks but https://masteripv6.com/introduction-to-ipv6-address-types/ helped.

Most of what I needed was covered by the OpenVPN docs: https://community.openvpn.net/openvpn/wiki/IPv6. The one thing I didn't catch on first read was that 2001:db8:0:123::/64 is an example subnet; I had to get my own subnet by inspecting the IP address and netmask of my VPS using the Cloud at Cost panel. https://www.reddit.com/r/CloudAtCost/comments/e3zp11/ipv6_configuration… was helpful for this.

I was able to get the UDP6 protocol working fairly seamlessly with my config. I wasn't able to start using my new ipv6 address on the vpn client right away though.

Luckily, https://superuser.com/questions/1151539/routing-problems-with-ipv6-over… got me started on a solution. I still need to figure out if I needed just the first answer, or both the first and second answers. I'm also fairly certain I needed the sysctl commands from https://www.ipsidixit.net/2010/03/24/239/ to make it work.

The OpenVPN docs also advised running the client as "openvpn client.conf" so it was easier to see the output when things failed. That helped a lot, as did tail -f /var/log/syslog | grep ovpn.

Put it all together and here's what everything looks like now:

server.conf:

port 1194
proto udp6
dev tun
ca ca.crt
cert vpn.devinhoward.ca.crt
key vpn.devinhoward.ca.key
dh dh4096.pem

server 10.8.0.0 255.255.255.0
server-ipv6 2607::1234/124
ifconfig-pool-persist ipp.txt

keepalive 10 120
tls-auth ta.key 0 # This file is secret

#user nobody # temp disabled for script below to have sudo
#group nogroup

comp-lzo
persist-key
persist-tun

status openvpn-status.log
#log-append /var/log/openvpn.log
verb 3

# https://superuser.com/questions/1151539/routing-problems-with-ipv6-over…
script-security 3
client-connect /etc/openvpn/ipv6-client-connect.sh

client.conf:

client
dev tun
proto udp6
remote vpn.devinhoward.ca 1194

route-nopull
redirect-gateway def1 ipv6 bypass-dhcp

resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
comp-lzo
verb 3
remote-cert-tls server
key-direction 1

/etc/openvpn/ipv6-client-connect.sh

#!/bin/bash
# OpenVPN exports the client's pool address as ifconfig_pool_remote_ip6.
# Publish it as an NDP proxy entry on eth0 so neighbour discovery from the
# upstream router reaches the VPN client (needs net.ipv6.conf.all.proxy_ndp = 1).
ip -6 neigh add proxy "$ifconfig_pool_remote_ip6" dev eth0

/etc/sysctl.conf:

net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.proxy_ndp = 1
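Because the server runs the hook as root (the user/group drop is commented out so the script can call ip) and the proxy entry above is never removed, here is a fuller hook as an added example, not the post's own script: it serves both client-connect and client-disconnect, checks the address OpenVPN hands it against the /124 before building the ip command, and deletes the entry on disconnect. The pool pattern 2607::123[0-9a-f] and the interface name eth0 are assumptions taken from the post's server-ipv6 line and script.

```shell
#!/bin/sh
# Added example, not the post's own script: one hook wired to both
# client-connect and client-disconnect. OpenVPN exports the hook name in
# $script_type and the client's pool address in $ifconfig_pool_remote_ip6.
# Since script-security 3 runs this as root, the address is checked against
# the VPN's own /124 before it reaches ip(8), and the proxy entry is removed
# on disconnect so the neighbour table does not accumulate stale entries.
set -eu

WAN_IF="${WAN_IF:-eth0}"   # interface carrying the VPS's /120 (assumption)

# Assumption: the post's pool 2607::1234/124 spans 2607::1230 - 2607::123f
# and OpenVPN hands the address over in compressed (inet_ntop) form.
in_vpn_pool() {
    case "$1" in
        2607::123[0-9a-f]) return 0 ;;
        *)                 return 1 ;;
    esac
}

# Print the ip(8) arguments for the given hook and address.
# Fails (non-zero) on an address outside the pool or an unknown hook, which
# on client-connect makes OpenVPN reject that client.
ndp_proxy_args() {
    hook="$1"; addr="$2"
    in_vpn_pool "$addr" || { echo "refusing NDP proxy for '$addr'" >&2; return 1; }
    case "$hook" in
        client-connect)    op=add ;;
        client-disconnect) op=del ;;
        *) echo "unexpected script_type '$hook'" >&2; return 1 ;;
    esac
    echo "-6 neigh $op proxy $addr dev $WAN_IF"
}

# Only act when OpenVPN invoked us; the variables are absent otherwise.
if [ -n "${script_type:-}" ] && [ -n "${ifconfig_pool_remote_ip6:-}" ]; then
    args=$(ndp_proxy_args "$script_type" "$ifconfig_pool_remote_ip6")
    # shellcheck disable=SC2086  # deliberate word splitting of validated args
    ip $args
    logger -t ovpn "NDP proxy $script_type $ifconfig_pool_remote_ip6"
fi
```

Point both the client-connect and client-disconnect directives in server.conf at this one file; a refused address shows up in syslog alongside the ovpn lines the post already greps for.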
