OpenVPN with OPNsense and IPv6

Started by ullbeking, November 10, 2018, 06:21:31 PM

November 10, 2018, 06:21:31 PM Last Edit: November 12, 2018, 11:40:39 PM by ullbeking
Hello!

Months ago I made the decision to use OPNsense as the main, Internet-facing firewall service.  This is for publicly accessible computing infrastructure, where IPv6 is an assumed requirement for clients.  OPNsense will run on a bare metal server with 4 onboard NICs.

(I had a delay in the meantime while I was attending to other concerns.  Thankfully now I'm able to return to this work.)

I read the following post recently: https://www.reddit.com/r/OPNsenseFirewall/comments/9tispi/ovpn_and_ipv6/  OpenVPN is not a foundation of my infrastructure but I do expect to use it extensively and depend on it for certain important applications.  I'd read here, for example, that IPv6 should be supported properly: https://wiki.opnsense.org/manual/ipv6.html

Is there some important concept that I'm missing?  For example, some specific edge case that I've gotten confused by?  Thanks for any help in straightening this out!

Kind regards.

While I can't give you any clear answer here, it might be useful to change the subject of this thread to include "OpenVPN" as IPv6 seems way too generic.

If you have a working IPv6 stack on your firewall (i.e. your workstations show a swimming turtle on https://cav6tf.org) then IPv6 on your OpenVPN tunnels only needs a spare /64 each. Showstoppers are:

- Mean ISPs that give you only one /64 or
- Mean ISPs that give you a dynamic range

These are usually IPv4 knee-jerk reactions and show a profound misunderstanding of how stupendously large the address space is. Vote with your feet if you can.

If you want to avoid split tunnel on IPv6 clients you need to push the 2000::/3 route and offer an IPv6 DNS service.

Bart...
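The two points above (a spare /64 per tunnel, and pushing 2000::/3 plus an IPv6 DNS server to avoid a split tunnel) translate into a handful of OpenVPN server directives. The fragment below is an added example, not configuration from this thread or from the OPNsense project; the prefixes are taken from the 2001:db8::/32 documentation range and the DNS address is assumed, so substitute your own delegated prefix and resolver. On OPNsense the same directives can be entered in the server's advanced options box, or their GUI equivalents used.

```conf
# Listen on both address families; proto udp6 accepts IPv4 and IPv6 clients.
proto udp6
dev tun

# IPv4 tunnel pool as usual.
server 10.8.0.0 255.255.255.0

# One spare /64 from your delegation dedicated to this tunnel.
# (2001:db8:1::/64 is a documentation prefix; replace with your own.)
server-ipv6 2001:db8:1::/64

# Avoid an IPv6 split tunnel: send all global unicast traffic (2000::/3)
# through the VPN. Without this, clients keep their native IPv6 default route.
push "route-ipv6 2000::/3"

# Clients that receive an IPv6 default via the tunnel must also be able to
# resolve names over IPv6; push an IPv6-reachable resolver (address assumed).
push "dhcp-option DNS6 2001:db8:1::1"

# Also push any internal IPv6 networks behind the firewall (example prefix).
push "route-ipv6 2001:db8:2::/64"
```

Two caveats worth checking after applying this: the firewall must actually route the tunnel /64 (it should be part of the prefix your ISP delegates, not a made-up ULA, or return traffic from the Internet will never reach the clients), and the firewall rules on the OpenVPN interface need to permit IPv6 as well as IPv4, since OPNsense treats the two families separately. A quick test from a connected client is `ip -6 route` (expecting the 2000::/3 route via the tun interface) followed by a visit to an IPv6 test site such as the turtle page mentioned above.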

Quote from: loredo on November 11, 2018, 09:49:33 AM
While I can't give you any clear answer here, it might be useful to change the subject of this thread to include "OpenVPN" as IPv6 seems way too generic.

Good idea, and now done.  Thanks for the suggestion.

Quote from: bartjsmit on November 11, 2018, 10:12:23 AM
If you have a working IPv6 stack on your firewall (i.e. your workstations show a swimming turtle on https://cav6tf.org) then IPv6 on your OpenVPN tunnels only needs a spare /64 each. Showstoppers are:

- Mean ISPs that give you only one /64 or
- Mean ISPs that give you a dynamic range

These are usually IPv4 knee-jerk reactions and show a profound misunderstanding of how stupendously large the address space is. Vote with your feet if you can.

OK, wow, this is very different to the kind of answer that I was expecting but much more informative and educational.  Thank you!!

When I finally send the cluster off to the colo facility, I don't expect them to be mean about IPv6 address space.  But it adds another dimension of things that I'll need to specify and take into consideration.

Quote
If you want to avoid split tunnel on IPv6 clients you need to push the 2000::/3 route and offer an IPv6 DNS service.

Thanks Bart.  Your answer is exactly the kind of thing that I need rather than playing into whatever misinformed notions I suspect that Reddit post had.