OpenVPN with OPNsense and IPv6

[ullbeking]

Hello!

Months ago I made the decision to use OPNsense as the main, Internet-facing firewall service.  This is for publicly accessible computing infrastructure, where IPv6 is an assumed requirement for clients.  OPNsense will run on a bare metal server with 4 onboard NIC's.

(I had a delay in the meantime while I was attending to other concerns.  Thankfully now I'm able to return to this work.)

I read the following post recently: https://www.reddit.com/r/OPNsenseFirewall/comments/9tispi/ovpn_and_ipv6/  OpenVPN is not a foundation of my infrastructure but I do expect to use it extensively and depend on it for certain important applications.  I'd read here, for example, that IPv6 should be supported properly: https://wiki.opnsense.org/manual/ipv6.html

Is there some important concept that I'm missing?  For example, some specific edge case that I've gotten confused by?  Thanks for any help in straightening this out!

Kind regards.

[loredo]

While I can't give you any clear answer here, it might be useful to change the subject of this thread to include "OpenVPN" as IPv6 seems way too generic.

[bartjsmit]

If you have a working IPv6 stack on your firewall (i.e. your workstations show a swimming turtle on https://cav6tf.org) then IPv6 on your OpenVPN tunnels only need a spare /64 each. Showstoppers are:

- Mean ISP's that give you only one /64 or
- Mean ISP's that give you a dynamic range

These are usually IPv4 knee-jerk reactions and show a profound misunderstanding of how stupendously large the address space is. Vote with your feet if you can.

If you want to avoid split tunnel on IPv6 clients you need to push the 2000::/3 route and offer an IPv6 DNS service.

Bart...

[ullbeking]

While I can't give you any clear answer here, it might be useful to change the subject of this thread to include "OpenVPN" as IPv6 seems way too generic.

Good idea, and now done.  Thanks for the suggestion.

[ullbeking]

If you have a working IPv6 stack on your firewall (i.e. your workstations show a swimming turtle on https://cav6tf.org) then IPv6 on your OpenVPN tunnels only need a spare /64 each. Showstoppers are:

- Mean ISP's that give you only one /64 or
- Mean ISP's that give you a dynamic range

These are usually IPv4 knee-jerk reactions and show a profound misunderstanding of how stupendously large the address space is. Vote with your feet if you can.

OK, wow, this is very different to the kind of answer that I was expecting but much more informative and educational.  Thank you!!

When I finally send the cluster off to the colo facility, I don't expect them to be mean about IPv6 address space.  But it adds another dimension of things that I'll need to specify and take into consideration.

If you want to avoid split tunnel on IPv6 clients you need to push the 2000::/3 route and offer an IPv6 DNS service.

Thanks Bart.  Your answer is exactly the kind of thing that I need rather than playing into whatever misinformed notions I suspect that Reddit post had.