Author Topic: OpenVPN with OPNsense and IPv6  (Read 3511 times)

ullbeking

OpenVPN with OPNsense and IPv6
« on: November 10, 2018, 06:21:31 pm »
Hello!

Months ago I made the decision to use OPNsense as the main, Internet-facing firewall service.  This is for publicly accessible computing infrastructure, where IPv6 is an assumed requirement for clients.  OPNsense will run on a bare metal server with 4 onboard NICs.

(I had a delay in the meantime while I was attending to other concerns.  Thankfully now I'm able to return to this work.)

I read the following post recently: https://www.reddit.com/r/OPNsenseFirewall/comments/9tispi/ovpn_and_ipv6/  OpenVPN is not a foundation of my infrastructure but I do expect to use it extensively and depend on it for certain important applications.  I'd read here, for example, that IPv6 should be supported properly: https://wiki.opnsense.org/manual/ipv6.html

Is there some important concept that I'm missing?  For example, some specific edge case that I've gotten confused by?  Thanks for any help in straightening this out!

Kind regards.
« Last Edit: November 12, 2018, 11:40:39 pm by ullbeking »

loredo

Re: OPNsense and IPv6
« Reply #1 on: November 11, 2018, 09:49:33 am »
While I can't give you any clear answer here, it might be useful to change the subject of this thread to include "OpenVPN" as IPv6 seems way too generic.

bartjsmit

Re: OPNsense and IPv6
« Reply #2 on: November 11, 2018, 10:12:23 am »
If you have a working IPv6 stack on your firewall (i.e. your workstations show a swimming turtle on https://cav6tf.org) then IPv6 on your OpenVPN tunnels only needs a spare /64 each. Showstoppers are:

- Mean ISPs that give you only one /64 or
- Mean ISPs that give you a dynamic range

These are usually IPv4 knee-jerk reactions and show a profound misunderstanding of how stupendously large the address space is. Vote with your feet if you can.

If you want to avoid split tunnel on IPv6 clients you need to push the 2000::/3 route and offer an IPv6 DNS service.

Bart...
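
The points in the reply above (a /64 per tunnel, a pushed 2000::/3 route, an IPv6 DNS server) can be checked against an OpenVPN server config before clients connect. This is an added example, not part of the thread and not OPNsense code; the two sample configs are constructed and use the 2001:db8::/32 documentation prefix, and `audit_ipv6` is a hypothetical helper name.

```python
import ipaddress
import re

GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")

# Constructed sample configs (documentation prefix), not taken from the thread.
SPLIT_TUNNEL_CONF = '''
server 10.8.0.0 255.255.255.0
server-ipv6 2001:db8:0:100::/64
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
'''
FULL_TUNNEL_CONF = '''
server 10.8.0.0 255.255.255.0
server-ipv6 2001:db8:0:100::/64
push "redirect-gateway def1"
push "route-ipv6 2000::/3"
push "dhcp-option DNS 2001:db8:0:53::1"
'''

def audit_ipv6(conf):
    """Return a list of findings; an empty list means IPv6 is fully tunnelled."""
    findings = []
    tunnel = re.search(r'^\s*server-ipv6\s+(\S+)', conf, re.M)
    if not tunnel:
        findings.append("no server-ipv6 tunnel network")
    elif ipaddress.ip_network(tunnel.group(1), strict=False).prefixlen != 64:
        findings.append("tunnel network is not a /64")
    covered = dns6 = False
    # Only active push lines match; lines commented out with # or ; are skipped.
    for pushed in re.findall(r'^\s*push\s+"([^"]+)"', conf, re.M):
        words = pushed.split()
        if not words:
            continue
        if words[0] == "route-ipv6" and len(words) > 1:
            # A wider route such as ::/0 also covers 2000::/3.
            net = ipaddress.ip_network(words[1], strict=False)
            covered |= GLOBAL_UNICAST.subnet_of(net)
        elif words[0] == "redirect-gateway" and "ipv6" in words[1:]:
            covered = True
        elif words[0] == "dhcp-option" and len(words) == 3 and words[1] in ("DNS", "DNS6"):
            dns6 |= ipaddress.ip_address(words[2]).version == 6
    if not covered:
        findings.append("2000::/3 not routed into the tunnel")
    if not dns6:
        findings.append("no IPv6 DNS server pushed")
    return findings

if __name__ == "__main__":
    for name, conf in (("split", SPLIT_TUNNEL_CONF), ("full", FULL_TUNNEL_CONF)):
        print(name, audit_ipv6(conf) or "ok")
```

The first sample redirects only IPv4, so a dual-stack client would keep sending IPv6 traffic and DNS lookups outside the tunnel; the second sample passes all three checks.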

ullbeking

Re: OpenVPN with OPNsense and IPv6
« Reply #3 on: November 16, 2018, 02:46:34 am »
Quote from: loredo on November 11, 2018, 09:49:33 am
While I can't give you any clear answer here, it might be useful to change the subject of this thread to include "OpenVPN" as IPv6 seems way too generic.

Good idea, and now done.  Thanks for the suggestion.

ullbeking

Re: OpenVPN with OPNsense and IPv6
« Reply #4 on: November 16, 2018, 02:52:00 am »
Quote from: bartjsmit on November 11, 2018, 10:12:23 am
If you have a working IPv6 stack on your firewall (i.e. your workstations show a swimming turtle on https://cav6tf.org) then IPv6 on your OpenVPN tunnels only needs a spare /64 each. Showstoppers are:

- Mean ISPs that give you only one /64 or
- Mean ISPs that give you a dynamic range

These are usually IPv4 knee-jerk reactions and show a profound misunderstanding of how stupendously large the address space is. Vote with your feet if you can.

OK, wow, this is very different to the kind of answer that I was expecting but much more informative and educational.  Thank you!!

When I finally send the cluster off to the colo facility, I don't expect them to be mean about IPv6 address space.  But it adds another dimension of things that I'll need to specify and take into consideration.

Quote
If you want to avoid split tunnel on IPv6 clients you need to push the 2000::/3 route and offer an IPv6 DNS service.

Thanks Bart.  Your answer is exactly the kind of thing that I need rather than playing into whatever misinformed notions I suspect that Reddit post had.
