On Fri, Apr 04, 2025 at 02:47:42PM +1000, Stuart Longland VK4MSL wrote:
> On 4/4/25 14:18, David Gwynne wrote:
> > so linux has a feature where it will map ipv4 connections into the ipv4
> > mapped address space in ipv6 and let you handle them all with a single
> > ipv6 listener. have a look for the doco around the "net.ipv6.bindv6only"
> > sysctl on linux for a bit more explanation. openbsd does not implement
> > this.
> >
> > i'm guessing that openvpn is relying on this feature though.
>
> I'd say so. Normally IPv6 sockets are dual-stack unless you specify
> IPV6_V6ONLY.
>
> > the right solution is to configure the software to bind separate sockets
> > for each address family. i believe you can do this with openvpn by
> > specifying multiple "--local" arguments to the daemon. you should be
> > able to bind to ipv4 with "--local 0.0.0.0" and ipv6 with "--local ::".
> >
> > i could be completely wrong though. i haven't tried this myself, so it
> > may not work at all in practice.
>
> Well, it was worth a try. What happened is the --local specified last took
> precedence. So `--local :: --local 0.0.0.0` yielded IPv4, reversing those
> yielded IPv6.

You will need to run two instances of openvpn for this, using separate
tun interfaces and client subnets. In a config I maintain, the
differences are:

-dev tun0
+dev tun1
 dev-type tun
-proto udp
+proto udp6
-local (server's public IPv4-address)
-server (IPv4 client subnet 1)
-server-ipv6 (IPv6 client subnet 1)
+local (server's public IPv6-address)
+server (Ipv4 client subnet 2)
+server-ipv6 (IPv6-client subnet 2)

Then I start openvpn processes via /etc/rc.local like this:

echo -n ' openvpn(udp)'
/usr/local/sbin/openvpn /etc/openvpn/server.conf >/dev/null
echo -n ' openvpn(udp6)'
/usr/local/sbin/openvpn /etc/openvpn/server.ipv6.conf >/dev/null
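
Review bot: the `-proto udp` line leaves the IPv4 instance's address family implied by its `local` address, while the IPv6 instance states it with `+proto udp6`. OpenVPN 2.4 and later accept `proto udp4`; using it in the IPv4 config would make the two files symmetric and keep that instance on IPv4 even if its `local` line is later changed.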
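
The "separate sockets for each address family" approach from the quoted advice, as an added example that is not part of the thread or OpenVPN's code: an IPv4 wildcard socket plus an IPv6 wildcard socket with IPV6_V6ONLY set, sharing one UDP port. The function names `bind_family`, `bound_port` and `is_v6only` are illustrative.

```c
/* Added example (not from the thread); function names are illustrative. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a UDP socket to the family's wildcard address; returns fd or -1. */
int bind_family(int family, unsigned short port)
{
    /* Members not named here are zeroed, i.e. 0.0.0.0 and :: */
    struct sockaddr_in s4 = { .sin_family = AF_INET, .sin_port = htons(port) };
    struct sockaddr_in6 s6 = { .sin6_family = AF_INET6, .sin6_port = htons(port) };
    int on = 1, rc, fd = socket(family, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    if (family == AF_INET)
        rc = bind(fd, (struct sockaddr *)&s4, sizeof(s4));
    else if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0)
        rc = -1;  /* never fall back to a dual-stack socket */
    else
        rc = bind(fd, (struct sockaddr *)&s6, sizeof(s6));
    if (rc == 0)
        return fd;
    close(fd);
    return -1;
}

/* Bound port in host byte order, 0 on error; same port offset in both families. */
unsigned short bound_port(int fd)
{
    struct sockaddr_in6 sa;
    socklen_t len = sizeof(sa);
    return getsockname(fd, (struct sockaddr *)&sa, &len) < 0 ? 0 : ntohs(sa.sin6_port);
}

/* 1 if the socket is IPv6-only, 0 if dual-stack, -1 on error. */
int is_v6only(int fd)
{
    int v = 0;
    socklen_t len = sizeof(v);
    return getsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &v, &len) < 0 ? -1 : v != 0;
}

int main(void)
{
    int fd4 = bind_family(AF_INET, 0);                /* port 0: kernel picks one */
    int fd6 = bind_family(AF_INET6, bound_port(fd4)); /* same port, IPv6 side */
    printf("udp4 fd=%d udp6 fd=%d port=%u\n", fd4, fd6, (unsigned)bound_port(fd4));
    return fd4 < 0 || fd6 < 0;
}
```

Because the IPv6 socket is explicitly IPv6-only, the same code behaves identically on OpenBSD and on a Linux host regardless of the net.ipv6.bindv6only setting.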