Hello folks,

I've some hassle setting up OpenVPN "road warrior style". The task is simple:

a) Provide a VPN for devices (laptop, smartphone - meaning: Windows, Linux, Android) in the field.
b) Provide a default route, take care of leaks: All data has to go via the VPN.

While the IPv4 part is up'n'running, I'm worried about IPv6. I need a configuration that:

i) Is dual-stack. Each client has IPv6 and IPv4 addresses.
ii) Makes use of IPv6 for transport: Clients should be able to connect via IPv6 to overcome bottlenecks in DSLite setups (some providers' NAT seem to be overloaded at primetime).
iii) Is agnostic to uplink networks (aka: should work in bizarre hotel wifi networks, too). This means:
   1) Turning off IPv6 or IPv6 autoconfiguration for the non-VPN network is not an option.
   2) We cannot assume radv announcements to be sane (default-route priority, misc routes, etc.)
   3) Clients have multiple, public IPv6 addresses. They must use the VPN ones once OpenVPN is started (hence b) ).
   4) Nice-to-have: If OpenVPN is running, but no connection is established yet, outgoing traffic should be blocked.

How can I configure OpenVPN to do so? In our test setup, the server is using 2001:470:5093:1::/64 for the VPN. Thus:

    server-ipv6 2001:470:5093:1::/64
    push "route-ipv6 2001:470:5093:1:/48" #Full address range
    push "route-ipv6 2000::/3"

But ... this doesn't seem to do the trick.

- If a hotel wifi network is using 2001:470:5093:3::/64 for auto configuration - traffic will leak, since /64 is more specific than /48 - right?
- How does this make sure that the client is using the VPN for _all_ uplink traffic?

I'm somewhat confused - can you help me here?

Thanks,
Greetings, Jan
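
The routing question raised in the post, worked through as an added example (not part of the original message): longest-prefix match applied to a constructed client routing table. The interface names wlan0/tun0, the sample destinations and the /48 written as 2001:470:5093::/48 are assumptions for illustration.

```python
import ipaddress

# Constructed client routing table: (prefix, interface).
# wlan0 = hotel wifi uplink, tun0 = OpenVPN tunnel (both names assumed).
# The /48 is written as 2001:470:5093::/48, the assumed intended form.
ROUTES = [
    ("2001:470:5093:3::/64", "wlan0"),  # on-link prefix from the hotel's RA
    ("::/0", "wlan0"),                  # default route from the hotel's RA
    ("2001:470:5093::/48", "tun0"),     # pushed by the VPN server
    ("2000::/3", "tun0"),               # pushed by the VPN server
]


def parse(routes):
    return [(ipaddress.ip_network(prefix), dev) for prefix, dev in routes]


def egress(routes, dst):
    """Interface chosen by longest-prefix match, or None if no route matches."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, dev) for net, dev in parse(routes) if addr in net]
    if not matches:
        return None
    # The most specific (longest) matching prefix wins, regardless of metric.
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def shadowing_routes(routes, vpn_dev="tun0"):
    """Uplink prefixes that lie inside a VPN route and are more specific,
    so traffic to them bypasses the tunnel."""
    table = parse(routes)
    vpn_nets = [net for net, dev in table if dev == vpn_dev]
    return sorted(
        str(net)
        for net, dev in table
        if dev != vpn_dev
        and any(net != v and net.subnet_of(v) for v in vpn_nets)
    )


if __name__ == "__main__":
    for dst in ("2001:470:5093:3::10",   # inside the hotel's /64
                "2001:470:5093:1::1",    # inside the VPN's /64
                "2001:4860:4860::8888",  # global unicast, only in 2000::/3
                "fd00::1"):              # ULA, outside 2000::/3
        print(f"{dst:24} -> {egress(ROUTES, dst)}")
    print("shadowing uplink routes:", shadowing_routes(ROUTES))
```

Running a check like shadowing_routes() against the client's real table after the tunnel comes up lists any uplink prefixes that override the pushed routes; destinations outside 2000::/3 still follow the uplink's default route in this table.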