OpenVPN – IPv6 with tun device

Note: IPv6 is not supported using OpenVPN on Debian Squeeze (stable). The version used by Debian Wheezy (testing) supports IPv6.

Network setup:
- 192.168.1.0/24 - Local IPv4 network
- 2001:412:abcd::/48 - Local IPv6 network
- 192.168.2.0/24 - Tunnel IPv4 network
- 2001:412:abcd:2::/64 - Tunnel IPv6 network

I have included only the sections of config files which need ammending to enable IPv6 over OpenVPN.

Client Config
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tun
# enable ipv6
tun-ipv6

Server Config
# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tun0
# Enable TUN IPv6 module
tun-ipv6

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 192.168.2.0 255.255.255.0
server-ipv6 2001:412:abcd:2::/64

# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
push "route 192.168.1.0 255.255.255.0"
push "route-ipv6 2001:412:abcd::/48

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"

# Enable to make openvpn the default route for ipv6 connectivity?
;push "route-ipv6 2000::/3"