Tags: connection, ipv6, openvpn

OpenVPN connecting with IPv6 but no internet


I've been successfully using OpenVPN with IPv4 for a while and recently decided to use IPv6 for various reasons.

The OpenVPN is running on an AWS Lightsail server (Ubuntu 22), the IPv6 address/protocol is enabled on the AWS Lightsail GUI. Also, UDP 1194 has been added to the IPv6 firewall on AWS (same as IPv4).

Client config:

client
proto udp6
remote [AWS-Lightsail-IPv6-Address] 1194
redirect-gateway ipv6 def1
.
.
.
(There is more config of course, but these probably are the relevant ones.)

Server config:

port 1194
proto udp6
push "redirect-gateway ipv6 def1 bypass-dhcp"
server-ipv6 [AWS-Lightsail-IPv6-Address-First-4-Octets]::/64
.
.
.
(There is more config of course, but these probably are the relevant ones.)

I'm able to connect to the OpenVPN Server from the OpenVPN Client (Windows) and it shows like:

Your private IP: 10.70.0.2
Your IP: [AWS-Lightsail-IPv6-Address-First-4-Octets]::1000 (Not sure if this is right)
Server Public IP: [AWS-Lightsail-IPv6-Address]
Port: 1194
Protocol: UDPv6

But when I go to the internet and make an IP check, it shows this:

It seems to be using the IPv4 OpenVPN still and the IPv6 is not detected at all.

Do I miss any config that is specifically needed for IPv6, or is something incorrect? I wasn't really able to find up-to-date information for OpenVPN with IPv6.

I've tried multiple different config changes but it didn't help. I'm expecting to browse the internet with the OpenVPN IPv6 address (AWS Lightsail server IP).

Thanks in advance!


Solution

  • But why does that work for IPv4 then? For IPv4 the client config is remote [AWS-Lightsail-IPv4-Address] 1194 and I just did the same for IPv6

    For IPv4 it works because your v4 server option specifies an appropriate address range. (And also because there's additional configuration (NAT) outside OpenVPN.)

    When I connect on IPv4, the "Your IP" (on the client) shows a private IP while the IPv6 shows the IPv6 IP from the server, not sure why it does that

    Literally because your server and server-ipv6 options told OpenVPN to assign those IPs to clients. That's what these options do.

    Actually not the very same, the private one on the client

    It's not "the private one" – your client actually has a public address. (Though not a correct one, in your situation, but a public address nevertheless.)

    shows "386d" at the end while the public one shows "286d", I don't know how that's possible

    The client's address is supposed to be different from the server's. They're two separate machines; connecting to a VPN does not actually change the client's address like that.


    Overall – you're skipping way too many steps here.

    To begin with, OpenVPN is not an "IP changer"; unlike e.g. proxy apps, the ability of a VPN to change IP addresses like you expect is really just a side-effect of a side-effect. (And said changing is not actually done through OpenVPN itself, it's done by the server OS long after the packet exits the VPN software.) Unlike proxy software, you need to think of a VPN as a virtual network first and foremost; you're essentially setting up a router.

    In more detail:

    1. Having your IP "change" to the server's IP is not actually built-in VPN functionality; it's a very distant side effect.

      The client's IP address never actually changes to the server's address. The VPN works just like your home LAN – each client has its own unique private address, and the reason its connections appear to be coming from the server's address is because the server (being a router for the VPN) has had NAT deliberately configured in it, again just like your home router does NAT.

      And the original reason the server does NAT is because clients are being assigned private IPv4 addresses, and the reason for using private addresses is because public ones are scarce and expensive... but that's usually not the case in IPv6 where it is more typical to use public addresses for LAN devices (and likewise for VPN devices).

      So with IPv6, normally you'd be assigning public addresses and would be seeing websites report the client's own IPv6 address that it gets assigned via OpenVPN – not the server's address. (Though not in your case specifically, as you don't have any public IPv6 addresses to assign.)

    2. A network needs IP addresses for all connected devices, and you can (should) only use an IP address range that you're permitted to use. (All theory is the same for IPv4 and IPv6.)

      Your guess of server-ipv6 [AWS-Lightsail-IPv6-Address-First-4-Octets]::/64 would indeed be correct at many other VPS providers – it's fairly reasonable to expect to get a /64 as a customer – but unfortunately not all VPS providers offer that. At Lightsail, it seems, you don't have the entire /64 all to yourself; instead your VPS is placed in a shared subnet where you only get a single IPv6 address (and it's already in use by the server so it cannot be re-used for clients).

      Sure, your ip addr is showing a /64, but that only means you're in a network that uses /64 as its "subnet mask" – that's the same as with IPv4, where it probably shows a /24 or similar and it only means that your subnet mask is /24, not that you have the /24 all to yourself.

      (Some other providers do the same; e.g. at Linode you also get just a single address initially and then have to claim a separate /64 through the control panel.)

      So this means you'll need to assign VPN client IPv6 addresses from a private range, just like you currently do for IPv4 – and you'll need to do NAT, just like you do for IPv4. The private range for IPv6 is fd00::/8, aka the "ULA" range, and the usual practice is to choose a randomized /48 out of the range (e.g. by visiting https://unique-local-ipv6.com/) and then use /64 subnets out of that.

      • For example, I got fdec:3368:d3fb::/48, so I would use fdec:3368:d3fb:0::/64 or fdec:3368:d3fb:abcd::/64 with OpenVPN's server-ipv6.

      • The components of an IPv6 address are better called 'hextets', not octets, as they're 16 bits (4 hex digits × 4 bits) each.
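The answer's recipe (pick a randomized ULA /48, carve a /64 out of it for server-ipv6, and NAT it just like the IPv4 range) can be carried out with a short script. The following is an added example, not code from the original question or answer: it derives a /48 the way RFC 4193 section 3.2.2 specifies (the same procedure sites like unique-local-ipv6.com perform), picks the /64, flags the two mistakes the answer describes (a range that is not ULA, or one that contains the server's own Lightsail address), and prints the OpenVPN lines plus a NAT66 rule. The interface name eth0, the subnet id 0xabcd and the 2001:db8:: addresses are assumptions/constructed placeholders; fdec:3368:d3fb::/48 is the prefix quoted in the answer.

```python
"""Added example: choose an RFC 4193 ULA /48, carve a /64 for OpenVPN's
server-ipv6, sanity-check it, and emit the matching NAT66 rule.
Example code, not from the original post."""
from __future__ import annotations

import hashlib
import ipaddress
import os
import time

ULA_LOCAL = ipaddress.IPv6Network("fd00::/8")   # locally assigned ULA half of fc00::/7
NTP_EPOCH_OFFSET = 2208988800                   # seconds from 1900-01-01 to 1970-01-01


def generate_ula_prefix(eui64: bytes | None = None, now: float | None = None) -> ipaddress.IPv6Network:
    """RFC 4193 s3.2.2: Global ID = low 40 bits of SHA-1(64-bit NTP time || EUI-64)."""
    if eui64 is None:
        eui64 = os.urandom(8)                   # any unique 8 bytes do; a real MAC-derived EUI-64 is not required
    if now is None:
        now = time.time()
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be exactly 8 bytes")
    ntp_time = int((now + NTP_EPOCH_OFFSET) * 2**32) & (2**64 - 1)   # 64-bit NTP timestamp
    digest = hashlib.sha1(ntp_time.to_bytes(8, "big") + eui64).digest()
    global_id = digest[-5:]                     # least significant 40 bits
    prefix_bytes = b"\xfd" + global_id + b"\x00" * 10
    return ipaddress.IPv6Network((prefix_bytes, 48))


def vpn_subnet(ula_prefix: ipaddress.IPv6Network | str, subnet_id: int) -> ipaddress.IPv6Network:
    """Carve one /64 out of the /48 (subnet_id becomes the 4th hextet, 0..0xffff)."""
    if isinstance(ula_prefix, str):
        ula_prefix = ipaddress.IPv6Network(ula_prefix)
    if ula_prefix.prefixlen != 48 or not ula_prefix.subnet_of(ULA_LOCAL):
        raise ValueError("expected a /48 inside fd00::/8")
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet id must fit in 16 bits")
    return ipaddress.IPv6Network((int(ula_prefix.network_address) | (subnet_id << 64), 64))


def check_server_ipv6(candidate: str, server_public_addr: str) -> list[str]:
    """Return the reasons a proposed server-ipv6 range is unusable; empty list means it looks fine."""
    net = ipaddress.IPv6Network(candidate, strict=False)
    public = ipaddress.IPv6Address(server_public_addr)
    problems = []
    if not net.subnet_of(ULA_LOCAL):
        problems.append(f"{net} is not ULA; only use it if the provider actually delegated that prefix to you")
    if public in net:
        problems.append(f"{net} contains the server's own address {public}; a single address is not a /64 you own")
    return problems


def render_server_side(vpn_net: ipaddress.IPv6Network, wan_if: str = "eth0") -> str:
    """OpenVPN server lines plus the NAT66 rule that makes clients appear as the server's public IPv6."""
    return "\n".join([
        "# server.conf additions",
        f"server-ipv6 {vpn_net}",
        'push "redirect-gateway ipv6 def1 bypass-dhcp"',
        "",
        f"# on the server OS, as root ({wan_if} is an assumption; check `ip -6 route show default`)",
        "sysctl -w net.ipv6.conf.all.forwarding=1",
        f"ip6tables -t nat -A POSTROUTING -s {vpn_net} -o {wan_if} -j MASQUERADE",
    ])


if __name__ == "__main__":
    # Constructed placeholders: 2001:db8::/32 is the documentation range, standing in for Lightsail's.
    for problem in check_server_ipv6("2001:db8:5600::/64", "2001:db8:5600::286d"):
        print("bad:", problem)
    vpn = vpn_subnet(generate_ula_prefix(), 0xABCD)
    print(render_server_side(vpn))
```

Run it once, paste the printed server-ipv6 and push lines into server.conf, and make the sysctl and ip6tables changes persistent the same way the existing IPv4 MASQUERADE rule is. With this in place the client gets an fd…:abcd::/64 address internally and IP-check sites see the server's single Lightsail IPv6 address, which is the behaviour the question was after.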