I am trying to upgrade an openvpn server and I have an issue regarding IPv6 config. I can't figure out how to configure a tap interface without an IPv6 address, and still be able to assign IPv6 addresses to the connected clients.
For reasons linked to the structure of our network, the VPN has to be in bridge mode (tap interface), and all routing from / to VPN clients is done on a separate router device (the openvpn server is a dedicated linux box that I only use to offload VPN processing from that router, it does no routing / forwarding by itself).
In my current setup, the tap virtual interfaces have neither IPv4 nor IPv6 addresses, they are bridged with physical or VLAN interfaces, and the only addresses clients see are those of the router. The openvpn box just distributes IPv4/IPv6 addresses to the clients when they connect.
Excerpt of my current server config (only relevant parts):
dev tap-vpn
[...]
server-bridge 192.0.2.1 255.255.255.128 192.0.2.11 192.0.2.40
tun-ipv6
ifconfig-ipv6 2001:db8:1234:5678::1/64 2001:db8:1234:5678::1
ifconfig-ipv6-pool 2001:db8:1234:5678::11/64
[...]
push "tun-ipv6"
push "route 192.x.y.z"
push "route-ipv6 2001:db8:1234:4321::/64"
This works exactly as expected in OpenVPN 2.3: the box has no address attached to the tap-vpn interface, it distributes IPv4 addresses 192.0.2.11 - 192.0.2.40 and IPv6 addresses starting from 2001:db8:1234:5678::11, and it pushes routes as expected to the clients, with gateways 192.0.2.1 and 2001:db8:1234:5678::1.
For security reasons, I disable IPv6 at kernel level on that interface:
echo 1 >/proc/sys/net/ipv6/conf/tap-vpn/disable_ipv6
Upgrading to a more recent version breaks this setup, in the sense that ifconfig-ipv6 now wants to assign an IPv6 address to the interface, and having IPv6 disabled at kernel level simply prevents openvpn from starting. Removing the ifconfig-ipv6 directive is also not possible, as ifconfig-ipv6-pool needs it.
I know that tun-ipv6 is now deprecated, but removing / adding it doesn't seem to change anything. I have read various documentation, including of course the man page, and reviewed this, this and this thread, but none of these seems to address my concern.
If it is really impossible to achieve the setup I am intending, then I will find other ways to secure the VPN machine, like a local firewall, but I would find it more elegant to just have no IPv6 address on the tap (like I have no IPv4) and just use it as a bridging component.
FWIW, I am using slackware64 15.0 on a PCEngines APU mini-PC, but the issue is probably not at OS layer.
Any help or pointer to a working example would be much appreciated.