Why are OpenVPN clients getting IPv6 address non-randomly?


My OpenVPN IPv6 clients are getting assigned addresses sequentially from 1000. For example, client 1 gets 2006:xxxx:xxxx:xxxx::1000, client 2 gets ::1001, and so on. Also, they keep getting the same IPs. If I comment out ifconfig-pool-persist they may not, but they still start from 1000.

OpenVPN recommends a /64 routed block:

In a routed setup, you cannot use your on-link network; you must use a unique routed network range, just like when routing with IPv4. Most ISPs should have a facility to obtain a routed block on request, or sometimes provided as part of DHCPv6-PD; these concepts are outside the scope of this document. Speak to your ISP or use other IPv6 learning resources for further information.

This is fine. I have a routed block. No issues there. But there are two things that I expect to happen that are not happening when OpenVPN assigns addresses to the clients:

1) Each client should get a semi-permanent global IPv6 address AND a global temporary address that changes every 24 hours or so.

2) Both of those addresses (at least the temporary one) should be random within the /64 block.

Is there something I'm doing wrong in the configuration? I cannot figure out why these features only work with SLAAC. When OpenVPN has a whole pool of addresses (2^64), why is it just sitting there at the bottom and using repetitive and predictable addresses?

ts90, posted 2018-07-09T22:33:37.390
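The behaviour the question describes, a pool handed out in order from a fixed offset and remembered across reconnects by ifconfig-pool-persist, is what OpenVPN's address pool does by design; it is a central assignment, so nothing on the server side produces SLAAC-style random or temporary addresses. What OpenVPN does let you do is override the pool per client: a --client-connect script (with script-security 2) may write ifconfig-ipv6-push into the temporary file OpenVPN passes as its last argument, and that directive replaces the pool address for that client only. The script below is an added example of that mechanism; it is not code from the question, from the commenters, or from the OpenVPN project. The documentation prefix 2001:db8:1234:5678::/64, the script path, the secret key, the reserved low range and the client names are all constructed for illustration. It derives each client's 64-bit interface identifier from an HMAC of the certificate common name (stable across reconnects, but not guessable or sequential without the key), with an option to draw it at random per connection instead:

```python
#!/usr/bin/env python3
"""Added example (not from the original post or from OpenVPN): a --client-connect
script that assigns each client a non-sequential IPv6 address inside a routed /64.

Assumed server.conf lines (constructed for this example):
    server-ipv6 2001:db8:1234:5678::/64
    script-security 2
    client-connect /etc/openvpn/ipv6-assign.py

OpenVPN runs the script with the client's CN in the environment variable
common_name and the path of a temporary config file as the last argument;
whatever the script writes there is processed like a client-config-dir file.
"""
import hashlib
import hmac
import ipaddress
import os
import secrets
import sys

# Constructed values: substitute your own routed block and a random key.
PREFIX = ipaddress.IPv6Network("2001:db8:1234:5678::/64")  # must match server-ipv6
SERVER_ADDR = PREFIX[1]       # prefix::1, the address OpenVPN itself uses on tun
SECRET = b"replace-me-with-32-random-bytes"                # assumption: kept in a file, mode 0600
RESERVED_LOW = 0x1000         # keep prefix::1 .. prefix::fff free for the server and statics
IID_SPACE = 2 ** 64           # size of the interface-identifier space in a /64


def random_suffix() -> int:
    """64 random bits, in the spirit of an RFC 4941 temporary interface identifier."""
    return secrets.randbits(64)


def stable_suffix(common_name: str, secret: bytes) -> int:
    """64 bits derived from the client CN with HMAC-SHA256, in the spirit of
    RFC 7217: the same CN always maps to the same address, but without the key
    an observer cannot predict the next client's address or recover the CN."""
    digest = hmac.new(secret, common_name.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big")


def address_for(suffix: int) -> ipaddress.IPv6Address:
    """Map a 64-bit suffix into PREFIX while skipping the reserved low range.
    The modulo keeps the mapping uniform instead of piling low values onto one spot."""
    offset = RESERVED_LOW + (suffix % (IID_SPACE - RESERVED_LOW))
    return PREFIX[offset]


def assign(common_name: str, stable: bool = True) -> ipaddress.IPv6Address:
    """Pick the client's address: stable per CN by default, random per connection otherwise."""
    suffix = stable_suffix(common_name, SECRET) if stable else random_suffix()
    return address_for(suffix)


def directive(addr: ipaddress.IPv6Address) -> str:
    """The single line OpenVPN reads back; ifconfig-ipv6-push overrides the pool for this client."""
    return f"ifconfig-ipv6-push {addr}/{PREFIX.prefixlen} {SERVER_ADDR}\n"


def main() -> None:
    cn = os.environ.get("common_name", "")
    if not cn or len(sys.argv) < 2:
        sys.exit(1)  # a non-zero exit status makes OpenVPN refuse the connection
    with open(sys.argv[-1], "w") as out:
        out.write(directive(assign(cn)))


if __name__ == "__main__":
    main()
```

Two caveats worth knowing before deploying something like this. OpenVPN does not check a pushed address against its pool or against other pushed addresses, so uniqueness is the script's responsibility: the HMAC mode gives distinct CNs distinct addresses except with negligible probability, and the random mode relies on the size of the 64-bit space. And neither mode reproduces what the question expects from SLAAC: an address chosen at connect time stays fixed for the life of that session, so the 24-hour rotation of RFC 4941 temporary addresses, which the client kernel performs for itself, has no equivalent here.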

It's a good question, but I think this is something you should ask the OpenVPN developers themselves, as most other answers will be just speculation. (Maybe they just wanted to reuse their IPv4 pool code?) – user1686 – 2018-07-10T04:56:19.803

Though at the same time, regarding your expectations that addresses should be random, SLAAC does this mainly for collision avoidance (as it doesn't have a central authority), but many of the same reasons don't apply to VPN servers with central assignment. – user1686 – 2018-07-10T05:00:40.167

@grawity - your first point could be true. And even the SLAAC point makes sense. Although, I did read in an RFC somewhere that not only is that for collision avoidance, but also for some host obfuscation (even though the hosts are coming from a known common prefix) with regards to the Temporary Global address. But, yes, I was worried that I was not understanding something. It would be nice to see those global temporary addresses appear on VPN clients. But definitely not a show-stopper. – ts90 – 2018-07-10T12:33:17.263

No answers