If I understand correctly, you're trying to do an OpenVPN connection using IPv6 as a transport for the tunnel traffic.  I'm not sure if this is supported in OpenVPN or not.

I'm not doing the same thing.  My OpenVPN connection is over IPv4, and simply allows IPv6 and IPv4 to be tunneled across the VPN.  I'm not trying to actually establish a tunnel link over IPv6.  That's still transported via IPv4.

In situations where IPv4 addresses are hard coded into application layer protocol, there's really nothing you can do in an IPv6 only situation.  You'd have either find a chat protocol which is IPv6 friendly, or run dual stack, or dual stack lite.

• Establish separate IPv6 and IPv4 networks on both sides.  Assign IPv6 and IPv4 addresses to all hosts on each side.
• Establish a 6in4 tunnel between the streaming server and tunnel server using a separate IPv6 /64 for the tunnel end points.
• Establish routes through the tunnel on each side pointing to the appropriate IPv6 network.
• 
• Profit!

There was a pretty big flame-thread in the NANOG list about this, with the president of the ARIN even getting involved.  

Got a link?  Sounds like entertaining reading.  

http://mailman.nanog.org/pipermail/nanog/

I'm pretty sure this is the thread: http://mailman.nanog.org/pipermail/nanog/2011-September/039958.html

It's an entertaining, and sometimes informative list.   

There was a pretty big flame-thread in the NANOG list about this, with the president of the ARIN even getting involved. 

yeah, after brief testing with ecdysis, I moved to tayga as well, seemed to work better.

Searching around I think I spotted two other nat64 implementations on sourceforge, but they seem very idle and have little to no documentation.

I also think there's a NAT64 target for netfilter out there, but it hasn't made it into the mainstream kernel yet.  That'd probably ultimately be the ideal way to handle it, since it would be directly integrated with netfilter/iptables.  But for now, Tayga + netfilter seems to work well for me.

I got NAT64/DNS64 working on my gentoo linux based router box.  The combination of NAT64 and DNS64 allows IPv6 only hosts to communicate with IPv4 only hosts on the internet.

I looked around for various solutions for linux, and found that the most well known solution from Ecdysis wasn't compatible with the kernel I'm running on my router box (2.6.38-11), so I decided to give Tayga a try.  

Tayga is a simple "stateless" 1:1 NAT64 translator daemon which runs in user space, and makes use of a TUN interface to interface with the network.

My goal was to allow IPv6 only hosts on my LAN communicate with the IPv4 internet using a single public IPv4.  Since Tayga does simple one-to-one IPv6 -> IPv4 translation, with every IPv6 address requiring a corresponding IPv4 address, it essentially requires a double NAT (unless you have a large chunk of public IPv4s you can use for the NAT64 address pool).  So, to achieve this goal, the source translation goes something like this:

LAN IPv6 source address -> Private IPv4 pool address (NAT64 by Tayga) -> Public IPv4 address (NAT44 by iptables)

The return packets go through the reverse process.  This approach works very well, since it allows iptables/netfilter to do what it does well, instead of having some nat64 kernel module do everything, including keep connection state information, while keeping the nat64 process a simple operation.

Here are the configuration for the NAT64 half (addresses obfuscated):

/etc/tayga.conf:

tun-device nat64
ipv4-addr 192.168.255.1
prefix 2001:db8:1234:ffff::/96
dynamic-pool 192.168.255.0/24


This uses "nat64" for the name of the tun interface hooked up to Tayga, 192.168.255.1 is the IPv6 address Tayga itself uses, the NAT64 IPv6 prefix is part of my /48, and is used to represent IPv4 addresses as an IPv6 address, and the dynamic-pool is a pool of IPv4 addresses which Tayga translate IPv6 addresses to using the RFC defined algorithm.

To initialize the tun interface, one first issues the command tayga -mktun which simply creates the tun interface, then the interface must be assigned IPv4 and IPv6 addresses, and brought up, like so:

ip link set nat64 up
ip addr add 192.168.0.1 dev nat64
ip addr add 2001:db8:1234::1 dev nat64
ip route add 192.168.255.0/24 dev nat64
ip route add 2001:db8:1234:ffff::/96 dev nat64


The IPv4 and IPv6 addresses put on the tun interface are the same as the inside addresses on the ethernet interface, set as a /32 and /128 respectively, but this works just fine under linux.  The routes direct traffic for the IPv6 NAT64 range and IPv4 pool to the tun interface and thus into the Tayga deamon.  The interface and routes looks like this afterward:

ip addr:

8: nat64: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 500
    link/none
    inet 192.168.0.1/32 scope global nat64
    inet6 2001:db8:1234::1/128 scope global
       valid_lft forever preferred_lft forever

ip route:

192.168.255.0/24 dev nat64  scope link
2001:470:8332:ffff::/96 dev nat64  metric 1024


At this point, Tayga will translate my LAN hosts' source IPv6 addresses to an IPv4 address in the pool 192.168.255.0/24, and back.  But this wont get us to the internet yet.  The second part is setting up a iptables/netfilter NAT44 rule to translate from the NAT64 private IPv4 pool range to our public IPv4 address, and a filter table rule to allow the traffic.  This is a simple two liner (public IPs obfuscated):

iptables -A POSTROUTING -s 192.168.255.0/24 -j SNAT --to-source 198.51.100.1
iptables -A FORWARD -s 192.168.255.0/24 -i nat64 -j ACCEPT

Now I can actually send packets to the IPv4 internet from an IPv6 address on my LAN by using the NAT64 IPv6 prefix like so (a google IPv4 in this case):

{jimb@r51jimb/pts/1}~> ping6 -n 2001:db8:1234:ffff::74.125.224.116
PING 2001:db8:1234:ffff::74.125.224.116(2001:db8:1234:ffff::4a7d:e074) 56 data bytes
64 bytes from 2001:db8:1234:ffff::4a7d:e074: icmp_seq=1 ttl=52 time=64.2 ms
64 bytes from 2001:db8:1234:ffff::4a7d:e074: icmp_seq=2 ttl=52 time=14.1 ms
64 bytes from 2001:db8:1234:ffff::4a7d:e074: icmp_seq=3 ttl=52 time=13.7 ms


Now we need a DNS64 server to return our NAT64 prefixed IPv6 addresses in place of IPv4 addresses.  For this, I just turned on the functionality in BIND 9.8 with the following config section:

options {
      . . .

   dns64 2001:db8:1234:ffff::/96 {
      clients { 192.168.0.8/32; 2001:db8:1234:0:211:25ff:fe32:76; 2001:db8:1234::8; };
   };

     . . .
};


This directive tells BIND to return synthesized IPv6 addresses when a AAAA record is requested for a host on the internet which only has an IPv4 address by prepending our NAT64 prefix to the IPv4 address placed in the lower 32 bits of the NAT64 IPv6 prefix.  The "clients" section restricts this behavior to only my test clients.  The result are DNS answer such as this:

{jimb@r51jimb/pts/1}~> dig www.google.com aaaa
; <<>> DiG 9.7.3 <<>> www.google.com aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38149
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.                        IN      AAAA

;; ANSWER SECTION:
www.google.com.         599918  IN      CNAME   www.l.google.com.
www.l.google.com.       296     IN      AAAA    2001:db8:1234:ffff::4a7d:e071
www.l.google.com.       296     IN      AAAA    2001:db8:1234:ffff::4a7d:e072
www.l.google.com.       296     IN      AAAA    2001:db8:1234:ffff::4a7d:e073
www.l.google.com.       296     IN      AAAA    2001:db8:1234:ffff::4a7d:e074
www.l.google.com.       296     IN      AAAA    2001:db8:1234:ffff::4a7d:e070


Putting it all together, I can now do things like this:

{jimb@r51jimb/pts/1}~> ping6 www.google.com
PING www.google.com(2001:470:8332:ffff::4a7d:e072) 56 data bytes
64 bytes from 2001:470:8332:ffff::4a7d:e072: icmp_seq=1 ttl=52 time=15.6 ms
64 bytes from 2001:470:8332:ffff::4a7d:e072: icmp_seq=2 ttl=52 time=14.9 ms
64 bytes from 2001:470:8332:ffff::4a7d:e072: icmp_seq=3 ttl=52 time=32.4 ms
64 bytes from 2001:470:8332:ffff::4a7d:e072: icmp_seq=4 ttl=52 time=15.6 ms

{jimb@r51jimb/pts/1}~> wget -6 www.google.com -O /dev/null
--2011-09-18 00:19:46--  http://www.google.com/
Resolving www.google.com... 2001:db8:1234:ffff::4a7d:e074, 2001:db8:1234:ffff::4a7d:e070, 2001:db8:1234:ffff::4a7d:e071, ...
Connecting to www.google.com|2001:db8:1234:ffff::4a7d:e074|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: `/dev/null'

    [ <=>                                   ] 10,286      --.-K/s   in 0s      

2011-09-18 00:19:46 (167 MB/s) - `/dev/null' saved [10286]

{jimb@r51jimb/pts/1}~> lftp ftp.mozilla.org
lftp ftp.mozilla.org:~> debug
lftp ftp.mozilla.org:~> dir
---- Connecting to ftp.mozilla.org (2001:db8:1234:ffff::3ff5:d189) port 21
<--- 230 Login successful.
---> PWD
<--- 257 "/"
---> EPSV
<--- 229 Extended Passive Mode Entered (|||51300|)
---- Connecting data socket to (2001:db8:1234:ffff::3ff5:d189) port 51300
---- Data connection established
---> LIST
<--- 150 Here comes the directory listing.
---- Got EOF on data connection
---- Closing data socket
<--- 226 Directory send OK.
-rw-r--r--    1 ftp      ftp           528 Nov 01  2007 README
-rw-r--r--    1 ftp      ftp           560 Sep 28  2007 index.html
drwxr-xr-x   35 ftp      ftp          4096 Nov 10  2010 pub
lftp ftp.mozilla.org:~>

Firefox watching a youtube video over NAT64 (you'll need IPv6 to see this):



(yes I obfuscated the IPv6)

So far everything works as expected except for port mode FTP.  I suppose that's because of the double NAT, but it could just be some iptables settings I need.  Oddly, I get DROP log entries from the FTP NAT helper module on outgoing packets originating from my real public IP going to the FTP server.  Weird eh?

Anyway, this was a lot easier than I thought it'd be.  Maybe it should be a new HE test.  

Because it is hard to email ipv6@he.net and ask

Hardware being funky, working to de-funk it.

I did actually, although I didn't ask what was actually going on.  I figured hardware.

Seems to be up-and-down.  My guess is that they're having hardware issues.

Yeah they're having some trouble with that server it looks like.  It was down for a while last night, then again today.  Just started responding to pings again.

They're working on it.

Looks like it's failing on the Link Local.  Are there any other machines, or other interfaces on the same box which have the same MAC address?  Or perhaps the interface is being presented to the IPv6 stack (or the LAN) twice or something like that?

Hrm.  I should check to see if my WRT-610 N has IPv6 stuff now.  Although it'd be a bit moot for me since I only use it as a L2 access point.

I just noticed while browsing around on the Xbox sites that they now all seem to be IPv6 enabled.  Some of the addresses:

live.gtm.xbox.com.      30      IN      CNAME   live-origin.gtm.xbox.com.
live-origin.gtm.xbox.com. 30    IN      AAAA    2a01:111:f009::ace
marketplace.xbox.com.   300     IN      CNAME   marketplace.gtm.xbox.com.
marketplace.gtm.xbox.com. 30    IN      CNAME   marketplace-origin.gtm.xbox.com.
marketplace-origin.gtm.xbox.com. 30 IN  AAAA    2a01:111:f009::fab:fab

Hehe.  "ace" and "fab fab".

The xbox.com stuff flips around a lot, sometimes pointing to edgesuite, sometimes to akamai, etc.  All are using IPv6 though:

www.xbox.com.           66      IN      CNAME   www.gtm.xbox.com.
www.gtm.xbox.com.       30      IN      CNAME   msxbwsd.vo.llnwd.net.
msxbwsd.vo.llnwd.net.   116     IN      AAAA    2607:f4e8:110:104:225:90ff:fe09:66e2
msxbwsd.vo.llnwd.net.   116     IN      AAAA    2607:f4e8:110:104:230:48ff:fe89:8c3e

www.xbox.com.           141     IN      CNAME   www.gtm.xbox.com.
www.gtm.xbox.com.       14      IN      CNAME   www.xbox.com.edgesuite.net.
www.xbox.com.edgesuite.net. 285 IN      CNAME   a1123.dsw2.akamai.net.
a1123.dsw2.akamai.net.  5       IN      AAAA    2001:418:1c01::8cae:183a
a1123.dsw2.akamai.net.  5       IN      AAAA    2001:418:1c01::8cae:1851

Yeh tserv3.fmt2 went down last night for a while.  Think it was a few hours.

Yeah came back up last night.