K. I got this working w/ Gert's branch of the code. It wasn't easy though.
Gert's code (http://www.greenie.net/ipv6/openvpn.html
) provides a few new config items, including the "server" workalike for IPv6 called "server-ipv6". It allows one to set up an IPv6 range to hand to VPN clients (that's the primary use I have for OpenVPN, as a VPN remote access service). I believe the newest versions have IPv6 support built in for a site-to-site manually configured tunnel, but not for VPN clients. Gert's page has more info on that.
Anyway, I tried to apply the Gert's IPv6 payload patch, but none of the versions I could download would take the patch, and I couldn't find the 2.1.1b version which Gert used to download anywhere). So I wound up using git to grab the modified branch like so:git clone -b gert-ipv6 git://git.birkenwald.de/openvpn.git
This doesn't have a configure script, so I had to create one from the source configure.ac file using autoconf, etc. It was also missing an install-sh script, so I grabbed that out of the archive for openvpn-2.1.3 and put it into the dir.
I wound up having to do a few extra things to get a working ./configure script. autoupdate
Once I was done with that, I was able to run configure../configure --enable-iproute2
(do a ./configure --help to see if you might want to add or remove other features)make
This was on a gentoo system. (You might find binaries or something for whatever you're running.)
I didn't feel like setting up support scripts, etc, for it, so I just mv'ed my existing openvpn executable to openvpn.orig, then symlinked to the new exe which was placed in /usr/local/sbin. This allowed me to use the gentoo init scripts and such to bring it up, shut it down, etc.
I added these lines to the server configuration to have it configure IPv6 addresses on my VPN client:server-ipv6 2001:db8:1234:1::/64
push "route-ipv6 2001:db8:1234::/64"
push "route-ipv6 2000::/3"
The first line defines the IPv6 subnet (carved out of my /48) which will be passed out to the clients (2001:db8:1234:1::/64). The second pushes a route for my LAN IPv6 to the client (sort of redundant really, but I wanted it there in case I want to omit the third line in certain situations), and the third is basically a default route for IPv6 traffic. In cases where I already have IPv6 connectivity, I can easily delete the "default route" on the client side so I just use the VPN for my IPv6 LAN only.
On the client side, I got the modified windows install from Gert's site which supports IPv6 transport and installed that on my Win 7 laptop. The configuration file that works for IPv4 can pretty much be left alone and work.
But unfortunately for whatever reason, the IPv6 address and route for the VPN client network is not removed when disconnecting, so I created a simple "down" script to remove these upon disconnection. If you don't do this, you have to remove them by hand before trying to connect again, or the client will fail when it can't add the routes and addresses ('cause they're already there).
I call the down script with this config line:down clear_ipv6.bat
The batch file is really simple:@echo off
REM Hose out the ipv6 config on the TAP interface since openvpn doesn't seem to do it
REM TAP interface is "Local Area Connection 2"
REM delete the IPv6 address from the TAP interface
netsh int ipv6 delete addr "Local Area Connection 2" 2001:db8:1234:1::1:0
REM delete the left over route
netsh int ipv6 delete route 2001:db8:1234:1::/64 "Local Area Connection 2"
(for some reason Gert's mods use the 7th quad for the host address instead of the last)
Because I am using a down script, I also had to add this line to my VPN client configuration file which allows OpenVPN to use scripts:script-security 2
That's pretty much it. I can now use openVPN to get secure IPv4 and IPv6 access to my LAN, and
IPv6 access to the internet (via my LAN and home internet connection) when I need it.