OpenVPN as IPv6 Tunnel Broker

Long story short: add "server-ipv6 prefix/bits" (for example a /80 carved out of the /64 that is routed to your server) to your existing OpenVPN server config and install npd6.

The modification of the OpenVPN config is trivial. The option seems to be designed primarily for tun mode but works fine with tap (Layer 2 tunnelling) as well. OpenVPN then assigns each client one IPv6 address derived from its IPv4 VPN address; in the setup described here the pattern was $prefix:fff + last octet of the IPv4 address, with the server itself at $prefix:2. The exact derivation is an OpenVPN implementation detail that can differ between versions, so check the addresses OpenVPN actually hands out (server log or status file) before relying on the pattern.

Internal IPv6 communication amongst VPN clients should already work now. For your clients to reach the rest of the v6 Internet, return traffic has to find its way back to them: the router in front of your VPN gateway must learn that the clients' addresses are reachable via the gateway. On a plain Ethernet segment this is handled by the Neighbour Discovery Protocol (NDP), the IPv6 equivalent of ARP: the router sends a Neighbour Solicitation (NS, roughly an ARP request) for the target address and expects a Neighbour Advertisement (NA, roughly an ARP reply) from the host that owns it. NS and NA are link-local, Layer 2 traffic, so they never pass through the VPN server to the clients, and the router never gets an answer.

You could of course try to solve this by bridging your VPN and Ethernet adapters. That requires a Layer 2 (tap) VPN, and, more importantly: do you even want your VPN clients sitting directly on an open network with no way of firewalling them? The better solution is an NDP proxy daemon that answers Neighbour Solicitations for the VPN prefix on the gateway's behalf, so the router hands the clients' traffic to the gateway, which then routes it into the tunnel. I run npd6, but ndppd does the same job. Setting it up is quite simple: configure your VPN's IPv6 prefix and the upstream network adapter (usually eth0) and start it.

Your broker should be ready to go now. Since the clients' addresses are now globally reachable, you will also want ip6tables rules on the gateway that drop new incoming connections to your VPN clients while still letting replies to their own connections and ICMPv6 (which IPv6 needs for path MTU discovery) through.
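The whole procedure above in one place, as an added example that is not part of the original post and not code from OpenVPN or npd6: it validates the addressing plan (the VPN prefix really is a sub-prefix of the /64 routed to the gateway, and the gateway's own on-link address is not inside it, otherwise the NDP proxy would answer solicitations for the gateway too) and then emits the OpenVPN line, the npd6 config and the ip6tables forwarding rules. All addresses and interface names are constructed sample values (2001:db8::/32 is the documentation prefix); the npd6 option names prefix= and interface= follow npd6's sample config and should be checked against the installed version. The rules also assume net.ipv6.conf.all.forwarding=1 on the gateway, which the post does not mention but routing between the tunnel and eth0 requires.

```python
"""Sanity-check an OpenVPN IPv6 tunnel-broker plan and emit the config pieces.

Added example, not code from the original post or from OpenVPN/npd6.
Assumptions: the /64, the /80 carved out of it and the interface names are
constructed sample values; npd6's option names (prefix=, interface=) follow
its sample config and must be confirmed against the installed version;
net.ipv6.conf.all.forwarding=1 is set on the gateway.
"""
import ipaddress


def check_prefix_plan(delegated_prefix, vpn_prefix, gateway_addr):
    """Validate the addressing plan before touching any config.

    - the VPN prefix must lie strictly inside the /64 routed to the gateway,
      otherwise the upstream router never sends the clients' traffic here;
    - the gateway's own on-link address must not be inside the VPN prefix,
      otherwise the NDP proxy would also answer solicitations for the gateway.
    Returns the validated VPN network.
    """
    delegated = ipaddress.IPv6Network(delegated_prefix, strict=True)
    vpn = ipaddress.IPv6Network(vpn_prefix, strict=True)
    gateway = ipaddress.IPv6Address(gateway_addr)
    if not vpn.subnet_of(delegated) or vpn.prefixlen <= delegated.prefixlen:
        raise ValueError(f"{vpn} is not a sub-prefix of {delegated}")
    if gateway in vpn:
        raise ValueError(f"gateway address {gateway} lies inside {vpn}")
    return vpn


def openvpn_fragment(vpn):
    """Lines to append to the existing OpenVPN server config."""
    return (
        "# hand each client one IPv6 address out of this prefix\n"
        f"server-ipv6 {vpn.with_prefixlen}\n"
    )


def npd6_fragment(vpn, upstream_iface):
    """npd6.conf: answer Neighbour Solicitations for the whole VPN prefix on
    the upstream (Ethernet) interface. Option names assumed from npd6's
    sample config; check them against your version."""
    return (
        f"prefix={vpn.network_address}\n"
        f"interface={upstream_iface}\n"
    )


def ip6tables_rules(vpn, vpn_iface, upstream_iface):
    """FORWARD policy for the gateway: clients may go out, only replies and
    ICMPv6 (path MTU discovery, error messages) may come back in, any other
    new inbound connection to a client is dropped."""
    fwd = "ip6tables -A FORWARD"
    return [
        # traffic from the tunnel towards the Internet
        f"{fwd} -i {vpn_iface} -o {upstream_iface} -s {vpn} -j ACCEPT",
        # replies to connections the clients opened themselves
        f"{fwd} -i {upstream_iface} -o {vpn_iface} -d {vpn} "
        "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        # ICMPv6 is deliberately let through as a whole; IPv6 breaks without it
        f"{fwd} -i {upstream_iface} -o {vpn_iface} -d {vpn} -p icmpv6 -j ACCEPT",
        # everything else that is new and inbound to a client is dropped
        f"{fwd} -i {upstream_iface} -o {vpn_iface} -d {vpn} -j DROP",
    ]


if __name__ == "__main__":
    # constructed sample plan: /64 routed to the gateway, /80 for the VPN,
    # gateway's own address on eth0 outside the /80
    net = check_prefix_plan("2001:db8:1:2::/64",
                            "2001:db8:1:2:abcd::/80",
                            "2001:db8:1:2::1")
    print(openvpn_fragment(net))
    print(npd6_fragment(net, "eth0"))
    print("\n".join(ip6tables_rules(net, "tap0", "eth0")))
```

Run it once with your real /64, the /80 you intend to use and the gateway's eth0 address; the printed lines go into the OpenVPN server config, npd6.conf and your firewall script respectively. The ip6tables rules are order sensitive: the ESTABLISHED,RELATED and ICMPv6 accepts must precede the final DROP, which is why the function returns them as a list rather than a set.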

Note: with IPv6 connectivity in place, glibc's getaddrinfo will prefer IPv6 destinations over IPv4 ones wherever both exist (its default precedence table ranks ::/0 at 40, above IPv4-mapped addresses). If you don't want that on a given host, edit its /etc/gai.conf and add the following line, which ranks IPv4-mapped addresses, i.e. IPv4 destinations, above everything else:
precedence ::ffff:0:0/96 100