FYI: [Openvpn-users] [Openvpn-devel] [ANNOUNCE] IPv6 payload patch

Eugen Leitl eugen at
Sun Oct 31 18:59:43 CET 2010

----- Forwarded message from Bernhard Schmidt <berni at> -----

From: Bernhard Schmidt <berni at>
Date: Mon, 18 Jan 2010 23:09:52 +0100
To: openvpn-users at,
	openvpn-devel at
Subject: [Openvpn-users] [Openvpn-devel] [ANNOUNCE] IPv6 payload patch
User-Agent: Mutt/1.5.20 (2009-06-14)

Hello everyone,

up to now OpenVPN only supports transporting IPv6 data through a
point-to-multipoint (tls-server/tls-client mode) using tap-interfaces,
which emulate a virtual ethernet device. The preferred tun-mode does not
support any IPv6, because the in-process routing engine does not
understand IPv6 addressing.

After planning to force a student to write this part of code (who
unfortunately sensed our plot and ran for his life) Gert Doering finally
yielded to our begging and promises of beer and wrote the code.

So here we go. This patch implements pretty much everything you need for
a decent IPv6 VPN-concentrator setup, including autoconfiguration of the
client and routing of arbitrary subnets from the client to the server or
from the server to the client.

The patch (on stock upstream OpenVPN) and some rough documentation can
be found at . We are also
maintaining the code in git to ease development. There are a public
git-repository on my personal git server

git:// with the following branches:
* upstream (fetched from stock
  branch, which again comes from git-svn from the OpenVPN repository)
* jjo-ipv6 (fetched again from jjo master branch, which is upstream 
  with the additional patches for IPv6 _transport_ (not related to this
* gert-ipv6 (upstream + gert's patches for IPv6 payload)

There is also a jjo+gert branch which merges both branches.  There was a
small conflict in one function in mroute.c, but that is only cosmetical.
We're working on getting that aligned.

Additionally I have built Debian/Ubuntu binary packages (no guarantees
whatsoever) which are available on my Launchpad PPA at . They say Ubuntu
Intrepid/Karmic but run on Debian Lenny just fine. They are however
based on the Debian OpenVPN package from testing (which also includes
jjo's IPv6 transport patch), so they might introduce additional bugs not
present in the stable series. Use at your own risk.

The patched binaries have been tested on a number of OpenVPN installations,
with a large number of different clients (mostly unpatched, some with
IPv6 patches) connecting to patched servers, and we have not seen any
instabilities yet.  So we consider this "safe for more wider-scale testing
and peer review".

So what's left to do? Windows support for IPv6 is completely
unimplemented at the moment, that part of the code would love to see
someone familiar with the platform. Documentation (which is my primary
responsibility, so I'd love to see patches from all of you :-) ) is
pretty much missing.  And of course, testing, testing, testing...

We would love to hear your thoughts and results about it.

Best Regards,
Bernhard and Gert

Throughout its 18-year history, RSA Conference consistently attracts the
world's best and brightest in the field, creating opportunities for Conference
attendees to learn about information security's most important issues through
interactions with peers, luminaries and emerging and established companies.
Openvpn-devel mailing list
Openvpn-devel at

Nokia and AT&T present the 2010 Calling All Innovators-North America contest
Create new apps & games for the Nokia N8 for consumers in  U.S. and Canada
$10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store
Openvpn-users mailing list
Openvpn-users at

----- End forwarded message -----
Eugen* Leitl <a href="">leitl</a>
ICBM: 48.07100, 11.36820
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE

More information about the ipv6-ops mailing list