After finally taking the time to get tunnelled IPv6 into the homelab via Hurricane Electric, I thought it would be nice to extend the routing out to my VPN clients. After all, they connect in and appear like local devices to the rest of the network, so why not?
What I thought would be a simple configuration change has been puzzling me for the last few days. What I didn’t realise is that after switching on IPv6 in the OpenVPN server, IPv4 traffic was no longer being routed via the VPN at all. It turns out a small issue in either the OpenVPN client, iOS or something in between breaks the configuration, but thankfully it only requires a small fix.
The solution finally came from the OpenVPN bug tracker, ticket 614:
IPv4 routing on iOS 9 is broken if IPv6 is enabled inside the tunnel. The tests were done with tun-ipv6 and redirect-gateway activated and all the IPv4 traffic bypasses VPN gateway, while IPv6 works fine. Works as expected without tun-ipv6. Doesn’t work with tun-ipv6 but no IPv6 address.
Exactly what I was experiencing. Thankfully fkooman came across an entry in the FAQ which mentioned an undocumented option called redirect-gateway ipv6. Pushing this option from the OpenVPN server resolves the routing issue.
On pfSense you just need to add push "redirect-gateway ipv6" to the “Advanced Options” section of the OpenVPN server configuration.
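For readers running OpenVPN outside pfSense, here is an added server-side example (not configuration from the original post) showing the broken push line next to the fixed one. The tunnel addresses are constructed, and the def1 flag is a standard redirect-gateway flag that the post itself does not mention.

```conf
# Added example, not from the original post. Addresses are constructed.
dev tun
tun-ipv6                           # enable IPv6 inside the tunnel (OpenVPN 2.3 syntax)
server 10.8.0.0 255.255.255.0      # IPv4 tunnel pool (constructed)
server-ipv6 2001:db8:1234::/64     # IPv6 tunnel pool (constructed, documentation prefix)

# Broken on iOS 9 once tun-ipv6 is active: IPv4 traffic bypasses the tunnel
# while IPv6 is routed correctly.
# push "redirect-gateway def1"

# Fixed: the ipv6 flag (undocumented at the time of the bug report) makes the
# client redirect both the IPv4 and IPv6 default routes through the tunnel.
# On pfSense this is the line that goes in "Advanced Options".
push "redirect-gateway def1 ipv6"
```

After reconnecting, confirm the fix from a client by checking that both its externally visible IPv4 and IPv6 addresses belong to the VPN endpoint rather than the local network.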