On 16/02/2022 15:51, Mark Rogers wrote:
> Just playing with ideas really but I would like to try setting up a VPN, accessed over IPv4, but where everything within it is IPv6. There are a few reasons, but they're mostly that I don't know enough IPv6 so it would force me to get to grips with it when working within the VPN.
Er....
I'm not an expert on VPNs or IPv6. Bear that in mind.
AFAIK, devices on an IPv6 network have a private IP6 address, and can have a public IP6 address if required. The public address should be globally unique, so that you can access a device from out in the internet without having to do NAT (network address translation) like you have to do in IPv4. This is basically part of the point of IP6. Obviously there has to be a route set up somewhere (via a VPN) and access through any firewalls.
This suggests to me that you should access the VPN that you want to set up using IP6 throughout. If you want to access it from IPv4, you'll have to do NAT, and/or do something like "tunnelling" IP6 over IP4, or do some sort of transfer process to map IP4 to IP6. But why? Why do that when IP6 is designed to avoid the need?
> (My objective is to host a VPN to which devices (typically things like Raspberry Pis) and "users" connect, with users having access to the devices but devices not having access to each other or anything else. No doubt this might change in future to require that some devices can access specific other services but they'd always be tied down.)
This paragraph suggests to me that what you're trying to set up is a DMZ, as often seen on routers. A DMZ is a "De Militarised Zone". Basically an area of your network that has highly restricted access. Alternatively, just firewall all the devices on your network and only open ports that you need. To me (not an expert), this doesn't sound like a job for the VPN.
> Does this sound plausible? As an OpenVPN novice, is this something I should park until I know OpenVPN better?
Yes.
I've used PiVPN which created a simple wrapper over OpenVPN. Presumably this was done because OpenVPN was hard to configure easily.
I'd suggest that you just install PiVPN on a Pi and go with that. PiVPN now defaults to using WireGuard. If you want to use OpenVPN, make sure you install it with the right option to pick OpenVPN.
If you want to learn how to use IPv6, I suggest that you just make sure that most/all of the machines on your network have IP6 enabled, and check that they're using it. If/when it's working, check it's working by turning off IP4 (by firewalling it?).
Anyway, that's my 2p FWIW. Not an expert, as I said.
Hope it helps.
Steve