On Wed, 16 Feb 2022 at 20:49, steve-ALUG@hst.me.uk wrote:
AFAIK, devices on an IPV6 network have a private IP6 address, and can have a public IP6 address if required.
No public IP needed. The VPN is only for the purposes of accessing resources on the VPN.
So my laptop would join the VPN, get an IPv6 address on the VPN, and would then be able to access devices which had similarly connected to the VPN, using IPv6.
This suggests to me that you should access the VPN that you want to set up using IP6 throughout.
I don't see any reason why the VPN server host IP can't be IPv4; the oVPN config on my laptop would use IPv4 to connect to it and establish the VPN connection, but the VPN interface that was thus created would only have an IPv6 address.
I don't know how routing works with IPv6 (so I don't know how my laptop would work out to use the VPN connection to access certain IPv6 addresses and my default gateway for others) but that's because I am stuck in an IPv4 mindset and part of the rationale for doing this is to force myself to gain those skills; as long as there's an IPv4 option for connecting to something I'm going to use that because I don't have to think about it. (I don't want to use IPv6 to access the VPN, primarily because my ISP doesn't support it, and some of the devices will be using SIM cards from mobile providers who don't support it.)
This paragraph suggests to me that what you're trying to set up is a DMZ, as often seen on routers.
That comment suggests I misled you as to my goal!
The architecture would be:
- Server1 - cloud hosted oVPN server
- PC1, PC2, PC3 - laptops and PCs that use IPv4 to connect to Server1 where they obtain IPv6 addresses (local to that VPN)
- Dev1, Dev2, Dev3 - devices which similarly connect using IPv4 (eg via mobile network) to Server1 where they also get an IPv6 address
- Once connected, PC1 would be able to access (eg SSH into) Dev1, Dev2, Dev3. Dev1/2/3 would not be able to access each other or anything else.
I'd suggest that you just install PiVPN on a Pi and go with that. PiVPN now defaults to using Wireguard.
I need to remain hardware agnostic. Whilst I have several Pi's I also have some OpenWrt devices that support oVPN which I'd want to include.
If you want to learn how to use IPV6, I suggest that you just make sure that most/all of the machines on your network have IP6 enabled, and check that they're using it. If/when it's working, check it's working by turning off IP4 (by firewalling it?).
I've done that in the past (without disabling IPv4) but I always fall back to IPv4. I can't disable IPv4 as it would affect other people. This VPN would be a new thing so baking IPv6 in from the start means nothing gets broken by trying to transition to IPv6 later.
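An added example, not part of the original email: a small Python model of the two mechanisms the message relies on, namely how a client picks the VPN interface for VPN addresses by longest-prefix match, and the hub policy that lets PC1 reach the devices while the devices reach nothing. The ULA prefix, host addresses, interface names and function names are all constructed for illustration.

```python
import ipaddress

# Constructed values: a ULA prefix for the VPN and made-up host addresses.
VPN_PREFIX = ipaddress.ip_network("fd00:abcd::/64")
HOSTS = {
    "PC1": ipaddress.ip_address("fd00:abcd::11"),
    "Dev1": ipaddress.ip_address("fd00:abcd::101"),
    "Dev2": ipaddress.ip_address("fd00:abcd::102"),
    "Dev3": ipaddress.ip_address("fd00:abcd::103"),
}
ADMINS = {"PC1"}  # assumption: only PC1 may open connections to devices

# Client-side IPv6 routing table as (prefix, interface) pairs.
# The ::/0 entry only exists if the ISP provides IPv6 at all.
ROUTES = [
    (ipaddress.ip_network("::/0"), "eth0"),
    (VPN_PREFIX, "tun0"),
]

def pick_interface(dst, routes=ROUTES):
    """Longest-prefix match: the most specific route containing dst wins."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, dev) for net, dev in routes if dst in net]
    if not matches:
        return None  # no route: destination is unreachable
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def server_forwards(src, dst):
    """Hub policy for new connections between VPN clients.

    Allowed only when the source is an admin PC and the destination is a
    known device. Return traffic is assumed to be handled by a stateful
    firewall on the server, so devices never need an allow rule of their own.
    """
    names = {addr: name for name, addr in HOSTS.items()}
    src_name = names.get(ipaddress.ip_address(src))
    dst_name = names.get(ipaddress.ip_address(dst))
    if src_name is None or dst_name is None:
        return False  # unknown address: default deny
    return src_name in ADMINS and dst_name not in ADMINS

if __name__ == "__main__":
    print(pick_interface("fd00:abcd::101"))   # VPN address
    print(pick_interface("2001:db8::1"))      # non-VPN address
    print(server_forwards("fd00:abcd::101", "fd00:abcd::102"))
```

With no `::/0` entry in the table (an ISP without IPv6), only VPN addresses have a route, so IPv6 traffic cannot leave by any path other than the tunnel.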