Feature #16822

open

DHCPv6 PD track interface support for OpenVPN IPv6 tunnel network

Added by Dan Mahoney about 2 months ago. Updated about 2 months ago.

Status: New
Priority: Normal
Assignee: -
Category: OpenVPN
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default

Description

WAN interfaces configured for DHCPv6 prefix delegation have a known prefix structure that can be used when configuring OpenVPN server tunnels, but unlike 6rd (resolved in #16706), there is no equivalent option for DHCPv6-PD. Users with delegated prefixes (e.g. Comcast /60) must hardcode an IPv6 tunnel network prefix, which breaks silently when the delegated prefix changes.

Add an option to the OpenVPN Server IPv6 tunnel network settings to track a DHCPv6-PD WAN interface and prefix ID, deriving the /64 dynamically at config-write time and updating automatically via rc.newwanipv6 when the delegation changes.

A working patch against 25.07.1-RELEASE has been tested and verified on pfSense Plus (arm64) with a Comcast /60 delegation.

Screenshot of what my config UI now looks like also attached.


Files

pfsense-openvpn-dhcp6pd.patch (12.1 KB): Patch. Dan Mahoney, 05/02/2026 08:57 PM
Screenshot 2026-05-02 at 1.59.47 PM.png (252 KB): Screenshot of Config Gui. Dan Mahoney, 05/02/2026 09:00 PM
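
The derivation the description asks for, sketched as an added example (this is not the attached patch or pfSense code): a /64 is computed from the delegated prefix and a prefix ID, and a hardcoded tunnel network is checked against a changed delegation. The function names are hypothetical, and the addresses are constructed values from the 2001:db8::/32 documentation range.

```python
import ipaddress


def derive_tunnel_network(delegated: str, prefix_id: int,
                          tunnel_len: int = 64) -> ipaddress.IPv6Network:
    """Return the prefix_id-th /tunnel_len network inside a delegated prefix."""
    pd = ipaddress.IPv6Network(delegated, strict=True)
    if pd.prefixlen > tunnel_len:
        raise ValueError(f"{pd} is longer than /{tunnel_len}; nothing to subnet")
    # A /60 delegation leaves 4 bits of prefix ID (0x0-0xf); a /56 leaves 8.
    id_bits = tunnel_len - pd.prefixlen
    if not 0 <= prefix_id < (1 << id_bits):
        raise ValueError(
            f"prefix ID {prefix_id:#x} does not fit in {id_bits} bits of {pd}")
    # Place the prefix ID in the bits between the delegation and the /64 boundary.
    base = int(pd.network_address) | (prefix_id << (128 - tunnel_len))
    return ipaddress.IPv6Network((base, tunnel_len))


def tunnel_still_routable(tunnel: str, delegated: str) -> bool:
    """True if a configured tunnel network lies inside the current delegation."""
    return ipaddress.IPv6Network(tunnel).subnet_of(
        ipaddress.IPv6Network(delegated))


if __name__ == "__main__":
    # Constructed sample delegations (documentation range), both /60.
    old_pd = "2001:db8:1230::/60"
    new_pd = "2001:db8:4560::/60"
    prefix_id = 0xF

    hardcoded = derive_tunnel_network(old_pd, prefix_id)
    print("tunnel under old delegation:", hardcoded)

    # After the delegation changes, the hardcoded value is outside the
    # delegated space, while re-deriving from the tracked prefix follows it.
    print("hardcoded still inside new delegation:",
          tunnel_still_routable(str(hardcoded), new_pd))
    print("tracked tunnel after change:",
          derive_tunnel_network(new_pd, prefix_id))

    try:
        derive_tunnel_network(new_pd, 0x10)  # 5 bits, too large for a /60
    except ValueError as exc:
        print("rejected:", exc)
```

Running the range check when the configuration is written means a delegation that shrinks (for example from /56 to /60) produces an explicit error rather than a tunnel network outside the delegated space.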
Actions #1

Updated by Kris Phillips about 2 months ago

It seems it would be better to be able to assign a subnet to the OpenVPN network beyond a /64 when using the drop down, rather than defining what the WAN interface has for a PD, as this should be known from other settings available.

This would, however, greatly help with OpenVPN and IPv6 delivered via DHCPv6 PD.

Actions #2

Updated by Dan Mahoney about 2 months ago

Yeah, I brought this up on the forum a little bit ago, for more context: https://forum.netgate.com/topic/199185/openvpn-with-ipv6-delegated-prefix

Actions #3

Updated by Dan Mahoney about 2 months ago

In IPv6 land, pretty much all network subnets are /64s, unless you're doing a weird point-to-point link (i.e. a /127), but most hosts receiving an IP address will assume it's on a /64 boundary. This is the way router advertisements work as well. You're never going to have a subnet that's, say, a /68 or something, even though it's technically possible to configure.

Actions #4

Updated by Dan Mahoney about 2 months ago

Oh, I'm actively using this at home, so if there are any diagnostics you need or anything, let me know. (I'm due to move in a month or so, to the land of Zayo Fiber, and they may do things differently). I may also attempt to upgrade to 26.03 and confirm it reapplies clean.
