Stouts · tricovictor · Feb 19, 2020 · Feb 27, 2020 · Mar 3, 2020 · Mar 4, 2020
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -80,6 +80,22 @@ openvpn_route_traffic: false
 # Whether to create an iptables rule to allow connections to the openvpn server.
 openvpn_open_firewall: true
 
+# Listening also for IPv6
+openvpn_ipv6_enabled: false
+
+openvpn_ipv6_server: ''
+# 2001:1::/64
+
+openvpn_ipv6_ifconfig: ''
+# 2001:1:1 2001:1::2
+
+openvpn_ipv6_route_default: ''
+# 2001:1::1
+
+openvpn_ipv6_route_ranges: []
+# - 2000:1::/64
+# - 2000:3::/64
+
 # The interface that traffic will come in from. This is used when creating
 # firewall rules to allow the vpn server to successfully forward traffic (see
 # `openvpn_route_traffic`). The interface you specify here will limit these

diff --git a/handlers/main.yml b/handlers/main.yml
@@ -23,14 +23,14 @@
       command: /etc/init.d/iptables-persistent save
       when:
         - ansible_os_family == "Debian"
-        - ansible_lsb.codename == "trusty"
+        - ansible_distribution_release == "trusty"
       listen: openvpn save iptables
 
     - name: Save the rules (Ubuntu)
       command: netfilter-persistent save
       when:
         - ansible_os_family == "Debian"
-        - ansible_lsb.codename != "trusty"
+        - ansible_distribution_release != "trusty"
       listen: openvpn save iptables
 
 - name: Restart OpenVPN service

diff --git a/tasks/openvpn.yml b/tasks/openvpn.yml
@@ -42,6 +42,4 @@
 
 - include_tasks: "system/bridge/{{ ansible_os_family }}.yml"
 
-- include_tasks: "system/bridge/{{ ansible_os_family }}.yml"
-
 - include_tasks: service.yml
diff --git a/tasks/system/forwarding.yml b/tasks/system/forwarding.yml
@@ -8,3 +8,12 @@
     state: present
     reload: true
   when: not lookup('env', 'IN_MOLECULE') | d(true, true) | bool
+
+- name: Set IPv6 forwarding in the sysctl file and reload if necessary
+  sysctl:
+    name: net.ipv6.conf.all.forwarding
+    value: '1'
+    sysctl_set: true
+    state: present
+    reload: true
+  when: not lookup('env', 'IN_MOLECULE') | d(true, true) | bool and openvpn_ipv6_server is defined
diff --git a/templates/server.conf.j2 b/templates/server.conf.j2
@@ -4,7 +4,8 @@
 {% if openvpn_local is defined -%}
 local {{ openvpn_local }}
 {% else -%}
-;local a.b.c.d {% endif %}
+;local a.b.c.d 
+{% endif %}
 
 # Which TCP/UDP port should OpenVPN listen on? If you want to run multiple
 # OpenVPN instances on the same machine, use a different port number for each
@@ -14,6 +15,10 @@ port {{ openvpn_port }}
 # TCP or UDP server?
 proto {{ openvpn_proto }}
 
+{% if openvpn_ipv6_enabled %}
+proto {{ openvpn_proto }}6
+{% endif %}
+
 {% if openvpn_portshare is defined %}
 # Port sharing
 port-share 127.0.0.1 {{ openvpn_portshare }}
@@ -31,6 +36,9 @@ cipher {{ openvpn_cipher }}
 # most systems, the VPN will not function unless you partially or fully disable
 # the firewall for the TUN/TAP interface.
 dev {{ openvpn_dev }}
+{% if openvpn_ipv6_enabled %}
+dev {{ openvpn_dev }}-ipv6
+{% endif %}
 
 # SSL/TLS root certificate (ca), certificate (cert), and private key (key).
 # Each client and the server must have their own cert and key file.  The server
@@ -73,6 +81,11 @@ topology {{ openvpn_topology }}
 # 10.8.0.1. Comment this line out if you are ethernet bridging. See the man
 # page for more info.
 server {{ openvpn_server }}
+{% if openvpn_ipv6_enabled and openvpn_ipv6_server is defined %}
+server-ipv6 {{ openvpn_ipv6_server }}
+ifconfig-ipv6 {{ openvpn_ipv6_ifconfig }}
+push "route-ipv6-default {{ openvpn_ipv6_route_default }}"
+{% endif %}
 {% endif %}
 {% if openvpn_bridge %}
 # Configure server mode for ethernet bridging.
@@ -190,3 +203,7 @@ push "dhcp-option DNS {{ dns }}"
 {% for push_route in openvpn_route_ranges %}
 push "route {{ push_route }}"
 {% endfor %}
+
+{% for push_route_ipv6 in openvpn_ipv6_route_ranges %}
+push "route-ipv6 {{ push_route_ipv6 }}"
+{% endfor %}