I'm starting to provide Chinese / English versions of some articles, switch with the Language menu above. 我开始提供部分文章的中文、英文翻译,请使用顶部语言菜单切换。

Remove OpenVPN's Stable-privacy IPv6 Addresses

On my VPSes, the TAP network interface created by OpenVPN has a randomly-generated IPv6 address with scope stable-privacy.

This address itself is created randomly to prevent tracking users by their IPv6 addresses. But when building a network in DN42, BGP handshakes may originate from this address (rather than your manually assigned link-local address), and fail for mismatching origin/IP.

The solution is to configure the TAP interfaces with sysctl, and disable the automatic address generation options. OpenVPN can be configured to run sysctl automatically when creating the interface:

# Add to OpenVPN's config file
script-security 2
up "/bin/sh -c '/sbin/sysctl -w net.ipv6.conf.$dev.autoconf=0 && /sbin/sysctl -w net.ipv6.conf.$dev.accept_ra=0 && /sbin/sysctl -w net.ipv6.conf.$dev.addr_gen_mode=1'"

Depending on your Linux distribution, you may need to adjust the path of /bin/sh aand /sbin/sysctl.