Simple NDP Proxy to Route Your IPv6 VPN Addresses
If you tried setting up an IPv6-capable VPN on a VPS provider that gave you an IP range to play with, perhaps a /64 or larger, you would want to assign some of the IPv6 addresses you have to your clients. In this post, we suppose that you have the range 2001:db8::/64.
This should be a simple process: enable the sysctl option net.ipv6.conf.all.forwarding to 1 (or whatever the equivalent is on your system), use DHCPv6 or SLAAC to assign the addresses to the clients, and then your client should have working IPv6.
Unfortunately, this is not so simple. Most VPS providers are not actually routing the entire subnet 2001:db8::/64 to you. Rather, they just connect a number of VPSes onto the same virtual Ethernet network and rely on the Neighbour Discovery Protocol (NDP) to find the router.
So for example, your VPS has a public interface eth0 with public IPv6 address 2001:db8::1, and a private VPN interface tap_vpn. Your VPN client is assigned the IPv6 address 2001:db8::2. When the VPS provider receives a packet for 2001:db8::2, their router sends out a neighbour solicitation request over NDP, basically asking “who has IP 2001:db8::2?”
