That sounds reasonsable, I haven't thought of that.
I guess I do not need a second /64 net, private addresses should also work, or?
I tried the following now:
openvpn vtun0 {
description "OpenVPN server"
local-port 443
mode server
openvpn-option --tls-server
openvpn-option --persist-key
openvpn-option --persist-tun
openvpn-option "--keepalive 10 120"
openvpn-option "--user nobody"
openvpn-option "--group nogroup"
openvpn-option "--comp-lzo yes"
openvpn-option "--push redirect-gateway def1"
openvpn-option --tun-ipv6
openvpn-option "--server-ipv6 fd48:f7fd:0339:5349::/64"
openvpn-option "--push redirect-gateway-ipv6 def1"
openvpn-option "--push route-ipv6 ::/0"
server {
name-server 192.168.89.1
push-route 192.168.89.0/24
subnet 10.8.0.0/24
}But it's still the same - I can connect to devices via IPv6 in my internal network, but not outside.