OpenVPN: unable to reach clients over IPv6


Current setup: OpenVPN server with IPv4 and IPv6:

[...]
port 1234
proto udp6
dev tun
server 10.9.8.0 255.255.255.0
server-ipv6 2001:1af8:3100:a00a:0021:a:b:0000/112
client-to-client
[...]

Clients get their IPs via CCD:

ifconfig-ipv6-push 2001:1af8:3100:a00a:21:a:b:0006
ifconfig-push 10.9.8.6 10.9.8.5

On a side note: this only seems to work on Linux (including oVPN 2.2 on Debian); the IPv6 line breaks everything on Tunnelblick (OS X) and Windows (=> clients can't even ping each other over IPv4).

Connected clients get two IPs; one IPv4 address and one IPv6 address:

10.9.8.6,pc1,::ffff:212.3.2.1,Fri Dec 19 23:26:02 2014
2001:1af8:3100:a00a:21:a:b:6,pc1,::ffff:212.3.2.1,Fri Dec 19 23:21:22 2014

10.9.8.102,pc2,2001:1af8:b:a00a:21::4,Fri Dec 19 23:25:34 2014
2001:1af8:3100:a00a:21:a:b:102,pc2,2001:1af8:b:a00a:21::4,Fri Dec 19 23:06:11 2014

Pinging the IPv6 address (for example: 2001:1af8:3100:a00a:21:a:b:102) from the VPN server works fine. Ping between clients does not work:

pc1 ~ # ping6 2001:1af8:3100:a00a:21:a:b:102
PING 2001:1af8:3100:a00a:21:a:b:102 (2001:1af8:3100:a00a:21:a:b:102): 56 data bytes
64 bytes from 2a02:578:854f:100:7271:a:1b11: Destination unreachable: Address unreachable
64 bytes from 2a02:578:854f:100:7271:a:1b11: Destination unreachable: Address unreachable
64 bytes from 2a02:578:854f:100:7271:a:1b11: Destination unreachable: Address unreachable
^C--- 2001:1af8:3100:a00a:21:a:b:102 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

But IPv4 works:

pc1 ~ # ping 10.9.8.102
PING 10.9.8.102 (10.9.8.102): 56 data bytes
64 bytes from 10.9.8.102: icmp_seq=0 ttl=64 time=32.217 ms
64 bytes from 10.9.8.102: icmp_seq=1 ttl=64 time=31.641 ms
^C--- 10.9.8.102 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 31.641/31.929/32.217/0.288 ms

What am I missing? iptables? Some sysctl option? Thanks.

vpn-server # cat /proc/sys/net/ipv6/conf/all/forwarding
1

trace (gets as far as my own IPv6 address):

pc1 ~ # traceroute6 2001:1af8:3100:a00a:21:a:b:102
traceroute to 2001:1af8:3100:a00a:21:a:b:102 (2001:1af8:3100:a00a:21:a:b:102), 30 hops max, 80 byte packets
 1  2a02:578:854f:100:7271:bcff:f:1b11 (2a02:578:854f:100:7271:bcff:f:1b11)  3008.038 ms !H  3008.020 ms !H  3007.985 ms !H
pc1 ~ #

routes:

pc1 ~ # ip -6 route show
2001:1af8:3100:a00a::/64 dev eth0  proto kernel  metric 256  expires 51sec mtu 1492 advmss 1432 hoplimit 0
2001:1af8:3100:a00a::/64 dev wlan0  proto kernel  metric 256  expires 51sec mtu 1492 advmss 1432 hoplimit 0
2001:1af8:3100:a00a::/64 dev tun0  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
2a02:578:854f:100::/64 dev eth0  proto kernel  metric 256  expires 7177sec mtu 1492 advmss 1432 hoplimit 0
2a02:578:854f:100::/64 dev wlan0  proto kernel  metric 256  expires 7177sec mtu 1492 advmss 1432 hoplimit 0
fe80::/64 dev eth0  proto kernel  metric 256  mtu 1492 advmss 1432 hoplimit 0
fe80::/64 dev wlan0  proto kernel  metric 256  mtu 1492 advmss 1432 hoplimit 0
fe80::/64 dev tun0  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
default via fe80::3631:c4ff:fe3d:eac2 dev eth0  proto kernel  metric 1024  expires 1777sec mtu 1492 advmss 1432 hoplimit 255
default via fe80::3631:c4ff:fe3d:eac2 dev wlan0  proto kernel  metric 1024  expires 1777sec mtu 1492 advmss 1432 hoplimit 255
    
by Tuinslak 19.12.2014 / 23:34
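A route-lookup check over the routing table posted above, as an added example that is not part of the original post: it lists which devices tie (longest prefix, then lowest metric) for a destination, so you can see whether a VPN peer address is guaranteed to leave through tun0. The route lines are copied from the question and abridged; the function names and the 2001:db8::1 test address are assumptions made for the example.

```python
import ipaddress

# Routes copied from the `ip -6 route show` output in the question (pc1),
# abridged to the fields the lookup needs.
ROUTES = """\
2001:1af8:3100:a00a::/64 dev eth0  proto kernel  metric 256
2001:1af8:3100:a00a::/64 dev wlan0  proto kernel  metric 256
2001:1af8:3100:a00a::/64 dev tun0  proto kernel  metric 256
2a02:578:854f:100::/64 dev eth0  proto kernel  metric 256
2a02:578:854f:100::/64 dev wlan0  proto kernel  metric 256
fe80::/64 dev eth0  proto kernel  metric 256
default via fe80::3631:c4ff:fe3d:eac2 dev eth0  proto kernel  metric 1024
"""

def parse_routes(text):
    """Return (network, device, metric) for each route line."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        net = "::/0" if f[0] == "default" else f[0]
        dev = f[f.index("dev") + 1]
        metric = int(f[f.index("metric") + 1]) if "metric" in f else 0
        routes.append((ipaddress.ip_network(net), dev, metric))
    return routes

def best_routes(routes, dest):
    """Routes that tie for dest: longest prefix first, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in routes if addr in r[0]]
    if not hits:
        return []
    longest = max(r[0].prefixlen for r in hits)
    hits = [r for r in hits if r[0].prefixlen == longest]
    lowest = min(r[2] for r in hits)
    return [r for r in hits if r[2] == lowest]

def tied_devices(routes, dest):
    """Devices that tie for dest; more than one means tun0 is not guaranteed."""
    return sorted({dev for _, dev, _ in best_routes(routes, dest)})

if __name__ == "__main__":
    routes = parse_routes(ROUTES)
    # pc2's VPN address from the question, then a constructed off-link address.
    for dest in ("2001:1af8:3100:a00a:21:a:b:102", "2001:db8::1"):
        print(dest, "->", tied_devices(routes, dest))
```

On a live client, `ip -6 route get <address>` reports the device the kernel actually selects.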
