diff --git a/CHANGES b/CHANGES
index efcb5ac1d..902ae16b0 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2445,4 +2445,5 @@ [7.1.4]
 * wildcard dns: fix handling of ENODATA
 * cloudflare: fix error handling
+* openvpn: ipv6 support
diff --git a/src/docker.js b/src/docker.js
index a4f7f564a..7f94f2279 100644
--- a/src/docker.js
+++ b/src/docker.js
@@ -355,7 +355,8 @@ async function createSubcontainer(app, name, cmd, options) {
             VolumesFrom: isAppContainer ? null : [ app.containerId + ':rw' ],
             SecurityOpt: [ 'apparmor=docker-cloudron-app' ],
             CapAdd: [],
-            CapDrop: []
+            CapDrop: [],
+            Sysctls: {}
         }
     };
 
@@ -388,7 +389,12 @@ async function createSubcontainer(app, name, cmd, options) {
     const capabilities = manifest.capabilities || [];
     // https://docs-stage.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
-    if (capabilities.includes('net_admin')) containerOptions.HostConfig.CapAdd.push('NET_ADMIN', 'NET_RAW');
+    if (capabilities.includes('net_admin')) {
+        containerOptions.HostConfig.CapAdd.push('NET_ADMIN', 'NET_RAW');
+        // ipv6 for new interfaces is disabled in the container. this prevents the openvpn tun device having ipv6
+        // See https://github.com/moby/moby/issues/20569 and https://github.com/moby/moby/issues/33099
+        containerOptions.HostConfig.Sysctls['net.ipv6.conf.all.disable_ipv6'] = '0';
+    }
     if (capabilities.includes('mlock')) containerOptions.HostConfig.CapAdd.push('IPC_LOCK'); // mlock prevents swapping
     if (!capabilities.includes('ping')) containerOptions.HostConfig.CapDrop.push('NET_RAW'); // NET_RAW is included by default by Docker
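Review bot: The new `Sysctls: {}` entry added next to `CapDrop` in HostConfig has no comment saying why an empty map is created for every subcontainer; its only writer visible here is the net_admin branch in the following hunk, which sets `net.ipv6.conf.all.disable_ipv6` to `'0'`. A one-line note at the declaration would make that coupling explicit, e.g. `Sysctls: {} // namespaced kernel sysctls, populated below per manifest capability (net_admin re-enables ipv6)`. Because that sysctl turns IPv6 back on inside the container's network namespace whenever an app requests net_admin, it is worth confirming that any address-family-specific firewalling or addon configuration applied to such containers also covers IPv6 traffic; that code is not part of this diff. The body of createSubcontainer continues before and after this hunk.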