OpenWRT does not route ipv6 internet traffic over OpenVPN.

Levent

I am trying to route ipv6 internet traffic of all the devices connected to my OpenWRT router through OpenVPN. The same VPN connection is able to route ipv4 and ipv6 traffic through VPN when my devices are connected to VPN via their local client software.

  • Server has working ipv6 dns server, all DNS requests on my router are routed through VPN to the server.
  • Router has working ipv6 connection to the VPN. I am able to ping ipv6 addresses on it (such as ipv6.google.com)
  • Devices connected to the network are unable to ping ipv6 addresses.
  • Devices connected to the network are able to lookup ipv6 addresses.
  • Devices connected to the network are assigned ipv6 addresses and are able to ping each other just fine.
  • When devices connect to VPN server via openvpn client, they have ipv6 connectivity.

This to me sounds like either Ipv6 DHCP server on the router is configured wrong or the default ipv6 routes are. Any ideas?

mY sYsTeM iS Not pErfoRmInG aS gOOd As I sAW oN yOuTuBe. WhA t IS a GoOd FaN CuRVe??!!? wHat aRe tEh GoOd OvERclok SeTTinGS FoR My CaRd??  HoW CaN I foRcE my GpU to uSe 1o0%? BuT WiLL i HaVE Bo0tllEnEcKs? RyZEN dOeS NoT peRfORm BetTer wItH HiGhER sPEED RaM!!dId i WiN teH SiLiCON LotTerrYyOu ShoUlD dEsHrOuD uR GPUmy SYstEm iS UNDerPerforMiNg iN WarzONEcan mY Pc Run WiNdOwS 11 ?woUld BaKInG MY GRaPHics card fIX it? MultimETeR TeSTiNG!! aMd'S GpU DrIvErS aRe as goOD aS NviDia's YOU SHoUlD oVERCloCk yOUR ramS To 5000C18


15 hours ago, Levent said:

Any ideas?

ISPs have a few ways of implementing IPv6 from what I read. You might need to go on their website to find the "Proper" config. I know with my ISP Comcast they had a webpage dedicated to what the settings needed to be, that's how I set up IPv6 on my router.

I just want to sit back and watch the world burn. 


7 hours ago, Donut417 said:

ISPs have a few ways of implementing IPv6 from what I read. You might need to go on their website to find the "Proper" config. I know with my ISP Comcast they had a webpage dedicated to what the settings needed to be, that's how I set up IPv6 on my router.

My ISP does not provide me with ipv6. 


4 hours ago, Levent said:

My ISP does not provide me with ipv6. 

Keep in mind our DHCP info all comes from your ISP. While you are connected thru a VPN server, your ISP's ISP is used to make that connection. Essentially all a VPN is, is a secure tunnel between your network/computer and a server that sits on the VPN's network. Your ISP's IP address is still used to make the connection possible. DHCPv6 on your router will have to pull settings from your ISP. If your ISP is not providing the address then that's not the issue you are having.

 

Sounds like you can ping Google and things like that. My guess is the stuff that's not pingable might be set not to respond to such requests. Because that is definitely an option that can be set.


23 minutes ago, Donut417 said:

Keep in mind our DHCP info all comes from your ISP. While you are connected thru a VPN server, your ISP's ISP is used to make that connection. Essentially all a VPN is, is a secure tunnel between your network/computer and a server that sits on the VPN's network. Your ISP's IP address is still used to make the connection possible. DHCPv6 on your router will have to pull settings from your ISP. If your ISP is not providing the address then that's not the issue you are having.

 

Sounds like you can ping Google and things like that. My guess is the stuff that's not pingable might be set not to respond to such requests. Because that is definitely an option that can be set.

Yes, I am aware of how that works. I am not sure if you understand what I am asking here. Everything works fine on the router; the router has a working ipv6 internet connection provided via OVPN. If I ssh tunnel into the router, I get working ipv6 internet just like I would if I connected my device to the vpn via its Windows client. The router is able to share the openvpn internet connection via ipv4, however not ipv6. Both ipv4 and ipv6 dhcp configuration is default, the router assigns devices ipv4 and ipv6 IPs, and ipv6 connectivity between the devices in the network is working (like computer to phone). At this point I am almost certain this is due to ipv6 routes for some reason not working.

Edited the title.


  • 1 year later...

Hi, I had a hard time finding the answer to the exact same question. Found this topic while searching for help. After months I finally tried again and found the solution!

At least on OpenWrt 22.03, so it may be useful for people reading this topic.

EDIT: This works only on 22.03 but not on previous versions (I tried on 21.02, IPv6 masquerading didn't work)

 

First, in the case where IPv6 addresses of the OpenVPN clients aren't real Internet ones (in my case the fd42:feed:feed:feed::/64 subnet), IPv6 NAT, and masquerading (for both IPv4 and IPv6) should be configured.

Useful lines extracted from my /etc/config/firewall file:

config zone
    option name 'lan'
    [...]
    option masq_src '10.8.0.0/24 fd42:feed:feed:feed::/64'
    option masq '1'
    option masq6 '1'


config zone
    option name 'wan'
    [...]
    option masq '1'
    option masq_src 'fd42:feed:feed:feed::/64'
    option masq6 '1'
    [...]
    
config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'vpn0'

config forwarding
	option src 'vpn'
	option dest 'lan'

config forwarding
	option src 'vpn'
	option dest 'wan'

config rule
	option name 'Allow-OpenVPN'
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '1194'

Explanation of what masquerading is (masq options): the goal is that LAN and WAN destinations see packets from OpenVPN clients as "originating from the router", so that they can answer to something that exists from their point of view (the router). In OpenWrt this setting has to be applied on the "outgoing" side. By default this is enabled on wan for IPv4 (for example, when reaching google servers from 192.168.1.173, google shouldn't answer to 192.168.1.173, but to the IPv4 of your WAN). Most of the time, this is not useful for IPv6 (as most of the time, the ISP gives you a huge range of IPv6 addresses that are directly valid from the Internet). But in the case of my OpenVPN IPv6 setting, I'm in the same situation as IPv4 (I have to enable masquerading, but only for the OpenVPN address range).

 

In a similar way, when reaching LAN devices as a VPN client (when I'm 10.8.0.6 for example, or fd42:feed:feed:feed::1000), LAN devices should answer to the router IP address.

 

IPv6 NAT should be installed (because by default, it is not, as rarely used).

opkg update
opkg install kmod-ipt-nat6

Then, for having Internet IPv6 connectivity through the OpenVPN server on OpenWrt, a fixed/manual route to IPv6 WAN should be added for packets originating from 'fd42:feed:feed:feed::/64'.

 

To clarify, when having an IPv6-PD on WAN, of course, OpenWrt automatically adds a route to any IPv6 through the 'wan6' interface. But it restricts this route to a minimum range of origins/sources (only the part of the IPv6-PD that is granted to your LAN devices, and nothing else). This can be seen from the WebUI at "status", "routing", and "IPv6 routing". As my OpenVPN clients are using another subnet/range of IPv6, this route doesn't apply to them. Attempts by those OpenVPN clients to send anything to an Internet IPv6 address return a "no route to host" error.

 

This is why a copy of this automatically added route should be made, but for "'fd42:feed:feed:feed::/64'" as source. This can be done by the WebUI through "Network", and "Routing", and "Static IPv6 Routes".

Over ssh, the "ip -f inet6 route" command can be used to list running routes on the OpenWrt router (before and after). It helped me to create the correct route through the WebUI.

 

Resulting added block into /etc/config/network:

config route6
    option interface 'WAN6'
    option target '::/0'
    option metric '512'
    option table 'main'
    option source 'fd42:feed:feed:feed::/64'
    option gateway 'fe80::5555'

 

And here we go!

By the way, in case someone reading this struggles with OpenVPN setup on OpenWrt, this is just my custom case, but here is the content of my /etc/config/openvpn file:

config openvpn 'custom_config'
    option config '/etc/openvpn/server.conf'
    option enabled '1'

/etc/openvpn/server.conf:

dev tun
proto udp6
port 1194

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server-key.crt
key /etc/openvpn/keys/server-key.key
dh /etc/openvpn/keys/dh2048.pem

#VPN IP range :
server 10.8.0.0 255.255.255.0
server-ipv6 fd42:feed:feed:feed::/64

push "redirect-gateway def1"
push "route-ipv6 2000::/3"

client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/keys/ta.key 0
cipher AES-256-GCM

user nobody
group nogroup
persist-key
persist-tun

log /var/log/openvpn.log
verb 1
explicit-exit-notify 1

 

Also, when I installed OpenVPN, I had to add the following lines into /etc/config/network:

config interface 'vpn0'
    option proto 'none'
    option auto '1'
    option device 'tun0'
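
Added example, not part of the post above: a check for the source-restricted default route the post describes, run over "ip -f inet6 route" output to see whether the OpenVPN client subnet has a default route at all. The sample route listings, the delegated prefix 2001:db8:1234:5600::/56 and the device name eth1 are constructed assumptions; the ULA prefix and gateway come from the post.

```sh
#!/bin/sh
# Added example (not from the original post): check whether a source prefix
# is covered by an IPv6 default route, given `ip -f inet6 route` output on stdin.
# Simplification: the "from" prefix is compared as an exact string.

default_route_for_source() {
    # $1 = source prefix; prints "<gateway> <device>" and returns 0 on a match
    awk -v want="$1" '
        $1 == "default" {
            src = "any"; gw = "-"; dev = "-"
            for (i = 2; i < NF; i++) {
                if ($i == "from") src = $(i + 1)
                if ($i == "via")  gw  = $(i + 1)
                if ($i == "dev")  dev = $(i + 1)
            }
            # A default route without "from" applies to every source.
            if (src == "any" || src == want) { print gw, dev; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample: the only default route is restricted to the delegated prefix.
ROUTES_BEFORE='default from 2001:db8:1234:5600::/56 via fe80::5555 dev eth1 proto static metric 512 pref medium
2001:db8:1234:5600::/64 dev br-lan proto static metric 1024 pref medium
fd42:feed:feed:feed::/64 dev tun0 proto kernel metric 256 pref medium'

# Constructed sample: the same table after adding the static route6 entry.
ROUTES_AFTER="$ROUTES_BEFORE
default from fd42:feed:feed:feed::/64 via fe80::5555 dev eth1 proto static metric 512 pref medium"

VPN_SRC='fd42:feed:feed:feed::/64'
for label in before after; do
    case $label in before) data=$ROUTES_BEFORE ;; *) data=$ROUTES_AFTER ;; esac
    if hop=$(printf '%s\n' "$data" | default_route_for_source "$VPN_SRC"); then
        echo "$label: $VPN_SRC -> default via $hop"
    else
        echo "$label: no default route for $VPN_SRC (clients get 'no route to host')"
    fi
done
```

On a live router the same function can be fed directly: ip -f inet6 route | default_route_for_source fd42:feed:feed:feed::/64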

 
