Add IPv6 to a WireGuard IPv4 VPN

I use a commercial VPN provider and everything in IPv4 works as expected (even a few forwarded ports).

My Internet provider gives me CG-NAT IPv4 and IPv6. I have been able to have IPv6 working (in relay mode only because there is no Prefix Delegation and the router receives a /64 only).

But having a public IPv6 from my Internet provider ruins the privacy I intend to have with a VPN.

My WireGuard vpn0 interface receives an IPv4 and an IPv6 address but the WAN6 is always the default route. What I did was disable WAN6; then I can ping and traceroute in IPv6 from the router to the VPN provider.
Now on the client side, a Windows PC, I have to provide a local IPv6 that will be routed in the VPN but I don’t know how. I tried to enable DHCP for IPv6 on the LAN interface and my Windows PC receives a ULA IPv6 but no default route for IPv6. After countless hours for weeks on this subject I’m lost (with IPv6 at least).

For how I set up a VPN client, including instructions for IPv6, see:
WireGuard Client Setup Guide

About your LAN clients: even using ULA addresses might already work.

Thank you. I re-enabled WAN6 (like the initial OpenWrt configuration) and an improvement is that the Windows client can resolve IPs with the ping and tracert commands but cannot ping anything outside the router.

Example:

D:>tracert -6 one.one.one.one

Tracing route to one.one.one.one [2606:4700:4700::1111]
over a maximum of 30 hops:

1    <1 ms    <1 ms    <1 ms  OpenWrt.lan [fd00::1]
2     *        *        *     Request timed out.
3     *        *        *     Request timed out.
4     *        *        *     Request timed out.
5     *        *        *     Request timed out.
6     *        *        *     Request timed out.

I still think that having a public IPv6 isn’t mandatory.

Ethernet adapter Ethernet 2:

Connection-specific DNS Suffix  . : lan
Description . . . . . . . . . . . : Intel(R) Ethernet Controller I226-V #2
Physical Address. . . . . . . . . : BLAH-BLAH-8B-E3
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : MY REAL PUBLIC IPv6 :fb06(Preferred)
Temporary IPv6 Address. . . . . . : MY REAL PUBLIC IPv6 :9305(Preferred)
Link-local IPv6 Address . . . . . : fe80::5024:a9ff:7b87:d35f%2(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.4.133(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 22 April 2026 10:10:34
Lease Expires . . . . . . . . . . : 22 April 2026 22:56:41
Default Gateway . . . . . . . . . : fe80::5a47:caff:fe75:8320%2
192.168.4.1
DHCP Server . . . . . . . . . . . : 192.168.4.1
DHCPv6 IAID . . . . . . . . . . . : 46727103
DHCPv6 Client DUID. . . . . . . . : 00-01-01-00-31-5C-27-95-C8-FF-BF-0D-8B-E2
DNS Servers . . . . . . . . . . . : 192.168.4.1
ONE OF MY ISP IPv6 DNS :682f
NetBIOS over Tcpip. . . . . . . . : Enabled

The downside of re-enabling WAN6 is that ipleak now sees my real public IPv6 through WebRTC detection.

When I disable WAN6, my Windows client needs a source for its IPv6 parameters. I tried to activate a server mode on the LAN interface or on the vpn0 without success, probably because the default IPv6 gateway seems to be missing:

Ethernet adapter Ethernet 2:

Connection-specific DNS Suffix . : lan
Description . . . . . . . . . . . : Intel(R) Ethernet Controller I226-V #2
Physical Address. . . . . . . . . : C8-FF-BF-0D-8B-E3
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::5024:a9ff:7b87:d35f%2(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.4.133(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 22 April 2026 10:10:34
Lease Expires . . . . . . . . . . : 22 April 2026 23:11:59
Default Gateway . . . . . . . . . : 192.168.4.1
DHCP Server . . . . . . . . . . . : 192.168.4.1
DHCPv6 IAID . . . . . . . . . . . : 46727103
DHCPv6 Client DUID. . . . . . . . : 00-01-01-00-31-5C-27-95-C8-FF-BF-0D-8B-E2
DNS Servers . . . . . . . . . . . : 192.168.4.1
NetBIOS over Tcpip. . . . . . . . : Enabled

At least the real public WAN6 IP doesn’t appear anymore in the routing table.

But still no IPv6 connectivity from the Windows PC.

It was close but the LAN client didn’t receive its IPv6 Default Gateway and it’s really necessary.
I made the changes shown below in the LAN IPv6 RA Settings and restarted the Windows Ethernet link and voila. I suspect that only one or two changes were necessary and I’ll continue testing.

Now, the OpenWrt router doesn’t have a public IPv6 address but the two IPv4 and IPv6 VPN provider addresses are displayed on ipleak.net on a Chrome clone but on a Firefox clone it displays IPv6 test not reachable. (error).

I still have an issue with DNS leaks with both browsers. It’s far from perfect at this stage.
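
An added check, not part of the original thread: it reads `ipconfig /all` text like the dumps above and reports which of the three client states described in the thread the adapter is in (ISP address present, no IPv6 default gateway, or ULA with a gateway). The sample text is constructed (2001:db8::/32 stands in for the redacted ISP prefix, fd00::abc is a made-up ULA host), and treating every non-ULA, non-link-local address as ISP-assigned is an assumption that fits this setup.

```python
import ipaddress
import re

ULA = ipaddress.ip_network("fc00::/7")
# Constructed samples modelled on the dumps in this thread (values are made up).
WAN6_ON = """\
Ethernet adapter Ethernet 2:
   IPv6 Address. . . . . . . . . . . : 2001:db8:1:2::fb06(Preferred)
   Temporary IPv6 Address. . . . . . : 2001:db8:1:2::9305(Preferred)
   Link-local IPv6 Address . . . . . : fe80::5024:a9ff:7b87:d35f%2(Preferred)
   Default Gateway . . . . . . . . . : fe80::5a47:caff:fe75:8320%2
                                       192.168.4.1
"""
WAN6_OFF = """\
   Link-local IPv6 Address . . . . . : fe80::5024:a9ff:7b87:d35f%2(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.4.133(Preferred)
   Default Gateway . . . . . . . . . : 192.168.4.1
"""
ULA_WITH_RA = """\
   IPv6 Address. . . . . . . . . . . : fd00::abc(Preferred)
   Link-local IPv6 Address . . . . . : fe80::5024:a9ff:7b87:d35f%2(Preferred)
   Default Gateway . . . . . . . . . : fe80::5a47:caff:fe75:8320%2
                                       192.168.4.1
"""

def assess(text):
    """Return (non_ula_addrs, ula_addrs, has_ipv6_gateway) for one adapter block."""
    label, non_ula, ula, v6_gw = "", [], [], False
    for line in text.splitlines():
        head, sep, value = line.partition(" : ")
        if sep:
            label = head.strip(" .")  # "IPv6 Address. . . ." -> "IPv6 Address"
        raw = value if sep else head  # continuation lines keep the previous label
        try:  # drop "%zone" / "(Preferred)"; IPv4 and non-address text raise
            addr = ipaddress.IPv6Address(re.split(r"[%(]", raw.strip())[0])
        except ValueError:
            continue
        if "Gateway" in label:
            v6_gw = True
        elif label.endswith("IPv6 Address") and not addr.is_link_local:
            (ula if addr in ULA else non_ula).append(str(addr))
    return non_ula, ula, v6_gw

def verdict(text):
    non_ula, ula, v6_gw = assess(text)
    if non_ula:  # assumption: in this setup a non-ULA address comes from the ISP
        return "leak-risk"
    return "ula-routed" if ula and v6_gw else "no-ipv6-route"
```

A "ula-routed" result only says the client has a ULA address and an IPv6 default gateway; whether traffic actually leaves through the VPN, and whether DNS does, still has to be checked separately.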