Best approach for openvpn server on a sub-router with ipv6 traffic?

Sorry if this subject seems like other ones but there seems to be a lack of normalization on ipv6 for home service that make each solution context specific. I want to setup a ipv4 vpn tunnel that tunnels ipv4 & ipv6.
The first option I've seen is to use the WAN/LAN approach on the sub-router on this official guide:.
[https://openwrt.org/docs/guide-user/services/vpn/openvpn/server]
Unfortunately in spite of trying the solutions from this article (and guessing more):
IPv6 ok on router, not routed for LAN
I was unsuccessful in routing ipv6 traffic from the LAN.

Would it be better then to configure the sub-router as a "dumb ap" instead and then do some routing magic from the VPN to make vpn clients appear as local stations from the point of view of hte main router?

Here is the ipv6 info I could gather from the ISP router (not running openwrt)


With default configuration the LAN clients on the sub-router only get a adress based on the global IPv6 ULA-Prefix. The DHCPv6 mode cannot be changed but I can enable the ULA prefix from RADVD.

It should be possible to setup a VPN server ( be it WireGuard or OpenVPN) on a Dumb AP.

The VPN server on the Dumb AP can listen on the IPv4 address and its GUA IPv6 address.

On the main router port forward the IPv4 address and open the port for the IPv6 address.
Furthermore set a static route on the main router to route the IPv4 and IPv6 ULA subnet of the VPN server to the dumb AP or easier NAT44 and NAT66 the VPN server traffic out of the Dumb AP.

Most endpoint devices will not use a ULA for Internet access, i.e. if only provisioned with a ULA it will not try to reach the Internet on IPv6. They need a GUA or something that looks like a GUA.

I do see you have one GUA IP on a /64 and an additional delegated /64 that could be forwarded to one LAN. Without a larger prefix you'll need to use relay mode or NAT6 to have multiple LANs or VPN tunnels.

Thank for the insights!

Am I right to assume that since:

  1. all my equipments are connected to the main router
  2. the sub-router I intend to use will be used only for VPN
    I could forward the one an only delegated prefix to my VPN router? And how would I do that ?

*** update: Based on your input I tried relaying based on the instructions found here:
And indeed that one delagated prefix seems to work perfectly in my context: the sub-router clients now have full ipv6 access. All that's left hopefully is to setup the VPN with the "basic" guide (WAN/LAN solution)

My ISP router does not have provision for redirecting port in ipv6 buut I don' t think I will need to redirect port in ipv6 since I am looking for a ipv4 VPN that tunnels 4/6 traffic. The static route looks promising but I need to refresh my memory on how to configure that properly (it's been 5-6 years I looked into that!) and NAT6 is something completely new for me.

(Sorry for the deleted posts, the forum post interface is new to me)

I am following up on this project.

Based on the fact that relaying the additional delagated/64 prefix to the sub-router was working on its client connections, I installed the openvpn server and confirmed that it worked fine with ipv4 (meaning LAN + internet accces). But after reading tons of docs about ipv6 inside a tunnel, I am now even more confused about what magical directives in server.conf in conjonction with network configurations will let the ipv6 go through the tunnel.

The goal is to dedicate my mini-router (gl-inet 6416) as a vpn server only, connecting it through the WAN port and leaving the LAN port for (ipv4) administration purpose only. That means that I could use the delagated prefix entirely to the VPN but how do I do that? Should I go NAT6 instead?

Just like you use a private IPv4 subnet for the OpenVPN server you can use a private IPv6 subnet (ULA address), you then NAT66 out of the router if you want internet access.
If it is only for local access to the LAN you can also set a static IPv6 route on the main router back to your OpenVPN server

I have 2 "lab" routers: one currently setup for wan/lan approach with prefix delegation and the other one configured as "dumb ap" . I'll try the NAT66 on this second one. I'll keep you posted on the results; it look simple enough though :slight_smile:

What looked simple was not at all. I have been doing a lot of reading and experimenting with these configurations for the last 2 weeks. OpenPVN with IPv4 is no trouble but with IPv6 it still eludes me. It seems that prefix sub-delagation from my ISP modem/router is clippled somehow. In the mean time the mini router planned for this use is dying so I have to use another one currently in operation with different constraints. I am closing this thread and opening a new one with another title with more specific questions.

1 Like

There is a saying in french that that only crazy guys don't change their mind, so I am reopening this thread and closing the other one instead. Why? I finally found how to make all approaches proposed so far work! The other thread just focus on a single configuration so it's better to remove it. I am planning on posting the solution in details later but here is the general idea:

What I found:

  • the /64 prefix delegation form the ISP router does work after all
  • whether the router ports are in wan/lan or lan only configuration does not matter much as long as the "uplink" is dhcp client for ipv4 and ipv6. i.e. wan/wan6 or lan/lan6
  • I added a separate firewall zone just for the vpn tunnel with a "universal" config
  • In the first successful scenario, I splitted the ipv6 prefix in two parts with a /65 0000 for "normal" vs 8000 for the vpn
  • In the second successful scenario I used NAT66 instead of range splitting with equal sucess