Best approach for openvpn server on a sub-router with ipv6 traffic?

There is a saying in French that only crazy guys don't change their mind, so I am reopening this thread and closing the other one instead. Why? I finally found how to make all approaches proposed so far work! The other thread just focuses on a single configuration so it's better to remove it. I am planning on posting the solution in detail later but here is the general idea:

What I found:

  • the /64 prefix delegation from the ISP router does work after all
  • whether the router ports are in wan/lan or lan only configuration does not matter much as long as the "uplink" is dhcp client for ipv4 and ipv6. i.e. wan/wan6 or lan/lan6
  • I added a separate firewall zone just for the vpn tunnel with a "universal" config
  • In the first successful scenario, I split the ipv6 prefix in two parts with a /65 0000 for "normal" vs 8000 for the vpn
  • In the second successful scenario I used NAT66 instead of range splitting with equal success