Escaping DS-Lite Hell: OpenVPN via IPv6

Hi OpenWrt Community,

I recently got myself a Linksys WRT3200AC and it's running 18.06.1 great. However, my cable provider only gives me a native IPv6 address, while all IPv4 is routed through a very slow provider-side gateway, including NAT and possibly traffic shaping, deep packet inspection etc. (DS-Lite, using the German provider Unitymedia). Adding insult to injury, there isn't a modem available, so I'm stuck with the provider's shitty WiFi box (that doesn't even allow modem mode). So yeah, I'm kinda screwed.

However, I want to route all my traffic through a 3rd-party VPN provider anyway, and I made sure that provider supports OpenVPN over IPv6, which would allow me to bypass the double NAT and throttling on IPv4. This doesn't quite work yet though. Here's my current setup:

Symbols
-> IPv4
=> IPv6
=>> IPv4 & IPv6
~>> IPv4 & IPv6 with Provider NAT

Basic Setup (This is without any additional configuration, out of the box)

[Clients] =>> [OpenWrt Router] =>> [ProviderBox] ~>> [Internet]

Current Setup

Currently I can only use OpenVPN for all my clients with IPv4. I'm worried about leaking my IPv6 address while using the VPN, so I disabled it. The firewalls are configured such that clients can only connect to the internet through the VPN; if it's down, so is the internet connection of the clients.

[OpenWrt Router] =>> [ProviderBox]
[Clients] -> [OpenWrt Router] -> [VPN Provider] -> [Internet]

Dreamsetup

I want all traffic to be routed via IPv6 to my VPN provider. If I understand it correctly, my VPN provider only has one public-facing IPv6 address for the entire server, therefore I'd have to deal with port forwarding on their side and IPv6 NAT, which is fine with me. I don't need IPv6 on the internal network either.

[OpenWrt Router] =>> [ProviderBox]
[Clients] => [OpenWrt Router] => [VPN Provider] =>> [Internet]

So here are the problems I am facing: I am able to connect to the provider using IPv4 and everything works fine. Connecting via IPv6 succeeds as well, but none of my clients can reach the internet.

I assume you'll need more info on my configuration, but I'm not sure what exactly you need, so feel free to request more details.

Configure it in the way you want it to work even if it is not working.
And then show the diagnostics from OpenWrt:

uci show network
uci show firewall
uci show dhcp

ip -4 a; ip -4 r; ip -4 ru; iptables-save -t nat
ip -6 a; ip -6 r; ip -6 ru; ip6tables-save -t nat

ping -c3 8.8.8.8
ping -c3 2001:4860:4860::8888
nslookup google.com; ping -c3 google.com
nslookup ipv4.google.com; ping -c3 ipv4.google.com
nslookup ipv6.google.com; ping -c3 ipv6.google.com

That's even worse than I expected.
Both IPv4 and IPv6 connectivity are lost after establishing the VPN connection.

  1. VPN-interface has a link-local IPv6 address, remove it:
cat << "EOF" > /etc/hotplug.d/iface/30-tun6fix
# Hotplug hook: when the logical interface "vpn" comes up, drop the
# link-local (fe80::/10) address the kernel assigns to its tun device.
NET_PROTO="inet6"
NET_ACTION="ifup"
NET_IF="vpn"
. /lib/functions/network.sh
network_flush_cache
# Resolve the logical interface name to the actual device (e.g. tun0)
network_get_device NET_DEV "${NET_IF}"
if [ "${ACTION}" = "${NET_ACTION}" ] && [ "${INTERFACE}" = "${NET_IF}" ]
then ip -f "${NET_PROTO}" addr flush scope link dev "${NET_DEV}"
fi
EOF
/etc/init.d/openvpn restart
  2. NAT6-table is empty, NAT6 is not working, set it up:
    https://openwrt.org/docs/guide-user/network/ipv6/ipv6.nat6#nat6_simplified

  3. Section dhcp.vpn looks suspicious, better remove it:

uci -q delete dhcp.vpn
uci commit dhcp
/etc/init.d/dnsmasq restart
  4. Also this may help in some cases:
uci set firewall.@zone[2].mtu_fix="1"
uci commit firewall
/etc/init.d/firewall restart
  5. And why do we see tun1 in the log and ip output?
    All the network and firewall settings are applied to tun0.
    Fix the VPN-client configuration to use not just tun but tun0.

  6. Difference in MTU:

I suppose this should not be critical.

  7. That doesn't look good:

I assume this is still tolerable, but may lead to the next one.

  8. And that looks really bad:

That's the cause of connectivity loss.

vgaetera, you are my hero thank you so much!

Workaround to #8:

cat << "EOF" >> /etc/openvpn/vpn-provider.ovpn
script-security 2
route-up /etc/openvpn/remote_host_route6.sh
EOF
cat << "EOF" > /etc/openvpn/remote_host_route6.sh
#!/bin/sh
# OpenVPN route-up hook: pin a host route to the VPN server through the
# ISP gateway, so the tunnel's own transport packets never enter the tunnel.
NET_PROTO="inet6"
. /lib/functions/network.sh
network_flush_cache
# Find the WAN6 logical interface, its device and its IPv6 gateway
network_find_wan6 NET_IF
network_get_device NET_DEV "$NET_IF"
network_get_gateway6 NET_GW "$NET_IF"
# Trace everything to a log file for debugging (POSIX form of "exec &>")
set -x
exec > /tmp/remote_host_route6.log 2>&1
env
ip -6 address show
ip -6 route show
# trusted_ip6 is exported by OpenVPN when the server was reached over IPv6;
# there is nothing to pin when the session runs over IPv4
VPN_GW="${trusted_ip6}"
[ -n "${VPN_GW}" ] || exit 0
# "replace" rather than "add": re-running the hook must not fail with
# "RTNETLINK answers: File exists"
ip -f "${NET_PROTO}" route replace "${VPN_GW}" via "${NET_GW}" dev "${NET_DEV}"
EOF
chmod +x /etc/openvpn/remote_host_route6.sh

The main idea is to add a route to the VPN server through the ISP gateway.
However, the workaround requires testing and debugging.

Hey, a simple test of your script didn't work, I see no change. I tried running the script again with the IPv6 VPN connected and got this result:

root@gateway:~# /etc/openvpn/remote_host_route6.sh
ip: RTNETLINK answers: File exists

What debug Information can I supply to you?

I've updated the script above.
If it is not working, show /tmp/remote_host_route6.log.

Thank you so much, that did the trick AND halved my ping to the outside world. Had to switch to TCP instead of UDP to get OK speeds, but it's finally done.

Thank you so much!
