HE IPv6 over an OpenVPN tunnel

ARM128bit · April 8, 2025, 9:34am

Hi there!

I have a IPv6 tunnel via HE and it correctly works. Clients get IPv6 addresses

I set up an OpenVPN tunnel which is configured by this openvpn guide. I wish to have a secure tunnel to my router.

First problem is The OpenVPN tunnel successfully connects clients but does not provide the internet. I think I missed firewall rules.

Second problem is I tried to configure IPv6 over the OpenVPN tunnel by this guide.
I assume that the router will forward IPv6 addresses to the OpenVPN network

My /etc/config/network configuration:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth0.2'
        option macaddr 'AA:BB:CC:DD:EE:FF'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option proto '6in4'
        option peeraddr 'XXX.XXX.XXX.XXX'
        option ip6addr 'XXXX:XXX:XY:XYY::X/64'
        list ip6prefix 'XXXX:XXX:XY:XYY::/64'
        option tunnelid 'tunnelid'
        option username 'username'
        option password 'password'
        option mtu '1480'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

config interface 'LANvpn'
        option proto 'static'
        option device 'tun1'
        list ip6class 'wan6'
        option ip6assign '64'

I cannot understant what should be in the row "option device"? What is "tun1"?
I have those devices:

My firewall configuration:

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone 'lan'
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list device 'tun+'

config zone 'wan'
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'a
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/firewall.include'


config rule 'ovpn'
        option name 'Allow-OpenVPN'
        option src 'wan'
        option target 'ACCEPT'

What did I miss? I tried to find a solve in the internet, I found out that I should configure IPv6 NAT. Is it true?

Write please what I have to send for you: logs, configs and etc!

I'm sorry I'm not native english and stupid in networks.

mk24 · April 8, 2025, 10:58am

Since you want dual stack in the VPN tunnel, should get v4 working first. Placing the vpn tunnel in the lan zone should have worked. VPNs must be tested from outside, for example when the client is a smartphone test with it on the cell network not your house wifi which is also the vpn server.

The tun interface is created by OpenVPN- by default it is named tun0 so use that same name when assigning IP address to it. A change script is not necessary since henet will not change your prefix. You could even configure a static /64 which is part of your /48 directly into OpenVPN but then you lose OpenWrt automatic assignment.

NAT6 is not necessary here since the clients will have GUAs that route directly to the Internet.

ARM128bit · April 8, 2025, 11:46am

Thank you for answer!
I placed the "tun0" into the lan zone further I checked and fixed again the configuration(firewall, vpn service) and after all the tunnel is working by IPv4!

What I should do for IPv6? What does mean "lose OpenWrt automatic assignment"? Do you mean OpenWrt can not get IPv6 in its wan port?

lleachii · April 8, 2025, 12:19pm

Does your VPN (or your firewall) allow inbound ping?

HE's tunnel checks for a successful ping to the SRC IPv4 address of the tunnel.

Also, you have a static IPv4 address from the VPN provider?

You may also need to route the /32 of the HE endpoint address via your tunnel.

This is in addition to what mk24 suggests.

mk24 · April 8, 2025, 12:32pm

I'm assuming your local ISP is v4 only, so your wan6 is the HE tunnel. Do devices on the local lan have proper v6 access? Test with a site like test-ipv6.com. Assuming all of that is working, next the LANvpn setup should have placed a /64 part of the HE prefix (a different part than the /60 the local LAN has) on tun0. That can be seen on the Interfaces GUI page or with ip addr show or ifstatus LANvpn in CLI.

Then-- this part I'm not sure about since I have not used OpenVPN for a while-- OpenVPN should push a single IPv6 address from that /64 to each client. The client uses that as its source IP when reaching the v6 Internet. It will get routed to the HE tunnel at your house an then to the v6 Internet from HE.

ARM128bit · April 8, 2025, 5:43pm

Yes, I have

you have a static IPv4 address from the VPN provider?

Yes, It has

Do devices on the local lan have proper v6 access?

The LANvpn setup should have placed a /64 part of the HE prefix (a different part than the /60 the local LAN has) on tun0

The LANvpn's settings:

I try to switch the IPv6 prefix filter to "wan" but that couldn't help

Thank you're guys!

ARM128bit · April 8, 2025, 6:39pm

Maybe a problem is that a IPv6 routed prefix is using in the HE tunnel's settings IPv6-in-IPv4 (RFC4213)

And subsequently this does not allow the prefix to be applied in the LANvpn?

mk24 · April 8, 2025, 6:47pm

HE gives each user a /48 prefix. You have configured /64. A /64 can only be passed to one LAN. A /48 can be broken up into 65,000 /64 blocks, or 4096 /60, etc.

ARM128bit · April 15, 2025, 10:21am

Good day!
After those days I have this configaration /etc/openvpn/server.conf

user nobody
group nogroup
dev tun
port 1194
proto udp
proto udp6
server 192.168.9.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
push "dhcp-option DNS 192.168.9.1"
push "dhcp-option DOMAIN lan"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"

server-ipv6 2001:YYY:XX:5ec:8000::/65
ifconfig-ipv6 2001:YYY:XX:5ec:8000::1 2001:YYY:XX:5ec:8000::2
push "route-ipv6 2000::/3"

As you can see I have splited HE's default /64 subnet to /65 one. I think it's not okay so I'll try to split /48 later.

A connected client has access to the IPv6 internet. It pass tests of test-ipv6.com for example.

But clients are assigned the same IP addresses 192.168.9.2 and 2001:YYY:XX:5ec:8000::1000.
I mean addresses does not increase for each clients

Thank you!

egc · April 15, 2025, 10:49am

I also do not think that is OK you should use a /64 subnet

Instead of

[quote="ARM128bit, post:9, topic:229547"]
push "route-ipv6 2000::/3"
[/quote] you can use:

push "redirect-gateway ipv6 def1"

this is ambiguous udp means both udp4 and udp6 which is probably what you want so delete/comment proto udp6

ifconfig-ipv6 is not necessary when using server-ipv6 2001:YYY:XX:5ec:8000::/64 the first address will automatically be the server so use a /64 subnet and I think you can remove this ifconfig-ipv6 line

mk24 · April 15, 2025, 10:53am

I have not used it lately but I got a free /48 from HE. They really only gave you one /64? That is not enough to implement v6 properly.

ARM128bit · April 15, 2025, 11:45am

Thank you for answer!

I changed the configuration to this:

user nobody
group nogroup
dev tun
port 1194
proto udp
server 192.168.9.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
push "dhcp-option DNS 192.168.9.1"
push "dhcp-option DOMAIN lan"
push "redirect-gateway ipv6 def1"
push "persist-tun"
push "persist-key"

server-ipv6 2001:YYY:XXX:8000::/64

I also splitted a /48 subnet to one /64 subnet as mk24 advised
It does not work now and not pass tests of test-ipv6 for example. Although a client gets IPv6 address 2001:YYY:XXX:8000::1000
Also, a client does not get DNS and gateway addresses

egc · April 15, 2025, 1:07pm

You probably also should push an IPv4 default route like you were doing before so re-instate:

push "redirect-gateway def1"

After that reboot server and client and check the routing on your client both ip route show and ip -6 route show

mk24 · April 15, 2025, 1:46pm

Also make sure your prefix delegation does not conflict with other LANs that were delegated automatically. Since the prefix is static and I don't think OpenVPN works with OpenWrt's automatic system, it would be best to manually / statically delegate all the LANs.

The usual advice to use Wireguard instead if at all possible really applies here since Wireguard interfaces on OpenWrt readily support automatic delegation and DHCPv6 / RA through the tunnel. Although if multiple "road warrior" clients are involved instead of a site to site link, OpenVPN would allow them to share the same /64 instead of using a separate interface and /64 for each one.

ARM128bit · April 15, 2025, 2:52pm

I returned "push "redirect-gateway def1""

user nobody
group nogroup
dev tun
port 1194
proto udp
server 192.168.9.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
push "dhcp-option DNS 192.168.9.1"
push "dhcp-option DOMAIN lan"
push "redirect-gateway def1"
push "redirect-gateway ipv6 def1"
push "persist-tun"
push "persist-key"

server-ipv6 2001:YYY:XXX:8000::/64

But I'm getting an error during connecting:
WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results

Window's routes:

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1      192.168.0.5     35
          0.0.0.0        128.0.0.0      192.168.9.1      192.168.9.2    281
   PUB.LIC.IP.135  255.255.255.255      192.168.0.1      192.168.0.5    291
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
        128.0.0.0        128.0.0.0      192.168.9.1      192.168.9.2    281
      192.168.0.0    255.255.255.0         On-link       192.168.0.5    291
      192.168.0.5  255.255.255.255         On-link       192.168.0.5    291
    192.168.0.255  255.255.255.255         On-link       192.168.0.5    291
      192.168.9.0    255.255.255.0         On-link       192.168.9.2    281
      192.168.9.2  255.255.255.255         On-link       192.168.9.2    281
    192.168.9.255  255.255.255.255         On-link       192.168.9.2    281
     192.168.56.0    255.255.255.0         On-link      192.168.56.1    281
     192.168.56.1  255.255.255.255         On-link      192.168.56.1    281
   192.168.56.255  255.255.255.255         On-link      192.168.56.1    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link      192.168.56.1    281
        224.0.0.0        240.0.0.0         On-link       192.168.9.2    281
        224.0.0.0        240.0.0.0         On-link       192.168.0.5    291
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link      192.168.56.1    281
  255.255.255.255  255.255.255.255         On-link       192.168.9.2    281
  255.255.255.255  255.255.255.255         On-link       192.168.0.5    291
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 10    281 ::/3                     fe80::8
  1    331 ::1/128                  On-link
 10    281 2000::/4                 fe80::8
 10     25 2001:YYY:XXX:8000::/64  fe80::8
 10    281 2001:YYY:XXX:8000::1000/128
                                    On-link
 10    281 3000::/4                 fe80::8
 10    281 fc00::/7                 fe80::8
 30    281 fe80::/64                On-link
 10    281 fe80::/64                On-link
 23    291 fe80::/64                On-link
 10    281 fe80::a171:b4fb:c5c7:44e7/128
                                    On-link
 30    281 fe80::a8a1:e26c:def6:692/128
                                    On-link
 23    291 fe80::b01a:203c:33b6:dabc/128
                                    On-link
  1    331 ff00::/8                 On-link
 30    281 ff00::/8                 On-link
 10    281 ff00::/8                 On-link
 23    291 ff00::/8                 On-link
===========================================================================

Tell me please what else I can provide for you

egc · April 15, 2025, 3:48pm

It is a warning and not an error and you can disregard that

As far as I can tell it looks OK but I do not use HE6 tunnels and do not use part of my PD for my OpenVPN subnet I use an ULA address (for which you need NAT66 on the router for internet access) but it should amount to the same, but routing looks good

You can try to run a tracert to see what is the problem e.g.:

tracert -6 2001:4860:4860::8888

But otherwise I do not know

ARM128bit · April 15, 2025, 4:12pm

  1   129 ms   129 ms   129 ms  2001:YYY:XXX:5ec:8000::1
  2   223 ms   223 ms   224 ms  tunnelZZZZZZ.tunnel.tserv27.prg1.ipv6.he.net [2001:YYY:XXX:5ec::1]
  3     *        *        *     Request timed out
  4   216 ms   216 ms   217 ms  nixcz-v6.net.google.com [2001:7f8:14::1d:1]
  5   217 ms   216 ms   217 ms  2001:4860:0:1::7f33
  6   216 ms   216 ms   218 ms  2001:4860:0:1::4e1f
  7   217 ms   217 ms   222 ms  dns.google [2001:4860:4860::8888]

I think I need to try a wireguard after all
Thank you guys! If you have no more ideas, then I will not waste your time any more. I am already very grateful to you.

egc · April 15, 2025, 4:39pm

But it seems to work?

ARM128bit · April 15, 2025, 5:16pm

My bad:

Tracing route to dns.google [2001:4860:4860::8888]
over a maximum of 30 hops:

  1  Destination net unreachable.

Trace complete.

I used the wrong subnetwork