How to configure IPv6 network as an OpenVPN client?

I use my local ISP only for the physical connection to the internet, with fiber. Their modem is plugged in my OpenWrt router in the WAN interface which is configured as a DHCP client and receives a private IPv4. Connection to the internet works. So far so good.

Then I have installed OpenVPN in order to connect to my preferred ISP, which is not physically present in my area, but allows me to connect to their network through OpenVPN. Which allows me to retrieve my public IPv4 and a /64 of public IPv6 which is very convenient for various reasons like fixed IPs, reverse DNS...

OpenVPN runs as a service, installed from opkg. That brings up a TUN interface that gets the IPv4 and the /64.
In order to use the IPv4 I have created a new interface, with protocol set as unmanaged and in physical settings, the interface is set to tun0. So I can manage this interface in the firewall and forward traffic from lan to tun0 easily.
In my OpenVPN configuration I use redirect-gateway def1 which according to my understanding sets tun0 as the default gateway. I use that along with some rules to make sure local traffic does not follow that route:
route net_gateway
route net_gateway
route net_gateway
That works perfectly well, all my IPv4 lan traffic goes through the OpenVPN tunnel through NAT.

Now I would like to do something similar for IPv6. So that the systems on my lan get their own IPv6s, which is not the case at the moment.
In my OpenVPN configuration I have:
route-ipv6 ::/1
route-ipv6 8000::/1
When I do a ip addr on my OpenWrt I can see that the tun0 interface has received a scope global inet6 and I can ping some IPv6 addresses on the internet and traceroute shows that this is working perfectly well.

Now what should I do on my OpenWrt in order to distribute my /64 to my lan?

(edit: I remember using an IPv6 tunnel from HE in the past, and while setting up the interface I could chose the 6in4 protocol and the IPs were appearing as linked to this interface. And then it was much easier as OpenWrt took care of everything and the IPs appeared magically all over the lan. But with that unmanaged interface I can't do that.)

Just use ::/0

Ask for another block for your LAN.
Anything else is messing with the standards of the protocol (a network segment should have at least a /64) or dealing with NAT66 which is not supposed to be used in IPv6 for that reason.

Theoretically you could use a very small /127 like subnet for the tunnel and use the /64 in your LAN.
Or just use ULA for the tunnel, however the ISP might not agree to forward traffic to ULA address.

You are perfectly right about that /64 not being ideal. I will ask for more blocks.

But the question remains. I would still be stuck with that tun0 interface having the /64 and the other blocks being routed towards it. But how do I get from that to something that distributes those IPs to the systems on the lan?

As I said above, last time I tried it was happening automatically as part of the interface. Now I understand I have to configure it myself but I'm not sure where to start (dhcpv6...). Just an overview would be nice, I could probably figure the details myself.

I don't think they will be distributing the prefix with DHCPv6, so static it is.
You'll assign the prefix that will be distributed to the lan in the ip6prefix option.

great! thanks

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.