Ip6class is not a sysctl... And I have to admit I wrongly read the wrong syntax from the upper post... That's why I asked: in OpenWrt you can set local or global for ip6class on an interface but no option ip6class '<ifname> [local|global]
The use_tempaddr = 2 settings are the common way to enable the privacy extensions, see the posting from VxBox at the beginning of this thread.
I have got an IPv6 address from my router which can be used for internet access:
The last 64 bits are randomly generated but they are static as long as the box gets no reboot (I think this is the result of option ip6ifaceid 'random'). The privacy extensions request a temporary address which changes after some time. This is not the case.
On all my other hosts in the LAN, two IPv6 addresses are generated, starting with 2003.... The last 64 bits of one address are constructed from the MAC address of the Ethernet port. The last 64 bits of the other address are a result of the privacy extensions. For connections from box to internet always the second one is used. For connections from internet to box the first static one is used.
So I expected a second privacy extensions address.
For your information on https://en.wikipedia.org/wiki/IPv6:
"To address these privacy concerns, the SLAAC protocol includes what are typically called "privacy addresses" or, more correctly, "temporary addresses", codified in RFC 4941, "Privacy Extensions for Stateless Address Autoconfiguration in IPv6". Temporary addresses are random and unstable. A typical consumer device generates a new temporary address daily and will ignore traffic addressed to an old address after one week."
Putting a random IP on the lan interface itself does nothing for privacy since that IP is never used on the Internet. By default it is prefix::1 as is traditional for the router in a lan network.
The router's own IP to interact with the Internet (upgrades, DNS, NTP, etc) is the wan IP. I don't see a way to make that dynamically random, though you can use option ifaceid in a dhcpv6 configuration to use a static random suffix.
If set to use stateful DHCP and that is supported upstream, it will always use the address supplied from upstream. You can set to not request an IPv6 and use SLAAC but that may not play well with an upstream network that insists on knowing your router's IP for security.
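The thread contrasts addresses whose last 64 bits are built from the MAC address with random or temporary ones. The following is an added example, not part of any post above, that classifies the interface identifier of an address and recovers the MAC where it is embedded (modified EUI-64, RFC 4291 Appendix A). The function names, the sample addresses in the 2001:db8::/32 documentation prefix and the "manual-low" threshold are assumptions made for illustration.

```python
import ipaddress

IID_MASK = 2**64 - 1  # the last 64 bits of the address (interface identifier)

def eui64_iid_from_mac(mac: str) -> int:
    """Build the modified EUI-64 interface identifier from a 48-bit MAC."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert ff:fe between the two halves.
    iid = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]
    return int.from_bytes(iid, "big")

def mac_from_address(addr: str):
    """Return the MAC embedded in the IID, or None if it is not EUI-64 shaped."""
    iid = (int(ipaddress.IPv6Address(addr)) & IID_MASK).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{x:02x}" for x in mac)

def classify(addr: str) -> str:
    """Classify an address by its interface identifier.

    'eui64'      - MAC-derived, the same suffix follows the host across prefixes
    'manual-low' - small fixed suffix such as prefix::1 (threshold is an assumption)
    'opaque'     - random, temporary or stable-privacy; these cannot be told
                   apart from the address alone, only by watching it over time
    A random IID contains ff:fe at that position by chance about once in
    65536 cases, so 'eui64' is a strong hint rather than proof.
    """
    iid = int(ipaddress.IPv6Address(addr)) & IID_MASK
    if mac_from_address(addr) is not None:
        return "eui64"
    if iid < 0x10000:
        return "manual-low"
    return "opaque"

if __name__ == "__main__":
    # Constructed sample addresses, not taken from the thread.
    for a in ("2001:db8:1:2:211:22ff:fe33:4455",
              "2001:db8:1:2:5c3a:91d4:7be2:10af",
              "2001:db8:1:2::1"):
        print(a, classify(a), mac_from_address(a))
```

Run against the output of `ip -6 addr show`, this shows which global addresses on a host still expose the hardware address in their suffix.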