IPv6 Connectivity through VPN

Hey all,

I apologize if the answer to this seems obvious but I thought I'd throw it out there in the event I'm missing something simple.

I have WireGuard configured using ProtonVPN on my Linksys WRT3200ACM running OpenWrt 24.10.0. It is currently running and broadcasting the correct public IPv4 address without any problems. The issue I'm having is that I can't get an IPv6 address from ipleak.net or whatismyip.com. I'm pretty sure I have all the settings correct, but I just want to confirm:

Allowed IPs on my WireGuard config:

IPv6 Masquerading enabled in the "vpn" zone in the firewall section:


*Note - This is NOT enabled in the "wan" zone.

IPv6 assignment length set to 64 on the wan6 interface:

On the interfaces page, I do see that my wan6 interface is active and running. Is there anything else I could check to confirm my settings are correct? Here is my Public IP from ipleak.net:

Appreciate all the help!

-Pyro

I think that Proton uses ULAs in the tunnel. Your wg interface must hold the ULA as assigned and expected by the VPN service. This will be the source address of v6 packets leaving your router after masquerading. Then the VPN server will masquerade them again to their local GUA.

The next thing to check is if the LAN devices have GUA IPs. Many OS will not use a ULA as a source IP for the Internet, and will run only v4 for Internet access. GUAs will be assigned if your ISP supports v6 and the router is otherwise properly configured for (non-VPN) v6 operation. If you don't have GUAs from the ISP, you will need to fake it by statically setting a "GUA" on the lan interface. This could be literally 2001:db8:xxxx:xxxx::1/64 (use zeros or random numbers for the x's). The 2001:db8 prefix is reserved so that it will never be the IP of any site on the Internet, thus it is similar to the RFC1918 private IPs in v4.

1 Like

Looks like my ISP (Charter Spectrum) does provide a GUA using the /56 prefix. In this case, should I change my IPv6 assignment length to 56 instead of 64? If not, are there any negative repercussions to adding 2001:db8::1/64 to my LAN interface?

For this purpose it does not matter what size prefix is on the LAN itself. LAN devices which are not routers only need a /128 IP out of the first /64 on the LAN. That IP is used as the source when they send a packet to the v6 Internet. Check the device's network status to be sure they have a GUA.

This GUA if it went to the Internet would reveal your ISP and location, but that does not happen here since the masquerade hides it.

Checking the status of the wan6 interface from Network>Interfaces I see the following:

The important interfaces are lan and wg. I see the PD size from the ISP is only /64 but that should support one LAN.

Sorry about that, here you go:

There is no v6 of any sort on wg0. That will not work. Follow Proton's instructions to set up a v6 tunnel.

1 Like

Thank you,

You wouldn't happen to have a link on how to do this, would you? ProtonVPN doesn't even provide any documentation on how to set up their VPN using WireGuard (from what I could find), let alone how to set up a v6 tunnel for it. The only thing I could find is OpenVPN, which is much slower compared to WireGuard:

Only information I got was from ChatGPT saying I need to add the GUA address to the "IP Addresses" section like this:

And restart the network. Does this sound correct?

...Or maybe 2600:XXXX:XXXX:XXXX::2/64 so it doesn't butt heads with my LAN interface? Sorry, I am by no means a networking guru. I'm a System Admin by trade and am doing what I can to manage my own home network without my ISP monitoring all my traffic.

You will have to use exactly the tunnel IP that the VPN service tells you to: it needs to be an allowed_ip on their configuration and their server will route to it.

I think I understand, but when I download any configuration from Proton's site, it doesn't include an IPv6 address, it only gives me an IPv4, in this case 146.70.202.146. Does this mean ProtonVPN doesn't support IPv6?

So doing more research, it seems they are still testing IPv6 across all their software and currently only have support for Linux and a browser extension. I'm unsure if this includes the router configs since they are Linux-based, but if it does, it would appear that I am connected to a server that doesn't support IPv6:

I added: fd00::1/128 to my IP list and fd00::1 as a DNS server and I now have this:

Appears I'm at a standstill for now, unless I want to play around with different Proton servers. They don't explicitly state if they are IPv6 compatible or not and I don't feel like messing with my router all day to find out.

Proton does not support IPv6, but if you want to have a look at how to set it up, see my notes.
For IPv6 support, the VPN provider has to hand out not only an IPv4 address but also an IPv6 ULA address.

2 Likes
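Added example, not part of any post in this thread: a Python check of the point made in the replies above, that the tunnel can only carry v6 if the provider's WireGuard config hands out a v6 address for the interface, regardless of what is in Allowed IPs. Both sample configs, their addresses and keys are constructed, and a single `[Peer]` section is assumed.

```python
import configparser
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")       # unique local addresses
DOC = ipaddress.ip_network("2001:db8::/32")  # documentation prefix, never routed

def classify(addr):
    """Label one interface address using the categories from the thread."""
    ip = ipaddress.ip_interface(addr.strip()).ip
    if ip.version == 4:
        return "ipv4"
    if ip in ULA:
        return "ula"
    if ip in DOC:
        return "documentation"
    return "gua" if ip.is_global else "other-v6"

def check_tunnel(conf_text):
    """Report whether a wg-quick style config can carry IPv6 at all."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(conf_text)
    addrs = cp.get("Interface", "Address", fallback="").split(",")
    allowed = cp.get("Peer", "AllowedIPs", fallback="").split(",")
    kinds = {a.strip(): classify(a) for a in addrs if a.strip()}
    v6_allowed = any(ipaddress.ip_network(a.strip(), strict=False).version == 6
                     for a in allowed if a.strip())
    v6_address = any(k != "ipv4" for k in kinds.values())
    # Routing ::/0 into the tunnel is useless without a v6 source address on it.
    return {"addresses": kinds, "v6_address": v6_address,
            "v6_allowed": v6_allowed, "v6_usable": v6_address and v6_allowed}

# Constructed sample: v4-only config, as described by the original poster.
V4_ONLY = """
[Interface]
PrivateKey = PLACEHOLDER
Address = 10.2.0.2/32
[Peer]
PublicKey = PLACEHOLDER
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 192.0.2.1:51820
"""
# Constructed sample: same config with a provider-assigned ULA added.
DUAL = V4_ONLY.replace("10.2.0.2/32", "10.2.0.2/32, fd00:db8:1::2/128")

if __name__ == "__main__":
    for name, conf in (("v4-only", V4_ONLY), ("dual-stack", DUAL)):
        print(name, check_tunnel(conf))
```
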
