IPv6 Leak - How to influence client's default IPv6 route


my problem occurred with the GL.iNet MT-2500A flashed to latest GL.iNet and vanilla OpenWRT.

Setup is: FritzBox 7530 (fritzbox) of ISP which is working with IPv4 and IPv6. I configured the MT-2500A (router) behind as drop-in gateway, meaning I let it create a tunnel to VypVPN VPN provider with openvpn. I then use the router as gateway for a Mac. This is an experimental setup so I set that manually in the Mac. The solution in the end could be to switch off the fritzbox's DHCP server (this is working) and instead rund a DHCP server on the router providing its own IP address as gateway. (That's what called drop-in gateway in GL.iNet terms and it is quite easy to manage as manual config in vanilla OpenWRT as well)

Some IPv6 leak warnings from the usual sites let me analyze the problem further. I am an old IT guy, so I only have a small clue of how IPv6 is functioning, this here is also an exercise to learn more about it.

What I found out is that when I do a traceroute from the Mac, it will nicely route through the router as the first hop. This is also what all the check pages told me, my IPv4 is tunneled. But when I try to traceroute6 the google DNS server, first hop will be the fritzbox. I am not able to disable IPv6 in the fritzbox, although the provider is very open. I guess that's how they prepare for the future. Nevertheless, in a VPN scenario, this is a leak, as everytime I access something in the IPv6 universe, my data is no longer encrypted.

So I think the problem is that the routing table of the Mac will send data on IPv6 to default route which in this case is the fritzbox, whereas I was able to specify the router's IP as gateway in the configuration. As there is nothing like an IPv6 gateway to specify, I assume it works differently.

Am I on the right way when I think I have to setup a kind of DHCPv6 server providing the IPv6 address of the router to the clients (which then would be the new default route)? Will I be able to do that without having the capability to switch IPv6 off in the fritzbox?

Sorry, my IPv6 knowledge is really just starting to grow...


ip -6 route add blackhole ::1/128 metric 10


config route
        option interface 'loopback'
        option type 'blackhole'
        option target ''
        option metric '10'

theen check luci network routes and enter your v6 address. See low precedence, it will just blackhole everything not your lan(s), ping like to learn how it looks

edit: router obviously, it is in the name that it knows routing.
edit2: sysctl log_martians to log violations.

Hmmm, I see. So by this I create a place to route the unwanted IPv6 traffic. It was what
I learnt from my readings so far.

But I see two problems: (1) at the moment it seems the router is not configured for IPv6,
so I have to do this first I guess and (2) how would that tell the Mac client to use the router
as the IPv6 gateway? No clue how it now "thinks" it is the fritzbox. I edited the thread's
title a bit to move the focus there.


Route into home network in fritzos, since your query has nothing to do with openwrt you can close it.