Found guides on using a VPN on OpenWrt, via OpenVPN.
Applied them, but used WireGuard.
The ISP provides a -pd address, and the router is set up on the LAN IPv6 DHCP in 'server mode'.
The WireGuard connection can be toggled on and off (set not to start at boot).
And IPv4 packets can pass from clients to Internet hosts.
But IPv6 seems to terminate at the router. Only DNS works for IPv6.
The router can ping IPv6 hosts, but clients can't.
I need it to work, very simply, the same as when I fire up the VPN client on my laptop and everything routes over that, as that's how it is for every device and router with non-OpenWrt firmware; they've made it simple, straightforward, and it just works. In this particular case, I don't need an additional 'killswitch': if the VPN connection fails, having the packets go back to using the regular WAN connection is OK.
If the VPN provider also supports IPv6, e.g. your WireGuard config also has an IPv6 address, then you need the following to also route IPv6 via the VPN:
As Allowed IPs add ::/1 and 8000::/1 instead of ::/0.
Enable IPv6 Masquerade on the WireGuard firewall zone.
For details see my notes (you need the Client setup guide):
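The two settings described above, written out as OpenWrt UCI fragments. This is an added example, not egc's guide and not the poster's actual configuration: the interface name wg0, the zone name vpn, the key material, the endpoint and the tunnel addresses are all placeholders or assumptions. The IPv4 halves (0.0.0.0/1 and 128.0.0.0/1) apply the same split to IPv4 and are assumed to be what already makes the poster's IPv4 traffic work.

```text
# /etc/config/network (fragment)
config interface 'wg0'
	option proto 'wireguard'
	option private_key '<placeholder: our private key>'
	list addresses '10.2.0.2/32'          # placeholder: tunnel IPv4 from the provider
	list addresses 'fd42:1234:5678::2/128' # placeholder: tunnel ULA from the provider

config wireguard_wg0
	option public_key '<placeholder: provider public key>'
	option endpoint_host 'vpn.example.net'   # placeholder
	option endpoint_port '51820'
	option persistent_keepalive '25'
	option route_allowed_ips '1'             # install the allowed_ips as routes
	list allowed_ips '0.0.0.0/1'
	list allowed_ips '128.0.0.0/1'
	list allowed_ips '::/1'                  # the two /1 halves are more specific than
	list allowed_ips '8000::/1'              # the ISP's ::/0, so they win while wg0 is up

# /etc/config/firewall (fragment)
config zone
	option name 'vpn'
	list network 'wg0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'      # IPv4 masquerade
	option masq6 '1'     # IPv6 masquerade: LAN GUAs are rewritten to the tunnel ULA
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'vpn'
```

Because the two /1 routes belong to wg0, they disappear when the interface is brought down and traffic falls back to the ISP default route, which is the no-killswitch behaviour the poster asked for.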
The VPN service has probably provided a ULA address on the tunnel. You need to NAT to this address in order to use it. Here the situation is the same as with IPv4: the VPN server is not aware of your LAN addresses, so it will not be able to route a return packet directly back to your LAN endpoint device (phone, laptop, etc.).
To implement this NAT, the masq6 option should be set on the zone containing the VPN tunnel. The regular masq option is only for IPv4.
Overall the packet flow then becomes:
Your LAN endpoints have a GUA address from the local ISP's prefix. Ordinarily this would be routed directly to the Internet locally. The VPN client has changed the routing table so that Internet destinations from the LAN now route into the VPN tunnel.
When a LAN endpoint initiates a connection to the v6 Internet, it uses its GUA as the source address.
OpenWrt forwards this packet to the VPN tunnel, and uses SNAT (masq6) to change the source IP to the ULA of your end of the tunnel.
The VPN service NATs the address again to their GUA on the v6 Internet.
As intended, the Internet site receives the source address as that of the VPN service, not your ISP.
Once that is working, for additional privacy you may consider issuing source IPs to your LAN which have nothing to do with the local ISP. (This is of course necessary for those with a local ISP that does not support IPv6 at all.) ULAs may be usable for this; however, some OSes will not consider a ULA as a connection to the v6 Internet and will force v4 only on applications. It is better to use phony GUAs such as those literally from 2001:db8::. Any source IP can be used as long as it is not going to overlap something that actually exists on the Internet, as then you could not route properly to that site.
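The packet flow above, together with the ::/1 + 8000::/1 trick from the earlier reply, modelled in Python so the two points can be checked rather than taken on faith: the two /1 routes are strictly more specific than the ISP's ::/0 and therefore win without having to fight a second default route on metric, and without masq6 the VPN server sees a source address it has no route back to. This is an added example, not code from the thread or from OpenWrt; it uses only the standard-library ipaddress module, and the interface names (wan, wg0), the tunnel ULA and the LAN address (the 2001:db8:: documentation prefix standing in for the ISP's real prefix) are constructed.

```python
"""Why ::/1 + 8000::/1 beats a second ::/0, and why masq6 is needed.

Added example, not from the forum thread. The router's IPv6 routing table
is modelled as (prefix, interface) pairs with longest-prefix match, and the
masq6 step as a source-address rewrite on the tunnel interface. Interface
names, the tunnel ULA and the LAN address are constructed for illustration.
"""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv6Network, str]


def net(s: str) -> ipaddress.IPv6Network:
    return ipaddress.IPv6Network(s)


# Constructed routes. The ISP default comes from the WAN (PD / RA); the two
# halves are what route_allowed_ips installs from WireGuard's allowed_ips.
ISP_DEFAULT: List[Route] = [(net("::/0"), "wan")]
VPN_HALVES: List[Route] = [(net("::/1"), "wg0"), (net("8000::/1"), "wg0")]

# Constructed addresses: the ULA the VPN assigned to our end of the tunnel,
# and a LAN client GUA (documentation prefix as a stand-in for the ISP's).
TUNNEL_ULA = "fd42:1234:5678::2"
LAN_GUA = "2001:db8:abcd:1::10"


def halves_cover_everything() -> bool:
    """::/1 and 8000::/1 are exactly the two halves of ::/0."""
    return list(net("::/0").subnets(prefixlen_diff=1)) == [net("::/1"), net("8000::/1")]


def lookup(routes: List[Route], dest: str) -> Optional[str]:
    """Longest-prefix match, as the kernel does it.

    Two routes of equal length (e.g. the ISP's ::/0 next to a VPN ::/0) are
    not decided here; they would compete on metric, which is exactly the
    ambiguity the /1 split avoids.
    """
    addr = ipaddress.IPv6Address(dest)
    best: Optional[Route] = None
    for route in routes:
        prefix, _ = route
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = route
    return best[1] if best else None


def forward(routes: List[Route], src: str, dst: str,
            masq6_zones=frozenset({"wg0"})) -> Tuple[Optional[str], str]:
    """Route a LAN packet and apply masq6 if the egress interface has it.

    Returns (egress interface, source address as seen by the next hop).
    """
    dev = lookup(routes, dst)
    if dev in masq6_zones:
        return dev, TUNNEL_ULA  # SNAT: the source becomes our tunnel ULA
    return dev, src


def vpn_can_return(src_seen_by_vpn: str) -> bool:
    """The VPN server knows only our tunnel address, never our LAN prefix."""
    return src_seen_by_vpn == TUNNEL_ULA


def classify(addr: str) -> str:
    """Source-address class in the sense used above (ULA vs. GUA vs. phony GUA)."""
    a = ipaddress.IPv6Address(addr)
    if a in net("fc00::/7"):
        return "ULA"
    if a in net("2001:db8::/32"):
        return "documentation prefix (phony GUA)"
    if a in net("2000::/3"):
        return "GUA"
    return "other"


if __name__ == "__main__":
    dst = "2001:4860:4860::8888"
    print("VPN down:        ", forward(ISP_DEFAULT, LAN_GUA, dst))
    print("VPN up, masq6:   ", forward(ISP_DEFAULT + VPN_HALVES, LAN_GUA, dst))
    print("VPN up, no masq6:", forward(ISP_DEFAULT + VPN_HALVES, LAN_GUA, dst, frozenset()))
```

Running it shows the three states the thread is about: with the tunnel down the packet leaves wan with the LAN GUA unchanged; with the tunnel up and masq6 on, it leaves wg0 sourced from the tunnel ULA, which the provider can route back to; with the tunnel up but masq6 off, it leaves wg0 still carrying the LAN GUA, which matches the poster's symptom of the router reaching IPv6 hosts while clients do not.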
Yes! I will re-read your post when I have time and attention. I read your sentence and that seems exactly what is happening.
Apparently this forum doesn't allow post edits (sigh) or an easy way to quote you. I tried to go back and edit my original post to make it clearer, and could not.
Yes, IPv4/6 works fine when not adding or enabling WireGuard. Both ipv6-test-type websites answer that I have both protocols working, 100%.
I think mk24 figured it out, but I have to take the time to apply myself to his answer to see if it resolves the issue.