No, it enables NAT6 on the server side if you have no prefix.
The owner of the server should manually request an additional prefix from the ISP or split his current prefix and use it as the VPN_POOL6 variable value.
In case of commercial VPN provider I doubt they give you a prefix wider than /64, so using NAT6 on the client side seems to be the proper approach.
For multiple commercial clients you should probably do this:
uci set firewall.@zone[1].device="tun+"
uci commit firewall
service firewall restart
Usually there's no point to run 2 VPN client instances unless you want to utilize specific routes.
Do you really need it and what is the reason?
I have no way to help you until I understand why you're doing it.
You do not need run 2 instances to get IPv6.
In general every single instance can run in dual stack mode.
So, if they offer IPv6, it means they usually also offer IPv4 on the same connection.
root@OpenWrt:~# ip -6 addr show; ip -6 route show; ip -6 rule show; ip6tables-sa
ve
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::da50:e6ff:fe4f:9848/64 scope link
valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 2a02:908:3034:f2e0::1/60 scope global dynamic noprefixroute
valid_lft 1044041sec preferred_lft 439241sec
inet6 fd48:17a:cb5c::1/60 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::da50:e6ff:fe4f:9848/64 scope link
valid_lft forever preferred_lft forever
9: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 2a02:908:3000:3:f8:a4fa:dd16:daeb/128 scope global dynamic noprefixroute
valid_lft 1044041sec preferred_lft 439241sec
inet6 fe80::da50:e6ff:fe4f:9849/64 scope link
valid_lft forever preferred_lft forever
12: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 100
inet6 fdbf:1d37:bbe0::72:10:0:f2/112 scope global
valid_lft forever preferred_lft forever
inet6 fe80::46a1:bd85:230c:7287/64 scope link stable-privacy
valid_lft forever preferred_lft forever
13: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 100
inet6 fdbf:1d37:bbe0::48:5:0:f5/112 scope global
valid_lft forever preferred_lft forever
inet6 fe80::c846:dffc:d5c0:989b/64 scope link stable-privacy
valid_lft forever preferred_lft forever
default from 2a02:908:3000:3:f8:a4fa:dd16:daeb via fe80::201:5cff:fe92:9846 dev eth0.2 proto static metric 512 pref medium
default from 2a02:908:3034:f2e0::/59 via fe80::201:5cff:fe92:9846 dev eth0.2 proto static metric 512 pref medium
::/3 dev tun1 metric 1 pref medium
::/3 dev tun0 metric 1 pref medium
2a02:908:3034:f2e0::/64 dev br-lan proto static metric 1024 pref medium
unreachable 2a02:908:3034:f2e0::/59 dev lo proto static metric 2147483647 error -113 pref medium
2000::/4 dev tun1 metric 1 pref medium
2000::/4 dev tun0 metric 1 pref medium
3000::/4 dev tun1 metric 1 pref medium
3000::/4 dev tun0 metric 1 pref medium
2000::/3 dev tun1 metric 1 pref medium
2000::/3 dev tun0 metric 1 pref medium
fd48:17a:cb5c::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd48:17a:cb5c::/48 dev lo proto static metric 2147483647 error -113 pref medium
fdbf:1d37:bbe0:0:48:5::/112 dev tun0 proto kernel metric 256 pref medium
fdbf:1d37:bbe0:0:72:10::/112 dev tun1 proto kernel metric 256 pref medium
fc00::/7 dev tun1 metric 1 pref medium
fc00::/7 dev tun0 metric 1 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0.2 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev tun1 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
0: from all lookup local
32766: from all lookup main
4200000000: from 2a02:908:3034:f2e0::1/60 iif br-lan unreachable
4200000001: from all iif lo failed_policy
4200000007: from all iif br-lan failed_policy
4200000009: from all iif eth0.2 failed_policy
4200000009: from all iif eth0.2 failed_policy
4200000012: from all iif tun1 failed_policy
4200000013: from all iif tun0 failed_policy
# Generated by ip6tables-save v1.6.2 on Thu Jul 11 22:54:11 2019
*nat
:PREROUTING ACCEPT [1110:100357]
:INPUT ACCEPT [769:67792]
:OUTPUT ACCEPT [30:3360]
:POSTROUTING ACCEPT [12:2208]
:postrouting_PP_Firewall_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_PP_Firewall_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_PP_Firewall_postrouting - [0:0]
:zone_PP_Firewall_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_PP_Firewall_prerouting
-A PREROUTING -i tun1 -m comment --comment "!fw3" -j zone_PP_Firewall_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_PP_Firewall_postrouting
-A POSTROUTING -o tun1 -m comment --comment "!fw3" -j zone_PP_Firewall_postrouting
-A zone_PP_Firewall_postrouting -m comment --comment "!fw3: Custom PP_Firewall postrouting rule chain" -j postrouting_PP_Firewall_rule
-A zone_PP_Firewall_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_PP_Firewall_prerouting -m comment --comment "!fw3: Custom PP_Firewall prerouting rule chain" -j prerouting_PP_Firewall_rule
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Thu Jul 11 22:54:11 2019
# Generated by ip6tables-save v1.6.2 on Thu Jul 11 22:54:11 2019
*mangle
:PREROUTING ACCEPT [97928:57628347]
:INPUT ACCEPT [8592:550451]
:FORWARD ACCEPT [78964:56318726]
:OUTPUT ACCEPT [2156:277566]
:POSTROUTING ACCEPT [81113:56595872]
-A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone PP_Firewall MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o tun1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone PP_Firewall MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Thu Jul 11 22:54:11 2019
# Generated by ip6tables-save v1.6.2 on Thu Jul 11 22:54:11 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_PP_Firewall_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_PP_Firewall_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_PP_Firewall_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_PP_Firewall_dest_ACCEPT - [0:0]
:zone_PP_Firewall_dest_REJECT - [0:0]
:zone_PP_Firewall_forward - [0:0]
:zone_PP_Firewall_input - [0:0]
:zone_PP_Firewall_output - [0:0]
:zone_PP_Firewall_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_PP_Firewall_input
-A INPUT -i tun1 -m comment --comment "!fw3" -j zone_PP_Firewall_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_PP_Firewall_forward
-A FORWARD -i tun1 -m comment --comment "!fw3" -j zone_PP_Firewall_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_PP_Firewall_output
-A OUTPUT -o tun1 -m comment --comment "!fw3" -j zone_PP_Firewall_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_PP_Firewall_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_PP_Firewall_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_PP_Firewall_dest_ACCEPT -o tun1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_PP_Firewall_dest_ACCEPT -o tun1 -m comment --comment "!fw3" -j ACCEPT
-A zone_PP_Firewall_dest_REJECT -o tun0 -m comment --comment "!fw3" -j reject
-A zone_PP_Firewall_dest_REJECT -o tun1 -m comment --comment "!fw3" -j reject
-A zone_PP_Firewall_forward -m comment --comment "!fw3: Custom PP_Firewall forwarding rule chain" -j forwarding_PP_Firewall_rule
-A zone_PP_Firewall_forward -m comment --comment "!fw3" -j zone_PP_Firewall_dest_REJECT
-A zone_PP_Firewall_input -m comment --comment "!fw3: Custom PP_Firewall input rule chain" -j input_PP_Firewall_rule
-A zone_PP_Firewall_input -m comment --comment "!fw3" -j zone_PP_Firewall_src_REJECT
-A zone_PP_Firewall_output -m comment --comment "!fw3: Custom PP_Firewall output rule chain" -j output_PP_Firewall_rule
-A zone_PP_Firewall_output -m comment --comment "!fw3" -j zone_PP_Firewall_dest_ACCEPT
-A zone_PP_Firewall_src_REJECT -i tun0 -m comment --comment "!fw3" -j reject
-A zone_PP_Firewall_src_REJECT -i tun1 -m comment --comment "!fw3" -j reject
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to PP_Firewall forwarding policy" -j zone_PP_Firewall_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
root@OpenWrt:~# traceroute6 openwrt.org
traceroute to openwrt.org (2a03:b0c0:3:d0::1af1:1), 30 hops max, 64 byte packets
1 fdbf:1d37:bbe0::72:10:0:1 (fdbf:1d37:bbe0::72:10:0:1) 26.224 ms 26.118 ms 26.505 ms
2 2a01:4a0:c::1 (2a01:4a0:c::1) 34.076 ms 33.907 ms 33.897 ms
3 2a01:4a0:0:2019::31 (2a01:4a0:0:2019::31) 39.336 ms 40.352 ms 39.085 ms
4 fra1-edge1.digitalocean.com (2001:7f8::36ed:0:1) 40.039 ms 39.792 ms 39.979 ms
5 * * *
6 wiki-01.infra.openwrt.org (2a03:b0c0:3:d0::1af1:1) 39.865 ms 39.511 ms 39.236 ms