OpenVPN on remote OpenWrt - problems when IP6 available & default protocol


#1

I have a home-installed OpenWRT router with OpenVPN server that I have been accessing remotely for years as I travel to various locations. Now as I travel I have begun to encounter more travel destinations that have IP6 enabled on the local router which is interfering with my VPN function since the IP6 is not being sent through the VPN which is configured only for IP4. As a result, the IP6 route is favored and the IP6 address shows as my real location and the IP4 as the VPN server is ignored by websites that I access.

Now as an option I can configure my Windows network adapter and set IP6 "off" and the VPN works but I would like to be able to issue a batch file called by the openvpn client to turn off IP6 for the time I am using the VPN and then turn IP6 back on after I am done with the VPN client so that I begin cloaking my home router's IP4 address when the VPN is active, the way it used to work before IP6 became so readily available.

What I could attempt is connect via VPN into my home router and configure it to support IP6 as well, but considering how I know nothing about IP6, I would give that about a 90% failure potential and there is a possibility I could crash the home router if I diddle with it and configure something wrong, so that's why I am going the route of trying to block IP6 on my laptop when I use the VPN and restore IP6 when I am done.

I have done extensive research and the following commands are supposed to block the IP6 protocol but they don't.

One expert's suggestion that did not work:

netsh interface teredo set state disable
netsh interface 6to4 set state disabled
netsh interface isatap set state disabled

Another expert's suggestion that did not work:

netsh interface teredo set state disabled
netsh interface ipv6 6to4 set state state=disabled undoonstop=disabled
netsh interface ipv6 isatap set state state=disabled


#2

These commands DO work but require a reboot because they change the registry to permanently disable TCPIP6. (Command to re-enable the interface for those who read this and do not know how to recover.)

Set off (after next reboot):
reg add HKLM\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters /v DisabledComponents /t REG_DWORD /d 255 /f

Set on (after next reboot):
reg add HKLM\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters /v DisabledComponents /t REG_DWORD /d 00000000 /f

This is NOT what I am looking for but instead something that halts TCPIP6 during the time OpenVPN client is active ........


#3

For clarity, you're referring to a Windows machine, correct?

You would likely find better help by inquiring at a Microsoft or Windows forum on how to disable IPv6 via a script.

https://www.google.com/search?q=disable+ipv6+windows


#4

The only way I can find to temporarily disable IP6 on Windows is to use a script which calls these netsh calls to change the registry, then this proposed script on the Windows help website says to run a long script which stops all services and starts them again. Now besides not working, this takes several minutes which is not acceptable.

I added
route-ipv6 ::/0
to my client config file in hopes it would force all IP6 traffic down the tunnel even though there is nothing to process it at the other (server) end, but this did not resolve the problem, IP6 still showed my true location where only the IP4 address was shown belonging to my home router.


#5

Ummm...your public IPv6 will show your true location, you have to stop/block the IPv6 stack on Windows. You seem to be aware of this, of course. The IPs are obviously not issued to the tunnel interface, so why do you think any IPv6 traffic would traverse down it?

This is not a Windows forum...but couldn't you just firewall outbound IPv6 traffic on the clients?
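
The adapter-level switch mentioned in post #1 (setting IPv6 "off" on the Windows network adapter) can be scripted so that it is undone after the VPN session, without the reboot the registry change needs. This is an added example, not part of any post in this thread; the script name and the state-file path are assumptions, and it has to run elevated.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt:
#   .\Toggle-VpnIPv6.ps1 -Action Disable    # before connecting the VPN
#   .\Toggle-VpnIPv6.ps1 -Action Restore    # after disconnecting
# Script name and state-file location are assumptions made for this example.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Disable', 'Restore')]
    [string]$Action,

    [string]$StateFile = (Join-Path $env:ProgramData 'vpn-ipv6-state.txt')
)

$ErrorActionPreference = 'Stop'
$component = 'ms_tcpip6'   # binding ID of "Internet Protocol Version 6 (TCP/IPv6)"

if ($Action -eq 'Disable') {
    # Only touch physical adapters that are currently up.
    $adapters = Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' }
    foreach ($adapter in $adapters) {
        $binding = Get-NetAdapterBinding -Name $adapter.Name -ComponentID $component
        if ($binding.Enabled) {
            Disable-NetAdapterBinding -Name $adapter.Name -ComponentID $component
            # Record the adapter so Restore re-enables only what this script changed.
            Add-Content -Path $StateFile -Value $adapter.Name
        }
    }
}
else {
    if (Test-Path $StateFile) {
        foreach ($name in (Get-Content $StateFile | Sort-Object -Unique)) {
            Enable-NetAdapterBinding -Name $name -ComponentID $component
        }
        Remove-Item $StateFile
    }
}

# Show the resulting IPv6 binding state for every adapter.
Get-NetAdapterBinding -ComponentID $component |
    Format-Table Name, Enabled -AutoSize
```

Adapters that already had IPv6 unbound are never written to the state file, so Restore leaves them as they were.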


#6

The reason I think it is "I mostly guess about everything OpenWRT and VPN". That is because I have several obstacles before me. First is that I either have a mental block about how all of this operates or I have not invested the required years to make a career out of understanding the technology. I am one of the perhaps thousands who want badly to use this technology without investing 14 hrs per day for around 10 years to understand all of the ins and outs. So it is hard for me to understand it but I still want to use it and am left with asking the most basic of questions.

I don't really understand how the technology works and I spent hours copying examples and diddling with all the settings to make it work, which makes it difficult to ask for help.


#7

IPv4 and IPv6 are entirely separate. You are sending your IPv4 down a VPN tunnel but are not sending IPv6. There are two options: firewall IPv6 from your Windows machine (you can do this, but Windows will probably still try to use it and fall back only after a delay, making everything slow), or get a VPN provider who will issue you an IPv6 range and send your IPv6 traffic to them.


#8

Thanks, I am the VPN provider in this case, using a hi-jacked wiki post to create my own OpenWRT OpenVPN server running back home, which works great for IP4. Is this something there is a cook book easy execution to accomplish?


#9

Awesome, so you should be able to do it. Assuming you get a decent IPv6 allocation at home. Do you have IPv6 with say a /60 or /56 allocation at your home? If so, you can tell OpenWrt running on your home router to allocate a /64 to the VPN tunnel interface. It may depend on which VPN software you use as to how it would work. I'd recommend WireGuard, it seems straightforward to get going and faster and much easier than OpenVPN.

A good method might be to configure a travel router to connect via WireGuard back to the home device, and then you can get your VPN for multiple devices and a whole subnet of IPv6 remotely.


#10

https://openwrt.org/docs/guide-user/services/vpn/openvpn/extra#dual_stack_gateway

And in case server side ISP doesn't have IPv6:
https://tunnelbroker.net/