Recommendation to route ipv6 traffic though vpn tunnel

Hello,

I own an GL.iNet MT-2500 and it has to cooperate with a router of my ISP that provides full ipv6. This is an ipv6 learning project and I already learnt a lot about it.

But now I am a bit stuck, maybe someone can give me a hint. By the way, I am also able to configure through LuCi.

I have already set up the MT2500 successfully router mode (WAN in the local network 192.168.178.0/8, LAN DHCP-served 192.168.8.0/8). VPN via wireguard/hide.me, ipv6 is switched off. One client gets ipv4 via dhcp from 192.168.8.0, no leaks (presents to the outside as a pure ipv4, DNS server seems to be the one from hide.me.

Then I re-configured the MT-2500 as Drop-In Gateway. This GL.iNet speciality uses a WAN side connection only with either DHCP server in main router switched off and MT-2500 stepping in to provide its ip address as a new gateway or manual client configuration. So the client is then connected to the 192.168.178.0 network and manually setup to use the MT-2500 as gateway. Works on ipv4 but ipv6 uses directly the ISP ipv6 connection. Client will receive ipv6 addresses and DNS server from the ISP router.

What next steps would you recommend? I think there are two issues:

(1) set a route so that ipv6 traffic will be routed through the vpn tunnel
(2) setup a dhcpv6 server in WAN so that I "overwrite" IPv6 addresses and DNSv6 addresses

Some infos here of the current non-ipv6 drop-in gateway setup:

Current ipv4 route

default via 192.168.178.1 dev eth0 proto static metric 10 
192.168.8.0/24 dev br-lan proto kernel scope link src 192.168.8.1 linkdown 
192.168.178.0/24 dev eth0 proto static scope link metric 10 

This is the ipv6 route when ipv6 is switched on:

default from 2a04:4540:7402:b00::/64 via fe80::464e:6dff:fede:92de dev eth0 proto static metric 512 pref medium
2a04:4540:7402:b00::/56 from 2a04:4540:7402:b00::/64 via fe80::464e:6dff:fede:92de dev eth0 proto static metric 512 pref medium
2a04:4540:7402:b00::/64 dev eth0 proto static metric 256 pref medium
unreachable 2a04:4540:7402:b00::/64 dev lo proto static metric 2147483647 pref medium
fd00:6968:6564:4be::a89:7c52 dev wgclient proto kernel metric 256 pref medium
unreachable fdad:c7ed:22e7::/48 dev lo proto static metric 2147483647 pref medium
default via fe80::464e:6dff:fede:92de dev eth0 proto ra metric 1024 expires 1765sec mtu 1492 hoplimit 255 pref medium

So regarding (1) when I understood correctly, maybe the only problem is that the metric of the default route through the VPN tunnel is 1024 > 512 for the default route in the first line...but even then I haven't found out where it is set this way.

Regarding (2) I am stuck a little bit as well. It seems ipv6 is a bit more flexible with the number of DHCPv6 providers and methods to get addresses (although I mainly want to serve router and DNS server addresses, in the end I don't care what ipv6 address the clients will have. Maybe RA is sufficient for that? Or do I need to setup a DHCPv6 server? How will I prevent that the clients like the ISP router more than the MT-2500, I know there is a value somewhere but can't find it.

Thanks for any thoughts on this one, I know it is at the border of GL.iNet and OpenWRT therefore I try it on both forums.

BR,
Carsten.

This forum is about official or "vanilla" OpenWrt. If you're using the GL build, seek help from them.

Also of course your VPN service must allow IPv6 inside the tunnel and their server must have an outlet to the v6 Internet. Very few VPN services do.