Set up OpenVPN tunnel with IPv6 traffic on dumb AP

Dear OpenWrt experts,

I have some problems setting up OpenVPN.

My setup:

I have an Internet router with IP address 192.168.72.1 that connects to the Internet.
I have a public IPv4 address and a usable IPv6 /56 prefix.

IPv4 port 443 TCP is forwarded to my OpenWrt router,
and port 443 TCP is accessible on the IPv6 address of the OpenWrt router.

My OpenWrt router is running OpenWrt 22.03.2 and has the static IP 192.168.72.2.
It is configured as a dumb AP, so there is no WAN interface.

OpenVPN is configured to listen on port 443 TCP.

What works so far:

I was able to configure networking and the firewall to work with IPv4 only. I can connect via OpenVPN, have access to all devices in the network and can route all traffic through the tunnel. But I can only listen on the IPv4 address.

This is the firewall config for IPv4:

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'DROP'
	option syn_flood '1'
	option drop_invalid '1'

config rule
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'tcp udp'
	option src '*'
	option dest_port '443'
	option name 'Allow Forwarded VPN Request -> <device>'

config rule
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'tcp udp'
	option src '*'
	option src_ip '10.11.0.0/28'
	option dest_ip '192.168.72.0/24'
	option name 'Allow VPN0 -> LAN'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option family 'ipv4'
	option src '*'
	option src_ip '10.11.0.0/28'
	option dest '*'
	option dest_ip '192.168.72.0/24'
	option name 'Allow Forwarded VPN0 -> LAN'

config rule
	option target 'ACCEPT'
	option proto 'icmp'
	list icmp_type 'echo-request'
	option src '*'
	option src_ip '10.11.0.0/28'
	option dest 'lan'
	option name 'Allow VPN0 (ICMP 8) -> <device> '

config zone
	option name 'lan'
	option network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'

config zone
	option name 'vpn'
	option network 'vpn0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option dest 'vpn'
	option src 'lan'

config forwarding
	option dest 'lan'
	option src 'vpn'

As soon as I configure my router to also get an IPv6 address (relevant part of /etc/config/network):

config interface 'lan6'
	option device '@lan'
	option proto 'dhcpv6'

and set up OpenVPN to listen on tcp6 and add

list push "route-ipv6 2000::/3"
list push "redirect-gateway ipv6 def1"

I can connect to my network via IPv4 and IPv6, but the IPv6 traffic of my externally connecting device is no longer forwarded.

I tried to modify some example firewall rules for my dumb AP setup, but I did not succeed.

Honestly, I am familiar with Linux, but I do not thoroughly understand how to handle IPv6.

I also tried to follow this guide:

and to modify the firewall rules to my setup, but nothing has worked so far.

Any help is appreciated.

Thank you

uci del firewall.lan.network
uci add_list firewall.lan.network='lan'
uci add_list firewall.lan.network='lan6'
uci commit firewall
service firewall restart

Thank you, trendy, for your answer.

However, I still have no success.

On the connecting machine I get:

ping -4 www.google.de
PING (142.250.186.131) 56(84) bytes of data.
64 bytes from fra24s07-in-f3.1e100.net (142.250.186.131): icmp_seq=1 ttl=59 time=395 ms
64 bytes from fra24s07-in-f3.1e100.net (142.250.186.131): icmp_seq=2 ttl=59 time=252 ms

--- ping statistics ---
3 packets transmitted, 2 received, 33.3333% packet loss, time 2000ms
rtt min/avg/max/mdev = 251.716/323.515/395.315/71.799 ms

ping -6 www.google.de
PING www.google.de(fra07s64-in-x2003.1e100.net (2a00:1450:4001:80f::2003)) 56 data bytes

--- www.google.de ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3031ms

My present network config:


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd1b:cc66:634b::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.72.2'
	option netmask '255.255.255.0'
	option gateway '192.168.72.1'
	option ip6gw 'fde7:660e:1f81::1'
	option ip6gw 'fd00::464e:6dff:fe55:382'
	option ip6assign '60'

config interface 'lan6'
	option device '@lan'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 1 2 3 4 5 6t'

config interface 'vpn0'
	option proto 'none'
	option auto '1'
	option device 'tun0'

My firewall config:


config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'DROP'
	option syn_flood '1'
	option drop_invalid '1'

config rule
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'tcp udp'
	option src '*'
	option dest_port '443'
	option name 'Allow Forwarded VPN Request -> <device>'

config rule
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'tcp udp'
	option src '*'
	option src_ip '10.11.0.0/28'
	option dest_ip '192.168.72.0/24'
	option name 'Allow VPN0 -> LAN'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option family 'ipv4'
	option src '*'
	option src_ip '10.11.0.0/28'
	option dest '*'
	option dest_ip '192.168.72.0/24'
	option name 'Allow Forwarded VPN0 -> LAN'

config rule
	option target 'ACCEPT'
	option proto 'icmp'
	list icmp_type 'echo-request'
	option src '*'
	option src_ip '10.11.0.0/28'
	option dest 'lan'
	option name 'Allow VPN0 (ICMP 8) -> <device> '

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	list network 'lan'
	list network 'lan6'

config zone
	option name 'vpn'
	option network 'vpn0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option dest 'vpn'
	option src 'lan'

config forwarding
	option dest 'lan'
	option src 'vpn'

My OpenVPN config:

persist-key
persist-tun
ca /etc/easy-rsa/pki/ca.crt
cert /etc/easy-rsa/pki/issued/some.crt
compress lzo
dev tun
dh /etc/easy-rsa/pki/dh2048.pem
ifconfig-pool-persist /tmp/ipp.txt
keepalive 10 120
key /etc/easy-rsa/pki/private/some.key
port 443
proto tcp6
push "route 192.168.72.0 255.255.255.0"
push "route-ipv6 2000::/3"
push "dhcp-option DNS 192.168.72.1"
push "dhcp-option WINS 192.168.72.1"
push "redirect-gateway"
push "redirect-gateway ipv6 def1"
server 10.11.0.0 255.255.255.0
server-ipv6 someaddress::/64
status /tmp/openvpn-status.log
user nobody
verb 3

Remove these from the lan interface. Which address is the OpenVPN client getting from the server? Is the /64 prefix you have assigned on the OpenVPN a part of the delegated prefix on lan6, or are you routing it statically?

These are the exact gateway addresses from /etc/resolv.conf on a client in my network. During some earlier configuration, when I had not yet figured out how to use DHCPv6 correctly, I set these manually.

However, I removed the settings and replaced /etc/resolv.conf again with a symlink to /tmp/resolv.conf.

ping -4 and ping -6 from the OpenWrt router still work as before.

The IPv6 prefix from the main router is 2003:f6:1234:7f00::/56.

These are the relevant lines from ip addr show:

7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 14:cc:20:47:25:26 brd ff:ff:ff:ff:ff:ff
    inet 192.168.72.2/24 brd 192.168.72.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 2003:f6:1234:7f00:16cc:20ff:fe47:2526/64 scope global dynamic noprefixroute 
       valid_lft 7094sec preferred_lft 1689sec
    inet6 fe80::16cc:20ff:fe47:2526/64 scope link 
       valid_lft forever preferred_lft forever
8: eth1.1@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 14:cc:20:47:25:26 brd ff:ff:ff:ff:ff:ff
9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 500
    link/[65534] 
    inet 10.11.0.1 peer 10.11.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 2003:f6:1234:7f00:abc::1/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::736c:dfc1:69b7:d8a5/64 scope link flags 800 
       valid_lft forever preferred_lft forever

and the OpenVPN config uses

option server_ipv6 "2003:f6:1234:7f00:abc::/64"

and this is the IPv6 address the OpenVPN client gets:

5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none 
    inet 10.11.0.6 peer 10.11.0.5/32 scope global noprefixroute tun0
       valid_lft forever preferred_lft forever
    inet6 2003:f6:1234:7f00:abc::1000/64 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::7b6a:a2cc:4bb8:537f/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

So if I understand it correctly, OpenVPN is assigned part of the delegated prefix.

Yeah, but you are using the same network prefix for both lan and tun0, so it cannot work, as you are routing, not bridging.

I told you, I don't understand the IPv6 stuff :)
What do I have to do?
Just choose another prefix for the OpenVPN server?
And if so, which one would be safe?
Do I also have to modify the ula_prefix in /etc/config/network?

First of all, you need to verify that the ISP router has indeed delegated some larger prefix to OpenWrt. Otherwise you won't be able to use it.
Check with ifstatus lan6

No need to modify that. It is not needed unless you want to do NAT6.

Okay, the ISP router obviously has not.
I'll come back to you when that works...
Thank you so far.

Is this what you want to see?

...
"ipv6-prefix": [
	{
		"address": "2003:f6:1234:7ffc::",
		"mask": 62,
		"preferred": 3577,
		"valid": 7177,
		"class": "lan6",
		"assigned": {

		}
	}
],
...

Yes, try to use 2003:f6:1234:7fff::/64 in the tunnel.
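The reasoning in the last few posts (the tunnel must use its own /64 taken from the /62 the ISP router delegated, not the /64 that is already on-link on br-lan) can be checked mechanically. The following is an added example, not code from the thread or from OpenWrt; it uses Python's standard `ipaddress` module and the prefixes posted above (the br-lan /64 from `ip addr show` and the /62 from `ifstatus lan6`) as constructed constants, and it shows why the first attempt, 2003:f6:1234:7f00:abc::/64, collapses onto the LAN prefix.

```python
import ipaddress

# Constructed from the values posted in the thread: the /64 the ISP router
# uses on its own LAN (seen on br-lan) and the /62 it delegated via DHCPv6-PD.
LAN_ONLINK = ipaddress.IPv6Network("2003:f6:1234:7f00::/64")
DELEGATED = ipaddress.IPv6Network("2003:f6:1234:7ffc::/62")


def free_tunnel_64s(delegated, in_use):
    """Return the /64s inside `delegated` that overlap none of `in_use`.

    A routed tunnel needs a /64 of its own: if tun0 shares the on-link /64
    of br-lan, the upstream router tries to reach tunnel clients with
    neighbour discovery on the LAN segment instead of routing via OpenWrt.
    """
    return [
        net
        for net in delegated.subnets(new_prefix=64)
        if not any(net.overlaps(used) for used in in_use)
    ]


def check_tunnel_prefix(candidate, delegated, in_use):
    """Explain why a candidate server-ipv6 prefix will or will not route.

    Returns an empty list when the prefix is usable, otherwise one line per
    problem found.
    """
    # strict=False drops host bits the same way the thread's first attempt
    # did: 2003:f6:1234:7f00:abc::/64 is really the network 2003:f6:1234:7f00::/64.
    net = ipaddress.IPv6Network(candidate, strict=False)
    problems = []
    if net.prefixlen != 64:
        problems.append(f"{net} is a /{net.prefixlen}; server-ipv6 expects a /64")
    for used in in_use:
        if net.overlaps(used):
            problems.append(f"{net} overlaps {used}, which is already on-link")
    if not net.subnet_of(delegated):
        problems.append(
            f"{net} is outside the delegated {delegated}; upstream will not route it"
        )
    return problems


if __name__ == "__main__":
    print("free /64s:", [str(n) for n in free_tunnel_64s(DELEGATED, [LAN_ONLINK])])
    for cand in ("2003:f6:1234:7f00:abc::/64", "2003:f6:1234:7fff::/64"):
        print(cand, "->", check_tunnel_prefix(cand, DELEGATED, [LAN_ONLINK]) or "ok")
```

The first candidate fails twice: it overlaps the br-lan /64 and it is not inside the /62 the ISP router actually delegated, so even if forwarding were open the return traffic would never be routed to OpenWrt. Any of the four /64s carved from the /62 works; the thread picks the last one, 2003:f6:1234:7fff::/64.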

OK, the client now has:

19: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none 
    inet 10.11.0.6 peer 10.11.0.5/32 scope global noprefixroute tun0
       valid_lft forever preferred_lft forever
    inet6 2003:f6:1234:7fff::1000/64 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::2a95:d794:ae69:9b12/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

Unfortunately, still no success.

Is there a default route? Can you ping the OpenWrt OVPN interface?

This is the interface on the OpenWrt router:

9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 500
    link/[65534] 
    inet 10.11.0.1 peer 10.11.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 2003:f6:1234:7fff::1/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::7fe:9064:6b4a:aac1/64 scope link flags 800 
       valid_lft forever preferred_lft forever

Ping from the connected OpenVPN client and the routing table on the client:

ping 2003:f6:1234:7fff::1
PING 2003:f6:1234:7fff::1(2003:f6:1234:7fff::1) 56 data bytes
64 bytes from 2003:f6:1234:7fff::1: icmp_seq=1 ttl=64 time=17.5 ms
64 bytes from 2003:f6:1234:7fff::1: icmp_seq=2 ttl=64 time=47.6 ms
64 bytes from 2003:f6:1234:7fff::1: icmp_seq=3 ttl=64 time=13.8 ms

Kernel IPv6 routing table
Destination                    Next Hop                   Flag Met Ref  Use If
::1/128                        ::                         U    256 2      0 lo
::/3                           2003:f6:1234:7fff::1       UG   50  1      0 tun0
2003:f6:1234:7fff::/64         ::                         U    50  3      0 tun0
2000::/4                       2003:f6:1234:7fff::1       UG   50  9      0 tun0
3000::/4                       2003:f6:1234:7fff::1       UG   50  1      0 tun0
2000::/3                       2003:f6:1234:7fff::1       UG   50  1      0 tun0
fc00::/7                       2003:f6:1234:7fff::1       UG   50  1      0 tun0
fe80::/64                      ::                         U    256 2      0 tun0
fe80::/64                      ::                         U    1024 1      0 wlp2s0
::/0                           ::                         U    50  1      0 tun0
::1/128                        ::                         Un   0   7      0 lo
2003:f6:1234:7fff::1000/128    ::                         Un   0   4      0 tun0
fe80::4b1b:93b8:d63d:5ee3/128  ::                         Un   0   2      0 tun0
fe80::c3e4:970e:5f9c:e916/128  ::                         Un   0   3      0 wlp2s0
ff00::/8                       ::                         U    256 5      0 wlp2s0
ff00::/8                       ::                         U    256 1      0 tun0
::/0                           ::                         !n   -1  1      0 lo

This is the IPv6 routing table. Ping works

Ping to the ISP router?
Also:

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru

Sorry, it was the ping to the OpenWrt router.
Ping to the ISP router is unsuccessful.

{
	"kernel": "5.10.146",
	"hostname": "wohnzimmer_switch",
	"system": "Qualcomm Atheros QCA9558 ver 1 rev 0",
	"model": "TP-Link Archer C7 v2",
	"board_name": "tplink,archer-c7-v2",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.2",
		"revision": "r19803-9a599fee93",
		"target": "ath79/generic",
		"description": "OpenWrt 22.03.2 r19803-9a599fee93"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd1b:cc66:634b::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.72.2'
	option netmask '255.255.255.0'
	option gateway '192.168.72.1'

config interface 'lan6'
	option device '@lan'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 1 2 3 4 5 6t'

config interface 'vpn0'
	option proto 'none'
	option auto '1'
	option device 'tun0'

package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'DROP'
	option syn_flood '1'
	option drop_invalid '1'

config rule
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'tcp udp'
	option src '*'
	option dest_port '443'
	option name 'Allow Forwarded VPN Request -> <device>'

config rule
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'tcp udp'
	option src '*'
	option src_ip '10.11.0.0/28'
	option dest_ip '192.168.72.0/24'
	option name 'Allow VPN0 -> LAN'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option family 'ipv4'
	option src '*'
	option src_ip '10.11.0.0/28'
	option dest '*'
	option dest_ip '192.168.72.0/24'
	option name 'Allow Forwarded VPN0 -> LAN'

config rule
	option target 'ACCEPT'
	option proto 'icmp'
	list icmp_type 'echo-request'
	option src '*'
	option src_ip '10.11.0.0/28'
	option dest 'lan'
	option name 'Allow VPN0 (ICMP 8) -> <device> '

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	list network 'lan'
	list network 'lan6'
	list network 'vpn0'

head: /etc/firewall.user: No such file or directory
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::16cc:20ff:fe47:2526/64 scope link 
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2003:f6:1234:7f00:16cc:20ff:fe47:2526/128 scope global dynamic noprefixroute 
       valid_lft 6250sec preferred_lft 2650sec
    inet6 fe80::16cc:20ff:fe47:2526/64 scope link 
       valid_lft forever preferred_lft forever
9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 500
    inet6 2003:f6:1234:7fff::1/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::7fe:9064:6b4a:aac1/64 scope link flags 800 
       valid_lft forever preferred_lft forever
default from 2003:f6:1234:7f00:16cc:20ff:fe47:2526 via fe80::464e:6dff:fe55:382 dev br-lan  metric 512 
default from 2003:f6:1234:7ffc::/62 via fe80::464e:6dff:fe55:382 dev br-lan  metric 512 
2003:f6:1234:7f00::/56 from 2003:f6:1234:7f00:16cc:20ff:fe47:2526 via fe80::464e:6dff:fe55:382 dev br-lan  metric 512 
2003:f6:1234:7f00::/56 from 2003:f6:1234:7ffc::/62 via fe80::464e:6dff:fe55:382 dev br-lan  metric 512 
2003:f6:1234:7f00::/64 dev br-lan  metric 256 
2003:f6:1234:7fff::/64 dev tun0  metric 256 
unreachable 2003:f6:1234:7ffc::/62 dev lo  metric 2147483647 
unreachable fd1b:cc66:634b::/48 dev lo  metric 2147483647 
fe80::/64 dev eth1  metric 256 
fe80::/64 dev br-lan  metric 256 
fe80::/64 dev tun0  metric 256 
local ::1 dev lo table local  metric 0 
local 2003:f6:1234:7f00:16cc:20ff:fe47:2526 dev br-lan table local  metric 0 
anycast 2003:f6:1234:7fff:: dev tun0 table local  metric 0 
local 2003:f6:1234:7fff::1 dev tun0 table local  metric 0 
anycast fe80:: dev eth1 table local  metric 0 
anycast fe80:: dev br-lan table local  metric 0 
anycast fe80:: dev tun0 table local  metric 0 
local fe80::7fe:9064:6b4a:aac1 dev tun0 table local  metric 0 
local fe80::16cc:20ff:fe47:2526 dev eth1 table local  metric 0 
local fe80::16cc:20ff:fe47:2526 dev br-lan table local  metric 0 
multicast ff00::/8 dev eth1 table local  metric 256 
multicast ff00::/8 dev br-lan table local  metric 256 
multicast ff00::/8 dev tun0 table local  metric 256 
0:	from all lookup local 
32766:	from all lookup main 

Change it to ACCEPT. Or add allow rules for IPv6 too.
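The posted firewall makes the failure easy to miss: every rule carries `option family 'ipv4'`, vpn0 was moved into the lan zone, and that zone's `forward` is DROP, so IPv6 from the tunnel towards the ISP router falls through to the intra-zone policy with no rule ever matching. The following added example (not code from the thread or from OpenWrt's own firewall) models that evaluation order in Python to show both fixes trendy suggests: opening the zone's forward policy, or adding a narrower IPv6 rule. The model is an assumption of mine, deliberately simplified: explicit rules first, then the zone `forward` policy for traffic between networks of one zone, then a `config forwarding` section for inter-zone traffic, then the global `defaults forward`. Zone and rule contents are constructed from the thread's final `uci export firewall`.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    """One 'config rule' section, reduced to the fields that matter here."""
    target: str
    family: str = "any"            # UCI default: rule applies to both families
    src: str = "*"                 # source zone, or '*' for any
    dest: Optional[str] = None     # destination zone; None = input rule, not forwarding
    src_ip: Optional[str] = None
    dest_ip: Optional[str] = None


@dataclass
class Zone:
    name: str
    forward: str                   # policy for traffic between networks inside the zone
    networks: list = field(default_factory=list)


@dataclass
class Firewall:
    zones: dict                    # zone name -> Zone
    rules: list
    forwardings: set               # (src_zone, dest_zone) pairs from 'config forwarding'
    default_forward: str = "DROP"  # 'config defaults' option forward

    def zone_of(self, network):
        for zone in self.zones.values():
            if network in zone.networks:
                return zone.name
        raise KeyError(f"{network} is not in any zone")

    def forward_verdict(self, in_net, out_net, src, dst):
        """Verdict and the reason for a packet forwarded from in_net to out_net."""
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        family = f"ipv{src_ip.version}"
        in_zone, out_zone = self.zone_of(in_net), self.zone_of(out_net)

        # 1. Explicit rules, in order; the first match decides.
        for rule in self.rules:
            if rule.dest is None:                       # input rule, not forward
                continue
            if rule.family not in ("any", family):      # the 'family ipv4' trap
                continue
            if rule.src not in ("*", in_zone) or rule.dest not in ("*", out_zone):
                continue
            if rule.src_ip and src_ip not in ipaddress.ip_network(rule.src_ip):
                continue
            if rule.dest_ip and dst_ip not in ipaddress.ip_network(rule.dest_ip):
                continue
            return rule.target, f"matched rule {rule}"

        # 2. Between two networks of the same zone: the zone's forward policy.
        if in_zone == out_zone:
            return self.zones[in_zone].forward, f"zone '{in_zone}' forward policy"

        # 3. Between zones: an explicit forwarding section accepts ...
        if (in_zone, out_zone) in self.forwardings:
            return "ACCEPT", f"forwarding {in_zone} -> {out_zone}"

        # 4. ... otherwise the global default applies.
        return self.default_forward, "defaults forward"


def thread_firewall(lan_forward="DROP", extra_rules=()):
    """The poster's final layout: lan, lan6 and vpn0 all in the lan zone."""
    rules = [
        Rule("ACCEPT", family="ipv4", src="*", dest="*",
             src_ip="10.11.0.0/28", dest_ip="192.168.72.0/24"),
        *extra_rules,
    ]
    return Firewall(
        zones={"lan": Zone("lan", lan_forward, ["lan", "lan6", "vpn0"])},
        rules=rules, forwardings=set(), default_forward="DROP",
    )


# The narrower alternative to 'forward ACCEPT': only the tunnel prefix may leave.
V6_TUNNEL_RULE = Rule("ACCEPT", family="ipv6", src="lan", dest="lan",
                      src_ip="2003:f6:1234:7fff::/64")

if __name__ == "__main__":
    v6 = ("vpn0", "lan6", "2003:f6:1234:7fff::1000", "2a00:1450:4001:80f::2003")
    print("IPv4 client -> LAN:", thread_firewall().forward_verdict(
        "vpn0", "lan", "10.11.0.6", "192.168.72.1"))
    print("IPv6, as posted:   ", thread_firewall().forward_verdict(*v6))
    print("IPv6, forward ACCEPT:", thread_firewall("ACCEPT").forward_verdict(*v6))
    print("IPv6, tunnel rule:   ", thread_firewall(extra_rules=[V6_TUNNEL_RULE]).forward_verdict(*v6))
```

Two details worth noticing while reading the result. The rule list reproduces the 100% IPv6 loss seen on the client: the only forward rule is IPv4-only, so the verdict comes from the zone policy. And the IPv4 rule uses 10.11.0.0/28 while `server 10.11.0.0 255.255.255.0` hands out a /24, so only clients in the first sixteen addresses match it; a fourth or later client would hit the same DROP as the IPv6 traffic did.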

And finally it works! Thank you so much!
