LAN and Guest networks. As you noted, the tunnel has an IP assigned from HE.
It appears my IPV6 DNS requests now use a privacy address on every interface with a random suffix applied (haven't tested disabling binding to the HE tunnel IP).
Setting a string enables them. You enabled temporary addresses.
You will have I/O errors in the log for any interfaces that doesn't have IPv6 enabled. Not sure how you know a secret is set if you don't have an IP.
Did you set on your interface:
option ip6assign '64'
option ip6ifaceid 'random'
option ip6class '<henet_interface_name> local'
- Do you have a /48 issued from HE?