Using OpenVPN with ipv6

Hey Everyone,

I am new to this alternative OS for my router, and this is almost TOO much freedom. lol

I am having some trouble with OpenVPN and OpenWrt. I was able to install OpenVPN and some supporting packages. I was also able to get the router to run the .ovpn files from ExpressVPN.

Here are the 2 issues I am having, and I think they are linked.

  1. I can't seem to get the router to run IPv6 through the VPN. I was thinking of maybe just shutting off IPv6, but I am not sure how; also, I would only be hiding the problem.

  2. When I was able to connect using just IPv4, I had a DNS leak. Once again, I'm pretty sure that's because of the IPv6 not being routed through the VPN.

Consider switching to a VPN provider that offers IPv6; ExpressVPN apparently doesn't: https://www.expressvpn.com/blog/disable-ipv6-for-better-vpn-protection/

Also, if you're switching, consider one that uses WireGuard, which is much faster and has a much smaller configuration / attack surface.


Disable peer DNS to fix DNS leak:
https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#upstream_dns_provider

Disable ISP prefix delegation to avoid IPv6 leak:

uci set network.lan.ip6class="local"
uci commit network
/etc/init.d/network restart

And set up NAT6:
https://openwrt.org/docs/guide-user/network/ipv6/ipv6.nat6

Thanks for the advice!

I did those changes, and it seemed to completely block my access to the internet. All the local traffic was fine.

I had to reset the router back to factory defaults.


If the problem persists, establish the VPN connection, collect the diagnostics and post it to pastebin.com redacting the private parts:

uci show network; uci show firewall; uci show dhcp; \
head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*; \
ip address show; ip route show table all; \
ip rule show; ip -6 rule show; iptables-save; ip6tables-save
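As an added example (not part of the thread or from any poster), here is an offline check over two of the diagnostics listed above, the IPv6 routing table and the per-interface resolver file: it reports whether the IPv6 default route and the resolvers learned from wan6 still go out the WAN instead of the tunnel. The sample inputs are constructed; "tun0" as the OpenVPN device and the netifd resolv.conf.auto layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Parses constructed copies of
# `ip -6 route show` and /tmp/resolv.conf.d/resolv.conf.auto (assumed path)
# and reports IPv6 / DNS traffic that would bypass the VPN device.

# Constructed `ip -6 route show`: the default route is still via eth0 (the WAN);
# only a link-local route points at tun0, so IPv6 bypasses the tunnel.
SAMPLE_ROUTES6='default from 2001:db8:1::/64 via fe80::1 dev eth0 proto static metric 512
2001:db8:1::/64 dev eth0 proto static metric 256
fe80::/64 dev tun0 proto kernel metric 256'

# Constructed resolv.conf.auto in the format netifd writes: resolvers per interface.
SAMPLE_RESOLV='# Interface wan
nameserver 1.1.1.1
# Interface wan6
nameserver 2001:db8:ffff::53'

# Print the interface carrying the IPv6 default route, or "none" if absent.
ipv6_default_dev() {
    dev=$(printf '%s\n' "$1" | awk '$1 == "default" {
        for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }')
    printf '%s\n' "${dev:-none}"
}

# Print the resolvers learned from interface $2 (the "peer DNS" the thread disables).
peer_dns_servers() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^# Interface / { cur = $3; next }
        $1 == "nameserver" && cur == want { print $2 }'
}

# Print findings for VPN device $3; return 1 if anything leaks, 0 otherwise.
# Resolvers learned from wan6 are only flagged when the IPv6 default route
# does not go through the VPN device (otherwise they are reached via the tunnel).
leak_report() {
    leaks=0
    dev=$(ipv6_default_dev "$1")
    if [ "$dev" != "$3" ] && [ "$dev" != "none" ]; then
        echo "IPv6 default route uses $dev, not $3: IPv6 traffic bypasses the VPN"
        leaks=1
        for ns in $(peer_dns_servers "$2" wan6); do
            echo "resolver $ns learned from wan6 is queried over $dev, outside the VPN"
        done
    fi
    return $leaks
}

if leak_report "$SAMPLE_ROUTES6" "$SAMPLE_RESOLV" tun0; then
    echo "no IPv6 or DNS leak found around tun0"
fi
```

On a live router, replace the two samples with the output of `ip -6 route show` and the contents of the resolver file from the diagnostics above.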

I use ExpressVPN and disable peer DNS on wan as @vgaetera suggests, but leave it enabled on wan6 and there's no DNS leak (disabling it on wan6 did cause a DNS leak).

Awesome, but what about things connected via Ethernet? Will those be behind the VPN?

When I disabled the IPv6 the way it was suggested above, it stopped me from going online.

Yes, wired will be on the VPN. Just to be a little more specific, the only change I made was to disable peer DNS on wan (entered Cloudflare DNS, but I'm sure any would work); I kept peer DNS enabled on wan6 and left lan at defaults, and I don't have a DNS leak.

edit - there is no IPv6 connectivity when running through the VPN; ExpressVPN doesn't use it, as @dlakelan mentioned.