VPN Hides IPv4 but Not IPv6 & Router Restart Loops Issue

Hello,

I’m experiencing an issue with my VPN setup on OpenWRT using AirVPN. My VPN is hiding my IPv4 traffic as expected, but it’s not routing my IPv6 traffic through the VPN. Instead, my IPv6 traffic is exposed, and I would like to resolve this.

Additionally, after I apply my VPN settings, the router enters a restart loop. I suspect this may be related to the configuration changes, but I’m not sure what’s causing the issue.

Here are the key details:

  • I’m using AirVPN as the VPN provider, and I have set up separate interfaces for both IPv4 (VPN-IP4) and IPv6 (VPN-IP6).
  • My ISP requires an additional wan.10 interface, and I’ve configured it accordingly.
  • Only IPv4 traffic is routed through the VPN, while IPv6 traffic bypasses it.
  • After applying the changes, my router enters a restart loop.

I’ve tried the following commands:

# Variables for IPv4 VPN interface
VPN_IP4_IF="VPN-IP4"
VPN_KEY="your_private_key"
WG_PUB="your_public_key"
WG_PSK="your_preshared_key"
WG_SERV="your_vpn_server"
WG_PORT="1637"
VPN_IP4_ADDR="10.147.205.235/32"

# Variables for IPv6 VPN interface
VPN_IP6_IF="VPN-IP6"
VPN_IP6_ADDR="fd7d:76ee:e68f:a993:f8e1:79da:17ce:b958/128"

# Configure IPv4 VPN interface
uci set network.${VPN_IP4_IF}="interface"
uci set network.${VPN_IP4_IF}.proto="wireguard"
uci set network.${VPN_IP4_IF}.private_key="${VPN_KEY}"
uci add_list network.${VPN_IP4_IF}.addresses="${VPN_IP4_ADDR}"

# Configure IPv6 VPN interface
uci set network.${VPN_IP6_IF}="interface"
uci set network.${VPN_IP6_IF}.proto="wireguard"
uci set network.${VPN_IP6_IF}.private_key="${VPN_KEY}"
uci add_list network.${VPN_IP6_IF}.addresses="${VPN_IP6_ADDR}"

# Add IPv4 VPN peer configuration for VPN-IP4
uci -q delete network.wgserver
uci set network.wgserver="wireguard_${VPN_IP4_IF}"
uci set network.wgserver.public_key="${WG_PUB}"
uci set network.wgserver.preshared_key="${WG_PSK}"
uci set network.wgserver.endpoint_host="${WG_SERV}"
uci set network.wgserver.endpoint_port="${WG_PORT}"
uci set network.wgserver.persistent_keepalive="15"
uci set network.wgserver.route_allowed_ips="1"
uci add_list network.wgserver.allowed_ips="0.0.0.0/0"

# Add IPv6 VPN peer configuration for VPN-IP6
uci -q delete network.wgserver6
uci set network.wgserver6="wireguard_${VPN_IP6_IF}"
uci set network.wgserver6.public_key="${WG_PUB}"
uci set network.wgserver6.preshared_key="${WG_PSK}"
uci set network.wgserver6.endpoint_host="${WG_SERV}"
uci set network.wgserver6.endpoint_port="${WG_PORT}"
uci set network.wgserver6.persistent_keepalive="15"
uci set network.wgserver6.route_allowed_ips="1"
uci add_list network.wgserver6.allowed_ips="::/0"

# Commit and restart network services
uci commit network
service network restart

What I need help with:

  1. How to ensure that both IPv4 and IPv6 traffic are routed through the VPN tunnel.
  2. Suggestions on why the router is restarting after the VPN settings are applied and how I can fix it.
  3. Any advice on the additional wan.10 interface required by my ISP and how it might interact with the VPN setup.

Thanks in advance for any help or advice!

Well that doesn't sound right. Once the tunnel is established (whether over IPv4 or v6) it can internally transport both IPv4 and v6 traffic. You don't need two tunnels. As a starting point you should probably check what instructions AirVPN provide for setting up a tunnel to their servers.

Indeed just one tunnel with:
On the Interface:

	list addresses 'IPv4 address/24'
	list addresses 'IPv6 address/64'

On the Peer:

	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'

Something like this?

VPN_IF="vpn"
VPN_SERV="213.152.176.140"
VPN_PORT="1637"
VPN_ADDR="**********************/32"
VPN_ADDR6="********************************/128"
VPN_KEY="your_private_key"
WG_PUB="your_public_key"
WG_PSK="your_preshared_key"

To review your settings it works best if you connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ip route show
wg show

Don't use a script. Edit /etc/config/network and add the v6 address and allowed_ips to the vpn interface directly. Since the VPN server is using a ULA local address you will need to NAT into it to reach the v6 Internet. That is done by setting masq6 on the vpn tunnel firewall zone.

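An added example, not part of any post in this thread: a shell check that reads `uci show network; uci show firewall` output and reports the three IPv6 gaps the replies point to (no IPv6 address on the tunnel interface, no `::/0` in a routed peer's allowed_ips, no masq6 on the firewall zone covering the tunnel). The interface name `vpn`, the section names and the addresses in the sample input are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Reads `uci show network; uci show firewall`
# output on stdin; $1 is the WireGuard interface name. Exit status 0 = no gap found.
audit_vpn6() {
    awk -v ifc="$1" -v q="'" '
    {
        eq = index($0, "="); if (!eq) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(q, "", val)                    # uci show wraps each value in quotes
        n = split(key, k, "[.]"); sec = k[1] "." k[2]; opt = k[3]
        padded = " " val " "                # lets index() match whole list items
    }
    n == 2 && val == ("wireguard_" ifc) { peer[sec] = 1 }
    n == 2 && val == "zone" { zone[sec] = 1 }
    n == 3 && sec == ("network." ifc) && opt == "addresses" && val ~ /:/ { addr6 = 1 }
    n == 3 && opt == "allowed_ips" && index(padded, " ::/0 ") { allow6[sec] = 1 }
    n == 3 && opt == "route_allowed_ips" && val == "1" { routed[sec] = 1 }
    n == 3 && opt == "network" && index(padded, " " ifc " ") { covers[sec] = 1 }
    n == 3 && opt == "masq6" && val == "1" { masq6[sec] = 1 }
    END {
        for (s in peer) if ((s in allow6) && (s in routed)) peer_ok = 1
        for (s in zone) if ((s in covers) && (s in masq6)) zone_ok = 1
        if (!addr6)   { print "GAP: " ifc " has no IPv6 address"; bad = 1 }
        if (!peer_ok) { print "GAP: no peer of " ifc " routes ::/0"; bad = 1 }
        if (!zone_ok) { print "GAP: no firewall zone covering " ifc " has masq6"; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample: one dual-stack tunnel as the replies describe it
# (placeholder addresses, keys and endpoint omitted).
SAMPLE_FIXED="network.vpn=interface
network.vpn.proto='wireguard'
network.vpn.addresses='10.0.0.2/32' 'fd00::2/128'
network.wgserver=wireguard_vpn
network.wgserver.route_allowed_ips='1'
network.wgserver.allowed_ips='0.0.0.0/0' '::/0'
firewall.@zone[2]=zone
firewall.@zone[2].name='vpn'
firewall.@zone[2].network='vpn'
firewall.@zone[2].masq='1'
firewall.@zone[2].masq6='1'"

# Constructed IPv4-only variant: same config with every IPv6 element stripped.
SAMPLE_V4ONLY=$(printf '%s\n' "$SAMPLE_FIXED" |
    sed -e "s| 'fd00::2/128'||" -e "s| '::/0'||" -e '/masq6/d')

printf '%s\n' "$SAMPLE_FIXED"  | audit_vpn6 vpn && echo "dual-stack sample: no gap"
printf '%s\n' "$SAMPLE_V4ONLY" | audit_vpn6 vpn || echo "v4-only sample: IPv6 bypasses the tunnel"
```

On the router, the same function can be fed live configuration with `{ uci show network; uci show firewall; } | audit_vpn6 vpn`, substituting the actual interface name.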