OpenWRT doesn't forward IPv6 internet data through OpenVPN.
I'm working on directing IPv6 internet traffic from all devices linked to your OpenWRT router using OpenVPN. The same VPN connection handles both IPv4 and IPv6 traffic when devices connect via local client apps. Your server supports an IPv6 DNS server, and every DNS request goes through the VPN to reach the server. The router maintains a functional IPv6 VPN connection. I can ping IPv6 addresses like ipv6.google.com, but devices on the network can't. They can resolve IPv6 addresses but can't ping them. When using OpenVPN, they have proper IPv6 connectivity. This suggests either the router's DHCP settings for IPv6 are incorrect or default routes aren't set up correctly. Any suggestions?
ISPs offer various methods for adding IPv6 support. You may need to visit their site to discover the correct configuration. For example, with Comcast, there was a specific webpage detailing the necessary settings, which guided me in configuring IPv6 on my router.
Remember that DHCP details come from your ISP. When connected via a VPN, your ISP's network helps establish the link. A secure tunnel forms between your device and a server on their network, using your ISP's IP address. Your router’s DHCPv6 settings will fetch information from your ISP. If it can’t provide an address, that’s likely not the problem. It seems the parts that don’t respond might be intentionally configured to ignore such requests.
I understand the situation you're describing. Everything functions properly on the router, with a valid IPv6 internet connection through OVPN. When I SSH into the router, it provides a working IPv6 connection just like connecting via the Windows client's VPN. The router can share an OpenVPN connection using IPv4, but not IPv6. Both IPv4 and IPv6 DHCP settings are set to default, and devices receive IP addresses in both formats, with IPv6 connectivity between them operating smoothly. I'm confident this is because of the IPv6 routing configuration not being active.
Hello, I encountered similar difficulties in locating the precise answer. While searching for assistance, I finally revisited the subject after several attempts. This solution applies specifically to OpenWrt version 22.03, which could be helpful for those reading. NOTE: This method is valid only for 22.03; it didn’t work on earlier releases (I tested 21.02 and IPv6 masquerading failed).
First, when the OpenVPN clients use IPv6 addresses that aren’t genuine Internet addresses (like my subnet fd42:feed:feed:feed::/64), you need to set up IPv6 NAT and masquerading for both IPv4 and IPv6. Key settings from my /etc/config/firewall file:
- LAN zone: enable 'lan' with masq_src and masq options as specified.
- WAN zone: set masq_src to the correct subnet and masq6 to '1'.
- VPN zone: accept input, output, forwarding, and network rules accordingly.
Understanding the masquerading purpose is important—it lets routers see packets as coming from the source IP seen by the client. In OpenWrt, this must be configured on the outgoing side. By default, WAN settings for IPv4 work well (e.g., reaching Google servers), but they’re usually unnecessary for IPv6 since ISPs provide broad ranges.
For my case, I enabled masquerading only for the OpenVPN range, similar to how it functions for IPv4. When connecting LAN devices as VPN clients (such as from fd42:feed:feed:feed::/64), they should appear to the router as originating from its own IP.
To set this up, install the necessary packages with `opkg update && opkg install kmod-ipt-nat6`. Then add a static IPv6 route for packets coming from that subnet in the network configuration. You can verify routing status via WebUI or commands like `ip -f inet6 route`.
If you send traffic to an IPv6 destination, you’ll get a "no route" message. Creating a manual route ensures OpenWrt recognizes the source correctly. This approach works for my setup but may not apply if your clients use different IPv6 ranges.
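The condition described in the post above (clients sourced from a unique-local range such as fd42:feed:feed:feed::/64 leaving through a zone without IPv6 masquerading) can be checked mechanically. The following is an added example, not the poster's configuration or OpenWrt project code; the sample config text, the function names and the choice of egress zones are assumptions made for illustration.

```python
import ipaddress
import shlex

# Constructed sample in /etc/config/firewall (UCI) syntax, not the poster's file.
SAMPLE_FIREWALL = """
config zone
    option name 'lan'
    list network 'lan'

config zone
    option name 'wan'
    list network 'wan'
    option masq '1'

config zone
    option name 'vpn'
    list network 'vpn'
    option masq '1'
    option masq6 '1'
"""

ULA = ipaddress.ip_network("fc00::/7")  # unique local addresses, e.g. fd42:...

def parse_zones(text):
    """Return one dict per 'config zone' section; 'list' values accumulate."""
    zones, cur = [], None
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True)
        if not tok:
            continue
        if tok[0] == "config":
            cur = {} if tok[1:2] == ["zone"] else None
            if cur is not None:
                zones.append(cur)
        elif cur is not None and len(tok) >= 3 and tok[0] == "list":
            cur.setdefault(tok[1], []).append(tok[2])
        elif cur is not None and len(tok) >= 3 and tok[0] == "option":
            cur[tok[1]] = tok[2]
    return zones

def zones_missing_nat66(text, client_prefix, egress_zones):
    """Egress zones that would forward a ULA source prefix untranslated."""
    net = ipaddress.ip_network(client_prefix)
    if net.version != 6 or not net.subnet_of(ULA):
        return []  # not a ULA source, so this check does not apply
    return [z["name"] for z in parse_zones(text)
            if z.get("name") in egress_zones and z.get("masq6") != "1"]
```

Run it against the text of `/etc/config/firewall` with the LAN or VPN client prefix and the zone names traffic leaves through; any zone it returns still has `masq6` unset.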