Understanding IPv6 and OpenVPN Client on Merlin

[archiel]

I have noted below what I think I understand (which is almost certainly wrong) in the hope of understanding how other users manage their use of external VPN services.

• External VPN providers are split between those who have servers that fully support IPv6 tunnelling, those that send IPv6 traffic into a virtual black hole and those who do nothing.
• OpenVPN has the capability to support IPv6 tunnels.
• Currently Asuswrt-Merlin does not support sending IPv6 traffic though an OpenVPN tunnel.
• In order to prevent IPv6 leaking when using an external VPN the options are

1. Install and use the VPN provider's own software (if available) onto the device(s) using the tunnel and leave IPv6 enabled on the router
2. Disable IPv6 on the device(s) using the tunnel and leave IPv6 enabled on the router
3. Disable IPv6 on the router

As I understand it any other choice will result in some level of IPv6 leak. Is this correct and what choices do other users make when they have native IPv6.

If the above is correct what are the issues involved in adding IPv6 tunnelling as an option (e.g. the ability of the router hardware to manage this, the extent of the changes needed not just to the IPv6 client but more generally, which may break other parts of the firmware, etc) and what would be needed for Asuswrt-Merlin to support IPv6 tunnelling to be added.

 

[RMerlin]

If the above is correct what are the issues involved in adding IPv6 tunnelling as an option

The amount of work and the complexity of such an undertaking, plus the fact that my ISP won't support IPv6 for many years, making it impossible to properly test.

 

[archiel]

Living in the UK, IPv6 is more the norm than the exception. I use an external VPN for some devices on the network and route device traffic through the VPN server when travelling. Given the risk of leakage if both client and server cannot support IPv6 tunnels, I either need to disable IPv6 on my router at and my devices when out, or work out how to manage this.

I am new to this and suspect it will be a very long process, but I presume the steps are
Learn how OpenVPN works
Learn how to modify OpenVPN to accommodate IPv6 (Server and Client)
Learn how OpenVPN integrates with the rest of Asuswrt-Merlin
Learn how to compile the firmware for testing - I have an old AC87U I can use for this.

Can anyone let me know if this would be the right approach / suggest anything else I need to consider.

 

[intr0]

As stated in the explicit instructions given by ProtonVPN, do not use IPv6 when using a VPN service that only supports IPv4. Supporting IPv6 in such a way that prevents IPv6 DNS leaks is apparently a more complex task than supporting only IPv4. This is why ProtonVPN to this day has not yet implemented support for IPv6 and instructs users to disable IPv6 directly within the router itself when using ProtonVPN. They have instructions for various WRT based routers including AsusWRT. I'm not able to give a personal view / tell my experience with using it with my router, however, either on stock Asus or on AsusWRT-Merlin, I believe it's due to the fact that my router - the TT-AX58U just can't handle the processing power involved in maintaining the level of encryption required / built into Proton's OpenVPN configuration files, especially their SecureCore configs. It's a shame (and reason to upgrade my router when I can afford to) that I'm unable to as they've got P2P specific and Netflix / streaming specific tunnels available for their paid plans (ProtonVPN Plus servers for Plus & Pro subscribers and I believe others for Visionary plans). Their instructions for anyone who wants to use their free servers on an RT-AX88U are @ https://protonvpn.com/support/protonvpn-asuswrt-router-vpn-setup/ and their explanation about IPv6 @ https://protonvpn.com/support/prevent-ipv6-vpn-leaks/ . As it's not a Proton-specific issue (IPv6 leakage) despite some providers implementations that use IPv6 but have DNS leak issues, both links should be helpful to @archiel as well as random guest visitors and members alike.

 

[siena]

check out airvpn.org they have a configuration that can utilize both ipv4 and 6, together or separately and exit to ipv4 or ipv6
if you will tunnel all connections there is no leak, but if you will selectively add connections outside of the tunnel, there is no way to manually add IPv6 to the vpn like the IPv4 192.168.1.0/24 as the entry cell does not accept : which is part of the IPv6 address.