IPv6 through IPv4 openVPN tunnel

JimbobJay

Regular Contributor
My AC87U with merlin 380.65 firmware is running an openvpn 2.4 server at home, and has native IPv6 support from my ISP. I am trying to enable access to IPv6 when I am away from home through the IPv4 vpn tunnel. I have tried following the instructions here https://community.openvpn.net/openvpn/wiki/IPv6 as well as here https://www.snbforums.com/threads/openvpn-ipv6-support.22879/ and here https://www.snbforums.com/threads/tunneling-ipv6-over-ipv4-with-openvpn.25497/ as well as numerous other places, and have made a lot of progress, and it seems to be within touching distance of getting this 100% operational.

I have the following entries in my openvpn server.conf
Code:
server-ipv6 my:ipv6:address:fromISP:80::/64
push "route-ipv6 my:ipV6:address:fromISP::/56"
push "route-ipv6 2000::/3"
push "redirect-gateway ipv6"

as well as
Code:
ip6tables -A INPUT -i tun21 -j ACCEPT
ip6tables -A FORWARD -i tun21 -j ACCEPT
in the firewall-start script in /jffs/scripts

When I fire up the vpn on the client, I am successfully routing ipv6 through the tunnel. I can ping6 both the IPv6 address of the router, as well as other IPv6 clients on the LAN, and even the outside IPv6 world, with ipv6.google.com and other addresses returning all my ping requests (these ping6 requests fail when the VPN is not initiated). However, I just cannot for the life of me get access to IPv6 websites, and both http://ipv6test.google.com and http://ipv6-test.com report that IPv6 connectivity is not supported on the client (which seems strange to me given that I can get ping replies from IPv6 addresses on the web).

Any help would be appreciated. I've followed so many different instructions from so many different sources, but I have a feeling it has something to do with either the routing or the firewall on the router, hence my question here. Having gotten it seemingly working more or less, I'm hoping it's just something stupidly simple that I've overlooked. Hope to hear back from someone :)
 
Sorry to say that ASUSWRT does not support IPv6 within the VPN. It supports IPv6 native connection but not in the tunnel but then I could be wrong. Do an ifconfig and see if you have IPv6 on your tun and ? Based on normal IPv6 implementation, you are missing a DNS6 push from the server to client and probably why you can ping by address and not by url. Did you enable IPv6 on your br0 interface?

I did my own tests as IPv6 client and it is impossible to make it work with Asus. I remember that Merlin stated that IPv6 will not work in VPN mode because the base firmware does not support it.
 
Thanks for your reply. That's a shame to hear though. Would be interested to see if Merlin can confirm this is the case? I'm surprised though, because it definitely seems as though, with my current config, some form of ipv6 is being routed through the tunnel.

I had forgotten about DNS6, so will give that a go later when I get a chance and report back. If that doesn't work though, then it would seem that you are indeed right in that it's not supported, which would be a shame. Hope ASUS push a fix for this in future firmware.
 
It supports IPv6 native connection but not in the tunnel but then I could be wrong.
Just two quick follow up questions. Firstly, would my client, wherever it was, need an ipv6 connection to the internet to enable a tunnel to the server via native ipv6? And secondly, if I hypothetically got that to work, would that by extension mean that ipv6 is naturally forwarded within the tunnel as a result, i.e. I could then access ipv6 internet through the tunnel? (Of course, that would be rather moot if the answer to question 1 is that I would need an ipv6 connection on the client in the first place, as that's the only reason I'm trying to get ipv6 through the tunnel in the first place - where I'm spending most of the time doesn't have it, but my router at home does.)
 
Would be interested to see if Merlin can confirm this is the case?

That's correct, even tho some people seem to get overly emotional about that.

Proper IPv6 support for OpenVPN would require a lot of work. Everything on the webui would need to be updated to support IPv4 and IPv6. The firewall would need updating. And things might get tricky on older models still running kernel 2.6.22, as I'm not sure if the kernel fully supports IPv6 at the tun/tap level.

You might be able to make it work by manually configuring everything, but I cannot guarantee that it will work reliably, as some of your configuration might get overwritten by the firmware.
 
My professional advice to all asus users that have their IPv6 native enabled and OpenVPN client active, please disable IPv6 native on the WAN port immediately as you will be leaking IPv6 traffic thru your normal IPv6 WAN connection as the router is not able to route IPv6 traffic into your OpenVPN client. If you need to have full IPv6/IPv4 privacy and anonymity, do the connection to your VPN provider thru your desktop vpn client.
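
The leak condition described in the post above can be read off the IPv6 routing table. The script below is an added example, not part of the original thread or of the firmware: it classifies `ip -6 route show` output by whether the widest routes (default or `2000::/3`) sit on the tunnel or on another interface. The function name `check_ipv6_leak`, the interface names and the route tables (built on the `2001:db8::/32` documentation prefix) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): decide from `ip -6 route show` output
# whether global IPv6 traffic leaves through the VPN tunnel or around it.
# Usage on a live system: ip -6 route show | check_ipv6_leak tun11
check_ipv6_leak() {
    awk -v tun="$1" '
        BEGIN { tun_len = -1; wan_len = -1 }
        {
            # Only routes wide enough to carry all Internet traffic decide.
            if ($1 == "default" || $1 == "::/0") len = 0
            else if ($1 == "2000::/3") len = 3
            else next
            dev = ""
            for (i = 2; i < NF; i++) if ($i == "dev") dev = $(i + 1)
            if (dev == tun) { if (len > tun_len) tun_len = len }
            else if (len > wan_len) { wan_len = len; wan_dev = dev }
        }
        END {
            # Longest prefix wins, so 2000::/3 on the tunnel beats a WAN default.
            if (wan_len < 0 && tun_len < 0) print "no-ipv6-default"
            else if (wan_len < 0 || tun_len > wan_len) print "tunnelled"
            else if (tun_len == wan_len) print "ambiguous via " wan_dev
            else print "leak via " wan_dev
        }'
}

# Constructed sample: router with native IPv6 on WAN, VPN client tun11 IPv4-only.
sample_native_only() {
    cat <<'EOF'
2001:db8:1:100::/64 dev br0 proto kernel metric 256
fe80::/64 dev eth0 proto kernel metric 256
default via fe80::1 dev eth0 metric 1024
EOF
}

# Constructed sample: client that received push "route-ipv6 2000::/3" on tun0.
sample_pushed_route() {
    cat <<'EOF'
2001:db8:1:80::/64 dev tun0 proto kernel metric 256
2000::/3 via 2001:db8:1:80::1 dev tun0 metric 1024
default via fe80::1 dev wlan0 metric 1024
EOF
}

echo "native only : $(sample_native_only | check_ipv6_leak tun11)"
echo "pushed route: $(sample_pushed_route | check_ipv6_leak tun0)"
```

This reads only the routing table it is given; where VPN traffic is steered by policy rules (`ip -6 rule`), each referenced table needs the same check.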
 
Here I have ipv6 working through the Openvpn tunnel without any problems. Almost same config. Only on Merlin 380.64 (openvpn 2.3):

tun-ipv6
server-ipv6 2a02:a44e:xxxx:2::/64
push "route-ipv6 2000::/3"

And check if the tun interface is included in dnsmasq.conf:

admin@RT-AC68U-3570:/tmp/home/root# cat /jffs/configs/dnsmasq.conf
pid-file=/var/run/dnsmasq.pid
user=nobody
bind-dynamic
interface=br0
interface=tun21
....
