Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Tue Nov 23, 2021 18:15 Post subject: IPv6 over OpenVPN in an IPv4-only router?
My dd-wrt router (Linksys WRT1900ACSv2 on build 46816) is IPv4 only, as my config has too many VAPs, extra iptables rules, VPN clients and servers, etc. for me to have been tempted to experiment with providing IPv6 at the whole-router level. But AirVPN offers an option in its configuration generator to provide both IPv4 and IPv6 to the internet from their server but with underlying transport from client to server being strictly via IPv4.
I have my iPhone's WireGuard app set up to use such an AirVPN config file, and when I connect the phone to the internet via the router's non-VPNed VAP, it seems to work as advertised. I can browse to ipv6.google.com, for example.
Can I set up the router similarly so that ordinary IPv4 clients can get access to the IPv6 world (without running their own VPN clients like in that phone experiment)? The difference between a plain IPv4-only AirVPN router config and an IPv4/IPv6-over-IPv4 AirVPN router config turns out to be only that the latter includes two extra config lines,
push-peer-info
setenv UV_IPV6 yes
which of course is easy enough to provide in dd-wrt. It didn't take long, of course, to learn experimentally that this is not enough to allow me to browse to ipv6.google.com via (one of) the router's OpenVPN VAP(s). But the VPN log info seems to gain only two extra lines:
2021-11-23 11:48:23 us=38677 net_iface_up: set tun1 up
2021-11-23 11:48:23 us=38750 net_addr_v6_add: fde6:7a:7d20:19b6::10bb/64 dev tun
and the whole setup still works fine for IPv4 OpenVPN traffic as before. I haven't tweaked the OpenVPN MTU yet in this experiment but understand that I'll need to. (Down by 20?) From a linux box PBRed through OpenVPN a test ping fails:
$ ping ipv6.google.com
connect: Network is unreachable
(Same if I try pinging a numerical IPv6 address.)
I'm sharing my monumental IPv6 ignorance here, but I'm wondering whether getting from here to functional IPv6-over-OpenVPN might by some miracle be some small incremental tweak. Any idea?
Of course I have looked at the wiki re IPv6 and also IPv6 over a Hurricane Electric tunnel, but those wiki pages are oriented towards providing whole-router IPv6 capability, so that the router's client devices can connect to the router via IPv6, while I'm curious here only about providing IPv6 transport capability to ordinary IPv4 clients that are PBRed to OpenVPN. It may not even be a sensible question, and I'm certainly up for that answer if that's the reality. Every day is a school day! _________________ 2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
Joined: 16 Nov 2015 Posts: 6445 Location: UK, London, just across the river..
Posted: Tue Nov 23, 2021 19:05 Post subject:
I've had a similar question/idea back in the day, when I got on with Stubby, as it can use IPv4 DNS servers as well as resolving via IPv6 servers...
In general, if your ISP provides IPv6, then you should be OK to go...
But as you said, only IPv6 transport/use inside the VPN... as a VPN is a tunneling thing and all has a different layout, if your VPN provider supports IPv6, then transport/use should be OK, I guess... mine (PIA) doesn't,
or I haven't read their bulletin for a while... _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Wed Nov 24, 2021 10:09 Post subject: Re: IPv6 over OpenVPN in an IPv4-only router?
SurprisedItWorks wrote:
My dd-wrt router (Linksys WRT1900ACSv2 on build 46816) is IPv4 only, as my config has too many VAPs, extra iptables rules, VPN clients and servers, etc. for me to have been tempted to experiment with providing IPv6 at the whole-router level
Caveat emptor!
You can safely test this (famous last words) by taking a backup of the config. I would in fact, as well as the backup config, do nvram show > /tmp/nvram-settings.txt in case something is screwy with restoring the backup and disabling the IPv6 still causes issues (grab that file and whack it on the desktop).
Then enable IPv6 on the IPv6 tab, selecting the relevant options that apply to you.
Make a few tests, and if it screws up your setup you can restore the backup. Or, like I found out recently, you may have to reconfigure the router again by hand when the backup just doesn't work as it should have and you don't have any text version in human-readable format to make the setup faster.
Now I'm making an nvram show > backup to a text file, because it takes hours to get everything reconfigured without any references and from memory.
Disclaimer: If this burns your house down, all kittens in your neighborhood drown, and babies are killed in this process, remember I started with Caveat emptor. =)
Adding screenshot attach of IPv6 tab, because why not?
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Wed Nov 24, 2021 15:40 Post subject:
Thanks for the input, guys.
Pointless aside: I totally agree with @the-joker above about backups. For years and for five routers, I've backed up after EVERY change or simultaneous group of changes, and every backup is done from a script on my linux box that uses ssh/scp to both run the backup on the router and capture the output of nvram show. I probably have a thousand named (for the router) and numbered backup files accumulated by now. They double as a clumsy configuration-control system, because I also keep notes on the changes, and indeed, I have sometimes gone back and found a setting from a couple of years ago.
On the IPv6 matter at hand, again I am not eager to visit the IPv6 page, because I do not want to convert to an IPv6 WAN and don't actually know that my ISP allows it. Perhaps worse, I don't even recognize the terms on the various buttons on that page. I'd have to do a ton of homework to even consider it, and that'd have to include poring over my firewall and startup and VPN client configs looking to make them compatible. Waaaaaay too big/risky a project. So the whole point of the present exercise is to see if there's an easier/safer way to get to IPv6.
I have finally discovered the command ip -f inet6 route show to show me IPv6 routing info. I'm not sure what to make of it yet, as there is a default line
default via fe80::201:5cff:fe65:de46 dev eth0 metric 1024 expires 0sec
that unsurprisingly outputs with an unreachable default... line immediately after, since the default IPv6 address corresponds to nothing in the ifconfig output. I have no idea where this default IPv6 address comes from. Soon though (have to do other things for a few days) I'll experiment with changing that default. Maybe something good will happen if I point the default at tun1? _________________ 2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
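Added example, not code from any post in this thread: both posters above want the nvram show output kept as text so that a change (enabling IPv6, say) leaves a human-readable record. The script below diffs two such dumps key by key. The two dumps, the key names in them, and the router host name and backup paths in the comments are all constructed for illustration, not taken from any real router.

```shell
#!/bin/sh
# Added example, not from the thread: diff two `nvram show` dumps key by key so
# a risky change leaves a readable record of exactly which settings moved.
# Both dumps below are constructed; the key names are illustrative only.

BEFORE_NVRAM='ipv6_enable=0
lan_ipaddr=192.168.1.1
openvpncl_enable=1
wan_proto=dhcp'

AFTER_NVRAM='ipv6_enable=1
ipv6_example_mode=native
lan_ipaddr=192.168.1.1
openvpncl_enable=1'

# nvram_diff BEFORE AFTER: prints "added KEY=VAL", "removed KEY=VAL" and
# "changed KEY OLD -> NEW" lines, sorted. Splits on the first "=" only, so
# values containing "=" survive; multi-line values (rare in nvram) are not
# handled and would show up as spurious keys.
nvram_diff() {
    before=$(mktemp) || return 1
    after=$(mktemp) || { rm -f "$before"; return 1; }
    printf '%s\n' "$1" > "$before"
    printf '%s\n' "$2" > "$after"
    awk '
        function key(line) { return substr(line, 1, index(line, "=") - 1) }
        function val(line) { return substr(line, index(line, "=") + 1) }
        NR == FNR { old[key($0)] = val($0); next }
        {
            k = key($0); v = val($0); seen[k] = 1
            if (!(k in old)) print "added " k "=" v
            else if (old[k] != v) print "changed " k " " old[k] " -> " v
        }
        END { for (k in old) if (!(k in seen)) print "removed " k "=" old[k] }
    ' "$before" "$after" | sort
    rm -f "$before" "$after"
}

# On a live router, capture dumps like this (root@router and the backups/ path
# are placeholders):   ssh root@router nvram show > backups/router-0001.txt
# then compare two of them:
#   nvram_diff "$(cat backups/router-0001.txt)" "$(cat backups/router-0002.txt)"
nvram_diff "$BEFORE_NVRAM" "$AFTER_NVRAM"
```

Run on the two constructed dumps it reports one added key, one changed key and one removed key; identical dumps produce no output, which makes it easy to script a "did anything move?" check before and after an experiment.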
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Tue Dec 07, 2021 18:37 Post subject:
The latest tiny increment in this wild stab at getting IPv6 connectivity "the easy way" - through IPv6 over IPv4 in OpenVPN to AirVPN - is this simple experiment in the router CLI:
Code:
root@ :~# ip -6 route add default dev tun1 metric 1
root@ :~# ip -f inet6 route show
fde6:7a:7d20:1c5a::/64 dev tun1 metric 256
fe80::/64 dev eth0 metric 256
fe80::/64 dev eth1 metric 256
fe80::/64 dev br0 metric 256
fe80::/64 dev wlan0 metric 256
fe80::/64 dev wlan1 metric 256
fe80::/64 dev tun1 metric 256
default dev tun1 metric 1
unreachable default dev lo metric -1 error -101
ff00::/8 dev eth0 metric 256
ff00::/8 dev eth1 metric 256
ff00::/8 dev br0 metric 256
ff00::/8 dev wlan0 metric 256
ff00::/8 dev wlan1 metric 256
ff00::/8 dev tun1 metric 256
unreachable default dev lo metric -1 error -101
root@ :~# ping ipv6.google.com
PING ipv6.google.com (2607:f8b0:4009:808::200e): 56 data bytes
64 bytes from 2607:f8b0:4009:808::200e: seq=0 ttl=118 time=118.197 ms
64 bytes from 2607:f8b0:4009:808::200e: seq=1 ttl=118 time=118.156 ms
64 bytes from 2607:f8b0:4009:808::200e: seq=2 ttl=118 time=118.254 ms
64 bytes from 2607:f8b0:4009:808::200e: seq=3 ttl=118 time=117.849 ms
^C
--- ipv6.google.com ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 117.849/118.114/118.254 ms
root@ :~# traceroute ipv6.google.com
traceroute to ipv6.google.com (2607:f8b0:4009:819::200e), 30 hops max, 64 byte packets
1 fe80:FOO::1 (fe80:FOO::1) 99.379 ms 86.858 ms 79.798 ms
2 2620:7:6001::fe (2620:7:6001::fe) 79.895 ms 99.565 ms 79.811 ms
.
.
.
(Of course FOO and BAR are my placeholders.) So the addition of an IPv6 default route (cluelessly formulated so quite likely incorrect in its details), lets the router itself ping IPv6 addresses across "the internet," and traceroute shows that indeed this is done via the tun1 OpenVPN interface, which is operating in udp4 mode.
BUT... Similar pings fail from iOS and Linux (an old Fedora: fc29) wifi clients, even though both clients (tested with dig) obtain IPv6 AAAA addresses for ipv6.google.com without issue from the router's DNS system. In response to the ping, iOS (Fing app) complains that "Domain ipv6.google.com is not valid", and Linux ping advises "connect: Network is unreachable" if on a wifi that is PBRed to OpenVPN in IPv4-land, and, after a several-second hesitation, "ping: ipv6.google.com: Name or service not known" otherwise.
So whatever "success" the CLI ping experiment represents is pretty minor, as I have no clue what (small, safe) tweak from here might enable IPv6 connectivity for a dd-wrt client.
Thoughts? _________________ 2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
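Added example, not code from any post in this thread: a small audit of an ip -6 route show listing that checks the two things the experiment above turns on. The router could ping ipv6.google.com because a default route now points at tun1; the clients could not because br0 (or whichever LAN interface they sit on) carries no global prefix to hand out. The first listing is constructed from the route table posted above; the second adds the ISP-side default on eth0 that an earlier post found, to show the case where two reachable defaults exist and IPv6 traffic could bypass the tunnel. The function names and the tun1/br0 arguments are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the thread: audit an `ip -6 route show` listing for
# (1) exactly one reachable default route, and that it is on the tunnel device,
# (2) a global-scope prefix on the LAN device that clients are attached to.
# Both listings are constructed from output posted in the thread.

SAMPLE_ROUTES='fde6:7a:7d20:1c5a::/64 dev tun1 metric 256
fe80::/64 dev eth0 metric 256
fe80::/64 dev br0 metric 256
fe80::/64 dev tun1 metric 256
default dev tun1 metric 1
unreachable default dev lo metric -1 error -101
ff00::/8 dev eth0 metric 256
ff00::/8 dev br0 metric 256
ff00::/8 dev tun1 metric 256'

# Same listing plus a second default route learned on the WAN side (constructed
# from the "default via fe80::... dev eth0" line in an earlier post). Two
# reachable defaults means some IPv6 traffic may leave around the tunnel.
SAMPLE_WAN_LEAK="default via fe80::201:5cff:fe65:de46 dev eth0 metric 1024
$SAMPLE_ROUTES"

# default_route_dev LISTING: device of the one reachable default route, or
# "none" / "multiple". "unreachable default" lines do not count.
default_route_dev() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            for (i = 2; i <= NF; i++) if ($i == "dev") { n++; dev = $(i + 1) }
        }
        END {
            if (n == 0) print "none"
            else if (n > 1) print "multiple"
            else print dev
        }'
}

# global_prefix_on LISTING DEV: first global-scope prefix (2000::/3, or the ULA
# range fc00::/7) routed to DEV, or "none". Link-local (fe80::/64) and
# multicast (ff00::/8) routes are skipped, since clients cannot reach the
# internet with only those.
global_prefix_on() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        $1 ~ /^[23]/ || $1 ~ /^f[cd]/ {
            for (i = 2; i <= NF; i++)
                if ($i == "dev" && $(i + 1) == dev && found == "") found = $1
        }
        END { print (found == "" ? "none" : found) }'
}

# ipv6_via_tunnel_ready LISTING TUNDEV LANDEV: "ready" only when the single
# default route is on TUNDEV and LANDEV has a global prefix to give clients.
ipv6_via_tunnel_ready() {
    d=$(default_route_dev "$1")
    p=$(global_prefix_on "$1" "$3")
    if [ "$d" = "$2" ] && [ "$p" != "none" ]; then
        echo ready
    else
        echo not-ready
    fi
}

# Demo on the constructed listings. On the router itself, feed the live table:
#   ipv6_via_tunnel_ready "$(ip -6 route show)" tun1 br0
echo "default route dev:     $(default_route_dev "$SAMPLE_ROUTES")"
echo "global prefix on tun1: $(global_prefix_on "$SAMPLE_ROUTES" tun1)"
echo "global prefix on br0:  $(global_prefix_on "$SAMPLE_ROUTES" br0)"
echo "clients via tunnel:    $(ipv6_via_tunnel_ready "$SAMPLE_ROUTES" tun1 br0)"
echo "with WAN default too:  $(default_route_dev "$SAMPLE_WAN_LEAK")"
```

On the posted table the audit reports the default on tun1 and a ULA prefix on tun1 but nothing global on br0, so the verdict is not-ready, which matches what the clients saw: they had AAAA answers but no IPv6 source address to send from. The second listing reports "multiple" defaults, the condition to rule out before handing clients a prefix, otherwise some of their IPv6 traffic can take the WAN path instead of the tunnel.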
Joined: 18 Mar 2014 Posts: 12904 Location: Netherlands
Posted: Wed Dec 08, 2021 13:01 Post subject:
I have no experience with it other than that I am reading up on it, as my provider finally started to give out IPv6 addresses to users with the modem in bridge mode (so I will probably come back to ask for help).
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Mon Dec 13, 2021 15:08 Post subject:
Per Yngve Berg wrote:
In order for clients to communicate over IPv6, you need a PD on br0 so you can assign Global Scope addresses to clients.
So prefix delegation on any interface whose clients I want to enable to communicate via IPv6? (Here br0 is only for IoT and other high-security-risk clients like printers.)
Thanks for that hint... it's a place to start.
Might be a while before I get back to this. Distracted by prep for holiday visitors and, the past couple of days, the tornado news out of the US midwest. My stepmother's house had a monster mile-wide night tornado - saw a video of it on national TV news a few minutes ago - pass within two miles of her Friday night and kill people she knew personally. One of my sister's childhood friends, someone I remember, lost her in-laws. They and a five-month-old were found dead in a field. Our whole extended community is absolutely stunned. _________________ 2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.