[SurprisedItWorks]

My dd-wrt router (Linksys WRT1900ACSv2 on build 46816) is IPv4 only, as my config has too many VAPs, extra iptables rules, VPN clients and servers, etc. for me to have been tempted to experiment with providing IPv6 at the whole-router level. But AirVPN offers an option in its configuration generator to provide both IPv4 and IPv6 to the internet from their server but with underlying transport from client to server being strictly via IPv4.

I have my iPhone's WireGuard app set up to use such an AirVPN config file, and when I connect the phone to the internet via the router's non-VPNed VAP, it seems to work as advertised. I can browse to ipv6.google.com, for example.

Can I set up the router similarly so that ordinary IPv4 clients can get access to the IPv6 world (without running their own VPN clients like in that phone experiment)? The difference between a plain IPv4-only AirVPN router config and a IPv4/IPv6-over-IPv4 AirVPN router config turns out to be only that the latter includes two extra config lines,

push-peer-info
setenv UV_IPV6 yes

which of course is easy enough to provide in dd-wrt. It didn't take long, of course, to learn experimentally that this is not enough to allow me to to browse to ipv6.google.com via the (one of the) router's OpenVPN VAP(s). But the vpn log info seems to only gain two extra lines:

2021-11-23 11:48:23 us=38677 net_iface_up: set tun1 up
2021-11-23 11:48:23 us=38750 net_addr_v6_add: fde6:7a:7d20:19b6::10bb/64 dev tun

with ifconfig tun1 gaining the corresponding line

inet6 addr: fde6:7a:7d20:19b6::10bb/64 Scope:Global

and the whole setup still works fine for IPv4 OpenVPN traffic as before. I haven't tweaked the OpenVPN MTU yet in this experiment but understand that I'll need to. (Down by 20?) From a linux box PBRed through OpenVPN a test ping fails:

$ ping ipv6.google.com
connect: Network is unreachable

(Same if I try pinging a numerical IPv6 address.)

I'm sharing my monumental IPv6 ignorance here, but I'm wondering whether getting from here to functional IPv6-over-OpenVPN might by some miracle be some small incremental tweak. Any idea?

Of course I have looked at the wiki re IPv6 and also IPv6 over a Hurricane Electric tunnel, but those wike pages are oriented towards providing whole-router IPv6 capability, so that the router's client devices can connect to the router via IPv6, while I'm curious here only about providing IPv6 transport capability to ordinary IPv4 clients that are PBRed to OpenVPN. It may not even be a sensible question, and I'm certainly up for that answer if that's the reality. Every day is a school day!

[Alozaros]

i ve had a similar question/idea back in the days, when i got on with Stubby, as it can use IPv4 DNS servers as well resolving via IPv6 servers...

In general if your ISP provides IPv6, than you should be ok to go...
But as you said only ipv6 transport/use inside VPN... as VPN is a tunneling stuff and all has a different layout, if your VPN provider supports ipv6 than transport/use, should be ok i guess..mine PIA doesn't
or i haven't read their bulletin for a while...

[Per Yngve Berg]

[the-joker]

[SurprisedItWorks]

Thanks for the input, guys.

Pointless aside: I totally agree with @the-joker above about backups. For years and for five routers, I've backed up after EVERY change or simultaneous group of changes, and every backup is done from a script on my linux box that uses ssh/scp to both run the backup on the router and capture the output of nvram show. I probably have a thousand named (for the router) and numbered backup files accumulated by now. They double as a clumsy configuration-control system, because I also keep notes on the changes, and indeed, I have sometimes gone back and found a setting from a couple of years ago.

On the IPv6 matter at hand, again I am not eager to visit the IPv6 page, because I do not want to convert to an IPv6 WAN and don't actually know that my ISP allows it. Perhaps worse, I don't even recognize the terms on the various buttons on that page. I'd have to do a ton of homework to even consider it, and that'd have to include pouring over my firewall and startup and vpn client configs looking to make them compatible. Waaaaaay to big/risky a project. So the whole point of the present exercise is to see if there's an easier/safer way to get to IPv6.

I have finally discovered the command ip -f inet6 route show to show me IPv6 routing info. I'm not sure what to make of it yet, as there is a default line

default via fe80::201:5cff:fe65:de46 dev eth0 metric 1024 expires 0sec

that unsurprisingly outputs with an unreachable default... line immediately after, since the default IPv6 address corresponds to nothing in the ifconfig output. I have no idea where this default IPv6 address comes from. Soon though (have to do other things for a few days) I'll experiment with changing that default. Maybe something good will happen if I point the default at tun1?

[SurprisedItWorks]

The latest tiny increment in this wild stab at getting IPv6 connectivity "the easy way" - through IPv6 over IPv4 in OpenVPN to AirVPN - is this simple experiment in the router CLI:

[egc]

I have no experience with it other then that I am reading up on it as my provider finally started to give out IPv6 address to users with the modem in bridge mode (so probably will come back to ask for help )

But what you are doing seems to have an analogy with a 6 in 4 tunnel so maybe something to look into how that is setup?

[Per Yngve Berg]

In order for clients to communicate over IPv6, you need a PD on br0 so you can assign Global Scope addresses to clients.

[SurprisedItWorks]

[Per Yngve Berg]

With several interfaces, you must get a larger PD.

64= one sub-net
60= 4 sub-nets
56= 255 sub-nets