Last active Mar 18, 2022
Faux-implementing IPv6 Policy-Based Routing on OpenWRT

Stangri's VPN Policy Routing package is a mainstay of my OpenWRT builds. It works great for IPv4, but I couldn't, for the life of me, get it working with IPv6. Instead, I had to faux-implement PBR as follows.

My VPN provider only gave me a single IP address with a /128 prefix, so I was forced to use NAT6. This left me with a stanza in my firewall config that looks like this (note the masq6 option):

config zone
	option name 'wan_vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wg_vpn'
	option masq6 '1'
	option masq6_privacy '1'

With that in place, I had to ignore my ISP's prefix delegation on those interfaces where I wanted IPv6 traffic to be directed over the VPN (note the ip6class option):

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask ''
	option ipaddr ''
	option ifname 'eth1 eth2'
	option ip6assign '64'
	option ip6hint 'AA'
	list ip6class 'local'

Finally, I created a route:

config route6
	option target '::/0'
	option interface 'wg_vpn'
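
A quick way to confirm that all three pieces are present, since losing any one of them can let LAN IPv6 traffic bypass the tunnel. This is an added example, not part of the original gist or of Stangri's package; `check_pbr6` and `sample_config` are hypothetical helper names, and the sample input is a constructed, reduced copy of the stanzas above.

```shell
#!/bin/sh
# Added example: verify that UCI config text carries the three settings described above.
# Reads firewall + network config on stdin; args: <vpn-interface> <lan-interface>.
check_pbr6() {
    awk -v vpn="$1" -v lan="$2" -v q="'" '
    function flush() {   # evaluate the section that just ended
        if (type == "zone" && covers && masq6) nat = 1
        if (type == "interface" && name == lan && ula && !other) ula_only = 1
        if (type == "route6" && target == "::/0" && iface == vpn) route = 1
    }
    { gsub("[" q "\"]", "") }   # strip UCI quoting
    $1 == "config" {
        flush(); type = $2; name = $3
        covers = masq6 = ula = other = 0; target = iface = ""
        next
    }
    $1 == "option" || $1 == "list" {
        if ($2 == "network") for (i = 3; i <= NF; i++) if ($i == vpn) covers = 1
        if ($2 == "masq6" && $3 == "1") masq6 = 1
        # without ip6class the interface accepts every prefix class, ISP-delegated included
        if ($2 == "ip6class") { if ($3 == "local") ula = 1; else other = 1 }
        if ($2 == "target") target = $3
        if ($2 == "interface") iface = $3
    }
    END {
        flush()
        if (!nat)      print "FAIL: no zone covering " vpn " sets masq6"
        if (!ula_only) print "FAIL: " lan " is not restricted to ip6class local"
        if (!route)    print "FAIL: no route6 ::/0 via " vpn
        exit !(nat && ula_only && route)
    }'
}
sample_config() {   # constructed sample, reduced from the three stanzas on this page
    cat <<'EOF'
config zone
    option name 'wan_vpn'
    option network 'wg_vpn'
    option masq6 '1'
config interface 'lan'
    option ip6assign '64'
    list ip6class 'local'
config route6
    option target '::/0'
    option interface 'wg_vpn'
EOF
}
sample_config | check_pbr6 wg_vpn lan && echo "OK: all three settings present"
```

On the router itself the same function can be fed with `cat /etc/config/firewall /etc/config/network | check_pbr6 wg_vpn lan`.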

It's not pretty - there should be no need to use NAT with IPv6 - and I'm sure there's a better way; but it works. Perhaps one day my VPN provider will give me something like a /48; or at least a /60. In the meantime, if anybody knows how to get IPv6 PBR working with Stangri's package, please let me know!

