Description
The remote OpenVPN server accepts connections only over IPv6 UDP and has no public IPv4 (it responds with an unreachable CGNAT IPv4). The tunnel establishes and forwards traffic correctly on other OpenVPN clients such as phones.
On a GL‑MT3000 running 4.8.1 the tunnel will not pass traffic. Version 4.8 added IPv6 OpenVPN support, but I cannot get it to work on this device.
Reproduction steps (brief)
- Configure OpenVPN on the remote server to accept connections only via IPv6 UDP.
- Configure the GL‑MT3000 as an OpenVPN client and connect to that server.
- After the connection is established, attempt to send traffic from the router or a LAN host over ovpnclient1 (for example: ping -I ovpnclient1 8.8.8.8), or have the server ping the client VPN IP.
Observed behavior
- OpenVPN control plane works: TLS handshake and session establishment succeed, and both server and router logs show the session up.
- Tunnel data plane is completely nonfunctional: pings sourced from ovpnclient1 get no replies; direct pings to the OpenVPN server get no replies; the server cannot ping the client VPN IP.
- Within about two minutes after connection the server sees no client packets and marks the client offline; the client likewise reconnects after roughly two minutes because it receives no server packets.
- Basic IPv6 reachability for the control plane is confirmed (UDP6 handshakes complete). The failure appears to be in tunnel data forwarding or kernel policy/path handling.
- Enabling or disabling killswitch and changing other settings on the GL‑MT3000 does not restore tunnel forwarding.
- ip route and iptables have been inspected; no obvious misconfigurations were found.
Relevant routing and policy snippets
ip rule show (key entries):
0: from all lookup local
1: from all iif lo lookup 16800
800: from all lookup 9910 suppress_prefixlength 0
6000: from all fwmark 0x8000/0xf000 lookup main
6000: from all fwmark 0xa000/0xf000 lookup 1011
9910: not from all fwmark 0/0xf000 blackhole
9920: from all iif br-lan blackhole
10000: from 10.9.9.2 lookup 1011
20000: from all to 10.9.9.2 lookup 1011
32766: from all lookup main
32767: from all lookup default
90014: from all iif lo lookup 1011
ip route show table 1011:
default dev ovpnclient1 scope link
blackhole default proto static metric 254
10.9.9.0/24 dev ovpnclient1 proto static scope link
ip route show table 9910:
192.168.8.0/24 dev br-lan proto kernel scope link src 192.168.8.1
Expected behavior
After an OpenVPN ipv6 client session is established on the GL‑MT3000, the tunnel should forward traffic both directions and behave like other clients: LAN to ovpnclient1 to server to Internet, and server to ovpn to LAN. There should be no case where the tunnel connects but becomes completely unreachable for data.
