IPv6 with IPv4 over RRAS SSTP VPN from Client that only has IPv4 access

I thought I'd provide a more generic Linux router scenario for users not using pfSense but a Linux based router (in my case DD-WRT).

ip -6 route add xxxx:xxx:xxxx:xxxx::/64 via xxxx:xxx:xxxx:xx::x dev br0
  • The configured IPv6 prefix in RRAS IPv6 tab needs to be added after the add
  • The IPv6 LAN IP address of the RRAS box is the via (essentially the gateway)
  • br0 is LAN interface of your router is. This is usually the default on DD-WRT, for other routers it could be another interface like eth0

The only problem I've discovered is while this static route allows IPv6 traffic to flow through to the outside, it doesn't provide access to other LAN IPv6 addresses within the IPv6 subnet of the LAN IP address of the server. Likely because the subnet is a different /64. To solve this, you need to add IPv6 static routes on the RRAS box itself to allow this connectivity.


Turns out it was a little thing and it took looking at the problem in a completely different way to figure it out.

The problem wasn't with RRAS it was with my router software setup (in this case pfSense). When on a VPN connected client I was getting an IPv6 address and name resolution was working but nothing would respond over IPv6. The problem was that my v6 packets would get into my network fine but that local machines didn't have any route information on how to get back to the VPN connected machine. I had to setup a static route in my router for the prefix used in RRAS to route that prefix on my network back to the RRAS box. Now when the internal box tried to talk back it would see a different prefix and send it to my router then my router would forward it to RRAS which would then send it to the VPN connected client.

Sure took a long time to track this down but it is finally working.