I've got native IPv6 via my ISP (they give me a /48). Using RAs (SLAAC), my router is advertising a particular /64 to machines in my network - in other words my network has full native IPv6.

My router is also connected to an OpenVPN network to access some private resources, some of which are available over IPv6. The goal is that machines on my LAN have access to these resources transparently.

The VPN pushes routes to the router so that traffic heads down its interface when it needs to access the private resources - this bit works "fine" as I can see the traffic going out properly when tcpdumping on the tun0 interface, and connecting to things from the router itself is OK.

My problem is that traffic from end clients never makes it back to them. I think what happens is that IP packets are using the public IPv6 addresses as their source address (client machines don't know about the VPN at all), and so the VPN is dropping the packets because they are coming from (as far as the remote OpenVPN is concerned) a bogus address.

It feels like this must be a known problem, but I couldn't really find anyone talking about it. I suppose I need to somehow provide addresses in the /64 that I get from the VPN to clients on my LAN, and also somehow(!) distribute routes too? Or else do some kind of 1:1 local → VPN NAT translation for v6 (probably not this solution)? Have others accomplished this before and if so, what did you do?

Iain Lane
    The far end likely has no route back to your /48 network. NAT for IPv6 is "discouraged." – Ron Trunk Aug 02 '19 at 12:01
  • What does the routing table look like, on the machine running OpenVPN? Check the output of `ip -6 r`. – Michael Hampton Aug 11 '19 at 16:46
  • @MichaelHampton Hey there - several (expected) routes like `some:network::/48 dev vtun0 metric 500 pref medium` for things behind the VPN, a few `my-local-64s::/64 dev switch0 proto kernel metric 256 pref medium`, & then `default via fe80::stuff:0 dev pppoe0 proto ra metric 1024 expires 64355sec hoplimit 64 pref medium` is the default route. Then the usual stuff like `fe80::` routes for all the interfaces. – Iain Lane Aug 11 '19 at 22:56
  • @IainLane You should edit your question and paste it in. – Michael Hampton Aug 11 '19 at 23:34
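A small diagnostic for the asymmetry the comments describe, added here as an example (it is not from the question or its commenters): it parses `ip -6 r` output, does the kernel's longest-prefix match for a source and a destination, and flags the case where a packet leaves via the tunnel interface while its source address is only covered by a LAN route, so the tunnel peer has nothing to route the reply to. The routing table, prefixes and interface names are constructed sample values modelled on the shapes quoted above.

```python
import ipaddress

# Constructed sample routing table in `ip -6 r` format. Prefixes are
# documentation addresses (2001:db8::/32), modelled on the shapes quoted in
# the comments; they are not the poster's real prefixes.
SAMPLE_ROUTES = """\
2001:db8:1000::/48 dev vtun0 metric 500 pref medium
2001:db8:abcd:1::/64 dev switch0 proto kernel metric 256 pref medium
default via fe80::1 dev pppoe0 proto ra metric 1024 expires 64355sec hoplimit 64 pref medium
fe80::/64 dev switch0 proto kernel metric 256 pref medium
fe80::/64 dev vtun0 proto kernel metric 256 pref medium
"""

def parse_routes(text):
    """Turn `ip -6 r` lines into (network, device, metric) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if not f or "dev" not in f:
            continue
        net = ipaddress.IPv6Network("::/0" if f[0] == "default" else f[0])
        metric = int(f[f.index("metric") + 1]) if "metric" in f else 0
        routes.append((net, f[f.index("dev") + 1], metric))
    return routes

def lookup(routes, addr):
    """Longest-prefix match, lowest metric breaking ties, as the kernel does."""
    addr = ipaddress.IPv6Address(addr)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: (r[0].prefixlen, -r[2])) if hits else None

def check_path(routes, src, dst, tunnel_devs=("vtun0",)):
    """Report the egress interface for dst and whether the return path is at
    risk: the packet leaves via a tunnel, but src is not covered by any route
    on that tunnel, so the peer has no reason to know the way back."""
    egress = lookup(routes, dst)
    src_route = lookup(routes, src)
    egress_dev = egress[1] if egress else None
    src_dev = src_route[1] if src_route else None
    at_risk = egress_dev in tunnel_devs and src_dev != egress_dev
    return {"egress": egress_dev, "src_route_dev": src_dev,
            "return_path_at_risk": at_risk}

if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    # LAN client with its public SLAAC address talking to a VPN-only host
    print(check_path(routes, "2001:db8:abcd:1::10", "2001:db8:1000::5"))
    # Same destination, but sourced from an address inside the VPN's /48
    print(check_path(routes, "2001:db8:1000:ff::1", "2001:db8:1000::5"))
```

Feeding it the real `ip -6 r` output and a failing client/destination pair shows at a glance whether the symptom is the one Ron Trunk suspects (source prefix unknown to the far end) rather than a forwarding problem on the router.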