Is this a sound solution for enabling IPv6 in OpenVPN over IPv4?

Started by Markyrian, July 06, 2025, 03:08:21 PM

July 06, 2025, 03:08:21 PM Last Edit: July 06, 2025, 08:32:39 PM by Markyrian Reason: Found out a problem with using dummy VLAN.
This is a follow up on Dynamic IPv6 prefixes / dynamic DNS / VPN: Handling via NPTv6?

To my joy, my new ISP supports IPv6 though they stated otherwise (Halebop/Sweden). It seems well-behaved and RAs state it is managed and I get a GW and a /56 prefix over DHCPv6. This prefix is regarded as dynamic although it seems fairly stable (I get the same one after a renewal for instance).

I've got IPv6 going in my homelab setup over two local LANs (LAN, OPT) and delegate two different /64 prefixes to them using the "Track Interface" feature.

On my Android I have more or less the same operator as the ISP, but this big player still doesn't support IPv6 in their mobile network. But hey, why not at least make it possible over OpenVPN, which I need anyway!

The first stumble is of course what to put in the "IPv6 Tunnel Network" field of the VPN server setup. (using legacy server / tun mode). I can't really use the current prefix here. Using something like Interface Tracking and SLAAC on the tunnel interface is also not possible. So I opted for what I think the above mentioned thread suggested, with some extra ideas:

  • I (ab)use the NAT64 reserved address range and put 64:ff9b::/64 as the tunnel network.
  • I created a dummy VLAN interface on the OPT physical and set it to "Track Interface" and give it a /64 subnet that then is different from LAN and OPT. I activate "Manual configuration" to avoid generating router advertisements. New finding. See end of post.
  • On WAN I create a NAT/NPTv6 firewall rule that translates between the 64:ff9b::/64 above and whatever prefix the dummy VLAN has, by leaving the "External IPv6 Prefix (target)" empty and specifying the VLAN in "Track Interface".

This actually works and my phone now passes test-ipv6 after connecting home! First connection gets the address 64:ff9b::1000 which in my case maps to GUA 2001:xxxx:xxxx:xx80::1000 thanks to the NPTv6 mechanism.

At first I let the NPTv6 track OPT, where I only have one PC, but this didn't feel good for the following reasons:
  • I doubt DAD can resolve situations of address collisions between hosts on OPT and VPN in such a complex setup? (Yes, I know this risk is infinitesimal anyway.)
  • Deploying NPTv6 tracking OPT did not seem to affect the possibility to use IPv6 on a PC on OPT, possibly thanks to the statefulness of the firewall. But I guess it ruins the possibility of having UDP server ports in the OPT network globally exposed?

So, is there any apparent drawback with the above solution? Dynamic prefixing seems hated, but I won't spend time discussing this with my ISP, which doesn't even seem to understand they support IPv6. Also NPTv6 seems frowned upon, but is there a better, more intuitive solution to set up OpenVPN as an "IPv6 enabler" when the prefix is dynamic? Perhaps in later versions of OPNsense? (I'm on 24.7.10_2-amd64.)

Last questions: Let's say this PC on OPT is a gaming PC :-). Is there any, if small, performance hit from (a) the creation of the dummy VLAN upon OPT, or (b) deploying NPTv6 translation on WAN? Does it perhaps depend on what kind of hardware I run OPNsense on?

Update 2025-07-06: The dummy VLAN seems very hard to quiet down. Although DHCPv6 and RA are disabled and no DNS configuration is sent to clients, the Windows PC mentioned above still somehow picks up the existence of this VLAN and its prefix. So if anyone knows how to create a "silent" interface with the "Track Interface" option, I would be interested. For now I use a dummy Linux bridge created at the Proxmox level to get that sought-after unique /64 prefix. (Yes, I do run OPNsense in a VM...)
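The prefix arithmetic behind the setup in the bullets above (Track Interface carving a /64 out of the delegated /56, then NPTv6 swapping the 64:ff9b::/64 tunnel prefix for it in both directions), as an added example that is not part of the original post; the documentation /56 and the prefix ID 0x80 are constructed stand-ins for the poster's real values.

```python
import ipaddress

# Constructed stand-ins (not from the post): a documentation /56 plays the
# ISP-delegated prefix, and 0x80 is the assumed "IPv6 Prefix ID" of the
# tracked dummy VLAN (the post's real prefix is 2001:xxxx:xxxx:xx80::/64).
DELEGATED_PREFIX = ipaddress.IPv6Network("2001:db8:1234:ab00::/56")
DUMMY_VLAN_PREFIX_ID = 0x80
TUNNEL_NETWORK = ipaddress.IPv6Network("64:ff9b::/64")  # as in the post


def tracked_subnet(delegated, prefix_id, length=64):
    """Mimic "Track Interface": pick the /64 with the given prefix ID from the delegation."""
    subnet_bits = length - delegated.prefixlen
    if not 0 <= prefix_id < (1 << subnet_bits):
        raise ValueError(f"prefix ID {prefix_id:#x} does not fit in {subnet_bits} bits")
    base = int(delegated.network_address) + (prefix_id << (128 - length))
    return ipaddress.IPv6Network((base, length))


def prefix_rewrite(addr, src, dst):
    """Stateless 1:1 prefix swap; the interface identifier is kept unchanged.
    This mirrors what the post observed (64:ff9b::1000 -> ...80::1000); a strict
    RFC 6296 checksum-neutral NPTv6 would instead adjust one 16-bit word of the IID."""
    if src.prefixlen != dst.prefixlen:
        raise ValueError("NPTv6 needs equal-length internal and external prefixes")
    if addr not in src:
        raise ValueError(f"{addr} is not inside {src}")
    iid = int(addr) & ((1 << (128 - src.prefixlen)) - 1)
    return ipaddress.IPv6Address(int(dst.network_address) | iid)


def nptv6(addr, internal=TUNNEL_NETWORK, external=None):
    """Apply the WAN NPTv6 rule in whichever direction the packet is travelling;
    addresses outside both prefixes pass through untouched."""
    external = external or tracked_subnet(DELEGATED_PREFIX, DUMMY_VLAN_PREFIX_ID)
    addr = ipaddress.IPv6Address(addr)
    if addr in internal:
        return prefix_rewrite(addr, internal, external)   # outbound: tunnel -> GUA
    if addr in external:
        return prefix_rewrite(addr, external, internal)   # inbound: GUA -> tunnel
    return addr


if __name__ == "__main__":
    print(tracked_subnet(DELEGATED_PREFIX, DUMMY_VLAN_PREFIX_ID))
    print(nptv6("64:ff9b::1000"))                 # first VPN client, outbound
    print(nptv6("2001:db8:1234:ab80::1000"))      # reply, inbound
```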