Most home networks have only one router, and while enterprise networks can have many, each device usually sees only a single upstream router. But just because having several routers on one link is unusual does not mean it is unsupported.
Using IPv6 Stateless Address Autoconfiguration, we can announce a prefix and route traffic for it without replacing the existing router.
```mermaid
graph TB
    r0(main router)
    sw[switch]
    rv(VPN Gateway)
    d1(client device)
    d2(client device)
    r0===|::/0|sw---d2
    rv---|fd00::/7|sw---d1
```
network diagram
RFC 4862: IPv6 Stateless Address Autoconfiguration
The trick here is that our VPN gateway will not route default traffic (::/0) but only the VPN prefixes. The in-kernel Router Advertisement can only advertise a default route, but radvd can announce a specific route.
Example setup:
- VPN prefix (in case we add other sites later): fd00:1111::/32
- Prefix for site A: fd00:1111:a::/64
- other remote sites would get more-specific prefixes inside the VPN prefix, such as fd00:1111:b::/64, fd00:1111:c::/64 …
With the following configuration, the other devices on the network will gain a new IPv6 address in the fd00:1111:a::/64 space, and they will use the VPN gateway as the next hop for fd00:1111::/32 only.
```
# /etc/radvd.conf
interface eth0 # change to the ethernet interface that plugs into your network
{
    AdvSendAdvert on;
    # hint so that clients don't use me as a default gateway
    AdvDefaultLifetime 0;
    # RA intervals
    MinRtrAdvInterval 30;
    MaxRtrAdvInterval 100;
    # the prefix of your site
    prefix fd00:1111:a::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr off;
    };
    # VPN route
    route fd00:1111::/32
    {
        AdvRouteLifetime 1800;
    };
};
```
radvd itself does not set up any networking; the gateway's own address on the prefix has to be configured separately:
```console
$ ip -6 address add fd00:1111:a::1/64 dev eth0
$ ip -6 address show dev eth0
1: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet6 2a03:ac70:9008:e797:b208:ff47:904d:cc9c/64 scope global dynamic mngtmpaddr noprefixroute  ← the ISP provided IPv6
       valid_lft 606sec preferred_lft 606sec
    inet6 fd00:1111:a::1/64 scope global  ← the VPN Gateway's private IPv6
       valid_lft forever preferred_lft forever
    inet6 fe80::db04:6654:d28c:bb9c/64 scope link
       valid_lft forever preferred_lft forever
```
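To see what the configuration above puts on the wire, here is an added example (not part of the original post or of radvd) that encodes and decodes the two Router Advertisement fields the trick depends on: Router Lifetime 0 (RFC 4861), which stops hosts from installing a default route, and the Route Information Option (RFC 4191) carrying fd00:1111::/32. The checksum is left at zero and the address lifetimes are sample values.

```python
"""Encode/decode the RA fields behind AdvDefaultLifetime 0 + a route option."""
import ipaddress
import struct

ICMP6_RA = 134          # ICMPv6 Router Advertisement
OPT_PREFIX_INFO = 3     # RFC 4861 Prefix Information Option (32 bytes)
OPT_ROUTE_INFO = 24     # RFC 4191 Route Information Option (8/16/24 bytes)


def build_ra(router_lifetime, prefixes=(), routes=()):
    """Return RA bytes; checksum is 0 here (the kernel fills it when sending).

    prefixes: (cidr, on_link, autonomous, valid_lft, preferred_lft)
    routes:   (cidr, route_lifetime)   # lifetime in seconds, as AdvRouteLifetime
    """
    # type, code, checksum, cur hop limit, M/O flags, router lifetime, reachable, retrans
    msg = struct.pack("!BBHBBHII", ICMP6_RA, 0, 0, 64, 0, router_lifetime, 0, 0)
    for cidr, on_link, autonomous, valid, preferred in prefixes:
        net = ipaddress.IPv6Network(cidr)
        flags = (0x80 if on_link else 0) | (0x40 if autonomous else 0)  # L and A bits
        msg += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, flags,
                           valid, preferred, 0) + net.network_address.packed
    for cidr, lifetime in routes:
        net = ipaddress.IPv6Network(cidr)
        # RFC 4191 2.3: carry only as many 8-octet prefix groups as the length needs
        nbytes = 0 if net.prefixlen == 0 else 8 if net.prefixlen <= 64 else 16
        msg += struct.pack("!BBBBI", OPT_ROUTE_INFO, 1 + nbytes // 8, net.prefixlen,
                           0, lifetime) + net.network_address.packed[:nbytes]
    return msg


def parse_ra(msg):
    """Summarise what a receiving host learns: default router? prefixes? routes?"""
    router_lifetime = struct.unpack_from("!H", msg, 6)[0]
    info = {"default_router": router_lifetime > 0, "prefixes": [], "routes": []}
    off = 16                                   # fixed RA header is 16 bytes
    while off < len(msg):
        typ, length = msg[off], msg[off + 1]   # length is in units of 8 octets
        opt = msg[off:off + 8 * length]
        if typ == OPT_PREFIX_INFO:
            plen, flags, valid, pref = struct.unpack_from("!BBII", opt, 2)
            addr = ipaddress.IPv6Address(opt[16:32])
            info["prefixes"].append((f"{addr}/{plen}", bool(flags & 0x40), valid, pref))
        elif typ == OPT_ROUTE_INFO:
            plen, _, lifetime = struct.unpack_from("!BBI", opt, 2)
            addr = ipaddress.IPv6Address(opt[8:].ljust(16, b"\0"))  # pad short prefix
            info["routes"].append((f"{addr}/{plen}", lifetime))
        off += 8 * length
    return info
```

Feeding the radvd values in (`build_ra(0, [("fd00:1111:a::/64", True, True, 86400, 14400)], [("fd00:1111::/32", 1800)])`) parses back to `default_router: False` with one autonomous prefix and one route, whereas the main router's RA with a non-zero lifetime parses to `default_router: True`.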
Of course you need an actual site-to-site VPN for this setup to be useful. I run WireGuard+OSPFv3, but you can use any other technology; the tunnel doesn't need to be encrypted (e.g. L2TPv3 with UDP encapsulation).
The beauty of this setup is that the VPN gateway does not have any dependency on the main router in your network. This means that you can plug it in another home, and it will work the same way.
If you are part of DN42, you could use this radvd setup to create a “portable DN42 gateway” (that gateway should not run BGP, as DN42 routers are supposed to be always-on).
Depending on your VPN usage, you might want to advertise a DNS server to your devices. But there is no telling how a smart TV would use two different DNS servers (with different search domains)…