OpenWrt 25.x lacks the netifd grev6 protocol handler, so the UCI
vpn_tunnel interface never came up (NO_DEVICE). Now using a dedicated
init script (parahub-vpn-tunnel, START=96) that:

- Creates ip6gre tunnel with encaplimit none (critical: Yggdrasil
  drops IPv6 packets with DSTOPT extension headers from encaplimit)
- Waits for Yggdrasil address before creating tunnel
- Adds guest subnet direct route to table 100 (fixes DNS/reply
  routing — without it, router replies with source in guest subnet
  get routed through GRE instead of back to the client)
- Reloads firewall so vpn_tunnel zone picks up gre6-vpn device

Also updated VPS mesh-gateway.sh with encaplimit none.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
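
An added illustration, not part of the commit or the project's code: the sketch below builds two constructed outer headers for a GRE-in-IPv6 packet, one carrying the 8-byte Destination Options header with the RFC 2473 tunnel encapsulation limit and one without it (the form `encaplimit none` produces), and classifies each. The addresses, the limit value 4 and all helper names are assumptions made for the example.

```python
import struct

IPPROTO_DSTOPTS = 60         # IPv6 Destination Options extension header
IPPROTO_GRE = 47
OPT_TUNNEL_ENCAP_LIMIT = 4   # option type from RFC 2473, section 4.1.1

def outer_ipv6(next_header, payload):
    """Constructed 40-byte outer IPv6 header (addresses in 200::/7) plus payload."""
    src = bytes.fromhex("0200" + "00" * 13 + "01")
    dst = bytes.fromhex("0200" + "00" * 13 + "02")
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return fixed + src + dst + payload

def encap_limit_header(limit, next_header):
    """8-byte Destination Options header carrying one encapsulation limit option."""
    # next header, hdr ext len 0 (8 bytes), option 4 / len 1 / value, PadN 1 / len 1 / 0
    return bytes([next_header, 0, OPT_TUNNEL_ENCAP_LIMIT, 1, limit, 1, 1, 0])

def classify(packet):
    """Return (has_dstopt, encap_limit, upper_protocol) for an outer IPv6 packet."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, has_dstopt, limit = packet[6], 40, False, None
    while nh == IPPROTO_DSTOPTS:
        if len(packet) < off + 2:
            raise ValueError("truncated extension header")
        end = off + (packet[off + 1] + 1) * 8
        if len(packet) < end:
            raise ValueError("truncated extension header")
        has_dstopt, i = True, off + 2
        while i < end:
            if packet[i] == 0:            # Pad1 is a single byte with no length
                i += 1
                continue
            if i + 2 > end or i + 2 + packet[i + 1] > end:
                raise ValueError("malformed option")
            if packet[i] == OPT_TUNNEL_ENCAP_LIMIT and packet[i + 1] == 1:
                limit = packet[i + 2]
            i += 2 + packet[i + 1]
        nh, off = packet[off], end
    return has_dstopt, limit, nh

GRE_STUB = b"\x00\x00\x86\xdd"  # constructed GRE header: no flags, inner IPv6
WITH_LIMIT = outer_ipv6(IPPROTO_DSTOPTS, encap_limit_header(4, IPPROTO_GRE) + GRE_STUB)
WITHOUT_LIMIT = outer_ipv6(IPPROTO_GRE, GRE_STUB)

if __name__ == "__main__":
    print(classify(WITH_LIMIT))
    print(classify(WITHOUT_LIMIT))
```

Applying the same classification to packets captured on the tunnel's underlay interface shows whether a tunnel was created without `encaplimit none`.
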
1. Add yggdrasil init script (procd) — OpenWrt 25.x package doesn't
   include one, causing uci-defaults to fail on `/etc/init.d/yggdrasil
   enable` with set -e, leaving script in /etc/uci-defaults/ to re-run
   every boot and overwrite all config changes.
2. Delete default br-lan/lan before creating br-private — both bridges
   competing for eth0/eth1 port, preventing LAN cable access.
3. Per-device port mapping via /etc/parahub/port_map — filogic devices
   (MT3000, MT6000, WR3000) have eth0=WAN, eth1=LAN (opposite of
   qualcommax/ath79). Build.sh writes PORT_MAP, uci-defaults reads it.

Also: remove `set -e` from uci-defaults (too fragile for first-boot),
add SSH/HTTP firewall rules on yggdrasil zone for remote management.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>