diff --git a/hosts/router/firewall.nix b/hosts/router/firewall.nix
index 3086531..cef6ffa 100644
--- a/hosts/router/firewall.nix
+++ b/hosts/router/firewall.nix
@@ -20,8 +20,9 @@ in
 ${ifs.lan40.name},
 ${ifs.lan50.name},
 }
- define OPNSENSE_NET6 = ${pdFromWan}d::/64
+ define OPNSENSE_NET6 = ${vars.extra.opnsense.net6}
 define ZONE_LAN_EXTRA_NET6 = {
+ # TODO: reevaluate this statement
 ${ifs.lan20.net6}, # needed since packets can come in from wan on these addrs
 $OPNSENSE_NET6,
 }
diff --git a/hosts/router/ifconfig.nix b/hosts/router/ifconfig.nix
index 63f3198..d479a7d 100644
--- a/hosts/router/ifconfig.nix
+++ b/hosts/router/ifconfig.nix
@@ -150,6 +150,7 @@ in
 ifs.lan40.name
 ifs.lan50.name
 ];
+ routes = vars.extra.opnsense.routes;
 };
 "30-vlan10" = mkLanConfig ifs.lan10;
 "30-vlan20" = mkLanConfig ifs.lan20;
diff --git a/hosts/router/vars.nix b/hosts/router/vars.nix
index 10abd5f..3961ab9 100644
--- a/hosts/router/vars.nix
+++ b/hosts/router/vars.nix
@@ -95,4 +95,28 @@ rec {
 ulaPrefix_ = "${ulaPrefix}:0050"; # ::/64
 };
 };
+
+ extra = {
+ opnsense = rec {
+ addr4 = "${ifs.lan.p4}.250";
+ ulaAddr = "${ifs.lan.ulaPrefix}::250";
+ p6 = "${pdFromWan}d";
+ net6 = "${p6}::/64";
+ # VPN routes on opnsense
+ routes = [
+ {
+ Destination = "10.6.0.0/24";
+ Gateway = addr4;
+ }
+ {
+ Destination = "10.18.0.0/20";
+ Gateway = addr4;
+ }
+ {
+ Destination = net6;
+ Gateway = ulaAddr;
+ }
+ ];
+ };
+ };
 }
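Review bot: The added `# TODO: reevaluate this statement` inside ZONE_LAN_EXTRA_NET6 names neither the entry nor the concern, and this is the set that grants LAN-zone treatment to packets arriving from the WAN, so a later reader cannot tell whether the entry is safe to drop or dangerous to keep. Suggest making it concrete: `# TODO: reevaluate whether ${ifs.lan20.net6} must stay here; WAN-ingress packets matching it receive LAN-extra zone treatment`. The switch of OPNSENSE_NET6 to `${vars.extra.opnsense.net6}` resolves to the same `${pdFromWan}d::/64` that vars.nix now builds, so the effective rule set is unchanged by this hunk. The rules that consume ZONE_LAN_EXTRA_NET6 lie outside the hunk.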
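Review bot: `routes = vars.extra.opnsense.routes;` attaches static routes to this interface without a comment saying why they belong here, and the enclosing interface attribute set begins outside the hunk, so the interface itself is not visible. The route entries in vars.nix are bare `{ Destination = …; Gateway = …; }` sets; whether `systemd.network` accepts that form directly or expects a `routeConfig` wrapper depends on the NixOS release the host tracks, which this change does not show, so that is worth confirming on the target release. Suggest `# static routes toward the opnsense host: its VPN prefixes and its delegated /64 (see vars.extra.opnsense)` above the line.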
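Review bot: The comment `# VPN routes on opnsense` describes only the first two entries; the third routes the delegated `net6` prefix via `ulaAddr`, which is not a VPN route and pairs a globally routed destination with a ULA next-hop, so the intent is easy to misread. Suggest splitting it: `# IPv4 VPN networks reachable through opnsense` above the first two entries and `# opnsense's own delegated /64, reached via its ULA address` above the third, adding the reason for the ULA next-hop if it is the stability of that address across prefix changes (my inference from p6 deriving from pdFromWan; adjust if the reason differs). The host number 250 is repeated in addr4 and ulaAddr; a single `hostId = "250";` in the rec set would keep the two from drifting apart. The 10.6.0.0/24 and 10.18.0.0/20 destinations would also benefit from a comment naming which VPN each belongs to.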