Unable to route IPv6 through Wireguard on OpenWRT router

As the title suggests, I cannot pass v6 traffic through wireguard. My ISP has just v4 CGNAT so I wanted to configure openwrt to route just v6 via wireguard to a VPS and use v4 from ISP.

The connection is successful. If I add '0.0.0.0/0' to allowed IPs, v4 gets tunnelled, but not v6. Adding '::/0' seems to have no effect at all.

Here are some configs and screenshots.

From /etc/config/network

config interface 'v6_AT'
    option proto 'wireguard'
    option private_key 'xxxx'
    list addresses '10.7.0.2/24'
    list addresses 'fddd:2c4:2c4:2c4::2/64'
    list dns '1.1.1.1'
    list dns '2606:4700:4700::1111'
    option ip6table 'default'
    option force_link '1'

config wireguard_v6_AT
    option description 'id1-atharva'
    option public_key 'xxxx'
    option preshared_key 'xxxx'
    option route_allowed_ips '1'
    option endpoint_host 'xxxx'
    option endpoint_port 'xxxx'
    option persistent_keepalive '25'
    list allowed_ips '::/0'

I believe this has to do something with firewalls and routing, but I have not been able to find anything useful yet.

Any help is greatly appreciated, thanks in advance!!

Tagged:

Comments

  • If my understanding is correct, the VPS is the wireguard server and the openwrt router is the wireguard client?

    I am not familiar with using a openwrt router as a wireguard client. So in this case, besides being a wireguard client, the openwrt router is also the default gateway for your internal network?

    Maybe besides adding the '::/0', you might need to setup IPv6 masquerading on the openwrt router and this link might be of some help:

    https://openwrt.org/docs/guide-user/network/ipv6/ipv6.nat6

  • @tmntwitw said:
    If my understanding is correct, the VPS is the wireguard server and the openwrt router is the wireguard client?

    Yup, correct

    I am not familiar with using a openwrt router as a wireguard client. So in this case, besides being a wireguard client, the openwrt router is also the default gateway for your internal network?

    Yes, that's the plan.

    Maybe besides adding the '::/0', you might need to setup IPv6 masquerading on the openwrt router and this link might be of some help:

    https://openwrt.org/docs/guide-user/network/ipv6/ipv6.nat6

    I had followed this, but it didn't help me much. Maybe I'm doing something wrong as well.
    From my understanding, I think I might need to v6 NAT.

    Thanks for your inputs!

  • FrankZFrankZ Moderator
    edited August 2023

    Not an IPv6 expert, but do you have the following in sysctl.conf on the VPS

    net.ipv6.conf.default.forwarding = 1
    net.ipv6.conf.all.forwarding = 1

    For staff assistance or support issues please use the helpdesk ticket system at https://support.lowendspirit.com/index.php?a=add

  • To give you free headache, just buy VPN router ;)

    KangServer - VPS Benchmark
    Android | Windows 11 | Ubuntu 22.04 | XShell

  • Is the /64 routed or onlink?

    If routed, your VPS needs to further route the /64 to the wireguard interface.
    ip -6 r r (your /64) via (wg interface)

    Thanked by (1)yoursunny

    The all seeing eye sees everything...

  • @FrankZ said:
    Not an IPv6 expert, but do you have the following in sysctl.conf on the VPS

    net.ipv6.conf.default.forwarding = 1
    net.ipv6.conf.all.forwarding = 1

    I'll have to check this. I think so, since this config works fine on mobile and PC.

    @febryanvaldo said:
    To give you free headache, just buy VPN router ;)

    What do you mean 🧐

    @terrorgen said:
    Is the /64 routed or onlink?

    If routed, your VPS needs to further route the /64 to the wireguard interface.
    ip -6 r r (your /64) via (wg interface)

    I think it might be routed, not 100% sure.
    But if this is the case, then the wireguard config which I use on mobile would also not work right? For eg, I can pass both v6 + v4 and v6 only when using Mobile/PC.
    Or maybe my dumbass is missing something in your question?

  • edited August 2023

    Hi @sh97 , I tried to simulate your problem, and was finally able to get it to work after many tries. I needed to create a separate firewall zone for the wireguard interface 'wg1' (I named the firewall zone as 'vpn'). Then follow the steps in https://openwrt.org/docs/guide-user/network/ipv6/ipv6.nat6 to enable 'masq6' on the 'vpn' firewall zone, and disable IPv6 source routing on the 'wg1' interface. After doing these 2 steps, it still doesn't work.

    After reading through this https://openwrt.org/docs/guide-user/services/vpn/wireguard/all-traffic-through-wireguard, it mentions that the lan traffic needs to be forwarded to the wireguard interface instead of the default wan interface. So what I did was to add the 'vpn' zone as an additional entry to the lan forwarding list: screenshot

    And after that, the client machine connected to the openwrt LAN was able to get the IPv6 traffic tunnelled through the wireguard interface, while the IPv4 traffic still goes via the default WAN interface.

    From /etc/config/firewall

    config zone
            option name 'vpn'
            option output 'ACCEPT'
            list network 'wg1'
            option masq '1'
            option masq6 '1'
            option input 'ACCEPT'
            option forward 'ACCEPT'
    
    config forwarding
            option src 'lan'
            option dest 'wan'
    
    config forwarding
            option src 'lan'
            option dest 'vpn'
    
    Thanked by (3)FrankZ sh97 crunchbits
  • @tmntwitw said:
    Hi @sh97 , I tried to simulate your problem, and was finally able to get it to work after many tries. I needed to create a separate firewall zone for the wireguard interface 'wg1' (I named the firewall zone as 'vpn'). Then follow the steps in https://openwrt.org/docs/guide-user/network/ipv6/ipv6.nat6 to enable 'masq6' on the 'vpn' firewall zone, and disable IPv6 source routing on the 'wg1' interface. After doing these 2 steps, it still doesn't work.

    After reading through this https://openwrt.org/docs/guide-user/services/vpn/wireguard/all-traffic-through-wireguard, it mentions that the lan traffic needs to be forwarded to the wireguard interface instead of the default wan interface. So what I did was to add the 'vpn' zone as an additional entry to the lan forwarding list: screenshot

    And after that, the client machine connected to the openwrt LAN was able to get the IPv6 traffic tunnelled through the wireguard interface, while the IPv4 traffic still goes via the default WAN interface.

    From /etc/config/firewall

    config zone
            option name 'vpn'
            option output 'ACCEPT'
            list network 'wg1'
            option masq '1'
            option masq6 '1'
            option input 'ACCEPT'
            option forward 'ACCEPT'
    
    config forwarding
            option src 'lan'
            option dest 'wan'
    
    config forwarding
            option src 'lan'
            option dest 'vpn'
    

    Hi, thanks for taking the time to check this out. Appreciate it very much!

    I quickly tried following your steps, but unfortunately it did not work out for me. I had tried many other steps from the internet so maybe something was conflicting with this.

    I will perform a reset of the router and try these steps once again over the weekend.

    Also, what did you mean by 'disable IPv6 source routing', I could not find any such option in the interface settings.

    Thanks again.

  • edited August 2023

    @sh97 said:
    Also, what did you mean by 'disable IPv6 source routing', I could not find any such option in the interface settings.

    I followed the steps here as described here: https://openwrt.org/docs/guide-user/network/ipv6/ipv6.nat6#network

    For my case, I wanted to set it on the 'wg1' interface, so the command would be:

    uci set network.wg1.sourcefilter='0'

    From /etc/config/network

    config interface 'wg1'
            option proto 'wireguard'
            option private_key 'xxxxx'
            list addresses 'xxxxx'
            option sourcefilter '0'
    
    config wireguard_wg1
            option description 'xxxxx'
            option public_key 'xxxxx'
            list allowed_ips '::/0'
            option endpoint_host 'xxxxx'
            option endpoint_port 'xxxxx'
            option persistent_keepalive '25'
            option route_allowed_ips '1'
    
    Thanked by (1)sh97
Sign In or Register to comment.