Allow IPv6 Wireguard traffic through to OpenWrt router

Hi all,

I have Server A and Clients B and C on a Wireguard network. Client C is a router with OpenWRT and the other two are Linux machines.

I am trying to get IPv6 addresses working on Wireguard so I can communicate with the router behind a NAT. So far I can IPv6 ping between the other peers, so the Wireguard configurations are working, but I can't IPv6 ping any other peer from the router.

The router's global IPv6 address used as the Endpoint is also valid and reachable from the public internet, so it's not that.

When I ping any IPv6 address that is on the router's actual LAN, it works. When I ping a peer's Wireguard IPv6 address, it says "Network unreachable".

I believe it is some firewall setting preventing OpenWRT from communicating on its Wireguard IPv6 address.

Thanks in advance.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export firewall; \
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru

Also the wg config and firewall from the other systems.

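The redaction step the reply above asks for, as an added example that is not part of the original thread: a small filter to pipe the requested command output through before pasting it. It masks WireGuard keys (both UCI `option private_key '...'` and `wg showconf` `PrivateKey = ...` syntax), MAC addresses, global unicast IPv6 addresses (2000::/3) and public IPv4 addresses, and deliberately leaves RFC 1918, ULA (fc00::/7), link-local and loopback addresses visible, since those are exactly what a helper needs to see to reason about the routing. The patterns and the sample lines are my assumptions about what this output usually contains, not text from the thread.

```shell
#!/bin/sh
# Added example: redact secrets and identifying addresses from OpenWrt /
# WireGuard diagnostics before posting them. Usage on the router:
#   { ubus call system board; uci export network; uci export firewall; \
#     ip -6 addr; ip -6 ro li tab all; ip -6 ru; wg showconf wg0; } | redact
redact() {
  # sed: 1) WireGuard keys (44-char base64) in UCI and wg(8) syntax
  #      2) global unicast IPv6 (first hex digit 2 or 3); the match must not be
  #         preceded by a hex digit or ':' so it cannot eat the tail of a
  #         link-local or ULA address
  #      3) MAC addresses, run after IPv6 so a GUA cannot be mis-split into
  #         MAC-like groups
  sed -E \
    -e "s#((private|public|preshared)_key|PrivateKey|PublicKey|PresharedKey)([ =']+)[A-Za-z0-9+/=]{40,}#\1\3[redacted-key]#g" \
    -e 's#(^|[^0-9A-Fa-f:])[23][0-9A-Fa-f]{3}:[0-9A-Fa-f:]+#\1[gua6]#g' \
    -e 's#(^|[^0-9A-Fa-f:])([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}#\1[mac]#g' |
  # awk: public IPv4 only; sed cannot compare octets, awk can. Private,
  # loopback, link-local, unspecified and broadcast/netmask values are kept.
  awk '{
    line = $0; out = ""
    while (match(line, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
      a = substr(line, RSTART, RLENGTH); split(a, o, ".")
      keep = (o[1] == 10 || o[1] == 127 || o[1] == 0 || o[1] == 255 ||
              (o[1] == 192 && o[2] == 168) || (o[1] == 169 && o[2] == 254) ||
              (o[1] == 172 && o[2] >= 16 && o[2] <= 31))
      r = keep ? a : "[ip4]"
      out = out substr(line, 1, RSTART - 1) r
      line = substr(line, RSTART + RLENGTH)
    }
    print out line
  }'
}

# Constructed sample lines (not real output) covering each redaction case.
sample_input() {
  cat <<'EOF'
    option private_key 'aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789abcdefg='
    option macaddr 'a4:2b:b0:12:34:56'
    option endpoint_host '203.0.113.7'
    list addresses '10.0.0.3/24'
    inet6 2600:1700:abcd:1::21d/64 scope global dynamic noprefixroute
    inet6 fe80::2ac6:8eff:fe72:21c/64 scope link
    inet6 fdc9:281f:4d7:9ee9::3/128 scope global
EOF
}

# Demo run on the constructed sample.
sample_input | redact
```

Only the key, the MAC, the public endpoint and the 2600:: address are replaced; the 10/8 tunnel address, the link-local and the fdc9:: ULA stay readable. Hostnames used as `endpoint_host` are not covered, so check those by eye.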

Note that if you want to connect to your WG peers (the Linux boxes), they also have their own firewalls.

You might need to open up their firewalls for traffic from the WG subnet and from the OpenWRT subnet.

# ubus call system board; \
> uci export network; uci export firewall; \
> ip -6 addr ; ip -6 ro li tab all ; ip -6 ru
{
	"kernel": "5.10.176",
	"hostname": "[...]",
	"system": "ARMv7 Processor rev 0 (v7l)",
	"model": "Netgear R6250 V1 (BCM4708)",
	"board_name": "netgear,r6250v1",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.5",
		"revision": "r20134-5f15225c1e",
		"target": "bcm53xx/generic",
		"description": "OpenWrt 22.03.5 r20134-5f15225c1e"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd4d:[...]/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.5.1'

config device
	option name 'wan'
	option macaddr '[...]'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'wg0'
	option proto 'wireguard'
	option private_key '[...]'
	option listen_port '51871'
	list addresses '10.0.0.3/24'
	list addresses 'fdc9:281f:04d7:9ee9::3/128'

config wireguard_wg0
	option public_key '[...]'
	option endpoint_host '[...]'
	option endpoint_port '51871'
	option persistent_keepalive '25'
	list allowed_ips '10.0.0.1/32'
	list allowed_ips '10.0.0.0/24'
	list allowed_ips 'fdc9:281f:04d7:9ee9::1/128'

config wireguard_wg0
	option public_key '[...]'
	option persistent_keepalive '25'
	list allowed_ips '10.0.0.2/32'
	list allowed_ips '10.0.0.0/24'
	list allowed_ips 'fdc9:281f:04d7:9ee9::2/128'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list device 'tun0'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'wg'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wg0'

config forwarding
	option src 'wg'
	option dest 'lan'

config forwarding
	option src 'wg'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'wg'

config forwarding
	option src 'wan'
	option dest 'wg'

config rule
	option src 'wan'
	option dest 'wg'
	option target 'ACCEPT'

config rule
	option src 'wg'
	option dest '*'
	option target 'ACCEPT'

config redirect
	option dest 'wg'
	option target 'DNAT'
	option src 'wan'
	option src_dport '51871'
	option dest_port '51871'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::2ac6:8eff:fe72:21c/64 scope link 
       valid_lft forever preferred_lft forever
9: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fdcc:[...]21d/64 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 2600:[...]21d/64 scope global dynamic noprefixroute 
       valid_lft 79889sec preferred_lft 79889sec
    inet6 fdcc:[...]c11/128 scope global dynamic noprefixroute 
       valid_lft 43188sec preferred_lft 43188sec
    inet6 2600:[...]c11/128 scope global dynamic noprefixroute 
       valid_lft 43188sec preferred_lft 43188sec
    inet6 fe80::2ac6:8eff:fe72:21d/64 scope link 
       valid_lft forever preferred_lft forever
11: br-lan: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 state DOWN qlen 1000
    inet6 fdcc:[...]1/62 scope global dynamic noprefixroute 
       valid_lft 43188sec preferred_lft 43188sec
    inet6 fd4d:[...]1/60 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::2ac6:8eff:fe72:21c/64 scope link 
       valid_lft forever preferred_lft forever
13: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 state UNKNOWN qlen 1000
    inet6 fdc9:281f:4d7:9ee9::3/128 scope global 
       valid_lft forever preferred_lft forever
14: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 500
    inet6 fe80::9f44:485f:b62c:dc5/64 scope link flags 800 
       valid_lft forever preferred_lft forever
default from 2600:[...]c11 via fe80::861b:5eff:feda:61af dev wan  metric 512 
default from 2600:[...]/64 via fe80::861b:5eff:feda:61af dev wan  metric 512 
default from fdcc:[...]c11 via fe80::861b:5eff:feda:61af dev wan  metric 512 
default from fdcc:[...]/64 via fe80::861b:5eff:feda:61af dev wan  metric 512 
default from fdcc:[...]/62 via fe80::861b:5eff:feda:61af dev wan  metric 512 
2600:[...]/62 from 2600:[...]c11 via fe80::861b:5eff:feda:61af dev wan  metric 512 
2600:[...]/62 from 2600:[...]/64 via fe80::861b:5eff:feda:61af dev wan  metric 512 
2600:[...]/62 from fdcc:[...]c11 via fe80::861b:5eff:feda:61af dev wan  metric 512 
2600:[...]/62 from fdcc:[...]/64 via fe80::861b:5eff:feda:61af dev wan  metric 512 
2600:[...]/62 from fdcc:[...]/62 via fe80::861b:5eff:feda:61af dev wan  metric 512 
2600:[...]/64 dev wan  metric 256 
unreachable 2600:[...]/64 dev lo  metric 2147483647 
fd4d:52f0:47ef::/64 dev br-lan  metric 1024 
unreachable fd4d:52f0:47ef::/48 dev lo  metric 2147483647 
fdc9:281f:4d7:9ee9::3 dev wg0  metric 256 
fdcc:[...]/48 from 2600:[...]c11 via fe80::861b:5eff:feda:61af dev wan  metric 512 
fdcc:[...]/48 from 2600:[...]/64 via fe80::861b:5eff:feda:61af dev wan  metric 512 
fdcc:[...]/48 from fdcc:[...]c11 via fe80::861b:5eff:feda:61af dev wan  metric 512 
fdcc:[...]48 from fdcc:[...]/64 via fe80::861b:5eff:feda:61af dev wan  metric 512 
fdcc:[...]/48 from fdcc:[...]/62 via fe80::861b:5eff:feda:61af dev wan  metric 512 
fdcc:[...]/64 dev wan  metric 256 
unreachable fdcc:[...]/64 dev lo  metric 2147483647 
fdcc:[...]/64 dev br-lan  metric 1024 
unreachable fdcc:[...]/62 dev lo  metric 2147483647 
fe80::/64 dev eth0  metric 256 
fe80::/64 dev br-lan  metric 256 
fe80::/64 dev wan  metric 256 
fe80::/64 dev tun0  metric 256 
local ::1 dev lo table local  metric 0 
anycast 2600:[...] dev wan table local  metric 0 
local 2600:[...]c11 dev wan table local  metric 0 
local 2600:[...]21d dev wan table local  metric 0 
anycast fd4d:[...] dev br-lan table local  metric 0 
local fd4d:[...]1 dev br-lan table local  metric 0 
local fdc9:[...]3 dev wg0 table local  metric 0 
anycast fdcc:[...] dev wan table local  metric 0 
local fdcc:[...]c11 dev wan table local  metric 0 
local fdcc:[...]21d dev wan table local  metric 0 
anycast fdcc:[...] dev br-lan table local  metric 0 
local fdcc:[...]1 dev br-lan table local  metric 0 
anycast fe80:: dev eth0 table local  metric 0 
anycast fe80:: dev br-lan table local  metric 0 
anycast fe80:: dev wan table local  metric 0 
anycast fe80:: dev tun0 table local  metric 0 
local fe80:[...]21c dev eth0 table local  metric 0 
local fe80:[...]21c dev br-lan table local  metric 0 
local fe80:[...]21d dev wan table local  metric 0 
local fe80:[...]dc5 dev tun0 table local  metric 0 
multicast ff00::/8 dev eth0 table local  metric 256 
multicast ff00::/8 dev br-lan table local  metric 256 
multicast ff00::/8 dev wan table local  metric 256 
multicast ff00::/8 dev wg0 table local  metric 256 
multicast ff00::/8 dev tun0 table local  metric 256 
0:	from all lookup local 
32766:	from all lookup main 
4200000000:	from fdcc:[...]1/62 iif br-lan lookup unspec unreachable

# wg showconf wg0
[Interface]
ListenPort = 51871
PrivateKey = [...]

[Peer]
PublicKey = [...]
AllowedIPs = 10.0.0.1/32, fdc9:281f:4d7:9ee9::1/128
Endpoint = [...]:51871
PersistentKeepalive = 25

[Peer]
PublicKey = [...]
AllowedIPs = 10.0.0.2/32, 10.0.0.0/24, fdc9:281f:4d7:9ee9::2/128
PersistentKeepalive = 25

Whew, that was a lot. Thanks! Sorry if I cut out too much, I'm still new to IPv6.
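An added check, not part of the original thread, that reads the `uci export network` output posted above and flags the two WireGuard problems in it. The first is the one behind "Network unreachable": OpenWrt's WireGuard proto handler only installs kernel routes for a peer's `allowed_ips` when that peer has `option route_allowed_ips '1'` (the default is 0), and the posted route table confirms this, since the only wg0 route is `fdc9:281f:4d7:9ee9::3 dev wg0`. With a /128 on wg0 and no routed allowed_ips there is simply no IPv6 route toward ::1 or ::2, while IPv4 works only because `10.0.0.3/24` gives a connected route. The second is redundant `allowed_ips` entries (a /32 already inside a /24 on the same peer). The lint is my own code; it checks prefix containment for IPv4 only, to keep the awk portable to BusyBox.

```shell
#!/bin/sh
# Added example: lint `uci export network` (stdin) for WireGuard routing
# mistakes. Prints one finding per line; exit status 1 if anything was found.
# Usage on the router:  uci export network | wg_lint
wg_lint() {
  awk '
    function warn(msg) { print msg; bad++ }
    function ip4(s,   o) { split(s, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4] }
    # True when IPv4 prefix a lies strictly inside prefix b.
    function covered(a, b,   pa, pb, la, lb, blk) {
      if (a !~ /^[0-9.]+\/[0-9]+$/ || b !~ /^[0-9.]+\/[0-9]+$/) return 0
      split(a, pa, "/"); split(b, pb, "/")
      la = pa[2] + 0; lb = pb[2] + 0
      if (lb >= la) return 0
      blk = 2 ^ (32 - lb)                  # size of the b block in addresses
      return int(ip4(pa[1]) / blk) == int(ip4(pb[1]) / blk)
    }
    # End of a section: remember WireGuard interfaces and their peers.
    function flush() {
      if (type == "interface" && opt["proto"] == "wireguard")
        ifaddrs[sname] = lst["addresses"]
      else if (type ~ /^wireguard_/) {
        np++
        pif[np] = substr(type, 11)         # peer section type is wireguard_<ifname>
        prouted[np] = opt["route_allowed_ips"]
        pallowed[np] = lst["allowed_ips"]
      }
      split("", opt); split("", lst); type = ""; sname = ""
    }
    $1 == "config" { flush(); type = $2; sname = $3; gsub(/[^A-Za-z0-9_]/, "", sname) }
    $1 == "option" || $1 == "list" {
      v = $0
      sub(/^[ \t]*[a-z]+[ \t]+[^ \t]+[ \t]+/, "", v)   # drop "option key "
      v = substr(v, 2, length(v) - 2)                  # drop the single quotes
      if ($1 == "option") opt[$2] = v
      else lst[$2] = (($2 in lst) ? lst[$2] " " : "") v
    }
    END {
      flush()
      for (p = 1; p <= np; p++) {
        # netifd adds routes for allowed_ips only with route_allowed_ips 1;
        # with a host-only interface address that leaves no route at all.
        if (prouted[p] != "1") {
          m = split(ifaddrs[pif[p]], ia, " ")
          for (i = 1; i <= m; i++)
            if (ia[i] ~ /\/(32|128)$/)
              warn(sprintf("peer %d on %s: route_allowed_ips is not set and %s is a host-only address, so there is no kernel route to this peer in that address family (ping says Network unreachable)", p, pif[p], ia[i]))
        }
        n = split(pallowed[p], al, " ")
        for (i = 1; i <= n; i++)
          for (j = 1; j <= n; j++)
            if (i != j && covered(al[i], al[j]))
              warn(sprintf("peer %d on %s: allowed_ips %s is already covered by %s", p, pif[p], al[i], al[j]))
      }
      exit (bad > 0)
    }
  '
}

# The wg0 part of the export posted in this thread, reproduced as sample input.
sample_config() {
  cat <<'EOF'
package network

config interface 'wg0'
  option proto 'wireguard'
  option private_key '[...]'
  option listen_port '51871'
  list addresses '10.0.0.3/24'
  list addresses 'fdc9:281f:04d7:9ee9::3/128'

config wireguard_wg0
  option public_key '[...]'
  option endpoint_host '[...]'
  option endpoint_port '51871'
  option persistent_keepalive '25'
  list allowed_ips '10.0.0.1/32'
  list allowed_ips '10.0.0.0/24'
  list allowed_ips 'fdc9:281f:04d7:9ee9::1/128'

config wireguard_wg0
  option public_key '[...]'
  option persistent_keepalive '25'
  list allowed_ips '10.0.0.2/32'
  list allowed_ips '10.0.0.0/24'
  list allowed_ips 'fdc9:281f:04d7:9ee9::2/128'
EOF
}

sample_config | wg_lint && echo "no findings"
```

On the posted config this reports four findings: each of the two peers has no `route_allowed_ips` while wg0 carries the /128, and each carries a /32 that its own /24 already covers. A quick live cross-check on the router is `ip -6 route get fdc9:281f:4d7:9ee9::1`, which returns "Network unreachable" for exactly the same reason.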

The second peer is not correct, as the traffic will go through the server.
You need to remove the

from the server, as it is covered by the /24.
Also the subnet mask in the wg tunnel is not correct, since you are not routing the allowed_ips.
Change the mask

Regarding the firewall, it would make sense to add the wg0 network to the lan zone and delete the wg zone and all those forwardings.

The redirect is not needed, as the client will initiate the traffic and open the firewall.

On the server fix the allowed IPs

and on the peer remove the /24.

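The router-side changes from the reply above, written out as a `uci batch` script. This is an added example, not something posted in the thread, and two things in it are my assumptions rather than statements from the reply: the tunnel's IPv6 subnet is taken to be fdc9:281f:04d7:9ee9::/64 (the reply says only to change the mask), and the exact config lines the reply quotes are not shown above, so which `allowed_ips` entries to remove is my reading of its text. Section indices (`@wireguard_wg0[0]` is the server peer, `@wireguard_wg0[1]` is client B, `@zone[0]` is lan, `@zone[2]` is wg, `@forwarding[1..4]` are the four wg forwardings, `@rule[9]` and `@rule[10]` are the two unnamed ACCEPT rules, `@redirect[0]` is the port redirect) are read off the posted export and must be re-checked with `uci show firewall` on the actual device before applying.

```shell
#!/bin/sh
# Added example: apply the thread's recommendations on the OpenWrt router.
#   sh wg_fix.sh          prints the uci batch for review
#   sh wg_fix.sh apply    runs it, commits and reloads
wg_fix_batch() {
  # '#' lines are for the reader and are stripped before uci sees them.
  # Deletions run from the highest index down so earlier indices stay valid.
  cat <<'EOF' | grep -v '^#'
# wg0: subnet-sized addresses give the kernel a connected route to the whole
# tunnel subnet, so peer addresses are reachable without route_allowed_ips.
delete network.wg0.addresses
add_list network.wg0.addresses=10.0.0.3/24
add_list network.wg0.addresses=fdc9:281f:04d7:9ee9::3/64
# server peer: the /32 is already covered by the /24
del_list network.@wireguard_wg0[0].allowed_ips=10.0.0.1/32
# client B peer: traffic to the other client goes through the server
del_list network.@wireguard_wg0[1].allowed_ips=10.0.0.0/24
# firewall: wg0 joins the lan zone; the wg zone, its forwardings, the two
# blanket ACCEPT rules and the redirect go away. The router initiates the
# handshake to the server, so conntrack admits the replies without a rule.
add_list firewall.@zone[0].network=wg0
delete firewall.@redirect[0]
delete firewall.@rule[10]
delete firewall.@rule[9]
delete firewall.@forwarding[4]
delete firewall.@forwarding[3]
delete firewall.@forwarding[2]
delete firewall.@forwarding[1]
delete firewall.@zone[2]
EOF
}

if [ "${1:-}" = "apply" ]; then
  wg_fix_batch | uci batch &&
    uci commit network && uci commit firewall &&
    reload_config
else
  wg_fix_batch
fi
```

The ordering matters twice: `delete` plus `add_list` rebuilds the address list rather than turning it into a plain option, and the firewall deletions run highest index first. If you would rather keep the /128 on wg0, the equivalent is `option route_allowed_ips '1'` on each peer, which makes netifd install a route for every `allowed_ips` entry; the mask change is the route the reply takes. Check afterwards with `ip -6 route` (a `fdc9:281f:4d7:9ee9::/64 dev wg0` route should appear) and `ping6 fdc9:281f:4d7:9ee9::1`.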