Assigning wireguard peers ipv6 addresses from a /64 subnet on a VPS

Hi everyone,

Here's what I want to achieve: Break out of my ISP's CG-NAT with openWRT running on a VPS (Hetzner to be specific). Wireguard clients connect to the VPS, and can then accept connections over ipv4 and ipv6. The wg clients connected will be running things like a webserver, email server, sftp, and need to be reachable over WAN.

I've managed to get this working for ipv4 but not ipv6.
I used this guide to get openWRT installed on the VPS https://aparcar.org/running-openwrt-on-hetzner/
and this guide to configure wireguard on openWRT https://openwrt.org/docs/guide-user/services/vpn/wireguard/server

The VPS has a public ipv4, and a /64 ipv6 subnet. The wireguard clients can access the web and receive incoming connections (with port forwarding) over ipv4, but do not have ipv6 connectivity.
I'm also not sure whether a /64 is sufficient. I think it should be, since I only need to distribute addresses from the /64 to the wireguard interface, there's no lan interface.

Here's my /etc/config/network
I can provide other config files if needed

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config interface 'wan'
        option device 'eth0'
        option proto 'static'
        option ipaddr 'vps_public_ipv4'
        option netmask '255.255.255.255'
        option ip6addr 'xxxx:xxxx:xxxx:xxxx::1/64'
        option ip6gw 'fe80::1'
        option ip6prefix 'xxxx:xxxx:xxxx:xxxx::/64'
        option dns '1.1.1.1'

config route
        option interface 'wan'
        option target '0.0.0.0/0'
        option gateway '172.31.1.1'

config route
        option interface 'wan'
        option target '172.31.1.1/32'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'openwrt_wg_privkey'
        option listen_port 'wg_port'
        list addresses '192.168.9.1/24'
        list addresses 'xxxx:xxxx:xxxx:xxxx::1/64'

config wireguard_wg0 'wgclient'
        option public_key 'wg_client_pubkey'
        list allowed_ips '192.168.9.4/32'
        list allowed_ips 'xxxx:xxxx:xxxx:xxxx::4/128'

Test IPv6 connectivity from the VPS by explicitly specifying its IPv6 address on the VPN interface as source and make sure that IPv6 forwarding is enabled.

BTW, I used a similar dual-stack VPN setup running on KVM in Linode.

Hi @vgaetera and thanks for the answer, I've come across several of your replies looking through the forum for a solution to my problem.

So I can do curl --interface eth0 https://openwrt.org on the VPS running openWRT and that works for ipv4 and ipv6, but changing to --interface wg0 doesn't work for either ipv4 or ipv6. Is this maybe linked to the wan interface ip6addr being the same as the wg0 interface ipv6 addresses? I thought both interfaces need to have the same ipv6 for my purpose, but I'm not sure.

The wireguard client has ipv4 connectivity over the wireguard interface, curl -4 --interface wg0 https://openwrt.org and dig AAAA openwrt.org work but curl -6 --interface wg0 https://openwrt.org times out.

What do you mean by ipv6 forwarding? I thought port forwarding would be necessary for ipv4 due to NAT, but that wireguard clients would get a global ipv6 and so wouldn't need any port forwarding configuration for ipv6 connections.

I have a /128 address on the WAN interface and another separate routed /56 prefix.
Try getting a routed prefix, otherwise you probably need to use NDP proxy or NAT66.

So you're not using the same ::/64 for the wan and wireguard interfaces?
I only have a /64 from this VPS provider. I will try giving a /128 to the WAN interface and a /80 to the wireguard interface, I think that should be possible without overlapping.

Thanks for the tip about having /128 on the WAN interface @vgaetera !
That seemed to be the problem. I now have an ipv6 of the form ::1/128 for the WAN interface and ::1/64 for the wireguard interface. So they have the same ipv6 up until the slash, meaning the WAN interface just gets a single ipv6 and the wireguard gets the entire /64 subnet.
Clients get a global ipv6, I added traffic rules to make clients accept incoming ipv6 connections and added port forwarding for ipv4. :+1:

Here's my network config for reference, the gateway and ip6gw options are specific to Hetzner:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config interface 'wan'
	option device 'eth0'
	option proto 'static'
	option ipaddr 'zzz.zzz.zzz.zzz'
	option netmask '255.255.255.255'
	option ip6gw 'fe80::1'
	list dns '1.1.1.1'
	list ip6addr 'xxxx:xxxx:xxxx:xxxx::1/128'

config route
	option interface 'wan'
	option target '0.0.0.0/0'
	option gateway '172.31.1.1'

config route
	option interface 'wan'
	option target '172.31.1.1/32'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'priv_key'
	option listen_port '51820'
	list addresses 'yyy.yyy.yyy.1/24'
	list addresses 'xxxx:xxxx:xxxx:xxxx::1/64'

config wireguard_wg0 'wgclient'
	option public_key 'pub_key'
	list allowed_ips 'yyy.yyy.yyy.4/32'
	list allowed_ips 'xxxx:xxxx:xxxx:xxxx::4/128'

config wireguard_wg0
	option description 'client2'
	list allowed_ips 'yyy.yyy.yyy.2/32'
	list allowed_ips 'xxxx:xxxx:xxxx:xxxx::2/128'
	option public_key 'pub_key'
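The difference between the first (non-working) config and this final one is easy to miss in a long /etc/config/network, so here is a small checker for that layout. It is an added example, not code from this thread or from OpenWrt: it parses the UCI network file, takes the single IPv6 prefix on wg0 as the tunnel's /64, and flags a WAN address that claims the same /64 on-link, a wan ip6prefix that offers the same /64 for delegation, and peer allowed_ips that fall outside the /64, collide with the server address, or are allowed for two peers. The two embedded configs are constructed from the posts above with the placeholders replaced by the documentation prefix 2001:db8:1:2::/64.

```python
import ipaddress
import shlex

# Constructed: the layout from the first post (WAN and wg0 both hold the /64).
BROKEN_CONFIG = """
config interface 'wan'
        option device 'eth0'
        option ip6addr '2001:db8:1:2::1/64'
        option ip6gw 'fe80::1'
        option ip6prefix '2001:db8:1:2::/64'

config interface 'wg0'
        option proto 'wireguard'
        list addresses '192.168.9.1/24'
        list addresses '2001:db8:1:2::1/64'

config wireguard_wg0 'wgclient'
        option public_key 'wg_client_pubkey'
        list allowed_ips '192.168.9.4/32'
        list allowed_ips '2001:db8:1:2::4/128'
"""

# Constructed: the working layout from the last post (WAN gets a /128 only).
FIXED_CONFIG = """
config interface 'wan'
        option device 'eth0'
        option ip6gw 'fe80::1'
        list ip6addr '2001:db8:1:2::1/128'

config interface 'wg0'
        option proto 'wireguard'
        list addresses '10.9.0.1/24'
        list addresses '2001:db8:1:2::1/64'

config wireguard_wg0 'wgclient'
        option public_key 'pub_key'
        list allowed_ips '10.9.0.4/32'
        list allowed_ips '2001:db8:1:2::4/128'

config wireguard_wg0
        option description 'client2'
        option public_key 'pub_key2'
        list allowed_ips '10.9.0.2/32'
        list allowed_ips '2001:db8:1:2::2/128'
"""


def parse_uci(text):
    """Minimal parser for UCI 'config' / 'option' / 'list' lines."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)  # handles the quoted values
        if not parts:
            continue
        if parts[0] == "config":
            sections.append({"type": parts[1], "name": parts[2] if len(parts) > 2 else None,
                             "options": {}, "lists": {}})
        elif parts[0] == "option":
            sections[-1]["options"][parts[1]] = parts[2]
        elif parts[0] == "list":
            sections[-1]["lists"].setdefault(parts[1], []).append(parts[2])
    return sections


def _v6(values):
    """Keep only the IPv6 entries of a list of 'addr/len' strings."""
    return [i for i in map(ipaddress.ip_interface, values) if i.version == 6]


def check_ipv6_layout(text, wg="wg0"):
    """Return a list of findings; an empty list means the layout matches the working one."""
    findings = []
    sections = parse_uci(text)
    ifaces = {s["name"]: s for s in sections if s["type"] == "interface"}
    tunnel = ifaces.get(wg)
    if tunnel is None:
        return [f"no interface section named {wg}"]
    tunnel_addrs = _v6(tunnel["lists"].get("addresses", []))
    if len(tunnel_addrs) != 1:
        return [f"{wg} must carry exactly one IPv6 address/prefix, found {len(tunnel_addrs)}"]
    prefix, server = tunnel_addrs[0].network, tunnel_addrs[0].ip  # the /64 owned by the tunnel

    wan = ifaces.get("wan", {"options": {}, "lists": {}})
    wan_addrs = list(wan["lists"].get("ip6addr", []))  # ip6addr may be 'list' or 'option'
    if "ip6addr" in wan["options"]:
        wan_addrs.append(wan["options"]["ip6addr"])
    for a in _v6(wan_addrs):
        if a.network.overlaps(prefix) and a.network.prefixlen < 128:
            findings.append(f"wan address {a} puts the whole {prefix} on-link via eth0; "
                            f"use {a.ip}/128 so only {wg} owns the prefix")
    ip6prefix = wan["options"].get("ip6prefix")
    if ip6prefix and ipaddress.ip_network(ip6prefix).overlaps(prefix):
        findings.append(f"wan ip6prefix offers {prefix} for delegation while {wg} uses it statically; remove it")

    seen = {}  # address -> peer label, to catch the same host allowed for two peers
    for s in sections:
        if s["type"] != f"wireguard_{wg}":
            continue
        who = s["options"].get("description") or s["name"] or s["options"].get("public_key", "?")[:8]
        for a in _v6(s["lists"].get("allowed_ips", [])):
            if a.ip not in prefix:
                findings.append(f"peer {who}: {a} is outside {prefix}, it will never be routed into {wg}")
            elif a.ip == server:
                findings.append(f"peer {who}: {a} is the server's own {wg} address")
            elif a.network.prefixlen != 128:
                findings.append(f"peer {who}: {a} claims more than a single host address")
            if a.ip in seen:
                findings.append(f"peer {who}: {a.ip} is also allowed for peer {seen[a.ip]}")
            seen[a.ip] = who
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_ipv6_layout(cfg) or "ok")
```

To run it against a real router, read /etc/config/network into a string and pass it to check_ipv6_layout; the parser only understands the config/option/list lines the thread uses, which is all this file needs.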