Can't connect to github.com through OpenWrt using Wireguard

My network, hierarchically:

• SAGEMCOM F@st 5460 FTTH Modem, connected to the internet through Vodafone.
• TP-Link Router with OpenWrt 19.07.3 installed, and WireGuard set up and working.
• My devices, connected through Ethernet or Wi-Fi
  Network diagram:
  
  NB: same thing happens if modem is on 192.168.0.x and router on 192.168.99.x.

My problem:
I can't connect to some websites, like github.com. I can ping it but a traceroute times out.
I can't upload images on imgur.com, but I can browse the website just fine.
A simple example: I can view this forum from my router, but attempting to post or upload an image from the router's subnetwork results in a timeout.
It works fine when WireGuard is disabled on the router or if I connect my computer directly to the modem with the VPN vendor's app installed. This makes me think that the problem lies somewhere in my OpenWrt configuration, but where? Firewall rules? NAT forwarding? Static routes? Bug in Wireguard?

I'm thinking it could be somehow caused by double NAT, but that doesn't appear to be a problem in the traceroutes. Also wouldn't explain why it works fine without WireGuard. Or it's caused by some misconfiguration elsewhere, but where?

More information:
ipleak.net results:

659×668

Traceroute on modem:

traceroute to github.com (140.82.118.3), 30 hops max, 60 byte packets
 1  kabel (192.168.0.1)  5.543 ms  6.910 ms  6.885 ms
 2  xxxx-isp.superkabel.de (x)  28.498 ms  28.979 ms  28.959 ms
...

Traceroute on router:

traceroute to github.com (140.82.118.4), 30 hops max, 60 byte packets
 1  _gateway (192.168.0.2)  1.397 ms  2.702 ms  2.761 ms
 2  10.x.x.x (10.x.x.x)  29.762 ms  30.080 ms  30.163 ms
 3  xx (x.x.x.x / VPN adress)  32.325 ms  32.409 ms  32.713 ms
 4  x.x.x.x (x.x.x.x)  32.773 ms  32.697 ms  32.675 ms
 5  (Timeout)

OpenWrt config: https://pastebin.com/FAESbtrh

Screenshot_2020-07-23_16-08-45984×627 42.7 KB

Any help is appreciated.

For a start you are using the same subnet in wan and lan. This won't work. Either use a different one, or make the OpenWrt a dumbAP.
I am aware that you tried with 192.168.99.x in the lan, but the configs you posted show the same subnet in wan and lan.

They're not the same. Modem uses IPs 0-127, router 128-255. I'll try changing it to .1.x anyways, but I doubt it'll change anything

Your lan interface has mask /24 which means from 0-255.

config interface 'lan'
    option type 'bridge'
    option ifname 'eth0.1'
    option proto 'static'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option ipaddr '192.168.0.2'

Changed the router's IP to 192.168.99.1, same behaviour. Another interesting finding I just noticed, which actually makes it even more confusing to me: I can connect to github on Windows. I tried connecting on 2 different Linux devices, no success. Does that make it clearer for you?

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*

Here you go! Thank you.

BusyBox v1.30.1 () built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 19.07.3, r11063-85e04e9f46
 -----------------------------------------------------
root@OpenWrt:~# ubus call system board; \
> uci export network; uci export wireless; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
{
        "kernel": "4.14.180",
        "hostname": "OpenWrt",
        "system": "Qualcomm Atheros QCA956X ver 1 rev 0",
        "model": "TP-Link TL-WR1043ND v4",
        "board_name": "tplink,tl-wr1043nd-v4",
        "release": {
                "distribution": "OpenWrt",
                "version": "19.07.3",
                "revision": "r11063-85e04e9f46",
                "target": "ath79/generic",
                "description": "OpenWrt 19.07.3 r11063-85e04e9f46"
        }
}
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdd3:ef5d:b266::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.99.1'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr 'x'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 0t'

config route
        option target '192.168.0.1'
        option gateway '192.168.0.1'
        option netmask '255.255.255.0'
        option interface 'lan'

config route6
        option target 'fe80::145d:50ff:fe1c:b8cc'
        option gateway 'fe80::145d:50ff:fe1c:b8cc'
        option interface 'lan'

config interface 'WGINTERFACE'
        option proto 'wireguard'
        option private_key 'x'
        option listen_port '51820'
        list addresses 'x'
        option force_link '1'

config wireguard_WGINTERFACE
        option public_key 'x'
        option description 'x'
        option persistent_keepalive '25'
        option endpoint_port '51820'
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'
        option endpoint_host 'x.mullvad.net'

package wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'platform/ahb/18100000.wmac'
        option htmode 'HT20'

config wifi-iface 'wifinet1'
        option ssid 'OpenWrt'
        option encryption 'psk2'
        option device 'radio0'
        option mode 'ap'
        option network 'lan'
        option key 'x'

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'
        list server '10.64.0.1'

config dhcp 'lan'
        option interface 'lan'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        list dhcp_option '6,10.64.0.1'
        option start '100'
        option limit '150'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'sq'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'sq'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'
        option input 'REJECT'
        option forward 'REJECT'

config rule
        option name 'Allow-DHCP-Renew'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'
        option src 'WGZONE'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option network 'WGINTERFACE'
        option name 'WGZONE'
        option mtu_fix '1'
        option masq '1'
        option output 'ACCEPT'
        option input 'REJECT'
        option forward 'REJECT'

config forwarding
        option dest 'WGZONE'
        option src 'lan'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.0.88/24 brd 192.168.0.255 scope global eth0.2
       valid_lft forever preferred_lft forever
8: WGINTERFACE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.x/32 brd 255.255.255.255 scope global WGINTERFACE
       valid_lft forever preferred_lft forever
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.99.1/24 brd 192.168.99.255 scope global br-lan
       valid_lft forever preferred_lft forever
default dev WGINTERFACE proto static scope link
185.x via 192.168.0.1 dev eth0.2 proto static
192.168.0.0/24 dev eth0.2 proto kernel scope link src 192.168.0.88
192.168.99.0/24 dev br-lan proto kernel scope link src 192.168.99.1
local 10.x dev WGINTERFACE table local proto kernel scope host src 10.x
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.0.0 dev eth0.2 table local proto kernel scope link src 192.168.0.88
local 192.168.0.88 dev eth0.2 table local proto kernel scope host src 192.168.0.88
broadcast 192.168.0.255 dev eth0.2 table local proto kernel scope link src 192.168.0.88
broadcast 192.168.99.0 dev br-lan table local proto kernel scope link src 192.168.99.1
local 192.168.99.1 dev br-lan table local proto kernel scope host src 192.168.99.1
broadcast 192.168.99.255 dev br-lan table local proto kernel scope link src 192.168.99.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 x/64 scope link
       valid_lft forever preferred_lft forever
7: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 x/64 scope global dynamic noprefixroute
       valid_lft 4509sec preferred_lft 1809sec
    inet6 x/64 scope link
       valid_lft forever preferred_lft forever
9: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 x/64 scope link
       valid_lft forever preferred_lft forever
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 x/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 x/64 scope link
       valid_lft forever preferred_lft forever
default from 2a02:810a:8340:72a1::/64 via fe80::145d:50ff:fe1c:b8cc dev eth0.2 proto static metric 512 pref medium
2a02:810a:8340:72a1::/64 dev eth0.2 proto static metric 256 pref medium
2a02:810a:8340:72a1::/64 via fe80::145d:50ff:fe1c:b8cc dev eth0.2 proto static metric 512 pref medium
fdd3:ef5d:b266::/64 dev br-lan proto static metric 1024 pref medium
unreachable fdd3:ef5d:b266::/48 dev lo proto static metric 2147483647 error 4294967148 pref medium
fe80::145d:50ff:fe1c:b8cc via fe80::145d:50ff:fe1c:b8cc dev br-lan proto static metric 1024 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0.2 proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast 2a02:810a:8340:72a1:: dev eth0.2 table local proto kernel metric 0 pref medium
local 2a02:810a:8340:72a1:1ad6:c7ff:fe51:6ec5 dev eth0.2 table local proto kernel metric 0 pref medium
anycast fdd3:ef5d:b266:: dev br-lan table local proto kernel metric 0 pref medium
local fdd3:ef5d:b266::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0.2 table local proto kernel metric 0 pref medium
anycast fe80:: dev wlan0 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
local fe80::1ad6:c7ff:fe51:6ec4 dev eth0 table local proto kernel metric 0 pref medium
local fe80::1ad6:c7ff:fe51:6ec4 dev wlan0 table local proto kernel metric 0 pref medium
local fe80::1ad6:c7ff:fe51:6ec4 dev br-lan table local proto kernel metric 0 pref medium
local fe80::1ad6:c7ff:fe51:6ec5 dev eth0.2 table local proto kernel metric 0 pref medium
ff00::/8 dev eth0 table local metric 256 pref medium
ff00::/8 dev eth0.2 table local metric 256 pref medium
ff00::/8 dev wlan0 table local metric 256 pref medium
ff00::/8 dev WGINTERFACE table local metric 256 pref medium
ff00::/8 dev br-lan table local metric 256 pref medium
0:      from all lookup local
32766:  from all lookup main
4200000001:     from all iif lo failed_policy
4200000007:     from all iif eth0.2 failed_policy
4200000007:     from all iif eth0.2 failed_policy
4200000008:     from all iif WGINTERFACE failed_policy
4200000010:     from all iif br-lan failed_policy
lrwxrwxrwx    1 root     root            16 May 16 18:32 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Jul 23 15:42 /tmp/resolv.conf
-rw-r--r--    1 root     root           129 Jul 23 12:52 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface wan
nameserver 192.168.0.1
search box
# Interface wan6
nameserver 2a02:810a:8340:72a1:bad9:4dff:fe66:2784
search box

Pointless, remove it.

Then reboot the router to clean up any trash leftover from these entries.

Looks better now.
I suspect your Linux hosts are using the Ipv6 connection via your ISP, which doesn't work so well with the Mulvad nameserver, which you advertise.

Can you try to run traceroute from Win and Linux to a host in ipv4 and v6?

Removed the static routes and ran 8 traceroutes (IPv4/6, modem/OpenWrt router, linux/windows). Looks like you're on the right track, this is more progress that I've made in weeks. So IPv6 support would be the problem?

Windows, Modem, IPv6

Tracing route to google.com [2a00:1450:4001:800::200e]
over a maximum of 30 hops:

  1    10 ms     4 ms     4 ms  kabel [x] 
  2    41 ms    16 ms    18 ms  x 
  3    19 ms    15 ms    15 ms  2a02:8100:6:2::105:c1 
  4     *        *        *     Request timed out.
  5     *       15 ms     *     2a00::1fff:0:c01:c01:9 
  6     *        *        *     Request timed out.
  7    28 ms    34 ms    29 ms  2001:4860:1:1::1d4 
  8    53 ms    44 ms    39 ms  2a00:1450:80f2::1 
  9    47 ms    41 ms    47 ms  2001:4860:0:12e4::1 
 10    42 ms    43 ms    70 ms  2001:4860:0:12e4::3 
 11    48 ms    29 ms    30 ms  2001:4860::c:4001:ec6 
 12    63 ms    28 ms    31 ms  2001:4860::c:4001:5c5 
 13    35 ms     *       29 ms  2001:4860::c:4000:f873 
 14     *        *        *     Request timed out.
 15    32 ms     *        *     2001:4860:0:1::26d7 
 16    28 ms    36 ms    28 ms  fra07s27-in-x200e.1e100.net [2a00:1450:4001:800::200e] 

Trace complete.

Windows, Router, IPv6

Unable to resolve target system name google.com.

Windows, Modem, IPv4

Tracing route to google.com [172.217.23.110]
over a maximum of 30 hops:

  1    30 ms    22 ms     5 ms  kabel [192.168.0.1]
  2     *       53 ms    30 ms  x-isp.superkabel.de [x]
  3    29 ms    38 ms    39 ms  x.static.kabel-deutschland.de [x]
  4    37 ms    62 ms    33 ms  145.254.3.94
  5   126 ms    67 ms    40 ms  145.254.2.217
  6    69 ms   136 ms    48 ms  145.254.2.217
  7    64 ms    71 ms    47 ms  72.14.194.138
  8    45 ms    48 ms   169 ms  216.239.62.103
  9   123 ms    51 ms    48 ms  108.170.253.34
 10    37 ms    76 ms   123 ms  216.239.57.7
 11   115 ms    62 ms    45 ms  172.253.50.110
 12    43 ms    49 ms    50 ms  209.85.241.145
 13    49 ms    46 ms    73 ms  108.170.226.2
 14    86 ms    45 ms    73 ms  108.170.252.65
 15    67 ms    49 ms   205 ms  172.253.73.155
 16    49 ms    40 ms    44 ms  fra16s45-in-f14.1e100.net [172.217.23.110]

Trace complete.

Windows, Router, IPv4

Tracing route to google.com [172.217.23.110]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  OpenWrt.lan [192.168.99.1]
  2    32 ms    28 ms    27 ms  x
  3    27 ms    28 ms    26 ms  x.se [x]
  4    34 ms    28 ms    37 ms  core2.ams.net.google.com [80.249.209.100]
  5    28 ms    30 ms    29 ms  108.170.241.172
  6     *       31 ms     *     209.85.254.157
  7    58 ms     *       55 ms  108.170.234.11
  8    59 ms    60 ms    58 ms  108.170.229.169
  9    66 ms    63 ms    62 ms  108.170.251.193
 10    57 ms    61 ms    56 ms  172.253.73.153
 11    55 ms    62 ms    61 ms  mil04s23-in-f110.1e100.net [172.217.23.110]

Trace complete. 

Linux Modem, IPv6

 1  kabel (x)  4,5553 ms  4,6142 ms  6,6722 ms
 2  x (x)  30,8669 ms  12,9900 ms  15,3939 ms
 3  x (x)  11,9746 ms  15,8145 ms  13,9181 ms
 4  2a02:8100:6:2::105:c1 (2a02:8100:6:2::105:c1)  14,9157 ms 2a02:8100:6:2::a:d (2a02:8100:6:2::a:d)  186,2798 ms *
 5  * * *
 6  * * *
 7  2001:4860:1:1::1d4 (2001:4860:1:1::1d4)  29,3146 ms  30,5681 ms  31,1880 ms
 8  2a00:1450:80b0::1 (2a00:1450:80b0::1)  27,0340 ms  25,8713 ms  25,6457 ms
 9  * * *
10  2001:4860:0:12e5::4 (2001:4860:0:12e5::4)  30,1130 ms  26,2233 ms  28,3097 ms
11  2001:4860::c:4001:ec1 (2001:4860::c:4001:ec1)  29,7255 ms  28,4526 ms  27,4241 ms
12  2001:4860::c:4001:9920 (2001:4860::c:4001:9920)  31,6615 ms  36,2326 ms  30,9295 ms
13  2607:f8b0:e000:8000::4 (2607:f8b0:e000:8000::4)  29,7721 ms  31,7576 ms  30,6741 ms
14  * * 2607:f8b0:e000:8000::3 (2607:f8b0:e000:8000::3)  27,6563 ms
15  * 2001:4860:0:1::3007 (2001:4860:0:1::3007)  32,4933 ms *
16  ams17s08-in-x0e.1e100.net (2a00:1450:400e:80e::200e)  35,1844 ms  28,7570 ms  28,6716 ms

Linux, Router, IPv6

traceroute6: connect: Network is unreachable

Linux, Modem, IPv4

traceroute to google.com (172.217.23.110), 30 hops max, 60 byte packets
 1  kabel (192.168.0.1)  9.979 ms  9.907 ms  9.856 ms
 2  x-isp.superkabel.de (x)  25.441 ms  27.085 ms  27.069 ms
 3  x.static.kabel-deutschland.de (x)  26.946 ms  31.380 ms  31.348 ms
 4  145.254.3.68 (145.254.3.68)  31.299 ms  31.236 ms  29.777 ms
 5  145.254.2.215 (145.254.2.215)  41.932 ms 145.254.2.217 (145.254.2.217)  42.585 ms 145.254.2.215 (145.254.2.215)  42.528 ms
 6  145.254.2.215 (145.254.2.215)  45.516 ms 145.254.2.217 (145.254.2.217)  27.621 ms  27.541 ms
 7  72.14.194.138 (72.14.194.138)  37.555 ms  49.961 ms  58.063 ms
 8  * * *
 9  209.85.251.130 (209.85.251.130)  62.910 ms 108.170.253.81 (108.170.253.81)  60.759 ms 216.239.54.180 (216.239.54.180)  60.699 ms
10  108.170.253.85 (108.170.253.85)  62.825 ms 108.170.253.51 (108.170.253.51)  70.185 ms 108.170.253.34 (108.170.253.34)  70.114 ms
11  216.239.57.218 (216.239.57.218)  70.104 ms  71.512 ms 216.239.63.49 (216.239.63.49)  33.072 ms
12  172.253.50.100 (172.253.50.100)  33.307 ms  39.791 ms 172.253.51.198 (172.253.51.198)  36.697 ms
13  72.14.233.247 (72.14.233.247)  39.807 ms 72.14.234.11 (72.14.234.11)  42.340 ms  42.666 ms
14  209.85.241.230 (209.85.241.230)  41.078 ms 209.85.245.31 (209.85.245.31)  55.573 ms 209.85.241.230 (209.85.241.230)  55.301 ms
15  108.170.251.193 (108.170.251.193)  56.489 ms 108.170.252.65 (108.170.252.65)  59.293 ms  57.634 ms
16  172.253.73.155 (172.253.73.155)  36.135 ms  37.519 ms 172.253.73.153 (172.253.73.153)  33.742 ms
17  mil04s23-in-f14.1e100.net (172.217.23.110)  35.885 ms  35.788 ms  33.103 ms

Linux, Router, IPv4

traceroute to google.com (172.217.20.78), 30 hops max, 60 byte packets
 1  _gateway (192.168.99.1)  0.925 ms  0.978 ms  1.324 ms
 2  x (x)  35.747 ms  35.732 ms  36.216 ms
 3  x.se (x)  36.432 ms  37.055 ms  37.157 ms
 4  core2.ams.net.google.com (80.249.209.100)  37.555 ms  37.548 ms  37.520 ms
 5  108.170.241.161 (108.170.241.161)  37.492 ms  37.469 ms  37.430 ms
 6  108.170.235.133 (108.170.235.133)  35.904 ms 108.170.235.135 (108.170.235.135)  30.545 ms 108.170.235.133 (108.170.235.133)  30.673 ms
 7  ams15s33-in-f14.1e100.net (172.217.20.78)  30.621 ms  30.872 ms  31.190 ms

Yes, it seems so.
If you don't need IPv6 right now, turn it off on lan interface (remove option ip6assign)
Otherwise you'll need to configure IPv6 from Mulvad.

I don't need it and disabled it as you suggested, however the problem persists. Should I also remove the WAN6 interface? ifconfig shows that my computer still receives an IPv6 address from the router.

Did you restart networking?
What is the output of ifstatus lan ?

I rebooted the router altogether. Here's ifstatus lan:

root@OpenWrt:~# ifstatus lan
{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 8947,
	"l3_device": "br-lan",
	"proto": "static",
	"device": "br-lan",
	"updated": [
		"addresses"
	],
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		{
			"address": "192.168.99.1",
			"mask": 24
		}
	],
	"ipv6-address": [
		
	],
	"ipv6-prefix": [
		
	],
	"ipv6-prefix-assignment": [
		
	],
	"route": [
		
	],
	"dns-server": [
		
	],
	"dns-search": [
		
	],
	"neighbors": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			
		],
		"dns-search": [
			
		],
		"neighbors": [
			
		]
	},
	"data": {
		
	}
}

Here's ifconfig on my computer:

enp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.99.249  netmask 255.255.255.0  broadcast 192.168.99.255
        inet6 fe80::223d:2036:69ca:68b6  prefixlen 64  scopeid 0x20<link>
        inet6 fdd3:ef5d:b266:0:faf6:67c0:ff46:7993  prefixlen 64  scopeid 0x0<global>
        inet6 fdd3:ef5d:b266:0:d4e6:bb52:85bd:7039  prefixlen 64  scopeid 0x0<global>
        ether 30:85:a9:9d:5c:dc  txqueuelen 1000  (Ethernet)
        RX packets 11764985  bytes 14588082958 (14.5 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6339071  bytes 468237451 (468.2 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

The link locals are stale entries. Do a restart of the pc interface and they will be gone.

I'm not so sure about that. I tried restarting the computer and the interface, still the same. I removed option ip6assign, however other remnants of IPv6 are still present. DHCP6 is still active in the LAN interface, in "server" mode. WAN6 is also still there. Could that be a problem?

I was under the impression that it would not advertise anything if there is no ipv6 address/prefix. Turn them off under lan and check.

I disabled everything I could find related to IPv6, rebooted the router then the PC, reset the ethernet connection, I am still receiving an IPv6 address. Could the modem be assigning the address over the router? Assuming IPv6 is the source of the connectivity problems, wouldn't it be possible to simply deactivate it on the computer's side? That would solve the problem

Completely disabling the IPv6 is not anymore a supported function.
I would start a tcpdump in one of the lan hosts to verify where are the RAs coming from. I remember a topic some time ago, where a dumbAP in the lan kept advertising ULAs.

I thought about IPv6 at first, but github.com seem to have no IPv6 address.
And I also can't reach it with traceroute, but ping and web work fine.

@CreeperLava, check out this:

curl -I github.com
curl -I -L github.com
curl -L github.com | head

In addition, I'd recommend to use a public DNS provider like Google or Cloudflare, since small-scale DNS providers more often have issues like outdated cache, missing or incorrect EDNS or DNSSEC support.

Looks about the same on Windows and Linux.

u42@u42-CX62-6QD:~$ curl -I github.com
HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: https://github.com/

u42@u42-CX62-6QD:~$ curl -I -L github.com
HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: https://github.com/

HTTP/1.1 200 OK
date: Fri, 24 Jul 2020 21:58:31 GMT
content-type: text/html; charset=utf-8
server: GitHub.com
status: 200 OK
vary: X-PJAX, Accept-Encoding, Accept, X-Requested-With, Accept-Encoding
etag: W/"0a5e91fb1e374db3f9198b530879989a"
cache-control: max-age=0, private, must-revalidate
strict-transport-security: max-age=31536000; includeSubdomains; preload
x-frame-options: deny
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
referrer-policy: origin-when-cross-origin, strict-origin-when-cross-origin
expect-ct: max-age=2592000, report-uri="https://api.github.com/_private/browser/errors"
content-security-policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; connect-src 'self' uploads.github.com www.githubstatus.com collector.githubapp.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com cdn.optimizely.com logx.optimizely.com/v1/events wss://alive.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com customer-stories-feed.github.com spotlights-feed.github.com; manifest-src 'self'; media-src 'none'; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; worker-src github.com/socket-worker.js gist.github.com/socket-worker.js
Set-Cookie: _gh_sess=zsn0BvnJmEmPhts9S2JFqx6Gtjf8XeU0S8Wm%2FqMXuYj7jbyqwfk%2BNKnkYxGSNL1SM03XoN7vBUdvNo8xlonKVFIz0epzFexH1UZoOHYz0zRoz%2Bfr5D3PzNX%2FmOCYf1DQcgi0czpx%2Bz8NIXlPVb52dzs%2B8BAWLz%2FZmsqhYH%2BpuTZqVq0gk34vgkw27GSmiGDAR005DqnskaKixJX%2F3v9YOJRTmsRNexAIMbBEFpXGVVfbeZpY9dFLSHTSDm9OL00o%2BFaAtSz3jX7KNiVadA9XHQ%3D%3D--TXhzV1TNvr16%2Bxqn--9uhssQJ8iZieMfsrFwhTGw%3D%3D; Path=/; HttpOnly; Secure; SameSite=Lax
Set-Cookie: _octo=GH1.1.1737202611.1595627919; Path=/; Domain=github.com; Expires=Sat, 24 Jul 2021 21:58:39 GMT; Secure; SameSite=Lax
Set-Cookie: logged_in=no; Path=/; Domain=github.com; Expires=Sat, 24 Jul 2021 21:58:39 GMT; HttpOnly; Secure; SameSite=Lax
Accept-Ranges: bytes
X-GitHub-Request-Id: 9216:8211:51227F:7634C6:5F1B598F

u42@u42-CX62-6QD:~$ curl -L github.com | head
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  
4
1
02 
 <!DOCTYPE html>
 <html lang="en">
   <head>
0    <meta charset="utf-8">
   <link rel="dns-prefetch" href="https://github.githubassets.com">
 4  <link rel="dns-prefetch" href="https://avatars0.githubusercontent.com">
100  6842    0  6842    0     0  25818      0 --:--:-- --:--:-- --:--:--  157k
curl: (23) Failed writing body (1350 != 1370)