Configure IPv6 for Wireguard "server" on a relayd client bridge

Hello everyone!

I've configured my OpenWrt router as a relayd client bridge and a Wireguard "server" by following this thread.

Yesterday I tried to set up IPv6 addresses for my Wireguard "clients", but unfortunately I'm not very experienced with this. Any help would be welcome!

My current configuration is this:

  • Main house router at 192.168.15.1;
  • OpenWrt router at 192.168.15.7 acting as a relayd bridge;
  • Wireguard packets are forwarded from the main router to the OpenWrt router;
  • Wireguard "server" at 192.168.9.1/24 and "clients" at 192.168.x.2/32;

I am able to connect and route my internet access over IPv4 from the Wireguard "clients", but I would also like to have an IPv6 address available if need be. Also, my ISP provides a delegated prefix like this: 2804:xxxx:xxxx:xxxx::/64.

My router configuration files:

/etc/network


# Loopback interface: static 127.0.0.1 with a /8 netmask on device 'lo'.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# Global settings: the prefix used for local (ULA) IPv6 addressing.
# NOTE(review): ULA space is fc00::/7, so a valid prefix starts with 'fc' or 'fd'.
# 'ddf6:...' is outside that range; possibly altered when posting -- confirm the
# value on the router.
config globals 'globals'
	option ula_prefix 'ddf6:5a3b:c731::/48'

# Bridge device 'br-lan' with a single member port, eth0.1.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

# LAN interface on br-lan: static 192.168.1.1/24, with the main house router
# (192.168.15.1) set as both gateway and DNS server.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	# Requests a /60 sub-prefix for this interface.
	# NOTE(review): the post says the ISP delegates a /64, which cannot contain
	# a /60 -- confirm what prefix 'lan' actually receives.
	option ip6assign '60'
	option gateway '192.168.15.1'
	list dns '192.168.15.1'

# MAC address override for eth0.2 (value redacted in the post).
config device
	option name 'eth0.2'
	option macaddr <removed>

# Switch 'switch0' with VLAN support enabled; reset on configuration load.
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 1: ports 2-5 untagged, port 0 tagged (presumably the CPU port -- confirm).
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

# VLAN 2: port 1 untagged, port 0 tagged.
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

# Upstream IPv4 interface, addressed via DHCP. No device is set here; the
# wireless 'sta' interface is attached to it from the wireless config.
config interface 'wwan'
	option proto 'dhcp'

# relayd pseudo-bridge: relays between 'lan', 'wwan' and 'wwan6' and uses
# 192.168.15.7 as the address of this router on the upstream network.
# NOTE(review): relayd is documented as relaying IPv4 only, so listing 'wwan6'
# here presumably has no effect on IPv6 -- confirm.
config interface 'repeater_bridge'
	option proto 'relay'
	option ipaddr '192.168.15.7'
	list network 'lan'
	list network 'wwan'
	list network 'wwan6'

# Upstream DHCPv6 client: requests no address of its own (reqaddress 'none')
# and asks for a delegated prefix of whatever size is offered (reqprefix 'auto').
config interface 'wwan6'
	option proto 'dhcpv6'
	option reqaddress 'none'
	option reqprefix 'auto'

# WireGuard interface 'vpn': listens on UDP 51820 and holds 192.168.9.1/24.
# Only an IPv4 address is listed; the tunnel has no IPv6 address as posted.
# private_key is a secret (redacted in the post) and must never be published.
config interface 'vpn'
	option proto 'wireguard'
	option private_key <removed>
	option listen_port '51820'
	list addresses '192.168.9.1/24'

# Peer 'win10'. allowed_ips is both the routing target for this peer and the
# only inner source range WireGuard accepts from it, so keeping it at a single
# /32 stops the peer from sourcing traffic as another address. Any IPv6 address
# given to this client would also have to be listed here, as narrowly as
# possible (a single host address), or its packets are dropped.
config wireguard_vpn 'wgclient'
	option public_key <removed>
	option preshared_key <removed>
	option persistent_keepalive '25'
	option description 'win10'
	# Install a route for each allowed_ips entry automatically.
	option route_allowed_ips '1'
	list allowed_ips '192.168.9.2/32'

# Peer 'win7': same layout as above, pinned to 192.168.9.3/32.
config wireguard_vpn
	option description 'win7'
	option public_key <removed>
	option preshared_key <removed>
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips '192.168.9.3/32'


/etc/firewall


# Global firewall defaults.
config defaults
	# NOTE(review): a default input policy of ACCEPT means traffic to the router
	# that is not handled by any zone is accepted -- confirm this is intended.
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	# Software flow offloading.
	option flow_offloading '1'
	option drop_invalid '1'

# 'lan' zone. Besides 'lan' it also contains the upstream-facing interfaces
# ('wwan', 'wwan6') and the relay, and accepts input and forwarding, so every
# host on the main router's network is treated as trusted by this router.
# The effective trust boundary is therefore the main house router.
config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	# IPv4 masquerading only; no masq6 is set on this zone.
	option masq '1'
	list network 'lan'
	list network 'wwan'
	list network 'repeater_bridge'
	list network 'wwan6'

# 'wan' zone.
# NOTE(review): no 'list network' entries appear here as posted, so the zone
# has no member interfaces; rules with src 'wan' and the masq/masq6 settings
# below would then apply to no traffic -- confirm.
config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	# Clamp TCP MSS to the path MTU.
	option mtu_fix '1'
	option masq6 '1'
	option masq6_privacy '0'

# Allow forwarding from the 'lan' zone to the 'wan' zone.
config forwarding
	option src 'lan'
	option dest 'wan'

# Rules for traffic arriving from the 'wan' zone (DHCP, ping, IGMP, DHCPv6,
# MLD and ICMPv6). Every rule in this group uses src 'wan'.
# NOTE(review): the 'wan' zone shown in this file lists no networks, so these
# rules presumably match nothing in this setup -- confirm.

# Accept DHCP replies (UDP 68) to the router, IPv4 only.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# Accept IPv4 ICMP echo requests to the router.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

# Accept IGMP to the router, IPv4 only.
config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# Accept DHCPv6 replies (UDP 546) where both source and destination fall in
# fc00::/6, a range that covers unique-local and link-local addresses.
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# Accept Multicast Listener Discovery messages (ICMPv6 types 130, 131, 132
# and 143) from link-local sources.
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# Accept the listed ICMPv6 types addressed to the router itself, including
# neighbour and router discovery, rate-limited to 1000 packets per second.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Accept the listed ICMPv6 types when forwarded from 'wan' to any zone
# (dest '*'), with the same rate limit. Discovery types are not forwarded.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Forward IPsec ESP from 'wan' to 'lan'. No address family is set, so the rule
# is not limited to IPv4.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

# Forward IKE/ISAKMP (UDP 500) from 'wan' to 'lan'.
config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Reject UDP traceroute probes (ports 33434-33689) on IPv4.
# Disabled: 'enabled' is set to '0'.
config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

# Custom rules file loaded in addition to this configuration. Its contents are
# not shown in the post, so it should be reviewed separately.
config include
	option path '/etc/firewall.user'

# Script include shipped by miniupnpd, re-run on every firewall reload.
# NOTE(review): this implies the UPnP/NAT-PMP daemon is installed; if it is
# enabled, hosts in the served zone can request port mappings -- confirm it is
# needed on this router.
config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

# Accept UDP from 192.168.15.1 port 51820 to 192.168.15.7 port 51820, from zone
# 'lan' to zone 'vpn'. Because 'dest' is set, this is a forwarding rule.
# NOTE(review): WireGuard terminates on the router itself, so its packets are
# input rather than forwarded traffic; they are presumably admitted by the
# 'lan' zone's input ACCEPT instead of by this rule -- confirm.
# NOTE(review): src_ip and src_port match only if the main router rewrites the
# source of forwarded packets; a plain port forward usually keeps the remote
# peer's address and port -- confirm.
config rule 'wg'
	option name 'Allow-WireGuard'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'
	option src_port '51820'
	option src 'lan'
	option dest 'vpn'
	list src_ip '192.168.15.1'
	list dest_ip '192.168.15.7'

# 'vpn' zone for the WireGuard interface. Input is ACCEPT, so connected peers
# can reach every service listening on this router; tightening this to REJECT
# plus explicit rules limits what a compromised client device can reach.
# No masquerading is set on this zone.
config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'vpn'

# Allow forwarding from VPN peers into the 'lan' zone, which in this setup also
# contains the upstream interfaces. There is no 'lan' -> 'vpn' forwarding entry.
config forwarding
	option src 'vpn'
	option dest 'lan'

# DNAT for UDP 51820 arriving from the 'vpn' zone, destination zone 'lan'.
# NOTE(review): no dest_ip or dest_port is given, so there is no explicit
# translation target -- confirm what this redirect does and whether it is needed.
config redirect
	option dest 'lan'
	option target 'DNAT'
	option src 'vpn'
	option src_dport '51820'
	option name 'Wireguard-output'
	list proto 'udp'

# DNAT for UDP 51820 arriving from the 'lan' zone, destination zone 'vpn'.
# NOTE(review): also has no dest_ip; the listener is on the router itself, so
# this is presumably unnecessary -- confirm.
config redirect
	option target 'DNAT'
	option name 'Wireguard-input'
	option src 'lan'
	option src_dport '51820'
	option dest 'vpn'
	list proto 'udp'

# Samba/NetBIOS input rules for the 'lan' zone. No 'dest' is set, so they
# apply to traffic addressed to the router itself.
# The 'lan' zone in this file also contains the upstream interfaces, so these
# ports are open to the main router's network as well as to the local LAN.
# NOTE(review): the zone's input policy is already ACCEPT, so these rules look
# redundant as posted; they would matter if that policy were tightened.

# NetBIOS name and datagram services (UDP 137-138).
config rule 'samba_nsds'
	option name 'Allow-Samba/NS/DS'
	option src 'lan'
	option dest_port '137-138'
	option proto 'udp'
	option target 'ACCEPT'

# NetBIOS session service (TCP 139).
config rule 'samba_ss'
	option name 'Allow-Samba/SS'
	option src 'lan'
	option dest_port '139'
	option proto 'tcp'
	option target 'ACCEPT'

# SMB over TCP (port 445).
config rule 'samba_smb'
	option name 'Allow-Samba/SMB'
	option src 'lan'
	option dest_port '445'
	option proto 'tcp'
	option target 'ACCEPT'


/etc/wireless


# 5 GHz radio: VHT80, automatic channel selection, country code BR.
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'
	option country 'BR'
	option channel 'auto'

# 2.4 GHz radio: HT20, automatic channel selection. Disabled.
config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option band '2g'
	option htmode 'HT20'
	option channel 'auto'
	option legacy_rates '1'
	option country 'BR'
	option cell_density '0'
	option disabled '1'

# Access point on radio1, attached to 'lan', using WPA2-PSK ('psk2').
# Disabled. SSID and key are redacted in the post.
config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid <removed>
	option encryption 'psk2'
	option key <removed>
	option disabled '1'

# Client ('sta') link on radio0, pinned to one BSSID and using WPA2-PSK.
# It is attached to both 'wwan' and 'wwan6', which makes it the uplink for
# those two interfaces.
config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'sta'
	option ssid <removed>
	option bssid <removed>
	option encryption 'psk2'
	option key <removed>
	option network 'wwan wwan6'