Delegate IPv6 ULA to Wireguard peers for NAT6 connectivity

Hey there!

I was finally able to set up NAT6 on my network, and all the devices local to the router can reach the internet over both IPv4 and IPv6. However, I'm still stuck on how to give a ULA address to each of the configured peers so that I can do the same with a road-warrior configuration.

So far, even if I give both the interface and the peer an address from the br-lan range, I can only get a ping through to the peer when I use an IPv6 address that belongs exclusively to the WireGuard interface; using the LAN's address ends in a "destination unreachable: no route" message when pinging from the console. As of now, this means the peer cannot reach anything over IPv6.

I have seen this article on the wiki, and I believe it addresses exactly the issue I'm trying to solve; however, if possible, I'd rather not have to recreate my entire current configuration in order to use the features described there.

Given my current situation, what would be the best way to try and troubleshoot this problem?

Thanks in advance! I'll make sure to attach my network and firewall configurations below.

/etc/config/network

# /etc/config/network as pasted in the thread. This is UCI configuration, not a
# shell script (the 'shell' language hint is wrong). Review notes are '#' lines;
# be aware that 'uci commit' rewrites the file and drops any comments.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# NOTE(review): ddf8::/48 is outside fc00::/7, the ULA range defined by RFC 4193
# (OpenWrt normally generates an fdxx:... prefix here). Unless this value was
# altered for the post, confirm it is intended. Three unrelated "local" prefixes
# appear across the two files: this one, fd2d:a278:3852::/64 on wg0 below, and
# fd04:52a5:a38a::1 matched by several firewall rules -- they cannot all be the
# router's ULA at the same time.
config globals 'globals'
        option ula_prefix 'ddf8:f929:5f71::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'ztrta4adry'

# lan gets one /64 out of the ULA prefix (ip6assign) and tags it class 'local'.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option ip6class 'local'

# PPPoE credentials are stored in clear text in this file (redacted here);
# keep that in mind when sharing backups. 'delegate 0' prevents prefixes learned
# on wan from being handed to downstream interfaces.
config interface 'wan'
        option proto 'pppoe'
        option device 'eth0'
        option username 'REDACTED'
        option password 'REDACTED'
        option ipv6 '1'
        list ip6class 'local'
        option delegate '0'

# NOTE(review): 'ip6assign' on an upstream (dhcpv6) interface is unusual -- it
# asks for a downstream /64 to be assigned to wan6 itself. Also, 'ip6class' here
# is 'wan6' while the docker and ZeroTier interfaces below list 'wan_6'; verify
# which name actually carries the delegated prefix, since a class that matches
# no interface silently assigns nothing.
config interface 'wan6'
        option proto 'dhcpv6'
        option device '@wan'
        option reqprefix '64'
        option reqaddress 'try'
        option sourcefilter '0'
        option ip6assign '64'
        list ip6class 'wan6'

config interface 'docker'
        option device 'docker0'
        option proto 'none'
        option auto '0'
        option peerdns '0'
        option ip6assign '64'
        list ip6class 'local'
        list ip6class 'wan_6'

config device
        option type 'bridge'
        option name 'docker0'

# wg0 carries two IPv6 ranges: the static fd2d:a278:3852::1/64 listed here and a
# /64 taken from the ULA prefix via ip6assign/ip6class. The peers below only
# have fd2d:... addresses in allowed_ips, so nothing in the ip6assign'ed /64 is
# routable to any peer -- WireGuard reports that as "Required key not
# available", which is exactly what the ping output later in the thread shows.
# Each peer needs a static address from whichever prefix is meant to be used.
config interface 'wg0'
        option proto 'wireguard'
        option private_key 'REDACTED'
        option listen_port '51820'
        list ip6class 'local'
        option ip6assign '64'
        list addresses '10.0.5.1/24'
        list addresses 'fe80::e097:46ff:fef0:2d8e/64'
        list addresses 'fd2d:a278:3852::1/64'

# NOTE(review): allowed_ips is WireGuard's cryptokey routing table, and every
# peer in this file claims the same 'fd2d:a278:3852::/64'. When a range already
# owned by one peer is assigned to another, it moves to the newer peer, so in
# practice only the last peer keeps the /64 and the others cannot be reached
# over IPv6. Give each peer a host route, as the IPv4 entries already do:
#   list allowed_ips 'fd2d:a278:3852::2/128'
# (and ::3/128, ::4/128, ::5/128, ::6/128 for the peers that follow).
# 'endpoint_port' without 'endpoint_host' has no effect for road-warrior peers.
config wireguard_wg0
        option public_key 'REDACTED'
        option description 'ToastyPen10+'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        option preshared_key 'REDACTED'
        list allowed_ips '10.0.5.2/32'
        list allowed_ips 'fd2d:a278:3852::2/64'

config wireguard_wg0
        option description 'ToastyUFO'
        option preshared_key 'REDACTED'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        option public_key 'REDACTED'
        list allowed_ips '10.0.5.3/32'
        list allowed_ips 'fd2d:a278:3852::3/64'

config wireguard_wg0
        option description 'Moto One Action de Liz'
        option preshared_key 'REDACTED'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        option public_key 'REDACTED'
        list allowed_ips '10.0.5.4/32'
        list allowed_ips 'fd2d:a278:3852::4/64'

config wireguard_wg0
        option description 'Liz-PC'
        option public_key 'REDACTED'
        option preshared_key 'REDACTED'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        list allowed_ips '10.0.5.5/32'
        list allowed_ips 'fd2d:a278:3852::5/64'

config wireguard_wg0
        option description 'Moto One Action de Celia'
        option preshared_key 'REDACTED'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        option public_key 'REDACTED'
        list allowed_ips '10.0.5.6/32'
        list allowed_ips 'fd2d:a278:3852::6/64'

# MTU lowered to 1492 to leave room for the PPPoE header on the uplink.
config device
        option name 'eth1'
        option mtu '1492'
        option mtu6 '1492'

# br-iot / br-guest are VLAN sub-bridges of br-lan; no interface section in this
# file references them, so as pasted they carry no addresses or firewall zone.
config device
        option name 'br-iot'
        option type 'bridge'
        list ports 'br-lan.2'

config device
        option name 'br-guest'
        option type 'bridge'
        list ports 'br-lan.3'

config interface 'ZeroTier'
        option proto 'none'
        option ip6assign '64'
        list ip6class 'local'
        list ip6class 'wan_6'
        option device 'ztrta4adry'

config device
        option name 'pppoe-wan'
        option type 'tunnel'

config device
        option name 'wg0'

# The three commercial-VPN interfaces below all use the same 10.2.0.2/32
# address and 10.2.0.1 resolver with allowed_ips 0.0.0.0/0. Presumably the pbr
# include in the firewall config picks which tunnel is used per client; confirm
# that, because the overlapping addresses make them indistinguishable otherwise.
config interface 'wg_usa'
        option proto 'wireguard'
        option private_key 'REDACTED'
        list addresses '10.2.0.2/32'
        option peerdns '0'
        list dns '10.2.0.1'

config wireguard_wg_usa
        option description 'SE-US#1'
        option public_key 'REDACTED'
        list allowed_ips '0.0.0.0/0'
        option endpoint_host 'REDACTED'
        option endpoint_port '51820'

config interface 'wg_uk'
        option proto 'wireguard'
        option private_key 'REDACTED'
        list addresses '10.2.0.2/32'
        option peerdns '0'
        list dns '10.2.0.1'

config wireguard_wg_uk
        option description 'IS-ES#1'
        option public_key 'REDACTED'
        list allowed_ips '0.0.0.0/0'
        option endpoint_host 'REDACTED'
        option endpoint_port '51820'

config interface 'wg_spa'
        option proto 'wireguard'
        option private_key 'REDACTED'
        list addresses '10.2.0.2/32'
        option peerdns '0'
        list dns '10.2.0.1'

config wireguard_wg_spa
        option description 'CH-UK#1'
        option public_key 'REDACTED'
        list allowed_ips '0.0.0.0/0'
        option endpoint_host 'REDACTED'
        option endpoint_port '51820'

/etc/config/firewall

# /etc/config/firewall as pasted in the thread (UCI configuration, not shell).
# Review notes are '#' lines; 'uci commit' drops comments when it rewrites the
# file.
#
# NOTE(review): this file contains TWO 'config defaults' sections (this one and
# a stricter one further down with input/output REJECT and drop_invalid). Only
# one should exist; check which one the firewall actually applies and delete
# the other.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# wg0 is a member of the lan zone, so every road-warrior peer gets exactly the
# same rights as a wired LAN host (input ACCEPT to the router, forward ACCEPT,
# all lan->wan / lan->vpnzone forwardings). Confirm that is intended; a separate
# zone for wg0 would let you scope peers' access and apply masq6 only to them,
# which is the alternative suggested later in the thread.
config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg0'

# masq6 '1' is the NAT66 that lets ULA-addressed hosts reach the IPv6 internet.
config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option masq6 '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config zone
        option name 'vpnzone'
        option input 'REJECT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option masq '1'
        option masq6 '1'
        option masq6_privacy '1'
        option mtu_fix '1'
        list network 'wg_usa'
        list network 'wg_uk'
        list network 'wg_spa'

config forwarding
        option src 'lan'
        option dest 'vpnzone'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# Same match as the 'Allow DHCPv6 (547-to-546)' rule further down; one of the
# two is redundant.
config rule
        option name 'Allow-DHCPv6 replies'
        option src 'wan'
        option proto 'udp'
        option src_port '547'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# The two rules below forward ESP and IKE (UDP/500) from the internet into the
# whole lan zone. They come from the OpenWrt default config; if no LAN host
# terminates IPsec, disabling them removes an unneeded inbound path.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

# Accepts DHCPv6 *requests* (546->547) arriving from wan, i.e. the router acting
# as a DHCPv6 server toward the ISP side. Normally not needed on a client
# uplink -- verify before keeping it.
config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp'
        option dest_port '547'
        option name 'Allow DHCPv6 (546-to-547)'
        option family 'ipv6'
        option src_port '546'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option name 'Allow DHCPv6 (547-to-546)'
        option family 'ipv6'
        option src_port '547'

# NOTE(review): a legacy script include. If this router runs fw4 (the pbr
# include at the bottom is marked fw4_compatible), plain script includes without
# that flag are skipped, so whatever /etc/firewall.user contains may not be
# applied at all.
config include
        option path '/etc/firewall.user'
        option reload '1'

# Containers on br-5adff94956ab / docker0 get input ACCEPT to the router and
# forward ACCEPT among themselves; the docker->wan forwarding is declared near
# the end of the file.
config zone 'docker'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'docker'
        list device 'br-5adff94956ab'
        list network 'docker'

# NOTE(review): this rule matches on 'src_port' AND 'dest_port' being 81. A
# client connecting to port 81 uses a random ephemeral source port, so the rule
# only fires when that port happens to be 81 as well -- effectively never. The
# same pattern is repeated in RClone-GUI, HomeAssistant, Tautulli, PiHole-Admin,
# Transmission-GUI, NGINXPM-DB and Adguard-Admin below. Drop the 'src_port'
# line from each of them if the intent is "allow clients to reach this port".
# (lan->lan is already ACCEPTed by the zone's forward policy, so these rules
# may be no-ops either way.)
config rule
        option name 'AllowNGINXPMAdmin'
        option src_port '81'
        option dest 'lan'
        option dest_port '81'
        option target 'ACCEPT'
        option src 'lan'
        list dest_ip '172.18.0.2'

config redirect
        option target 'DNAT'
        option name 'RProxy-Admin'
        option src 'lan'
        option src_dport '81'
        option dest 'lan'
        option dest_port '81'
        option dest_ip '172.18.0.2'
        option enabled '0'

# Internet-facing port forwards (80/443) to the reverse proxy container.
config redirect
        option target 'DNAT'
        option name 'RProxy'
        option src 'wan'
        option dest 'lan'
        option dest_ip '172.18.0.2'
        option src_dport '80'
        option dest_port '80'

config redirect
        option target 'DNAT'
        option name 'RProxy-SSL'
        option src 'wan'
        option dest 'lan'
        option dest_ip '172.18.0.2'
        option dest_port '443'
        option src_dport '443'

# NOTE(review): these two forward DNS-over-TLS (853) and DNS-over-QUIC (784)
# from the internet to the router's resolver. Unless AdGuard Home restricts
# which clients it answers, this is a resolver reachable by anyone; verify the
# client allow-list / authentication on the AGH side, or restrict 'src_ip'.
config redirect 'adblock_wan853'
        option src 'wan'
        option proto 'tcp udp'
        option src_dport '853'
        option dest_port '853'
        option target 'DNAT'
        option name 'AGH DNS over TLS'
        option dest 'lan'
        option dest_ip '192.168.1.1'

config redirect
        option target 'DNAT'
        option name 'AGH DNS over QUIC'
        option src 'wan'
        option src_dport '784'
        option dest 'lan'
        option dest_ip '192.168.1.1'
        option dest_port '784'

# NOTE(review): 'fd04:52a5:a38a::1' does not belong to the ULA prefix in
# /etc/config/network (ddf8:f929:5f71::/48) nor to wg0's fd2d:... range, so the
# IPv6 dest_ip in this and the following rules will not match the router's
# current addresses. See also the src_port remark on AllowNGINXPMAdmin.
config rule
        option name 'RClone-GUI'
        option src 'lan'
        option src_port '5572'
        option dest 'lan'
        option dest_port '5572'
        option target 'ACCEPT'
        list dest_ip '192.168.1.1'
        list dest_ip 'fd04:52a5:a38a::1'

config rule
        option name 'HomeAssistant'
        option src 'lan'
        option src_port '8123'
        option dest 'lan'
        option dest_port '8123'
        option target 'ACCEPT'
        list dest_ip '192.168.1.1'
        list dest_ip 'fd04:52a5:a38a::1'

config rule
        option name 'Allow-NFS-RPC'
        option src 'lan'
        option proto 'tcp udp'
        option dest_port '111'
        option target 'ACCEPT'

config rule
        option name 'Allow-NFS'
        option src 'lan'
        option proto 'tcp udp'
        option dest_port '2049'
        option target 'ACCEPT'

config rule
        option name 'Allow-NFS-Lock'
        option src 'lan'
        option proto 'tcp udp'
        option dest_port '32777:32780'
        option target 'ACCEPT'

config rule
        option name 'Tautulli'
        option src 'lan'
        option src_port '8181'
        option dest 'lan'
        list dest_ip '172.18.0.5'
        option dest_port '8181'
        option target 'ACCEPT'

config rule
        option name 'PiHole-Admin'
        option src_port '82'
        option dest 'lan'
        option dest_port '82'
        option target 'ACCEPT'
        option src 'lan'
        list dest_ip '192.168.1.1'
        list dest_ip 'fd04:52a5:a38a::1'

config rule
        option name 'Transmission-GUI'
        option src 'lan'
        option dest 'lan'
        option target 'ACCEPT'
        list dest_ip '192.168.1.1'
        list dest_ip 'fd04:52a5:a38a::1'
        option src_port '9091'
        option dest_port '9091'

config rule
        option name 'NGINXPM-DB'
        option src 'lan'
        list src_ip '172.18.0.2'
        option src_port '3306'
        option dest 'lan'
        list dest_ip '172.18.0.3'
        option dest_port '3306'
        option target 'ACCEPT'

# NOTE(review): this is the only admin-UI rule whose 'src' is 'wan', i.e. it is
# meant to let the internet reach the AdGuard admin page on 172.18.0.6:82 and
# 2001:3984:3989::6 (a prefix that appears nowhere else in these files). Today
# the 'src_port 82' match makes it practically dead; if the exposure is really
# wanted, reach the UI through the VPN instead and keep this rule disabled.
config rule
        option name 'Adguard-Admin'
        option src 'wan'
        option src_port '82'
        option dest 'lan'
        option dest_port '82'
        option target 'ACCEPT'
        list dest_ip '172.18.0.6'
        list dest_ip '2001:3984:3989::6'

# WireGuard listens on UDP only, so 'list proto tcp' opens a port nothing is
# bound to; the name says '-lan' but src is wan. The 'Allow-WireGuard-Inbound'
# redirect at the end of the file opens the same port again.
config rule 'wg'
        option dest_port '51820'
        option target 'ACCEPT'
        option name 'Allow-WireGuard-lan'
        list proto 'tcp'
        list proto 'udp'
        option src 'wan'

# Second 'config defaults' section (see the note on the first one).
config defaults
        option input 'REJECT'
        option output 'REJECT'
        option forward 'REJECT'
        option synflood_protect '1'
        option drop_invalid '1'

config rule
        option name 'Allow-ZeroTier-Inbound'
        list proto 'udp'
        option src 'wan'
        option dest_port '9993'
        option target 'ACCEPT'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option name 'ZeroTier'
        list network 'ZeroTier'

config forwarding
        option dest 'lan'
        option src 'ZeroTier'

config forwarding
        option dest 'wan'
        option src 'ZeroTier'

config forwarding
        option src 'lan'
        option dest 'ZeroTier'

# NOTE(review): wan -> ZeroTier forwarding lets unsolicited internet traffic be
# forwarded into the overlay network. Reply traffic is already allowed by
# connection tracking, so this is usually not required; confirm it is intended.
config forwarding
        option src 'wan'
        option dest 'ZeroTier'

# The adblock_* redirects without dest_ip send DNS for the named zone to the
# router's own resolver (the usual adblock "DNS hijack" rules).
config redirect 'adblock_docker53'
        option name 'Adblock DNS (docker, 53)'
        option src 'docker'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'

config redirect 'adblock_docker853'
        option name 'Adblock DNS (docker, 853)'
        option src 'docker'
        option proto 'tcp udp'
        option src_dport '853'
        option dest_port '853'
        option target 'DNAT'

config redirect 'adblock_docker5353'
        option name 'Adblock DNS (docker, 5353)'
        option src 'docker'
        option proto 'tcp udp'
        option src_dport '5353'
        option dest_port '5353'
        option target 'DNAT'

config redirect 'adblock_lan53'
        option name 'Adblock DNS (lan, 53)'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'

config redirect 'adblock_lan853'
        option name 'Adblock DNS (lan, 853)'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '853'
        option dest_port '853'
        option target 'DNAT'

config redirect 'adblock_lan5353'
        option name 'Adblock DNS (lan, 5353)'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '5353'
        option dest_port '5353'
        option target 'DNAT'

config redirect 'adblock_vpnzone53'
        option name 'Adblock DNS (vpnzone, 53)'
        option src 'vpnzone'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'

config redirect 'adblock_vpnzone853'
        option name 'Adblock DNS (vpnzone, 853)'
        option src 'vpnzone'
        option proto 'tcp udp'
        option src_dport '853'
        option dest_port '853'
        option target 'DNAT'

config redirect 'adblock_vpnzone5353'
        option name 'Adblock DNS (vpnzone, 5353)'
        option src 'vpnzone'
        option proto 'tcp udp'
        option src_dport '5353'
        option dest_port '5353'
        option target 'DNAT'

# NOTE(review): the two wan hijack rules below redirect port 53/5353 traffic
# *arriving from the internet* to the router's resolver, which makes it answer
# DNS for arbitrary external clients (open-resolver / amplification exposure).
# Restrict the adblock hijack to internal zones unless this is deliberate.
config redirect 'adblock_wan53'
        option name 'Adblock DNS (wan, 53)'
        option src 'wan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'

config redirect 'adblock_wan5353'
        option name 'Adblock DNS (wan, 5353)'
        option src 'wan'
        option proto 'tcp udp'
        option src_dport '5353'
        option dest_port '5353'
        option target 'DNAT'

# No dest_ip/dest_port: verify where port 58861 arriving from vpnzone actually
# lands (presumably the router itself) and that a lan host is meant to receive
# it.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Allow-P2P-USA'
        option src 'vpnzone'
        option src_dport '58861'

config include 'opennds'
        option type 'script'
        option path '/usr/lib/opennds/restart.sh'

# MQTT exposed to the internet on 8883-8884 and websockets on 8083. Confirm
# both listeners require TLS and client authentication in mosquitto; a broker
# reachable from wan without them leaks and accepts home-automation traffic.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Mosquitto-Outside'
        option src 'wan'
        option src_dport '8883-8884'
        option dest_ip '192.168.1.1'
        option dest_port '8883-8884'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Mosquitto-WebSockets'
        option src 'wan'
        option src_dport '8083'
        option dest_ip '192.168.1.1'
        option dest_port '8083'

# Duplicates the 'Allow-ZeroTier-Inbound' rule above; keep one.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Allow-ZeroTier-Inbound'
        list proto 'udp'
        option src 'wan'
        option src_dport '9993'
        option dest_ip '192.168.1.1'
        option dest_port '9993'

config forwarding
        option src 'docker'
        option dest 'wan'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'

# Disabled DNS redirect for lan clients, exempting one MAC and the router's own
# address.
config redirect 'dns_int'
        option src 'lan'
        option src_dport '53'
        option proto 'tcp udp'
        option target 'DNAT'
        option family 'any'
        list src_mac '!2C:16:DB:A0:E6:92'
        option name 'Redirect-DNS'
        option dest_ip '192.168.1.1'
        option src_ip '!192.168.1.1'
        option enabled '0'

config nat 'dns_masq'
        option name 'Masquerade-DNS'
        option src 'lan'
        option dest_ip '192.168.1.1'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'MASQUERADE'

# Samba traffic between lan hosts bypasses connection tracking (NOTRACK).
config rule 'samba_nsds_nt'
        option name 'NoTrack-Samba/NS/DS'
        option src 'lan'
        option dest 'lan'
        option dest_port '137-138'
        option proto 'udp'
        option target 'NOTRACK'

config rule 'samba_ss_nt'
        option name 'NoTrack-Samba/SS'
        option src 'lan'
        option dest 'lan'
        option dest_port '139'
        option proto 'tcp'
        option target 'NOTRACK'

config rule 'samba_smb_nt'
        option name 'NoTrack-Samba/SMB'
        option src 'lan'
        option dest 'lan'
        option dest_port '445'
        option proto 'tcp'
        option target 'NOTRACK'

# Same port as the 'Allow-WireGuard-lan' rule above, without a proto limit;
# one of the two is enough (the rule, restricted to udp, is the cleaner one).
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Allow-WireGuard-Inbound'
        option src 'wan'
        option src_dport '51820'
        option dest_port '51820'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

I see two issues on a quick glimpse.

  1. You need a firewall rule to allow VPN to wan, and to lan if desired.
  2. To enable ULA-to-GUA, you need either IPv6 masquerading or network prefix translation (NPT). (If I'm not mistaken, I pointed you to this in another thread earlier.)

I see; from what I understand, this would have to be done as an IPv6 firewall rule, though I'm not sure where exactly. Since the WireGuard interface is within the LAN zone, would this go in a separate section?

I think I've already enabled that when following this article on the wiki, and fortunately local devices are able to use the v6 Internet so far without issue, though if I missed anything please let me know.

(Also thanks for the help on the other thread, thought it had gone stale for the last step so that's why I opened another one. If I manage to get this part solved I'll go back to that one and post the assembled solution).

I see you have added the wg interface to lan, I have missed that.

Regarding NPT, you can configure this only for the WireGuard clients, i.e. their network.
If you move wg0 to a separate firewall zone, you can also use masq6 only. It totally depends on what you want to achieve...
I think ULA-to-GUA NPT is the cleanest. But this cannot be set up with UCI; you need hook scripts.

I see.

So, from what I understand, I'd have to do NPT on top of NAT66 only on the WireGuard interface, which in part means assigning it a different firewall zone and starting to look into hotplug scripts.

Truth be told, I'm starting to get a bit lost. If the Wireguard interface shares a network prefix with the LAN up to a certain point (let's say LAN is ddf8:f929:5f71:2::1/64 and wg0 is ddf8:f929:5f71:3::1/64), would that not be enough to ensure proper routing under NAT66?

If it's not so, what would be a good starting point for developing the hook scripts?

Since your issue is related to routing, it is essential to analyze routing related diagnostics, specifically runtime diagnostics, including routing tables, routing rules, fetching the default route, etc.

However, your current configuration is quite complex, which makes troubleshooting not so trivial.
It is often useful to take a step back and disable unrelated features to minimize side effects and properly isolate the issue.

Also keep in mind that WireGuard expects static configuration, so delegating an IPv6 prefix to a WireGuard interface means that it will only manage routing for that prefix, and you still need to statically allocate IPv6 addresses for each peer.

I see, in this case I'd assume you're referring to things like PBR and BanIP, right?

Sure, I can disable them no problem. What would be the next steps after this?

For this part I think I've got a good grasp of how to do it, since from what I understand it boils down to manually assigning each peer an address within the interface's prefix, right? (In my case, that would mean ddf8:f929:5f71:2::1/64 for the router, something like ddf8:f929:5f71:3::1/64 for the WireGuard interface, ddf8:f929:5f71:3::2/64 for the first configured peer, and so on.)

In any case, please let me know if I got anything wrong, and thanks for the help!


Collect and analyze routing related runtime diagnostics as explained in the wiki:
https://openwrt.org/docs/guide-user/network/routing/basics#troubleshooting

Also include your ping results to verify that the source and destination addresses are within the scope of routable networks.

Typical causes for this kind of error:

  • The target route is not present in the routing table.
  • Routing rules prevent reaching the proper routing table.

Oh boy, that took a while.

First of all, thank you for the detailed instructions, I'll be sure to keep that wiki page handy for future inquiries.

As for the logs, I'll attach them in this folder so that, if I ever need to update them, the link stays the same (the ping to the WireGuard interface itself works, but I haven't tried going further and pinging the peers until I get further instructions).

Thanks for the help!


Sorry for the bump, but I just wanted to make sure if there was anything else missing.

Should I upload anything else?


I briefly checked the logs, but don't see the error you mentioned.
This should be the starting point for troubleshooting.

Oh god, I missed a BIG detail while uploading those logs (I had forgotten to try pinging one of the affected peers).

I have just added the corresponding addresses to the peers' configuration and tried pinging one of them through IPv4 and IPv6, both before and after restarting the network service, which led to the previously mentioned result.

So sorry about that. I have already uploaded the latest ping logs, but just to be sure I'll attach them here as well, given they are reasonably short this time around.

Again, thanks for the help!

#ping ddf8:f929:5f71:3::1

PING ddf8:f929:5f71:3::1(ddf8:f929:5f71:3::1) 56 data bytes
64 bytes from ddf8:f929:5f71:3::1: icmp_seq=1 ttl=64 time=0.207 ms
64 bytes from ddf8:f929:5f71:3::1: icmp_seq=2 ttl=64 time=0.307 ms
64 bytes from ddf8:f929:5f71:3::1: icmp_seq=3 ttl=64 time=0.186 ms
64 bytes from ddf8:f929:5f71:3::1: icmp_seq=4 ttl=64 time=0.221 ms
^C
--- ddf8:f929:5f71:3::1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3146ms
rtt min/avg/max/mdev = 0.186/0.230/0.307/0.046 ms

#ping ddf8:f929:5f71:3::2

PING ddf8:f929:5f71:3::2(ddf8:f929:5f71:3::2) 56 data bytes
From ddf8:f929:5f71:3::1 icmp_seq=1 Destination unreachable: Address unreachable
ping: sendmsg: Required key not available
From ddf8:f929:5f71:3::1 icmp_seq=2 Destination unreachable: Address unreachable
ping: sendmsg: Required key not available
From ddf8:f929:5f71:3::1 icmp_seq=3 Destination unreachable: Address unreachable
ping: sendmsg: Required key not available
From ddf8:f929:5f71:3::1 icmp_seq=4 Destination unreachable: Address unreachable
ping: sendmsg: Required key not available
From ddf8:f929:5f71:3::1 icmp_seq=5 Destination unreachable: Address unreachable
ping: sendmsg: Required key not available
From ddf8:f929:5f71:3::1 icmp_seq=6 Destination unreachable: Address unreachable
ping: sendmsg: Required key not available
^C
--- ddf8:f929:5f71:3::2 ping statistics ---
6 packets transmitted, 0 received, +6 errors, 100% packet loss, time 5184ms

# ping  10.0.5.2

PING 10.0.5.2 (10.0.5.2) 56(84) bytes of data.
64 bytes from 10.0.5.2: icmp_seq=1 ttl=64 time=9.04 ms
64 bytes from 10.0.5.2: icmp_seq=2 ttl=64 time=6.49 ms
64 bytes from 10.0.5.2: icmp_seq=3 ttl=64 time=3.78 ms
64 bytes from 10.0.5.2: icmp_seq=4 ttl=64 time=71.0 ms
64 bytes from 10.0.5.2: icmp_seq=5 ttl=64 time=6.97 ms
^C
--- 10.0.5.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 3.778/19.453/70.995/25.825 ms

# service network restart

'radio0' is disabled

# ping  10.0.5.2

PING 10.0.5.2 (10.0.5.2) 56(84) bytes of data.
From 10.0.5.1 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.0.5.1 icmp_seq=2 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.0.5.1 icmp_seq=3 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.0.5.1 icmp_seq=4 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.0.5.1 icmp_seq=5 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.0.5.1 icmp_seq=6 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.0.5.1 icmp_seq=7 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.0.5.1 icmp_seq=8 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.0.5.1 icmp_seq=9 Destination Host Unreachable
From 10.0.5.1 icmp_seq=10 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.0.5.1 icmp_seq=11 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.0.5.1 icmp_seq=12 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.0.5.1 icmp_seq=13 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.0.5.1 icmp_seq=14 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.0.5.1 icmp_seq=15 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.0.5.1 icmp_seq=16 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.0.5.1 icmp_seq=17 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.0.5.1 icmp_seq=18 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.0.5.1 icmp_seq=19 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.0.5.1 icmp_seq=20 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.0.5.1 icmp_seq=21 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.0.5.1 icmp_seq=22 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.0.5.1 icmp_seq=23 Destination Host Unreachable
ping: sendmsg: Destination address required
^C
--- 10.0.5.2 ping statistics ---
171 packets transmitted, 0 received, +23 errors, 100% packet loss, time 176829ms

# ping  10.0.5.2
PING 10.0.5.2 (10.0.5.2) 56(84) bytes of data.
64 bytes from 10.0.5.2: icmp_seq=1 ttl=64 time=9.23 ms
64 bytes from 10.0.5.2: icmp_seq=2 ttl=64 time=110 ms
64 bytes from 10.0.5.2: icmp_seq=3 ttl=64 time=27.9 ms
64 bytes from 10.0.5.2: icmp_seq=4 ttl=64 time=53.3 ms
64 bytes from 10.0.5.2: icmp_seq=5 ttl=64 time=71.7 ms
^C
--- 10.0.5.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 9.232/54.428/109.994/35.030 ms

# ping ddf8:f929:5f71:3::2 (Same device as above)

PING ddf8:f929:5f71:3::2(ddf8:f929:5f71:3::2) 56 data bytes
From ddf8:f929:5f71:3::1 icmp_seq=1 Destination unreachable: Address unreachable
ping: sendmsg: Destination address required
From ddf8:f929:5f71:3::1 icmp_seq=2 Destination unreachable: Address unreachable
ping: sendmsg: Destination address required
From ddf8:f929:5f71:3::1 icmp_seq=3 Destination unreachable: Address unreachable
ping: sendmsg: Destination address required
From ddf8:f929:5f71:3::1 icmp_seq=4 Destination unreachable: Address unreachable
ping: sendmsg: Destination address required
From ddf8:f929:5f71:3::1 icmp_seq=5 Destination unreachable: Address unreachable
ping: sendmsg: Destination address required
^C
--- ddf8:f929:5f71:3::2 ping statistics ---
5 packets transmitted, 0 received, +5 errors, 100% packet loss, time 4137ms

It looks like something is wrong with your WireGuard configuration:

BTW, next time you'd better disable mwan3 while testing as it makes a lot of noise.

First of all, sorry about that. I'll make sure to look into it next time.

As for that, thanks for the links! It seems something is indeed wrong with the configuration, but I'm not too sure if the problem is on my side completely...

When I check /etc/config/network for the relevant peers, I can see that I have set the AllowedIPs list correctly (I think), for example, this is the peer of my phone (which I'm performing the tests with) and the corresponding peer of the router itself:

Router

config interface 'wg0'
    option proto 'wireguard'
    option private_key 'REDACTED'
    option listen_port '51820'
    list ip6class 'local'
    option ip6assign '64'
    list addresses '10.0.5.1/24'
    list addresses 'fe80::e097:46ff:fef0:2d8e/64'
    list addresses 'fd2d:a278:3852::1/64'
    list addresses 'ddf8:f929:5f71:3::1/64'

Phone

config wireguard_wg0
    option description 'ToastyUltra22'
    option public_key 'M8VDSoxXhBP+Hy3pYYdlx94b7RW1DQ0UticOu9V0OGk='
    option endpoint_port '51820'
    option persistent_keepalive '25'
    option preshared_key 'REDACTED'
    list allowed_ips '10.0.5.2/32'
    list allowed_ips 'fd2d:a278:3852::2/64'
    list allowed_ips 'ddf8:f929:5f71:3::2/64'
    option route_allowed_ips '1'

After changing anything in either of them, I make sure to restart the wg0 interface and toggle the client on my phone off and on. However, it seems that for some reason the AllowedIPs are not being passed through to the WireGuard installation on the router itself, as per this output from wg show:

❯ wg show
interface: wg0
  public key: 5P7+g958RoU4KuL880SaWRW92+d71921P9aO2Tx2QnA=
  private key: (hidden)
  listening port: 51820

peer: M8VDSoxXhBP+Hy3pYYdlx94b7RW1DQ0UticOu9V0OGk=
  preshared key: (hidden)
  endpoint: 192.168.1.210:42569
  allowed ips: 10.0.5.2/32
  latest handshake: 1 minute, 31 seconds ago
  transfer: 791.54 KiB received, 1.97 MiB sent
  persistent keepalive: every 25 seconds

peer: GQ9vEK42RjlRCnOrm3SS/Xmf1Gkqdp4ms8CGknF5Kzw=
  preshared key: (hidden)
  allowed ips: 10.0.5.3/32
  persistent keepalive: every 25 seconds

peer: X7dSbHOsnLdlcuB4ZLlfsz7oqwtKhSmaCnakQAtJXB0=
  preshared key: (hidden)
  allowed ips: 10.0.5.4/32
  persistent keepalive: every 25 seconds

peer: YL2g4t3zSGAmK82pOj3JjsExz1xKNmnKcDzrZY6733I=
  preshared key: (hidden)
  allowed ips: 10.0.5.5/32
  persistent keepalive: every 25 seconds

peer: HwCzTJShdSN52tEpdvavAEfX5DwU/jgO5fIWyseJ6Bg=
  preshared key: (hidden)
  allowed ips: 10.0.5.6/32, fd2d:a278:3852::/64, ddf8:f929:5f71:3::/64
  persistent keepalive: every 25 seconds

Even weirder still, only one of the other peers IS getting the set allowed IPs (though that one is a bit out of reach, so I don't have a chance to check if things work with it).

Given I'm using UCI to configure the service, would there be any way of checking where and how the configuration is getting lost along the way?

Thanks for the help!

Just a thought, but are you testing from outside, e.g. with your phone on cellular? Otherwise you might run into strange routing problems.

Fair enough, I did not try that one while logging on this attempt yet.

However, I can say that I am typing this message from my phone while tunneling through the VPN on cellular and as of now I'm unable to connect to anywhere through IPv6, but IPv4 works fine as usual.

Change the IPv6 prefixes for allowed_ips to /128, as they cannot overlap: WireGuard's AllowedIPs is a cryptokey routing table in which each prefix maps to exactly one peer, so the same /64 listed on several peers can only end up on one of them.
Also check the client-side WireGuard configs.


Okay, after changing the allowed_ips to /128 they show up properly in wg show:

interface: wg0
  public key: 5P7+g958RoU4KuL880SaWRW92+d71921P9aO2Tx2QnA=
  private key: (hidden)
  listening port: 51820

peer: M8VDSoxXhBP+Hy3pYYdlx94b7RW1DQ0UticOu9V0OGk=
  preshared key: (hidden)
  allowed ips: 10.0.5.2/32, fd2d:a278:3852::2/128, ddf8:f929:5f71:3::2/128
  persistent keepalive: every 25 seconds

peer: GQ9vEK42RjlRCnOrm3SS/Xmf1Gkqdp4ms8CGknF5Kzw=
  preshared key: (hidden)
  allowed ips: 10.0.5.3/32, fd2d:a278:3852::3/128, ddf8:f929:5f71:3::3/128
  persistent keepalive: every 25 seconds

peer: X7dSbHOsnLdlcuB4ZLlfsz7oqwtKhSmaCnakQAtJXB0=
  preshared key: (hidden)
  allowed ips: 10.0.5.4/32, fd2d:a278:3852::4/128, ddf8:f929:5f71:3::4/128
  persistent keepalive: every 25 seconds

peer: YL2g4t3zSGAmK82pOj3JjsExz1xKNmnKcDzrZY6733I=
  preshared key: (hidden)
  allowed ips: 10.0.5.5/32, fd2d:a278:3852::5/128, ddf8:f929:5f71:3::5/128
  persistent keepalive: every 25 seconds

peer: HwCzTJShdSN52tEpdvavAEfX5DwU/jgO5fIWyseJ6Bg=
  preshared key: (hidden)
  allowed ips: 10.0.5.6/32, fd2d:a278:3852::6/128, ddf8:f929:5f71:3::6/128
  persistent keepalive: every 25 seconds

And I'm able to ping my phone now, so we're making progress so far.

ping ddf8:f929:5f71:3::2
PING ddf8:f929:5f71:3::2(ddf8:f929:5f71:3::2) 56 data bytes
64 bytes from ddf8:f929:5f71:3::2: icmp_seq=1 ttl=64 time=81.9 ms
64 bytes from ddf8:f929:5f71:3::2: icmp_seq=2 ttl=64 time=100 ms
64 bytes from ddf8:f929:5f71:3::2: icmp_seq=3 ttl=64 time=20.3 ms
64 bytes from ddf8:f929:5f71:3::2: icmp_seq=4 ttl=64 time=7.61 ms
64 bytes from ddf8:f929:5f71:3::2: icmp_seq=5 ttl=64 time=7.28 ms
^C
--- ddf8:f929:5f71:3::2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 7.275/43.513/100.492/39.662 ms

Now the only thing left to solve would be getting connectivity to the IPv6 Internet through WireGuard, but I'm not sure what is still missing to make it happen.

Thanks for the help!

You need a "source route" from ULA to GUA space, something like:
default from <ula-prefix> dev <wan-iface> ....

My default routes look like:

root@cpe:~# ip -6 route show default
default from 2003:XX:bf2d:5c00::/56 via fe80::f6cc:55ff:fe42:1a94 dev pppoe-wan proto static metric 512 pref medium
default from 2003:XX:bfff:2dd1::/64 via fe80::f6cc:55ff:fe42:1a94 dev pppoe-wan proto static metric 512 pref medium
default from fde6:a09a:b373:f0::/64 dev pppoe-wan metric 1024 pref medium
default from fde6:a09a:b373:ff::/64 dev pppoe-wan metric 1024 pref medium

And either you use masq6 on your wan interface (stateful NAT, so the peers' ULA addresses are never visible outside), or you use Network Prefix Translation (a stateless 1:1 prefix mapping, so your firewall's forwarding rules still decide what may reach the peers from the outside):

root@cpe:~# ip6tables-save | grep NPT
-A POSTROUTING -s fde6:a09a:b373:ff::/64 -o pppoe-wan -m comment --comment "wg15 NPT" -j NETMAP --to 2003:XX:bf2d:5cff::/64
-A POSTROUTING -s fde6:a09a:b373:f0::/64 -o pppoe-wan -m comment --comment "wg0 NPT" -j NETMAP --to 2003:XX:bf2d:5cf0::/64

PS: On my Android phone I have to test with Chrome, as Firefox behaves somewhat strangely and does not want to use IPv6 on the first try.

I see. At the moment my default route looks like this:

 ip -6 route show default
default via fe80::d66d:50ff:fe2f:9dca dev pppoe-wan proto static metric 512 pref medium

In the case of masq6, how would I define these routes using the UCI config file? (I'm still very new to routing, so I'd love a few pointers if possible.)