Getting HE.net 6in4 to work via Wireguard VPN

My OpenWRT router sends all IPv4 traffic to a WireGuard VPN hosted in GCP.
Sadly, the GCP instance does not have global IPv6.

Since the 6in4 traffic is also sent via the VPN, my OpenWRT router cannot set up the 6in4 connection once the VPN is up.
I assumed this was because the VPN server was not forwarding Protocol 41 traffic back to the router.
I see traffic sent on OWRT's 6in4 interface but 0 received.

On the VPN server I tried (to no effect):

iptables -A INPUT -p 41 -j ACCEPT
iptables -A PREROUTING -t nat -p 41 -d $VPN_PUBLIC_IP -j DNAT --to-destination 192.168.1.10 # OpenWRT router internal IP

How can I get this working via the VPN?

EDIT:
Just tested... If I get the 6in4 interface up first and then manually start the VPN, IPv6 works fine.
If this is not possible via the VPN, how can I ensure the 6in4 interface goes up first before the WireGuard VPN interface goes up?

If you want to use the VPN IP address when connecting to HE wouldn't it be better to terminate the 6in4 tunnel on the VPN server in that case? Then you also would be able to use IPv6 on the server itself.

BTW have you updated tunnelbroker.net with your new VPN IP address?


And if you don't want the tunnel to go over the VPN then just put a static route to reach the tunnel via your WAN

My ISP assigns dynamic IP, so I can't really specify the IPv4 gateway under Static Routes.

Tunnelbroker.net sees the VPN server as the endpoint, as expected.

  • Have you permitted the tunnel check server to ping the Public IP of your GCP VPN server? (this information can be found on your Tunnelbroker account)
  • Did you disable the 6in4 interface on OpenWrt?
  • If so, did you verify that your Tunnel account switched to the VPN IP in the web portal?

If this means you don't believe you can set up 6in4, that's wrong. That's why there is a Tunnel check server - to employ dynamic updating. HE also allows me to use DDNS in this manner. My OpenWrt config sets up the Interface properly.

  1. Tunnelbroker is pinging the GCP VPN
  2. No, I have not disabled it; I would like to set it up via OpenWRT, not the GCP VPN.
  3. Yes, Tunnelbroker switches to the GCP VPN.

And no, what that means is I cannot set up static routing in LuCI due to dynamic IPv4, as suggested by @dlakelan

With the HE config that I use from the Tunnelbroker site, it works for me!

So what's the problem with doing so???

I have had a perfectly working HE Tunnel with a dynamic IP WAN for approximately 10 years.

@lleachii So you're setting up 6in4 on your VPN server and giving a /56 from it to the OpenWRT router that connects to it? Would you share your configs?

???

I receive a /48 and can then subdivide it into /64s. You then make static routes as you please. You can route them wherever you desire. What config do you want?

If you want to route an IPv6 network to another router, make an IPv6 static route.

The config that allows OpenWRT to provide IPv6 to the LAN.

You just assign an IP and routed prefix subnet to the LAN interface. This can be done in LuCI.

Interesting, I don't appear to have two of the options from your screenshot - IPv6 address and IPv6 gateway. Perhaps if I add them directly to /etc/config/network?

That is because you have the IPv6 assignment length set to 64 instead of disabled.


I would add the IPv6 prefix to an interface other than the LAN interface where you want to use the addresses. It is possible to add ip6prefix to a WireGuard interface with uci, but I can't find the settings in LuCI.

Just assign an IP in the subnet as the listed address. You then just make a static route to the WG Interface.

You can create a new interface with static protocol and assign the IP addresses there. The ifname should point to the WireGuard interface.

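The design the replies converge on (6in4 terminated on the VPN server, a prefix carved from the routed /48 and statically routed over WireGuard to a static-protocol interface on OpenWrt) involves subnet arithmetic that is easy to get wrong. The following is an added example, not code from any poster: it carves a transit /64 and a LAN /56 out of the /48, checks they do not overlap, and emits the server-side and OpenWrt lines. The /48 is the documentation range as a constructed placeholder, the interface name wg0 on both ends is an assumption, and the peer public key is a placeholder.

```python
import ipaddress

# Constructed placeholder for the /48 tunnelbroker routes to the 6in4 endpoint.
ROUTED_48 = ipaddress.IPv6Network("2001:db8::/48")


def nth_subnet(parent, new_prefix, n):
    """Return the n-th /new_prefix inside parent without enumerating all of them."""
    count = 1 << (new_prefix - parent.prefixlen)
    if not 0 <= n < count:
        raise ValueError(f"only {count} /{new_prefix} subnets fit in {parent}")
    base = int(parent.network_address) + (n << (128 - new_prefix))
    return ipaddress.IPv6Network((base, new_prefix))


def plan(routed_48=ROUTED_48, transit_n=1, lan_n=1, server_if="wg0", owrt_if="wg0"):
    """Pick a transit /64 for the WireGuard link and a /56 for the OpenWrt LAN.

    Interface names are assumptions. Returns the prefixes plus the config lines
    for the VPN server (which holds the 6in4 tunnel and the /48) and for OpenWrt.
    """
    if routed_48.prefixlen != 48:
        raise ValueError("expected the /48 routed by tunnelbroker")
    transit = nth_subnet(routed_48, 64, transit_n)
    lan = nth_subnet(routed_48, 56, lan_n)
    if transit.overlaps(lan):  # e.g. /64 index 1 sits inside /56 index 0
        raise ValueError(f"transit {transit} lies inside LAN prefix {lan}; pick another index")
    server_addr = transit[1]  # ::1 on the VPN server side of the link
    owrt_addr = transit[2]    # ::2 on the OpenWrt side
    server = [
        f"ip -6 addr add {server_addr}/64 dev {server_if}",
        f"ip -6 route add {lan} via {owrt_addr} dev {server_if}",
        # WireGuard only passes source addresses listed in the peer's AllowedIPs;
        # 'wg set' replaces the list, so keep the router's existing IPv4 entry too.
        f"wg set {server_if} peer <OPENWRT_PUBKEY> allowed-ips {owrt_addr}/128,{lan}",
    ]
    owrt = [
        "uci set network.wg6=interface",
        "uci set network.wg6.proto='static'",
        f"uci set network.wg6.ifname='{owrt_if}'",        # 'device' on OpenWrt 21.02+
        f"uci add_list network.wg6.ip6addr='{owrt_addr}/64'",
        f"uci set network.wg6.ip6gw='{server_addr}'",
        f"uci add_list network.wg6.ip6prefix='{lan}'",    # pool the LAN is assigned from
        "uci set network.lan.ip6assign='64'",             # LAN takes one /64 of that pool
        "uci commit network && /etc/init.d/network restart",
    ]
    return {"transit": transit, "lan": lan, "server": server, "openwrt": owrt}


if __name__ == "__main__":
    for side in ("server", "openwrt"):
        print("\n".join(plan()[side]))
```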