Help with Wireguard, Cloudflare Warp, IPv6

I'm running OpenWrt SNAPSHOT r13649-b1d5ab1a69 on a Linksys WRT-3200ACM. I've got Wireguard configured to connect to Cloudflare Warp. IPv4 works. IPv6 doesn't - LAN clients cannot connect to ipv6.google.com, for example. On the router I can ping6 the Warp peer, but not other IPv6 addresses.

Wireguard config from /etc/config/network:

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'X'
        list addresses '192.168.11.2/32'
        list addresses 'fd03:2319:63b0:a80b::2/128'

config wireguard_wg0
        option description 'Cloudflare'
        option public_key 'bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo='
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option route_allowed_ips '1'
        option endpoint_host '2606:4700:d0::a29f:c001'
        option endpoint_port '2408'
        option persistent_keepalive '25'

Relevant portion of /etc/config/firewall:

config zone
        option name 'Warp'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option network 'wg0'
        option mtu_fix '1'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'Warp'

You haven't assigned a Public IPv6 address.

Hi,

Here goes mine, it works, hope it helps, this is /etc/config/network:

config interface 'wg0'
	option proto 'wireguard'
	list addresses '172.16.0.2'
	list addresses 'fd01:5ca1:ab1e:8bbb:8994:4e6c:4151:a815'
	option private_key 'XXXXXX='
	option auto '0'

config wireguard_wg0
	option public_key 'bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo='
	option description 'Cloudflare'
	option persistent_keepalive '25'
	option endpoint_host 'engage.cloudflareclient.com'
	option endpoint_port '2408'
	option route_allowed_ips '1'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'

The list addresses entries are exactly what I have in my Warp+ configuration files generated by the wgcf script.

And this is from /etc/config/firewall, please, check how zones are configured, as I am using wan and wan6 for IPv4 and IPv6:

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan6 wan wg0'

config forwarding
	option src 'lan'
	option dest 'wan'

@amteza Confused. You have

config forwarding
	option src 'lan'
	option dest 'wan'

which doesn't seem right - it allows one to go from lan to wan directly, whereas I think we only want to allow lan to wg0_zone, where wg0_zone is the firewall zone that covers (only) wg0.
It "works" in the sense I can get to IPv6 sites. While my real IPv4 address is hidden and instead appears to be a Cloudflare IP, my IPv6 address is exposed and is the one from my ISP. Is your IPv6 hidden?

I get a /64 prefix delegated from my ISP. Do I stick that in here instead of fd03:2319:63b0:a80b::2/128? That will be a problem as it is dynamic. Shouldn't Cloudflare provide the publicly visible IPv6, just as it masks my real IPv4?

Do they provide IPv6?

I thought you wanted to use an IPv6 from Cloudflare. That's the IP subnet you'd assign an address from. You'd also add a route to the /128 IP via the WG tunnel there too.

With a /128 from Cloudflare, won't NAT6 be needed, too (yes; I know NAT6 is evil)?

I don't understand much or perhaps any of this! I have Wireguard running on my router as described. If I go to https://ipv6leak.com it says:

You are already connecting from an IPv6 address 2600:1700:9580:ce80:xxxx:xxxx:xxxx:xxxx

which is one of the IPv6 addresses on interface wan on the router and assigned by my ISP. But I still can't visit https://ipv6.google.com. ipleak.com and ipleak.net don't detect any IPv6 address, only an IPv4 address 8.48.xxx.xxx which is neither my IPv4 address from my ISP nor the 172.16.0.2 address of wg0.

With Wireguard still running as above on my router, I start Wireguard on my Mac LAN client. Now from the Mac I can reach https://ipv6.google.com. https://test-ipv6.com says:

Your IPv4 address on the public Internet appears to be 8.45.xx.xx
Your IPv6 address on the public Internet appears to be 2a09:bac0:4::xxxx:xxxx

On the Mac the Wireguard configuration has addresses as 172.16.0.2/32, fd01:5ca1:ab1e:8800:xxxx:xxxx:xxxx:xxxx/128. I tried putting in the 2a09:bac0:4::xxxx:xxxx IPv6 address on the router Wireguard: it connects etc., but still no IPv6.

If it's only a /128, yes. I'm kinda assuming the user has a proper /64 at Cloudflare - to route a single /128.

:confused: ??? You'll never see a Private IP on the Public Internet.

I assume it's Cloudflare, which is what you want, correct?

???

As this IP does not match what you claim is your ISP's, please explain this IP address and the ISP it's registered to?

@lleachii Think I get it now. Cloudflare gives me a single IPv4 and a single IPv6. If I want IPv6 I can either get an appropriate block from Cloudflare or do IPv6 NAT. The latter, I am informed, is evil. So no IPv6 via Warp I guess, at least for now.

I was being deliberately provocative when I referred to NAT6 as being 'evil'; it's 'unnecessary' rather than evil. You're right, though: the solution here is to see if Cloudflare can give you a /64 or better, but it seems that few VPN providers do this. Pragmatically, use NAT6 if you have to.
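An added diagnostic, not posted by anyone in the thread, that checks on the router what this thread was really about: whether IPv6 traffic actually leaves through the tunnel, and whether the kernel picks the tunnel's own address as source (so the Warp peer accepts it) or an ISP-delegated address (the case where the ISP address leaks, and where NAT6 or a routed prefix is needed). It assumes the tunnel interface is called wg0 and that `ip` from iproute2 is present; the probe host 2001:4860:4860::8888 is just any public IPv6 address.

```shell
#!/bin/sh
# Added example (not from the thread): classify the IPv6 egress path on an
# OpenWrt router running a WireGuard tunnel to Cloudflare Warp.

WG_IF="${WG_IF:-wg0}"                   # tunnel interface name (assumption)
PROBE="${PROBE:-2001:4860:4860::8888}"  # any public IPv6 host will do

# Print the word following a keyword ("dev", "src", "via") in one line of
# `ip -6 route get` output; print nothing if the keyword is absent.
route_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i < NF; i++) if ($i == key) { print $(i + 1); exit }
    }'
}

# Classify a route lookup.  Arguments: the `ip -6 route get` line, the tunnel
# interface name, and the tunnel's own IPv6 address (no prefix length).
# Prints one of:
#   tunnel_ok        - leaves via the tunnel with the tunnel address as source
#   tunnel_wrong_src - leaves via the tunnel but with an ISP address as source;
#                      the peer will drop it unless you NAT6 to the tunnel
#                      address or have a prefix routed to you
#   leak_via_<dev>   - bypasses the tunnel entirely (the ISP address is exposed)
#   no_route         - no IPv6 route at all
classify_route() {
    line=$1; wg=$2; wg_addr=$3
    dev=$(route_field "$line" dev)
    src=$(route_field "$line" src)
    [ -z "$dev" ] && { echo no_route; return; }
    if [ "$dev" != "$wg" ]; then echo "leak_via_$dev"; return; fi
    if [ "$src" = "$wg_addr" ]; then echo tunnel_ok; else echo tunnel_wrong_src; fi
}

# Live check on the router; silently skipped where `ip` is unavailable.
check_live() {
    command -v ip >/dev/null 2>&1 || return 0
    wg_addr=$(ip -6 addr show dev "$WG_IF" scope global 2>/dev/null \
              | awk '/inet6/ { sub(/\/.*/, "", $2); print $2; exit }')
    line=$(ip -6 route get "$PROBE" 2>/dev/null | head -n 1)
    classify_route "$line" "$WG_IF" "$wg_addr"
}

check_live
```

A result of tunnel_wrong_src on the router, alongside a LAN client that reports an ISP address at ipv6leak.com, is exactly the "single /128 from Cloudflare" situation discussed above.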