How to assign GUA IPv6 Over Wireguard From Linode VPS

I have set up Wireguard on a Linode VPS running Debian, with radvd on it, and connected it to my home router behind CG-NAT running OpenWRT 22.03.

I want to give GUA IPv6 to all my home clients.
Linode has the IPv6 range 2600:3c08:xxxx:2a00::/56 and IPv4 172.xxx.0.4.
Now how do I give IPv6 GUA to all clients?

AFAIK 6in4 won't work because I'm behind CG-NAT.

I am utterly confused by IPv6.

I have only IPv4 at home. No IPv6.

Yes, I'm doing exactly that, although I'm running OpenWrt on the Linode as well, so I can't offer much advice on how to set up Debian other than what you should have at the end. In particular make sure that (on the VPS end):

  • v6 is enabled and the default route for v6 is the virtual eth port, and that you can ping a v6 address from inside the VPS.
  • The Wireguard interface has a link-local IP. It does not need a GUA IP.
  • The v6 routing table forwards your /56 prefix to the Wireguard interface.
  • IPv6 forwarding is allowed.
  • allowed_ips for the single client (your house) includes the entire /56 and the link-local of the tunnel end at the house.

Again don't ask me how to make any of that happen on Debian, it is outside the scope of this forum. Linode does allow you to run any OS including OpenWrt but it must be installed manually.

On the home terminus of the Wireguard tunnel in OpenWrt you can treat the tunnel as the wan6, since there is no other wan6. The only thing is to apply the prefix to it manually.
I'm still not sure of the exact syntax to do this, but it looks something like:

config interface 'wg0'
    option proto 'wireguard'
    option private_key "<this side's private key>"
    list addresses 'fe80::2/64'
    list ip6prefix '<your 56>::/56'
    option sourcefilter '0'

config wireguard_wg0
    option public_key "<other side's public key>"
    option endpoint_host '<your VPS IPv4>'
    option endpoint_port '<your VPS listen_port>'
    list allowed_ips '::/0'
    option route_allowed_ips '1'

This is a bit simplified from what I do since I also have a wan v6 active on the router. If you don't have any other v6 wan you can simply make wireguard the default.
Your LAN should now have a prefix delegated out of the /56 and that should allow v6 Internet access from LAN devices.


I can install OpenWRT on Linode no problem.

So I should create a static IPv6 wan6 interface at home?

Also, can you give an example of Linode's wireguard config and OpenWrt interface settings?

You're creating a static Wireguard interface but using it instead of a wan6. A conventional wan6 attached to the local ISP modem won't do anything since your ISP does not support IPv6.

On the VPS, first of course it needs a wan6 so that the IPv6 Internet can be reached (the whole point of this setup). Linode doesn't support dhcpv6 so it needs to be configured statically:

config interface 'wan6'
        option device 'eth0'
        option proto 'static'
        option ip6addr "<your Linode's direct IPv6>/64"
        option ip6gw 'fe80::1'
        option ip6prefix "<your Linode's routed prefix>/56"
        list dns '2600:3c03::4'
        list dns '2600:3c03::5'

Then manually "delegate" the prefix to a wireguard interface. It isn't necessary to use the delegation feature, just install it as a routed allowed_ip. This wireguard tunnel will only support IPv6, but you can use an IPv4 connection to transport the "outer" packets.

config interface 'wg0'
        option proto 'wireguard'
        option listen_port '51820'
        option private_key "<Linode's private key>"
        list addresses 'fe80::1'

config wireguard_wg0
        option public_key "<Home's public key>"
        list allowed_ips "<your Linode's prefix>/56"
        list allowed_ips 'fe80::2/128'
        option route_allowed_ips '1'

If you have other interfaces in the VPS, be sure that they do not have an ip6assign so they don't get any prefix. Thinking about this some more, it probably isn't even necessary to declare the prefix on wan6; packets are just going to arrive and get routed out due to the route_allowed_ips on Wireguard.

Of course make sure to open UDP to your listen_port from wan in the firewall.

Thanks. So the first thing is I was not able to install OpenWRT on Linode; I got a grub rescue error. It was much easier installing OPNsense, which is what I am using now.

So what is set up now is the first network 2600:3c08:xxxx:2a00::/64 for WireGuard tunnel communication.

Then I will set up 2600:3c08:xxx:2a01::/64 for SLAAC for my LAN devices.

I am not using fe80, to keep it simple for me, as I got ping issues with that. But it does not matter because I have a /56.

I am able to ping both the devices with 2600:3c08:xxxx:2a00::1 and 2600:3c08:xxxx:2a00::2 respectively.

So the problem now is that RA mode is greyed out in the DHCP Server options of the Wireguard interface. Plus I am getting ULA, not GUA, from my Linode.

Do you have any real time communication app we can use?

A prefix larger than /64 needs to be forwarded, in order to be able to delegate multiple /64s out of it for use at home (at least the router itself will hold one, and the LAN interface and its clients another one). I forward the entire /56 since the only client of the VPS is the one router at home. Since Linode also issues a separate /128 for the VPS itself, the VPS itself will not use any IP within the /56 to originate or receive its own Internet use. It only forwards it.

Both ends of the tunnel must also have a LLA (such as fe80::1/64 and fe80::2/64) since many low-level IPv6 operations depend on the existence of LLAs. In particular the VPS's LLA will be the gateway from the home router back to the Internet.

This cannot work with your present setup that only forwards the <prefix56>00::/64, as <prefix56>01::/64 is not in the same /64 and won't be forwarded from the Internet into the tunnel.

Although DHCPv6 can work through a Wireguard tunnel, since the prefix the Linode has is static it is simpler to just statically assign the prefix on the wireguard interface. This notifies the UCI system to delegate parts of that prefix to the LANs based on their ip6assign setting. The setting is list ip6prefix in the main wg0 interface definition.

Once the LAN has a GUA prefix then RA server mode becomes usable to serve the local GUA information to the LAN endpoints.


Thanks man, I switched to fe80::/64; the issue was I needed to specify the interface to ping with, e.g. ping6 -I wg0 fe80::1.

I also edited /etc/config/network to specify ip6prefix. Does this exist in LuCI? I did not see an option. Anyway, I can see LAN and wg0 have IPv6-PD.

But I can't ping6 google.com from OpenWRT; how can I fix this?

OPNSense VPS Routing Table:

Internet6:
Destination                       Gateway                       Flags     Netif Expire
default                           fe80::1%vtnet0                UG       vtnet0
::1                               link#2                        UHS         lo0
2600:3c08::f03c:94ff:xxxx:4       link#1                        UHS         lo0
2600:3c08:e002:xxxx::/56          link#6                        US          wg1
fe80::/64                         link#6                        US          wg1
fe80::%vtnet0/64                  link#1                        U        vtnet0
fe80::f03c:94ff:fee9:4%vtnet0     link#1                        UHS         lo0
fe80::%lo0/64                     link#2                        U           lo0
fe80::1%lo0                       link#2                        UHS         lo0
fe80::%wg1/64                     link#6                        U           wg1
fe80::1%wg1                       link#6                        UHS         lo0

Does your DNS work and resolve the IPv6 address? If not, try also pinging Google numerically at 2001:4860:4860::8844.

Of course the OPNsense firewall needs to allow forwarding from wg0 to vtnet0.

On the OpenWrt home router the wireguard interface should be in the wan zone. This isn't really important for pinging out from inside OpenWrt though; that only requires the interface be in some zone that allows output.

Once all the routes look proper, try some packet captures to see where packets are being lost.

Yes DNS Works.
Yes wg0 is in WAN zone.

I think OPNsense is forwarding traffic, because earlier with the 2600:3c08:xxx:2a00::/64 setup I had IPv6 Internet access.

I am not sure how to debug it further. How do I packet capture on OpenWrt?

Use the tcpdump package.
tcpdump -i wg0


Thanks. Sorry for needing to be spoon-fed.

OpenWRT to wg1 (Linode) works.
wg1 (Linode) to WAN works.

I think the reply is not forwarded to wg1 from WAN. Is this an issue with AllowedIPs?

:16:06.855599 IP6 2600:3c08:xxxx:2a01::1 > maa03s45-in-x0e.1e100.net: ICMP6, echo request, seq 123, length 64
21:16:06.856816 IP6 maa03s45-in-x0e.1e100.net > 2600:3c08:xxxx:2a01::1: ICMP6, echo reply, seq 123, length 64

At the home end of the tunnel, allowed_ips should be ::/0 since responses may come from anywhere on the Internet. I think that Wireguard on the receiving end (home) just silently drops incoming packets that don't match an allowed_ip.

OpenWRT is ::/0.
I think it's an issue on the OPNsense side.

Is this AllowedIPs correct for Linode side?
2600:3c08:e002:2a00::/56,fe80::/64

EDIT: I had to edit the firewall rule in OPNsense on the wg interface to allow packets from WAN also to pass.

EDIT2: I disabled SLAAC on wg and enabled on LAN and it worked. I have IPv6 Internet.

But now I am not able to access my global IPv6 on the Internet from mobile data.

EDIT3: OK, I had to add this firewall rule in OpenWRT to fix "port forwarding"

tcpdump helped me A LOT.

Thanks a lot @mk24

It should be noted that Linode IPs are blacklisted by many websites, so this isn't ideal for general Internet use.


Even IPv6 is blacklisted?? So they blacklist ranges?

Can I prioritize IPv4 over IPv6? Or can I disable IPv6 and allow it only for my servers?
I don't need it for general browsing; I need it to access my servers over IPv6. (I know there are better ways, but I just wanted to try this method.)

For your own use it will work fine. You can accept incoming connections from the public if you want. The issue is when you use the connection to go to google or certain commerce sites, they don't like your source IP. This is true of both v4 and v6.
