IPv6 Allow Traffic Ingress

I have a new FTTP ISP which I have unfortunately now discovered are using CGNAT on IPv4.

To get around this I have successfully setup a VPN Tunnel to a remotely hosted VPS instance with my OpenWRT router as a client connecting to the VPN server on the VPS. This allows me reverse proxy inbound traffic for self hosted services through the VPN tunnel. The issue is that my new FTTP connection is 900mb and I am only seeing throughput of 200mb+ using OpenVPN which improved to about 300mb+ switching to Wireguard. But still far off my 900mb potential.

Connecting to the Wireguard VPN server using my Laptop I see throughput of 800mb. I assume the issue is the processing power on my router vs laptop.

I have a server running behind my home router which I am trying to setup as a Wireguard VPN Server. I would like my WAN based VPS to connect to this as a client and proxy through that tunnel in the hope throughput will be better.

The LAN based server is working fine on IPv6. It has a global IPv6 addresses assigned which is being reported to a DDNS service successfully.


I have added the following Firewall rule so all traffic for the IP is passed to the server:

config rule
        option family 'ipv6'
        option target 'ACCEPT'
        list dest_ip '2a05:xxxx:xxxx:5500::a2a'
        option src 'wan'
        option dest 'lan'
        option name 'Allow-Server-IPv6'
        list proto 'all'

However, I am getting Error Connection Refused, when I try to access the IP.

Am I missing something?

I guess its possible my ISP is blocking inbound IPv6. With CGNAT on IPv4 I would really hope not.

A potential solution would be for your home server to initiate the Wireguard link to the VPS as a "client." Then incoming connections will tunnel directly from the VPS to the server without needing router CPU to decrypt. That requires no changes to the firewall as it is an outgoing connection from home.

To test if ISP is blocking incoming IPv6, open a port on the router such as SSH then test with the WAN's GUA IPv6 from outside the network. A port scan site could be used since you only need to see if port is blocked or open.

Thanks for the comments mk24.

I was thinking about that. I just liked the idea of being able to connect directly to the home server when IPv6 connectivity is available bypassing the VPS completely. Plus I have also been looking at SOCAT IPv4 to IPv6 on the VPS which would remove the need for the encrypted tunnel and its overhead. So I am quite keen to get the IPv6 ingress working if I can.

How would I go about opening a port on the router to temporally allow SSH and test as you describe. I've not looked at this previously but looking at Administration->SSH Access the Interface is already unspecified (All). Do I just need to tick the Gateway Ports Check Box or is a Firewall rule required?


config rule
	option src 'wan'
	option name 'Forward IPv6 to internal-host'
	option dest 'lan'
	option target 'ACCEPT'
	option family 'ipv6'
	list dest_ip '2a01:c23:8d27:ac00:XX:XX:XX:XX/-64'

here is the rule I added to reach my IPv6 machine from the outside. Note that I gave that machine a IPv6 tokenized address (so that in spite if the changing prefix the interface identifier is always XX:XX:XX:XX) the '2a01:c23:8d27:ac00:XX:XX:XX:XX/-64' is OpenWrt config to tell the firewall to mask out the first 64bit of IPv6 addresses when matching. The end result is that in spite of variable prefix assignment I can reach the host... as long as I know the current prefix and interface-ID (but since the later is stable that is not too hard)...

P.S.: In my case I also had to modify the firewall of that host to actually allow SSH into it, otherwise I got the connection refused not from my router, but from that host itself.

Yes I had seen some of posts about the mask and did try that first. So far my prefix has remained static and to ensure that wasn't creating the issue with the mask wrong or something I switched to the complete address.

The server has firewalld and I temporally turned it off when testing, so confident its not a firewall issue on the server.

Bizarrely I don't even seem to be able to reach the server from the LAN with the IP 2a05:xxxx:xxxx:5500::a2a. Not sure if that normal or linked to the issue.

Well, when I log into my router via SSH I can open SSH sesssions to LAN-devices that actually offer SSH access. So I would recommend you first fix the "access over LAN" issue before tackling the access over WAN?

I can from the router itself but not from other LAN clients.

1 Like

Ah, OK then that should not be the issue.