IPv6 connectivity in wireguard tunnel & pbr

Hi there. I am updating my travel router TL-WR902ACv3 from OpenWRT 23.05.0 to 23.05.2 and I also updated some configuration details like adding openvpn as a fallback. That broke my wireguard setup for IPv6 and I cannot find out why. For testing I turned off openvpn by disabling all instances with uci set openvpn.my_client.enabled="0", so the problem should not be in this. No openvpn activity appears in the system log.

I am running a private wireguard server with a changing public IPv6 prefix. This forces me to use nat66 on the server and use ULA addressing inside the tunnel. The server has the following config with multiple clients. I reduced it to the relevant one (the other clients are working ok).

config interface 'wgmango'
        option proto 'wireguard'
        option listen_port '64425'
        option private_key ''
        list addresses 'ddaa:0:0:aab0::1/60'
        list addresses '192.168.224.1/21'

config wireguard_wgmango
        option public_key ''
        option private_key ''
        option preshared_key ''
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '192.168.227.0/24'
        list allowed_ips 'ddaa:0:0:aab6::/63'
        option description 'WR902ACv3'

Additionally I use a firewall rule for nat66 on server side, not on client side:

config nat 'nat66'
        option family 'ipv6'
        option src 'wan'
        option target 'MASQUERADE'
        option name 'WG NAT66'
        list proto 'all'
        option src_ip 'ddaa:0:0:aaaa::/59'

The subnet may appear too big, but this is desired to also cover an other wireguard instance.

Now to the client. The connectivity of the wireguard tunnel itself is great, even for IPv6. I can ping both sides. However I may have a routing issue on client side as I have no connectivity from a subnet on client side. Here is the full configuration:

/etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'ddaa::/48'

config device 'lan_dev'
	option name 'br-lan'
	option type 'bridge'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ip6class 'local'
	option ip6hint '0'
	option ip4table '1'
	option ip6table '1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '4 6t'

config device 'vpn_dev'
	option type 'bridge'
	option name 'br-vpn'
	option mtu '1380'
	list ports 'eth0.1'

config interface 'vpn'
	option proto 'static'
	option device 'br-vpn'
	option ipaddr '192.168.200.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option peerdns '0'
	option ip6hint 'aab7'
	list dns '192.168.224.1'
	list dns 'ddaa:0:0:aab0::1'
	list ip6class 'local'
	option ip4table '2'
	option ip6table '2'

config interface 'wg'
	option proto 'wireguard'
	option private_key ''
	list dns '192.168.224.1'
	list dns 'ddaa:0:0:aab0::1'
	list addresses '192.168.227.1/24'
	list addresses 'ddaa:0:0:aab6::1/64'
	option sourcefilter '0'
	option auto '0'
	option ip4table '3'
	option ip6table '3'

config wireguard_wg 'wgserver'
	option public_key ''
	option preshared_key ''
	option endpoint_host ''
	option endpoint_port '12345'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'

config rule 'vpn4_tunnel_rule'
	option in 'vpn'
	option lookup '3'
	option priority '30000'

config rule6 'vpn6_tunnel_rule'
	option in 'vpn'
	option lookup '3'
	option priority '30000'

config interface 'trm_wwan'
	option proto 'dhcp'
	option metric '0'

config interface 'trm_wwan6'
	option device '@trm_wwan'
	option proto 'dhcpv6'
	option sourcefilter '0'

config interface 'ovpn'
	option auto '0'
	option proto 'none'
	option device 'tun0'
	option ip4table '3'
	option ip6table '3'

config route 'ovpn_rt'
	option interface 'ovpn'
	option target '0.0.0.0/0'

config route6 'ovpn_rt6'
	option interface 'ovpn'
	option target '::/0'

/etc/config/firewall
config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option masq6 '1'
	list network 'wan'
	list network 'wan6'
	list network 'trm_wwan'
	list network 'trm_wwan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule 'icmp'
	option name 'Allow-Ping'
	option src '*'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule 'icmp6'
	option name 'Allow-ICMPv6-Input'
	option src '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone 'wifi_vpn'
	option name 'wifi_vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'vpn'

config zone 'wg_zone'
	option name 'wg_zone'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wg'

config forwarding 'vpnwifi_wgzone'
	option src 'wifi_vpn'
	option dest 'wg_zone'

config rule 'wifi_vpn_dhcp'
	option name 'Allow-DHCP-VPN'
	option src 'wifi_vpn'
	option dest_port '67'
	option proto 'udp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule 'wifi_vpn_dhcp6'
	option name 'Allow-DHCPv6-VPN'
	option src 'wifi_vpn'
	option dest_port '547'
	option proto 'udp'
	option family 'ipv6'
	option target 'ACCEPT'

config rule 'wifi_vpn_tcp'
	option name 'Acces device from local VPN'
	option proto 'tcp'
	option src 'wifi_vpn'
	option target 'ACCEPT'

config zone 'ovpn_zone'
	option name 'ovpn_zone'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option masq6 '1'
	option mtu_fix '1'
	list network 'ovpn'

config forwarding 'vpnwifi_ovpnzone'
	option src 'wifi_vpn'
	option dest 'ovpn_zone'

My problem is: all (sub)clients on interface vpn do have IPv4 connectivity but not IPv6. I can access the router itself but not even the wireguard IPv6 address of the other tunnel side (ddaa:0:0:aab0::1). My question is: Why? I have turned off source routing and the routing looks good to me. However, if I enable masq6 on the firewall for wg_zone I have connectivity for IPv6. But I do not want this because it would

  1. double nat66
  2. make clients inaccessible from the other (server) side of the tunnel

I have a similar setup for another client with option ip6hint 'aab5'. This client is working fine. I compared all configuration files and I have no idea. Even if I activate source routing and set an (additional) user-provided IPv6 prefix with

config interface 'wg'
	option ip6prefix 'ddaa:0:0:aab7::/64'
	...

config interface 'vpn'
	list ip6class 'wg'

the result stays the same: no IPv6 connectivity for clients on interface vpn.

What can I do?

Maybe a screenshot of the routing can provide more information to someone?

My guess is that there isn't correct source IP on the packets. Try a tcpdump -i wg -nv

Android really doesn't want a ULA as its link to the Internet. (I don't know about other OSs.) I would suggest running delegated GUAs inside the tunnel to provide a "real" IPv6 connection.

That seems complicated because the prefix may change, and then you'd need to change allowed_ips. But with a point-to-point Wireguard, you can set allowed_ips to 0::/0 on both ends and control routing externally from the Wireguard kernel and config scripts. Make an alias interface with @wgmango as its device and an ip6assign of 64. This will have standard UCI networking delegate a prefix and install a route.

This only works with one client per wg interface. If you have multiple travel routers or road warriors make a completely separate wg interface for each one.

Yes, I know about this problem, I already faced this problem in the past and solved it:

I can say this is not the issue here. My openvpn tunnel does use the same address and works fine. Also my phones on other instances of wireguard connecting to the same server.

As far as I can say, Windows would use ULA as uplink. Android doesn't, but will if you use an unassigned prefix.

Well, that is why I disabled the source filter.

config interface 'wg'
	...
	option sourcefilter '0'

Anyway, you helped me. I did not have enough space for tcpdump left. So I removed openvpn and ... it worked. That was surprising. So I reinstalled openvpn and it still works. I enabled openvpn again and both tunnels work if I use them with travelmate (either wireguard or openvpn). So... I guess there must have been some persistent leftovers from openvpn which were misconfigured. I don't know, but I am happy to have it working.