IPv6 internet access (OpenWRT router behind ISP router)

Hi,
I would like to establish an IPv6 internet connection for devices in my local network. I have an OpenWRT router behind an ISP router. My OpenWRT router receives an IPv6 /64 address from my ISP router (the WAN IPv6 interface on my OpenWRT router is set to DHCPv6). If I enable DHCP relay mode on both the WAN and LAN interface, my local clients also receive /64 GUA and ULA addresses (and the IPv6 connection works). However, enabling relay mode disables (messes up) my adblock running on the OpenWRT router. I thought of using an IPv4-like fallback option, where OpenWRT would assign IPv6 ULA addresses to my clients and NAT66 would translate them to the OpenWRT IPv6 GUA. I followed the NAT6 guide on the wiki, but it does not work. Any idea how to properly configure the OpenWRT router in my case?

I also tried setting up IPv6 NPT, following the wiki guide. But when I restart the firewall, I get a syntax error...

While you may have to use bridge routing, did you check whether the ISP router can be configured for IPv6 prefix delegation somehow (that would make things a lot nicer)?

No, the ISP router has no IPv6 settings.

When you enable relay mode for IPv6, your ISP advertises its own IPv6 DNS server via DHCPv6. This is what messes up adblocking on the OpenWrt router.

You can solve this by setting up a DNS hijacking rule in the firewall as shown here

Thanks! It seems it is working. IPv6 addresses are now relayed from my ISP router to the devices, but DNS traffic goes through my OpenWRT router (with adblock on).

What about WireGuard with my current setup (ISP and OpenWRT router)? I guess IPv6 addresses cannot be relayed from the WAN interface of the OpenWRT router to the WireGuard interface (on the same router). Could I manually select IPv6 addresses for my WireGuard clients? If so, how should they relate to the relayed IPv6 addresses?

Use your LAN interface as a SLAAC server with the WAN prefix; then you should be able to use RDNSS to make clients aware of your AdBlock DNS.

For WireGuard you can use ULA addresses and then do NAT66 or NPT66.

Can you restrict NAT66 or NPT66 to only the WireGuard interface (so that the LAN is not affected by this)?

Yes, you can masquerade only the WG subnet.

Could you tell me exactly how the configuration should look, or point me to a tutorial?

Just set it up according to the OpenWrt wiki and we'll take it from there; see:

https://openwrt.org/docs/guide-user/services/vpn/wireguard/start

Well, I have a working IPv4 WireGuard interface. But I have no idea (even after reading the guides you posted) what to do to enable an IPv6 connection for WireGuard clients.

Please connect to your OpenWRT device using SSH, copy the output of the following commands, and post it here using the "Preformatted text </>" button:

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ip route show
ip -6 route show
wg show

It will be tomorrow before I can have a look.

ubus call system board

{
        "kernel": "6.6.30",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 0",
        "model": "FriendlyElec NanoPi R5C",
        "board_name": "friendlyarm,nanopi-r5c",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r26272-39f595d1d8",
                "target": "rockchip/armv8",
                "description": "OpenWrt SNAPSHOT r26272-39f595d1d8"
        }
}

cat /etc/config/network


config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd0f:07f9:9457::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config device
        option name 'eth0'
        option macaddr 'c2:d8:xx:xx:xx:xx'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '192.168.1.1'
        list dns 'fd0f:07f9:9457::1'

config device
        option name 'eth1'
        option macaddr 'c2:d8:xx:xx:xx:xx'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
        option norelease '1'
        option sourcefilter '0'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option norelease '1'
        option ip6assign '128'
        option reqprefix 'auto'

config interface 'vpn'
        option proto 'wireguard'
        option private_key 'KCRHT7xxxxx'
        option listen_port '51820'
        list addresses '192.168.9.1/24'

config wireguard_vpn 'wgclient'
        option public_key 'hXn1LpBxxxx'
        option preshared_key 'n/lNuPskxxxxx'
        option description 'Laptop'
        option route_allowed_ips '1'
        list allowed_ips '192.168.9.2/32'

cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        list network 'lan'
        list network 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Wireguard'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '192.168.1.1'
        option dest_port '51820'

config redirect
        option target 'DNAT'
        option name 'Intercept-DNS'
        option family 'any'
        option src 'lan'
        option src_dport '53'

ip route show

default via 192.168.64.1 dev eth1  src 192.168.64.100
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1
192.168.9.0/24 dev vpn scope link  src 192.168.9.1
192.168.9.2 dev vpn scope link
192.168.64.0/24 dev eth1 scope link  src 192.168.64.100

ip -6 route show

default from 2a01:xxx:xxx:xxxx::/64 via fe80::666e:eaff:fe62:33c1 dev eth1  metric 640
2a01:xxx:xxx:xxxx::1 dev eth1  metric 1024
2a01:xxx:xxx:xxxx:xxxx:xxxx:fe6c:81a9 dev br-lan  metric 1024
2a01:xxx:xxx:xxxx:xxxx:xxxx:15f8:8b28 dev br-lan  metric 1024
2a01:xxx:xxx:xxxx:xxxx:xxxx:fec9:216f dev br-lan  metric 1024
2a01:xxx:xxx:xxxx:xxxx:xxxx:a96d:9abf dev br-lan  metric 1024
2a01:xxx:xxx:xxxx:xxxx:xxxx:91a3:c3df dev br-lan  metric 1024
2a01:xxx:xxx:xxxx::/64 dev eth1  metric 256
2a01:xxx:xxx:xxxx::/64 via fe80::666e:eaff:fe62:33c1 dev eth1  metric 384
unreachable 2a01:xxx:xxx:xxxx::/64 dev lo  metric 2147483647
fd0f:7f9:9457::/64 dev br-lan  metric 1024
fd0f:7f9:9457::/60 dev br-lan  metric 256  expires 0sec
fd0f:7f9:9457:10::/64 dev eth1  metric 256  expires 0sec
unreachable fd0f:7f9:9457::/48 dev lo  metric 2147483647
fe80::/64 dev br-lan  metric 256
fe80::/64 dev eth1  metric 256
anycast 2a01:xxx:xxx:xxxx:: dev eth1  metric 0
anycast fd0f:7f9:9457:: dev br-lan  metric 0
anycast fd0f:7f9:9457:10:: dev eth1  metric 0
anycast fe80:: dev br-lan  metric 0
anycast fe80:: dev eth1  metric 0
multicast ff00::/8 dev br-lan  metric 256
multicast ff00::/8 dev vpn  metric 256
multicast ff00::/8 dev eth1  metric 256

wg show

interface: vpn
  public key: xXN99xxxxxx
  private key: (hidden)
  listening port: 51820

peer: hXn1xxxxxxx=
  preshared key: (hidden)
  endpoint: 192.168.64.1:51820
  allowed ips: 192.168.9.2/32
  latest handshake: 16 minutes, 45 seconds ago
  transfer: 3.98 MiB received, 16.82 MiB sent

First assign a ULA address to your WG server with a /64 prefix, and to the peers with a /128.

Then disable source routing for wan6 by doing

uci set network.wan6.sourcefilter="0"
uci commit network
service network restart

After that, do the steps shown under IPv6 Selective NAT here; remember to replace the source IP ULA with your WG server ULA.

Also, why are you using a private IP address as your WG endpoint?


You can remove the following rule, as you already have the correct rule to allow traffic on port 51820 on your router, so remove this:

@sid already gave you the correct directions; to elaborate:
Add a ULA address on the WG interface. You can generate your own ULA at https://www.ip-six.de/index.php, or just use the one below which I made for you, or make one up.
ULA addresses are private addresses, so there is no need to keep them secret.

Add as Allowed IPs in the Peer section the ULA address you are going to give to the WG client (see below) with /128:

Your OpenWrt router does not have a default IPv6 route, so your WG clients do not have IPv6 internet access.
This is due to the fact that it uses IPv6 source routing: only known IPv6 subnets are routed to the next hop.
The easiest way to get a default IPv6 route back is to disable source routing; add to the wan6 stanza in /etc/config/network: option sourcefilter '0'

In the firewall (/etc/config/firewall) add a rule to selectively NAT66 your WG ULA subnet:

config nat 'nat6'
	option family 'ipv6'
	option src 'wan'
	option src_ip 'fddb:b40f:f9bc:3cd4::0/64'
	option target 'MASQUERADE'
	list proto 'all'

Next we set up your WG client.

Add the ULA address to your WG client, e.g. fddb:b40f:f9bc:3cd4::2/64
(This has already been set in the Peer section of the WG server.)
The last thing is to make sure your WG client has an IPv6 default route to your WG server.
On the WG client add as Allowed IPs: ::0/0
This will route all the IPv6 traffic on your WG client via the tunnel.
Note: some clients have no default route but use more specific source routing (e.g. an (OpenWRT) router); in that case add to the Allowed IPs: 8000::/1, ::/1

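The two replies above (the ULA-plus-selective-NAT66 recipe for the router, then the client side) describe one procedure whose correctness hinges on the addresses chosen: the nat rule is keyed on src_ip, so the WG ULA /64 must not overlap the router's own ULA /48 or LAN traffic gets masqueraded as well, and every peer /128 must sit inside that /64. The following script is an added example, not from the thread or from OpenWrt; it checks those constraints and renders the router side as uci commands and the client side as a wg-quick style fragment (with the 8000::/1 + ::/1 split as an option). It assumes the ULA values quoted in the thread and the section names ('vpn', 'wgclient') from the posted /etc/config/network; the nat section name 'nat6' and the output layout are this example's own choices. It runs offline on a workstation and only prints; nothing is applied to the router until you paste the output over SSH.

```python
import ipaddress

# Values quoted in the thread: the router's ULA /48 from 'config globals' and the
# WG ULA /64 the reply made up. Section names ('vpn', 'wgclient') match the posted
# /etc/config/network; everything else below is this example's own assumption.
ROUTER_ULA = "fd0f:07f9:9457::/48"
WG_ULA = "fddb:b40f:f9bc:3cd4::/64"
WG_SERVER = "fddb:b40f:f9bc:3cd4::1/64"
WG_PEERS = {"wgclient": "fddb:b40f:f9bc:3cd4::2"}  # uci peer section -> address


def check_addressing(router_ula, wg_ula, server, peers):
    """Return a list of problems; an empty list means the plan is consistent.

    The nat rule is keyed on src_ip, so the WG prefix must be a real ULA, must
    not overlap the router's own ULA (otherwise LAN traffic would be
    masqueraded too, which the thread explicitly wants to avoid), the server
    address must live in it, and every peer must be inside it (a peer outside
    the prefix would leave the WAN with an unroutable ULA source).
    """
    router_net = ipaddress.ip_network(router_ula)
    wg_net = ipaddress.ip_network(wg_ula)
    srv = ipaddress.ip_interface(server)
    problems = []
    if not wg_net.subnet_of(ipaddress.ip_network("fc00::/7")):
        problems.append(f"{wg_net} is not a ULA (fc00::/7)")
    if wg_net.overlaps(router_net):
        problems.append(f"{wg_net} overlaps router ULA {router_net}: LAN would be NATed too")
    if srv.network != wg_net:
        problems.append(f"server {srv} is not a /{wg_net.prefixlen} address inside {wg_net}")
    for name, addr in peers.items():
        ip = ipaddress.ip_address(addr)
        if ip not in wg_net:
            problems.append(f"peer {name} address {ip} is outside {wg_net}")
        elif ip == srv.ip:
            problems.append(f"peer {name} reuses the server address {ip}")
    return problems


def render_uci(server, peers, wg_ula, iface="vpn", nat_section="nat6", wan_zone="wan"):
    """Render the router side of the recipe as uci commands (paste over SSH):
    ULA on the WG interface, a /128 allowed_ips entry per peer, sourcefilter
    off on wan6, and a MASQUERADE nat rule scoped to the WG ULA only."""
    wg_net = ipaddress.ip_network(wg_ula)
    lines = [
        f"uci add_list network.{iface}.addresses='{ipaddress.ip_interface(server)}'",
        "uci set network.wan6.sourcefilter='0'",
    ]
    for name, addr in peers.items():
        lines.append(f"uci add_list network.{name}.allowed_ips='{ipaddress.ip_address(addr)}/128'")
    lines += [
        f"uci set firewall.{nat_section}=nat",
        f"uci set firewall.{nat_section}.family='ipv6'",
        f"uci set firewall.{nat_section}.src='{wan_zone}'",
        f"uci set firewall.{nat_section}.src_ip='{wg_net}'",
        f"uci set firewall.{nat_section}.target='MASQUERADE'",
        f"uci add_list firewall.{nat_section}.proto='all'",
        "uci commit network",
        "uci commit firewall",
        "service network restart",
        "service firewall restart",
    ]
    return "\n".join(lines)


def render_client(peer_addr, wg_ula, split_default=False):
    """Render the client side as a wg-quick style fragment. split_default=True
    emits ::/1 + 8000::/1 instead of ::/0 for clients (e.g. another OpenWrt
    router) that do not install a default route from AllowedIPs."""
    prefixlen = ipaddress.ip_network(wg_ula).prefixlen
    allowed = "::/1, 8000::/1" if split_default else "::/0"
    return (
        "[Interface]\n"
        f"Address = {ipaddress.ip_address(peer_addr)}/{prefixlen}\n"
        "\n"
        "[Peer]\n"
        f"AllowedIPs = {allowed}\n"
    )


if __name__ == "__main__":
    problems = check_addressing(ROUTER_ULA, WG_ULA, WG_SERVER, WG_PEERS)
    if problems:
        raise SystemExit("refusing to render:\n" + "\n".join(problems))
    print(render_uci(WG_SERVER, WG_PEERS, WG_ULA))
    print()
    print(render_client(WG_PEERS["wgclient"], WG_ULA))
```

Run it as-is to get the commands for the addresses used in the thread; change WG_ULA to something inside the router's own fd0f:07f9:9457::/48 and it refuses, which is the mistake that would silently masquerade LAN traffic too. The rendered nat rule is the same `config nat` stanza shown above, just expressed as uci commands so it can be applied and reverted (`uci revert firewall`) without hand-editing the file.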

Thank you for the very thorough guide. Works like a charm!


I used my private IP address for simplicity, when I was setting up WireGuard at home. My laptop was also on my home Wi-Fi.