And then set up the NDP.
This configuration works fine with a single peer. I can assign any address from this /64 on this peer and it will be routed exactly as intended.
Now, I wanted to expand this to all the clients behind the OpenWRT router peer. So, what I did:
Set up the wg interface with the IP from this /64:
config interface 'wg0'
	list addresses '10.24.24.99'
	list addresses '2a0b:4142:684:d02::2/128'
Added an alias interface (I decided to separate the interfaces in case I want to play with NPT6 and mwan3)
This interface has the whole /64 prefix set manually to delegate to clients:
config interface 'wan6_vpn'
	option proto 'static'
	option device '@wg0'
	option ip6prefix '2a0b:4142:684:d02::/64'
	option metric '30'
And created a separate zone for these interfaces:
config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	list network 'wg0'
	list network 'wan6_vpn'

config forwarding
	option src 'vpn'
	option dest 'lan'

config forwarding
	option src 'vpn'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'vpn'
After that I restarted the interfaces and… nothing seems to work. And I can’t understand why!
The PD part works well - the clients behind the router get their addresses (why wouldn’t they?)
Yet, trying to ping the gateway - 2a0b:4142:684:d02::2 results in:
Destination unreachable: Address unreachable
Of course, I cannot ping anything outside either. My (manually created) routes:
Also, I found that if I set the wg0 interface to 2a0b:4142:684:d02::1 instead of 2a0b:4142:684:d02::2, the lan bridge will get the same address from PD (conflict?). That's why the interface is d02.
Any help is appreciated. Maybe there’s a better way of doing this?
Yea, use ULA addresses on WG and configure masquerade 6 if you need Internet. Your description of statically assigning dynamic IPs from another interface isn't the best method.
You may need to make a route for the subnet to reach ::0 via your WAN since it'll be an ULA (the gateway will need to be specified, you can use the LLA shown in IPv6 Upstream status in the main LuCI page).
First make sure your tunnel ends have link-local IPs, as IPv6 really can't work without them. Since this is a point-to-point tunnel (more on that next), you can manually assign fe80::1/64 and fe80::2/64.
I'm not certain exactly what you are trying to do here but I think that you have a VPS with a GUA /56 from the Internet and you want to route the whole /56 to your OpenWrt router and then reroute it as multiple /64 (or other smaller than /56) to various LANs and VPN clients.
Since the tunnel to the VPS must be able to receive packets from anywhere on the Internet, its allowed_ips have to include the whole Internet, which precludes accepting more than one peer with a GUA. So if you want incoming VPNs to OpenWrt you'll need to set up a separate Wireguard interface.
Then it is a fairly simple matter of setting ip6prefix on the wg0 interface and letting OpenWrt's internal delegation system distribute it to your LANs and incoming VPNs (on wg1).
First of all, thank you! @lleachii I wanted to do a basic PD first and then I was going to try NPT6 (probably with ULA as you suggested)
@mk24 I got a /56 on the VPS and I wanted to use a /64 of it for wg. That's why AllowedIPs is a /64.
After reading your messages I got some confidence that I was not too wrong with my setup but still there is something I don’t understand.
First of all, after adding static ::/0 on wg - everything started to work! (So, 2000::/3 doesn’t, and ::/0 does? Why?)
The second and the most confusing part for me: why am I unable to ping 2a0b:4142:684:d02::2 (WG interface) while ping works fine with 2a0b:4142:684:d02::1 (LAN bridge that got its IP from delegation)? They're on the same router on adjacent interfaces!
So, the current state of affairs:
Added ::/0 route on OpenWRT router through wg0 interface
All the clients behind OpenWRT router are getting their global routable IPs. Internet is reachable.
ICMP from OpenWRT clients reaches 2a0b:4142:684:d02::1 (LAN bridge) - that is expected
ICMP from the same client fails with destination unreachable for 2a0b:4142:684:d02::2 (wg0)
From the VPS side - everything is reachable - 2a0b:4142:684:d02::1, 2a0b:4142:684:d02::2 and all the clients with their unique IPs
From my understanding, the allowedips field is supposed to make a route accessible for the current interface, not for the other side.
So in this context it only applies to the interface in OpenWrt; it doesn't influence the peer config somewhere else on a client if this tunnel was omitted to function as a server (site-to-site VPN server), so for a client this is fine.
Allowed_ips are the source addresses that you expect to see from the other end of the link. They are also used by Wireguard to decide which peer to route a return packet to. When a packet arrives with a source that is unknown in allowed_ips, or one tries to leave to a destination that is unknown in allowed_ips, the Wireguard kernel module will simply drop it.
This is internal "routing" in Wireguard which is separate from the kernel routing table(s). Setting route_allowed_ips causes the OpenWrt configuration scripts to copy each allowed_ip subnet into the kernel routing table with the Wireguard interface as its interface. route_allowed_ips is not a core feature of Wireguard, it is an extension by OpenWrt. Most other Wireguard clients do something similar by default.
2000::/3 does not work by itself but ::/0 does because the former does not allow any link-local IPs which as I said before are very important in IPv6.
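To make the allowed_ips behaviour described in the post above concrete, here is an added Python model of WireGuard's cryptokey routing table. It is illustration code written for this page, not code from the thread, from OpenWrt or from WireGuard itself; the peer names ("vps", "laptop") and the ULA address fd00:24::2 are constructed for the example. It shows the two uses of allowed_ips (destination selects the peer on the way out, source is checked against the decrypting peer on the way in), why 2000::/3 silently drops the fe80:: link-local traffic that ::/0 passes, and what route_allowed_ips would copy into the kernel table.

```python
# Added illustration (not from the thread, OpenWrt or WireGuard): a model of
# WireGuard's cryptokey routing table, used to show why a peer whose
# allowed_ips is 2000::/3 drops link-local traffic while ::/0 passes it.
from ipaddress import ip_address, ip_network
from typing import Optional


class CryptokeyRouter:
    """Minimal model of a WireGuard interface's allowed_ips table.

    The kernel module keeps one longest-prefix-match table per interface;
    every allowed_ips entry maps a prefix to exactly one peer. The same lookup
    serves both directions: outbound, the destination selects the peer to
    encrypt to; inbound, the decrypted packet's source must resolve to the
    peer whose key decrypted it, otherwise the packet is dropped.
    """

    def __init__(self) -> None:
        self.table: list = []  # (network, peer_name); most specific match wins

    def add_peer(self, name: str, allowed_ips: list) -> None:
        for prefix in allowed_ips:
            self.table.append((ip_network(prefix, strict=False), name))

    def lookup(self, address: str) -> Optional[str]:
        """Longest-prefix match; None means no peer owns this address."""
        addr = ip_address(address)
        best, best_len = None, -1
        for net, name in self.table:
            if addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
        return best

    def peer_for_destination(self, dst: str) -> Optional[str]:
        """Outbound: which peer receives an encrypted packet for dst (None = drop)."""
        return self.lookup(dst)

    def accept_inbound(self, from_peer: str, src: str) -> bool:
        """Inbound: accept only if src belongs to the peer that decrypted it."""
        return self.lookup(src) == from_peer

    def kernel_routes(self) -> list:
        """What OpenWrt's route_allowed_ips would copy into the kernel table:
        one route per allowed_ips entry, returned here as (prefix, peer)."""
        return [(str(net), name) for net, name in self.table]


def vps_tunnel_passes_link_local(allowed_ips: list) -> bool:
    """Can fe80::1 (a link-local tunnel endpoint, as suggested in the thread)
    be reached through, and heard from, a 'vps' peer with these allowed_ips?
    The peer name is constructed for this example."""
    router = CryptokeyRouter()
    router.add_peer("vps", allowed_ips)
    return (router.peer_for_destination("fe80::1") == "vps"
            and router.accept_inbound("vps", "fe80::1"))


if __name__ == "__main__":
    # The two cases from the thread: 2000::/3 excludes fe80::/10, ::/0 includes it.
    for prefix in (["2000::/3"], ["::/0"]):
        print(prefix, "link-local passes:", vps_tunnel_passes_link_local(prefix))

    # Constructed two-peer case: the VPS as default route plus a road-warrior
    # client holding a single ULA address. The more specific /128 wins the
    # lookup, and a client sourcing traffic from an address outside its own
    # allowed_ips is dropped before it ever reaches the kernel routing table.
    r = CryptokeyRouter()
    r.add_peer("vps", ["::/0"])
    r.add_peer("laptop", ["fd00:24::2/128"])
    print("fd00:24::2 ->", r.peer_for_destination("fd00:24::2"))    # laptop
    print("2001:db8::1 ->", r.peer_for_destination("2001:db8::1"))  # vps
    print("laptop sourcing fd00:24::3 accepted:",
          r.accept_inbound("laptop", "fd00:24::3"))                  # False
    print("routes from route_allowed_ips:", r.kernel_routes())
```

The inbound check is what makes allowed_ips a security boundary and not just a routing hint: a peer cannot inject packets with a source outside its own entries, which is why a site-to-site peer gets a prefix and a road-warrior gets a /128.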