Hi! I want to make IPv6 routing work. I can only ping other computers from LAN. On my OpenWrt I have a yggdrasil tunnel; traffic from OpenWrt itself goes through this tunnel, but from computers in the LAN it does not work.
Do I need to enable NAT for IPv6?
My ISP does not provide IPv6, so I'm relying only on tunnels.
Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have.
# Diagnostic dump for an OpenWrt router, in this order: board/release info,
# the network, dhcp and firewall UCI configs, IPv6 addresses, IPv6 routes from
# all tables, IPv6 policy rules, then the resolver files (listing followed by
# their full contents; `head -n -0` prints each file whole under a
# `==> name <==` header).
# Review the output before posting it publicly:
#  - `uci export network` prints WireGuard `private_key` / `preshared_key`
#    options in clear text; blank those values as well as passwords.
#  - `ip -6 addr` lists link-local (fe80::) addresses; ones with `ff:fe` in
#    the middle are typically derived from the interface MAC, so redacting
#    `option macaddr` alone may not hide it.
#  - `uci export firewall` shows port forwards and which WAN ports are open.
ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
ls -l /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
What tunnel?
Not if your tunnel provider issues a whole subnet.
root@OpenWrtGW:~# ubus call system board; \
> uci export network; \
> uci export dhcp; uci export firewall; \
> ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
> ls -l /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
{
"kernel": "5.10.146",
"hostname": "OpenWrtGW",
"system": "ARMv8 Processor rev 4",
"model": "FriendlyElec NanoPi R4S",
"board_name": "friendlyarm,nanopi-r4s",
"rootfs_type": "ext4",
"release": {
"distribution": "OpenWrt",
"version": "22.03.2",
"revision": "r19803-9a599fee93",
"target": "rockchip/armv8",
"description": "OpenWrt 22.03.2 r19803-9a599fee93"
}
}
package network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd5e:3152:9435::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1'
list ports 'eth2'
option bridge_empty '1'
config device
option name 'eth1'
option macaddr 'ff:ff:ff:ff:ff:ff'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.99.1'
list ip6class 'local'
config device
option name 'eth0'
option macaddr 'ff:ff:ff:ff:ff:ff''
config interface 'wan'
option device 'eth0'
option proto 'static'
option ipaddr 'xx.xx.xx.27'
option netmask '255.255.255.0'
option gateway 'xx.xx.xx.1'
list dns '1.1.1.1'
list dns '1.0.0.1'
option metric '50'
option delegate '0'
option ip4table 'main'
config interface 'wan6'
option device 'eth0'
option proto 'dhcpv6'
config device
option type '8021q'
option ifname 'br-lan'
option vid '20'
option name 'br-lan.20'
option ipv6 '0'
config interface 'GUEST'
option proto 'static'
option device 'br-lan.20'
option ipaddr '192.168.66.1'
option netmask '255.255.255.0'
config interface 'VPN_***'
option proto 'wireguard'
option private_key '*****'
option listen_port '51820'
list addresses '10.**.**.**/24'
config wireguard_VPN_***
option description '***'
option public_key '***'
option preshared_key '***'
list allowed_ips '10.**.**.**/24'
config wireguard_VPN_***
option description **'
option public_key '***'
option preshared_key '***'
list allowed_ips '10.**.**.**/32'
config wireguard_VPN_***
option description '***'
list allowed_ips '10.99.0.28/32'
option preshared_key '***'
option public_key '***'
config interface 'yggdrasil'
option device 'ygg0'
option proto 'none'
config interface 'VPN_OVH'
option proto 'wireguard'
option private_key '***'
option listen_port '51822'
option defaultroute '0'
option peerdns '0'
list addresses '10.126.**.**/24'
config wireguard_VPN_OVH
config wireguard_VPN_OVH
option description 'ovh'
option public_key '***'
option preshared_key '***'
option endpoint_port '51820'
option persistent_keepalive '25'
list allowed_ips '0.0.0.0/0'
config device
option type '8021q'
option ifname 'br-lan'
option vid '21'
option name 'br-lan.21'
config interface 'IOT'
option proto 'static'
option device 'br-lan.21'
option ipaddr '192.168.21.1'
option netmask '255.255.255.0'
config interface 'VPN_***'
option proto 'wireguard'
option private_key '***
option listen_port '51821'
list addresses '10.128.**.**/24'
config wireguard_VPN_***
option public_key '***'
option private_key '**'
option preshared_key '**'
option description '*'
option persistent_keepalive '25'
list allowed_ips '10.128.**.**/24'
list allowed_ips '192.168.**.**/24'
list allowed_ips '192.168.**.**/24'
list allowed_ips '192.168.**.**/24'
config route
option target '192.168.**.**/24'
option gateway '10.128.**.**'
option interface 'VPN_**'
config device
option type '8021q'
option ifname 'br-lan'
option vid '91'
option name 'br-lan.91'
config interface 'PUBLIC_LAN'
option proto 'static'
option device 'br-lan.91'
option ipaddr '192.168.81.2'
option netmask '255.255.255.0'
config device
option type '8021q'
option ifname 'br-lan'
option vid '33'
option name 'br-lan.33'
config interface 'GUEST_VPN'
option proto 'static'
option device 'br-lan.33'
option ipaddr '192.168.33.1'
option netmask '255.255.255.0'
option ip4table 'vpn'
config interface 'MULLVAD_VPN'
option proto 'none'
option device 'tun33'
option auto '0'
option ip4table 'vpn'
config rule
option out 'wan'
option lookup 'main'
option dest '0.0.0.0/0'
option disabled '1'
config rule
option lookup 'vpn'
option dest '0.0.0.0/0'
option priority '10'
option src '192.168.33.0/24'
config route
option table 'vpn'
option target '0.0.0.0/0'
option source '192.168.33.0/24'
option gateway '10.10.0.1'
option disabled '1'
config route6
option gateway '200::'
option interface 'lan'
option target '200::/7'
config rule6
option out 'yggdrasil'
option in 'lan'
option disabled '1'
package dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option localservice '1'
option ednspacket_max '1232'
option sequential_ip '1'
list notinterface 'wan'
option noresolv '1'
list server '/pool.ntp.org/8.8.8.8'
list server '127.0.0.53'
option cachesize '7000'
option dnsforwardmax '300'
option nonegcache '1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
option ra_default '2'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
option start '100'
option limit '150'
option leasetime '12h'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'GUEST'
option interface 'GUEST'
option start '100'
option limit '150'
option leasetime '12h'
list ra_flags 'none'
config host
option name '***'
option dns '1'
option mac '***'
option ip '192.168.**.**'
config host
option name '***'
option mac '***'
option ip '192.168.**.**'
config domain
option name '**'
option ip '192.168.**.**'
config domain
option name 'nc'
option ip '192.168.**.**'
config domain
option name '**.**'
option ip '192.168.**.**'
config domain
option name 'nas'
option ip '192.168.**.**'
config domain
option name '**'
option ip '192.168.**.**'
config dhcp 'GUEST_VPN'
option interface 'GUEST_VPN'
option start '100'
option limit '150'
option leasetime '12h'
list dhcp_option '6, 1.1.1.1'
package firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
config include
option path '/etc/firewall.user'
config zone
option name 'guest'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'GUEST'
config forwarding
option src 'guest'
option dest 'wan'
config zone
option name 'vpn_rw'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'VPN_RW'
config forwarding
option src 'vpn_rw'
option dest 'guest'
config forwarding
option src 'vpn_rw'
option dest 'lan'
config forwarding
option src 'vpn_rw'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'guest'
config forwarding
option src 'lan'
option dest 'vpn_rw'
config redirect
option target 'DNAT'
option name 'nextcloudpi'
option src 'wan'
option src_dport '444'
option dest 'lan'
option dest_ip '192.168.**.**'
option dest_port '443'
list proto 'tcp'
config redirect
option target 'DNAT'
option name 'Nextcloudpi vpn'
list proto 'tcp'
option src 'vpn_rw'
option src_dport '444'
option dest 'lan'
option dest_ip '192.168.**.**'
option dest_port '443'
config redirect
option target 'DNAT'
option name 'Nextcloudpi GUEST'
list proto 'tcp'
option src 'guest'
option src_dport '444'
option dest 'lan'
option dest_ip '192.168.**.**'
option dest_port '443'
config redirect
option target 'DNAT'
option name 'allow ssh to jumpbox '
list proto 'tcp'
option src 'wan'
option src_dport '***'
option dest 'lan'
option dest_ip '192.168.**.**'
option dest_port '22'
option enabled '0'
config rule
option name 'Allow-Wireguard-RW'
list proto 'udp'
option src 'wan'
option dest_port '51820'
option target 'ACCEPT'
config zone 'yggdrasil'
option name 'yggdrasil'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option conntrack '1'
list network 'yggdrasil'
list device 'ygg0'
config rule
option name 'Allow-ICMPv6-yggdrasil'
option src 'yggdrasil'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option enabled '0'
option name 'Allow-SSH-yggdrasil'
option src 'yggdrasil'
option proto 'tcp'
option dest_port '22'
option target 'ACCEPT'
config rule
option enabled '0'
option name 'Allow-HTTP-yggdrasil'
option src 'yggdrasil'
option proto 'tcp'
option dest_port '80'
option target 'ACCEPT'
config rule
option enabled '0'
option name 'Allow-HTTPS-yggdrasil'
option src 'yggdrasil'
option proto 'tcp'
option dest_port '443'
option target 'ACCEPT'
config forwarding
option src 'vpn_rw'
option dest 'yggdrasil'
config forwarding
option src 'lan'
option dest 'yggdrasil'
config zone
option name 'ovh'
option output 'ACCEPT'
option input 'REJECT'
option forward 'REJECT'
list network 'VPN_OVH'
config rule
option name 'Allow-Wireguard-OVH'
list proto 'udp'
option src 'wan'
option dest_port '51822'
option target 'ACCEPT'
config rule
option name 'Allow-ovh-ping'
list proto 'icmp'
option src 'ovh'
option target 'ACCEPT'
config include
option path '/etc/firewall.cs'
option enabled '1'
option reload '1'
config zone
option name 'iot'
option forward 'REJECT'
option input 'REJECT'
option output 'ACCEPT'
list network 'IOT'
config forwarding
option src 'vpn_rw'
option dest 'iot'
config forwarding
option src 'vpn_rw'
option dest 'ovh'
config forwarding
option src 'lan'
option dest 'iot'
config forwarding
option src 'lan'
option dest 'ovh'
config forwarding
option src 'guest'
option dest 'iot'
config redirect
option target 'DNAT'
list proto 'tcp'
option src 'ovh'
option src_dport '443'
option dest 'lan'
option dest_ip '192.168.**.**'
option dest_port '443'
option name ***'
config redirect
option target 'DNAT'
option name '***'
list proto 'tcp'
option src 'ovh'
option src_dport '80'
option dest 'lan'
option dest_ip '192.168.**.**'
option dest_port '80'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'openspeedtest'
list proto 'tcp'
option src 'wan'
option src_dport '3000'
option dest_ip '192.168.**.**'
option dest_port '3000'
config rule
option name 'Allow-VPN-****'
option src 'wan'
option target 'ACCEPT'
list proto 'udp'
option dest_port '51821'
config rule
option name 'Allow-nextcloud-from-all-interfaces'
list proto 'tcp'
option src '*'
option dest '*'
list dest_ip '192.168.**.**'
option dest_port '443'
option target 'ACCEPT'
config zone
option name 'vpn_**'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'VPN_***'
config forwarding
option src 'vpn_***'
option dest 'guest'
config forwarding
option src 'vpn_***'
option dest 'iot'
config forwarding
option src 'vpn_***'
option dest 'lan'
config forwarding
option src 'vpn_***'
option dest 'ovh'
config forwarding
option src 'vpn_***'
option dest 'vpn_rw'
config forwarding
option src 'vpn_***'
option dest 'wan'
config forwarding
option src 'vpn_***'
option dest 'yggdrasil'
config forwarding
option src 'guest'
option dest 'vpn_***'
config forwarding
option src 'lan'
option dest 'vpn_***'
config forwarding
option src 'vpn_rw'
option dest 'vpn_***'
config zone
option name 'public_lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'PUBLIC_LAN'
config nat
option name 'public_lan'
list proto 'all'
option src 'public_lan'
option target 'SNAT'
option snat_ip '192.168.81.2'
option device 'br-lan.91'
config forwarding
option src 'guest'
option dest 'public_lan'
config forwarding
option src 'lan'
option dest 'public_lan'
config forwarding
option src 'vpn_rw'
option dest 'public_lan'
config forwarding
option src 'vpn_***'
option dest 'public_lan'
config forwarding
option src 'public_lan'
option dest 'wan'
config zone
option name 'guest_vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'GUEST_VPN'
config forwarding
option src 'lan'
option dest 'guest_vpn'
config nat
option name 'mullvad_nat'
option src_ip '192.168.**.**/24'
option target 'MASQUERADE'
option device 'tun33'
list proto 'all'
option src '*'
config zone
option name 'wan_vpn'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
list device 'tun33'
list network 'MULLVAD_VPN'
config forwarding
option src 'guest_vpn'
option dest 'wan_vpn'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::8234:28ff:fe34:45af/64 scope link
valid_lft forever preferred_lft forever
5: ifb-dns: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 32
inet6 fe80::705d:deff:fe15:598c/64 scope link
valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fd5e:3152:9435::1/60 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::8034:28ff:fe34:45af/64 scope link
valid_lft forever preferred_lft forever
8: br-lan.21@br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::8034:28ff:fe34:45af/64 scope link
valid_lft forever preferred_lft forever
11: ifb-eth0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 32
inet6 fe80::acef:10ff:fe0d:fa96/64 scope link
valid_lft forever preferred_lft forever
12: ygg0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 53049 state UNKNOWN qlen 500
inet6 200:f4e:7335:a5b4:776c:15aa:841:cb26/7 scope global
valid_lft forever preferred_lft forever
inet6 fe80::9235:c936:73dd:90ad/64 scope link flags 800
valid_lft forever preferred_lft forever
17: br-lan.91@br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::8034:28ff:fe34:45af/64 scope link
valid_lft forever preferred_lft forever
101: tun33: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 500
inet6 fdda:d0d0:cafe:1196::1011/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::d468:de88:c66b:5a3a/64 scope link flags 800
valid_lft forever preferred_lft forever
102: br-lan.33@br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::8034:28ff:fe34:45af/64 scope link
valid_lft forever preferred_lft forever
200::/7 dev ygg0 metric 256
fd5e:3152:9435::/64 dev br-lan metric 1024
fd5e:3152:9435::/60 dev br-lan metric 256 expires 0sec
unreachable fd5e:3152:9435::/48 dev lo metric 2147483647
fdda:d0d0:cafe:1196::/64 dev tun33 metric 256
fe80::/64 dev ifb-dns metric 256
fe80::/64 dev br-lan metric 256
fe80::/64 dev br-lan.21 metric 256
fe80::/64 dev ifb-eth0 metric 256
fe80::/64 dev ygg0 metric 256
fe80::/64 dev eth0 metric 256
fe80::/64 dev br-lan.91 metric 256
fe80::/64 dev tun33 metric 256
fe80::/64 dev br-lan.33 metric 256
local ::1 dev lo table local metric 0
anycast 200:: dev ygg0 table local metric 0
local 200:f4e:7335:a5b4:776c:15aa:841:cb26 dev ygg0 table local metric 0
anycast fd5e:3152:9435:: dev br-lan table local metric 0
local fd5e:3152:9435::1 dev br-lan table local metric 0
anycast fdda:d0d0:cafe:1196:: dev tun33 table local metric 0
local fdda:d0d0:cafe:1196::1011 dev tun33 table local metric 0
anycast fe80:: dev ifb-dns table local metric 0
anycast fe80:: dev ifb-eth0 table local metric 0
anycast fe80:: dev ygg0 table local metric 0
anycast fe80:: dev br-lan table local metric 0
anycast fe80:: dev br-lan.21 table local metric 0
anycast fe80:: dev eth0 table local metric 0
anycast fe80:: dev br-lan.91 table local metric 0
anycast fe80:: dev tun33 table local metric 0
anycast fe80:: dev br-lan.33 table local metric 0
local fe80::705d:deff:fe15:598c dev ifb-dns table local metric 0
local fe80::8034:28ff:fe34:45af dev br-lan table local metric 0
local fe80::8034:28ff:fe34:45af dev br-lan.21 table local metric 0
local fe80::8034:28ff:fe34:45af dev br-lan.91 table local metric 0
local fe80::8034:28ff:fe34:45af dev br-lan.33 table local metric 0
local fe80::8234:28ff:fe34:45af dev eth0 table local metric 0
local fe80::9235:c936:73dd:90ad dev ygg0 table local metric 0
local fe80::acef:10ff:fe0d:fa96 dev ifb-eth0 table local metric 0
local fe80::d468:de88:c66b:5a3a dev tun33 table local metric 0
multicast ff00::/8 dev ifb-dns table local metric 256
multicast ff00::/8 dev br-lan table local metric 256
multicast ff00::/8 dev br-lan.21 table local metric 256
multicast ff00::/8 dev VPN_OVH table local metric 256
multicast ff00::/8 dev VPN_RW table local metric 256
multicast ff00::/8 dev ifb-eth0 table local metric 256
multicast ff00::/8 dev ygg0 table local metric 256
multicast ff00::/8 dev eth0 table local metric 256
multicast ff00::/8 dev VPN_*** table local metric 256
multicast ff00::/8 dev br-lan.91 table local metric 256
multicast ff00::/8 dev tun33 table local metric 256
multicast ff00::/8 dev br-lan.33 table local metric 256
0: from all lookup local
32766: from all lookup main
lrwxrwxrwx 1 root root 16 Oct 15 00:44 /etc/resolv.conf -> /tmp/resolv.conf
lrwxrwxrwx 1 root root 35 Nov 4 14:53 /tmp/resolv.conf -> /tmp/resolv.conf.d/resolv.conf.auto
-rw-r--r-- 1 root root 54 Dec 29 10:48 /tmp/resolv.conf.d/resolv.conf.auto
/tmp/resolv.conf.d:
-rw-r--r-- 1 root root 54 Dec 29 10:48 resolv.conf.auto
==> /etc/resolv.conf <==
# Interface wan
nameserver 1.1.1.1
nameserver 1.0.0.1
==> /tmp/resolv.conf <==
# Interface wan
nameserver 1.1.1.1
nameserver 1.0.0.1
==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error
==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface wan
nameserver 1.1.1.1
nameserver 1.0.0.1
It doesn't appear any of your tunnels have IPv6.
Yggdrasil
My tunnel provides this network 200::/7
Probably there won't be any IP in the configuration, since the yggdrasil tunnel is configured by a daemon.
Can you show this?
Nooooo!
I doubt that. A /7 in IPv6 is quite HUGE; so 200::/7 is a huge chunk of the whole IPv6 Internet. You're mistaken.
What's in the setting they gave you to use?
???
This seems incorrect.
???
What is this?
You have none set as the protocol. This is definitely not a tunnel.
I see three or four different VPNs in there. Simplify it to one LAN, one WAN, and the one tunnel.
200::/7 is as noted, all the public GUAs that have so far been allocated (all IPv6 addresses that start with 2 or 3). Does your Yggdrasil provider provide you a GUA subnet?
root@OpenWrtGW:~# ip a | grep ygg -A5
12: ygg0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 53049 qdisc fq_codel state UNKNOWN qlen 500
link/[65534]
inet6 200:f4e:7335:a5b4:776c:15aa:841:cb26/7 scope global
valid_lft forever preferred_lft forever
inet6 fe80::9235:c936:73dd:90ad/64 scope link flags 800
valid_lft forever preferred_lft forever
root@OpenWrtGW:~# ip -6 r | grep 200
200::/7 dev ygg0 metric 256
anycast 200:: dev ygg0 metric 0
root@OpenWrtGW:~# ping [319:3cf0:dd1d:47b9:20c:29ff:fe2c:39be]
PING [319:3cf0:dd1d:47b9:20c:29ff:fe2c:39be] (319:3cf0:dd1d:47b9:20c:29ff:fe2c:39be): 56 data bytes
64 bytes from 319:3cf0:dd1d:47b9:20c:29ff:fe2c:39be: seq=1 ttl=63 time=584.905 ms
64 bytes from 319:3cf0:dd1d:47b9:20c:29ff:fe2c:39be: seq=2 ttl=63 time=95.317 ms
64 bytes from 319:3cf0:dd1d:47b9:20c:29ff:fe2c:39be: seq=3 ttl=63 time=97.304 ms
64 bytes from 319:3cf0:dd1d:47b9:20c:29ff:fe2c:39be: seq=4 ttl=63 time=96.677 ms
^C
--- [319:3cf0:dd1d:47b9:20c:29ff:fe2c:39be] ping statistics ---
5 packets transmitted, 4 packets received, 20% packet loss
round-trip min/avg/max = 95.317/218.550/584.905 ms
root@OpenWrtGW:~#
I've been experimenting with these rules. I have disabled two of them already. Ignore them.
Show corrected config, please.
What kind of tunnel is this???
No, I just configured peers for the yggdrasil network and it started to work on OpenWrt. Now I want to route traffic from the LAN into this tunnel.
OK, I have disabled both rules.
> uci export network; \
> uci export dhcp; uci export firewall; \
> ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
> ls -l /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
{
"kernel": "5.10.146",
"hostname": "OpenWrtGW",
"system": "ARMv8 Processor rev 4",
"model": "FriendlyElec NanoPi R4S",
"board_name": "friendlyarm,nanopi-r4s",
"rootfs_type": "ext4",
"release": {
"distribution": "OpenWrt",
"version": "22.03.2",
"revision": "r19803-9a599fee93",
"target": "rockchip/armv8",
"description": "OpenWrt 22.03.2 r19803-9a599fee93"
}
}
package network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd5e:3152:9435::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1'
list ports 'eth2'
option bridge_empty '1'
config device
option name 'eth1'
option macaddr 'ff:ff:ff:ff:ff:ff'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.99.1'
list ip6class 'local'
config device
option name 'eth0'
option macaddr 'ff:ff:ff:ff:ff:ff''
config interface 'wan'
option device 'eth0'
option proto 'static'
option ipaddr 'xx.xx.xx.27'
option netmask '255.255.255.0'
option gateway 'xx.xx.xx.1'
list dns '1.1.1.1'
list dns '1.0.0.1'
option metric '50'
option delegate '0'
option ip4table 'main'
config interface 'wan6'
option device 'eth0'
option proto 'dhcpv6'
config device
option type '8021q'
option ifname 'br-lan'
option vid '20'
option name 'br-lan.20'
option ipv6 '0'
config interface 'GUEST'
option proto 'static'
option device 'br-lan.20'
option ipaddr '192.168.66.1'
option netmask '255.255.255.0'
config interface 'VPN_***'
option proto 'wireguard'
option private_key '*****'
option listen_port '51820'
list addresses '10.**.**.**/24'
config wireguard_VPN_***
option description '***'
option public_key '***'
option preshared_key '***'
list allowed_ips '10.**.**.**/24'
config wireguard_VPN_***
option description **'
option public_key '***'
option preshared_key '***'
list allowed_ips '10.**.**.**/32'
config wireguard_VPN_***
option description '***'
list allowed_ips '10.99.0.28/32'
option preshared_key '***'
option public_key '***'
config interface 'yggdrasil'
option device 'ygg0'
option proto 'none'
config interface 'VPN_OVH'
option proto 'wireguard'
option private_key '***'
option listen_port '51822'
option defaultroute '0'
option peerdns '0'
list addresses '10.126.**.**/24'
config wireguard_VPN_OVH
config wireguard_VPN_OVH
option description 'ovh'
option public_key '***'
option preshared_key '***'
option endpoint_port '51820'
option persistent_keepalive '25'
list allowed_ips '0.0.0.0/0'
config device
option type '8021q'
option ifname 'br-lan'
option vid '21'
option name 'br-lan.21'
config interface 'IOT'
option proto 'static'
option device 'br-lan.21'
option ipaddr '192.168.21.1'
option netmask '255.255.255.0'
config interface 'VPN_***'
option proto 'wireguard'
option private_key '***
option listen_port '51821'
list addresses '10.128.**.**/24'
config wireguard_VPN_***
option public_key '***'
option private_key '**'
option preshared_key '**'
option description '*'
option persistent_keepalive '25'
list allowed_ips '10.128.**.**/24'
list allowed_ips '192.168.**.**/24'
list allowed_ips '192.168.**.**/24'
list allowed_ips '192.168.**.**/24'
config route
option target '192.168.**.**/24'
option gateway '10.128.**.**'
option interface 'VPN_**'
config device
option type '8021q'
option ifname 'br-lan'
option vid '91'
option name 'br-lan.91'
config interface 'PUBLIC_LAN'
option proto 'static'
option device 'br-lan.91'
option ipaddr '192.168.81.2'
option netmask '255.255.255.0'
config device
option type '8021q'
option ifname 'br-lan'
option vid '33'
option name 'br-lan.33'
config interface 'GUEST_VPN'
option proto 'static'
option device 'br-lan.33'
option ipaddr '192.168.33.1'
option netmask '255.255.255.0'
option ip4table 'vpn'
config interface 'MULLVAD_VPN'
option proto 'none'
option device 'tun33'
option auto '0'
option ip4table 'vpn'
config rule
option out 'wan'
option lookup 'main'
option dest '0.0.0.0/0'
option disabled '1'
config rule
option lookup 'vpn'
option dest '0.0.0.0/0'
option priority '10'
option src '192.168.33.0/24'
config route
option table 'vpn'
option target '0.0.0.0/0'
option source '192.168.33.0/24'
option gateway '10.10.0.1'
option disabled '1'
config route6
option gateway '200::'
option interface 'lan'
option target '200::/7'
option disabled '1'
config rule6
option out 'yggdrasil'
option in 'lan'
option disabled '1'
package dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option localservice '1'
option ednspacket_max '1232'
option sequential_ip '1'
list notinterface 'wan'
option noresolv '1'
list server '/pool.ntp.org/8.8.8.8'
list server '127.0.0.53'
option cachesize '7000'
option dnsforwardmax '300'
option nonegcache '1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
option ra_default '2'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
option start '100'
option limit '150'
option leasetime '12h'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'GUEST'
option interface 'GUEST'
option start '100'
option limit '150'
option leasetime '12h'
list ra_flags 'none'
config host
option name '***'
option dns '1'
option mac '***'
option ip '192.168.**.**'
config host
option name '***'
option mac '***'
option ip '192.168.**.**'
config domain
option name '**'
option ip '192.168.**.**'
config domain
option name 'nc'
option ip '192.168.**.**'
config domain
option name '**.**'
option ip '192.168.**.**'
config domain
option name 'nas'
option ip '192.168.**.**'
config domain
option name '**'
option ip '192.168.**.**'
config dhcp 'GUEST_VPN'
option interface 'GUEST_VPN'
option start '100'
option limit '150'
option leasetime '12h'
list dhcp_option '6, 1.1.1.1'
package firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
config include
option path '/etc/firewall.user'
config zone
option name 'guest'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'GUEST'
config forwarding
option src 'guest'
option dest 'wan'
config zone
option name 'vpn_rw'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'VPN_RW'
config forwarding
option src 'vpn_rw'
option dest 'guest'
config forwarding
option src 'vpn_rw'
option dest 'lan'
config forwarding
option src 'vpn_rw'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'guest'
config forwarding
option src 'lan'
option dest 'vpn_rw'
config redirect
option target 'DNAT'
option name 'nextcloudpi'
option src 'wan'
option src_dport '444'
option dest 'lan'
option dest_ip '192.168.**.**'
option dest_port '443'
list proto 'tcp'
config redirect
option target 'DNAT'
option name 'Nextcloudpi vpn'
list proto 'tcp'
option src 'vpn_rw'
option src_dport '444'
option dest 'lan'
option dest_ip '192.168.**.**'
option dest_port '443'
config redirect
option target 'DNAT'
option name 'Nextcloudpi GUEST'
list proto 'tcp'
option src 'guest'
option src_dport '444'
option dest 'lan'
option dest_ip '192.168.**.**'
option dest_port '443'
config redirect
option target 'DNAT'
option name 'allow ssh to jumpbox '
list proto 'tcp'
option src 'wan'
option src_dport '***'
option dest 'lan'
option dest_ip '192.168.**.**'
option dest_port '22'
option enabled '0'
config rule
option name 'Allow-Wireguard-RW'
list proto 'udp'
option src 'wan'
option dest_port '51820'
option target 'ACCEPT'
config zone 'yggdrasil'
option name 'yggdrasil'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option conntrack '1'
list network 'yggdrasil'
list device 'ygg0'
config rule
option name 'Allow-ICMPv6-yggdrasil'
option src 'yggdrasil'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option enabled '0'
option name 'Allow-SSH-yggdrasil'
option src 'yggdrasil'
option proto 'tcp'
option dest_port '22'
option target 'ACCEPT'
config rule
option enabled '0'
option name 'Allow-HTTP-yggdrasil'
option src 'yggdrasil'
option proto 'tcp'
option dest_port '80'
option target 'ACCEPT'
config rule
option enabled '0'
option name 'Allow-HTTPS-yggdrasil'
option src 'yggdrasil'
option proto 'tcp'
option dest_port '443'
option target 'ACCEPT'
config forwarding
option src 'vpn_rw'
option dest 'yggdrasil'
config forwarding
option src 'lan'
option dest 'yggdrasil'
config zone
option name 'ovh'
option output 'ACCEPT'
option input 'REJECT'
option forward 'REJECT'
list network 'VPN_OVH'
config rule
option name 'Allow-Wireguard-OVH'
list proto 'udp'
option src 'wan'
option dest_port '51822'
option target 'ACCEPT'
config rule
option name 'Allow-ovh-ping'
list proto 'icmp'
option src 'ovh'
option target 'ACCEPT'
config include
option path '/etc/firewall.cs'
option enabled '1'
option reload '1'
config zone
option name 'iot'
option forward 'REJECT'
option input 'REJECT'
option output 'ACCEPT'
list network 'IOT'
config forwarding
option src 'vpn_rw'
option dest 'iot'
config forwarding
option src 'vpn_rw'
option dest 'ovh'
config forwarding
option src 'lan'
option dest 'iot'
config forwarding
option src 'lan'
option dest 'ovh'
config forwarding
option src 'guest'
option dest 'iot'
config redirect
option target 'DNAT'
list proto 'tcp'
option src 'ovh'
option src_dport '443'
option dest 'lan'
option dest_ip '192.168.**.**'
option dest_port '443'
option name ***'
config redirect
option target 'DNAT'
option name '***'
list proto 'tcp'
option src 'ovh'
option src_dport '80'
option dest 'lan'
option dest_ip '192.168.**.**'
option dest_port '80'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'openspeedtest'
list proto 'tcp'
option src 'wan'
option src_dport '3000'
option dest_ip '192.168.**.**'
option dest_port '3000'
config rule
option name 'Allow-VPN-****'
option src 'wan'
option target 'ACCEPT'
list proto 'udp'
option dest_port '51821'
config rule
option name 'Allow-nextcloud-from-all-interfaces'
list proto 'tcp'
option src '*'
option dest '*'
list dest_ip '192.168.**.**'
option dest_port '443'
option target 'ACCEPT'
config zone
option name 'vpn_**'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'VPN_***'
config forwarding
option src 'vpn_***'
option dest 'guest'
config forwarding
option src 'vpn_***'
option dest 'iot'
config forwarding
option src 'vpn_***'
option dest 'lan'
config forwarding
option src 'vpn_***'
option dest 'ovh'
config forwarding
option src 'vpn_***'
option dest 'vpn_rw'
config forwarding
option src 'vpn_***'
option dest 'wan'
config forwarding
option src 'vpn_***'
option dest 'yggdrasil'
config forwarding
option src 'guest'
option dest 'vpn_***'
config forwarding
option src 'lan'
option dest 'vpn_***'
config forwarding
option src 'vpn_rw'
option dest 'vpn_***'
config zone
option name 'public_lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'PUBLIC_LAN'
config nat
option name 'public_lan'
list proto 'all'
option src 'public_lan'
option target 'SNAT'
option snat_ip '192.168.81.2'
option device 'br-lan.91'
config forwarding
option src 'guest'
option dest 'public_lan'
config forwarding
option src 'lan'
option dest 'public_lan'
config forwarding
option src 'vpn_rw'
option dest 'public_lan'
config forwarding
option src 'vpn_***'
option dest 'public_lan'
config forwarding
option src 'public_lan'
option dest 'wan'
config zone
option name 'guest_vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'GUEST_VPN'
config forwarding
option src 'lan'
option dest 'guest_vpn'
config nat
option name 'mullvad_nat'
option src_ip '192.168.**.**/24'
option target 'MASQUERADE'
option device 'tun33'
list proto 'all'
option src '*'
config zone
option name 'wan_vpn'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
list device 'tun33'
list network 'MULLVAD_VPN'
config forwarding
option src 'guest_vpn'
option dest 'wan_vpn'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::8234:28ff:fe34:45af/64 scope link
valid_lft forever preferred_lft forever
5: ifb-dns: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 32
inet6 fe80::705d:deff:fe15:598c/64 scope link
valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fd5e:3152:9435::1/60 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::8034:28ff:fe34:45af/64 scope link
valid_lft forever preferred_lft forever
8: br-lan.21@br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::8034:28ff:fe34:45af/64 scope link
valid_lft forever preferred_lft forever
11: ifb-eth0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 32
inet6 fe80::acef:10ff:fe0d:fa96/64 scope link
valid_lft forever preferred_lft forever
12: ygg0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 53049 state UNKNOWN qlen 500
inet6 200:f4e:7335:a5b4:776c:15aa:841:cb26/7 scope global
valid_lft forever preferred_lft forever
inet6 fe80::9235:c936:73dd:90ad/64 scope link flags 800
valid_lft forever preferred_lft forever
17: br-lan.91@br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::8034:28ff:fe34:45af/64 scope link
valid_lft forever preferred_lft forever
101: tun33: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 500
inet6 fdda:d0d0:cafe:1196::1011/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::d468:de88:c66b:5a3a/64 scope link flags 800
valid_lft forever preferred_lft forever
102: br-lan.33@br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::8034:28ff:fe34:45af/64 scope link
valid_lft forever preferred_lft forever
200::/7 dev ygg0 metric 256
fd5e:3152:9435::/64 dev br-lan metric 1024
fd5e:3152:9435::/60 dev br-lan metric 256 expires 0sec
unreachable fd5e:3152:9435::/48 dev lo metric 2147483647
fdda:d0d0:cafe:1196::/64 dev tun33 metric 256
fe80::/64 dev ifb-dns metric 256
fe80::/64 dev br-lan metric 256
fe80::/64 dev br-lan.21 metric 256
fe80::/64 dev ifb-eth0 metric 256
fe80::/64 dev ygg0 metric 256
fe80::/64 dev eth0 metric 256
fe80::/64 dev br-lan.91 metric 256
fe80::/64 dev tun33 metric 256
fe80::/64 dev br-lan.33 metric 256
local ::1 dev lo table local metric 0
anycast 200:: dev ygg0 table local metric 0
local 200:f4e:7335:a5b4:776c:15aa:841:cb26 dev ygg0 table local metric 0
anycast fd5e:3152:9435:: dev br-lan table local metric 0
local fd5e:3152:9435::1 dev br-lan table local metric 0
anycast fdda:d0d0:cafe:1196:: dev tun33 table local metric 0
local fdda:d0d0:cafe:1196::1011 dev tun33 table local metric 0
anycast fe80:: dev ifb-dns table local metric 0
anycast fe80:: dev ifb-eth0 table local metric 0
anycast fe80:: dev ygg0 table local metric 0
anycast fe80:: dev br-lan table local metric 0
anycast fe80:: dev br-lan.21 table local metric 0
anycast fe80:: dev eth0 table local metric 0
anycast fe80:: dev br-lan.91 table local metric 0
anycast fe80:: dev tun33 table local metric 0
anycast fe80:: dev br-lan.33 table local metric 0
local fe80::705d:deff:fe15:598c dev ifb-dns table local metric 0
local fe80::8034:28ff:fe34:45af dev br-lan table local metric 0
local fe80::8034:28ff:fe34:45af dev br-lan.21 table local metric 0
local fe80::8034:28ff:fe34:45af dev br-lan.91 table local metric 0
local fe80::8034:28ff:fe34:45af dev br-lan.33 table local metric 0
local fe80::8234:28ff:fe34:45af dev eth0 table local metric 0
local fe80::9235:c936:73dd:90ad dev ygg0 table local metric 0
local fe80::acef:10ff:fe0d:fa96 dev ifb-eth0 table local metric 0
local fe80::d468:de88:c66b:5a3a dev tun33 table local metric 0
multicast ff00::/8 dev ifb-dns table local metric 256
multicast ff00::/8 dev br-lan table local metric 256
multicast ff00::/8 dev br-lan.21 table local metric 256
multicast ff00::/8 dev VPN_OVH table local metric 256
multicast ff00::/8 dev VPN_RW table local metric 256
multicast ff00::/8 dev ifb-eth0 table local metric 256
multicast ff00::/8 dev ygg0 table local metric 256
multicast ff00::/8 dev eth0 table local metric 256
multicast ff00::/8 dev VPN_*** table local metric 256
multicast ff00::/8 dev br-lan.91 table local metric 256
multicast ff00::/8 dev tun33 table local metric 256
multicast ff00::/8 dev br-lan.33 table local metric 256
0: from all lookup local
32766: from all lookup main
lrwxrwxrwx 1 root root 16 Oct 15 00:44 /etc/resolv.conf -> /tmp/resolv.conf
lrwxrwxrwx 1 root root 35 Nov 4 14:53 /tmp/resolv.conf -> /tmp/resolv.conf.d/resolv.conf.auto
-rw-r--r-- 1 root root 54 Dec 29 10:48 /tmp/resolv.conf.d/resolv.conf.auto
/tmp/resolv.conf.d:
-rw-r--r-- 1 root root 54 Dec 29 10:48 resolv.conf.auto
==> /etc/resolv.conf <==
# Interface wan
nameserver 1.1.1.1
nameserver 1.0.0.1
==> /tmp/resolv.conf <==
# Interface wan
nameserver 1.1.1.1
nameserver 1.0.0.1
==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error
==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface wan
nameserver 1.1.1.1
nameserver 1.0.0.1
Yggdrasil
root@OpenWrtGW:~# cat /etc/config/yggdrasil
config yggdrasil 'yggdrasil'
option PublicKey '***'
option PrivateKey '***'
option AdminListen 'unix:///var/run/yggdrasil.sock'
option NodeInfoPrivacy '0'
option IfMTU '65535'
option IfName 'ygg0'
option NodeInfo '{"kernel": "5.10.90", "hostname":"OpenWrt", "system": "ARMv8 Processor rev 4", "model": "FriendlyElec NanoPi R4S", "board_name": "friendlyarm,nanopi-r4s"}'
config multicast_interface
option beacon '1'
option listen '1'
option port '0'
option regex '.*'
config peer
option uri 'tls://pl1.servers.devices.cwinfo.net:11129'
config peer
option uri 'tls://54.37.137.221:11129'
config peer
option uri 'tcp://y.zbin.eu:7743'
config peer
option uri 'tcp://195.123.245.146:7743'
config peer
option uri 'tcp://37.205.14.171:46370'
config peer
option uri 'tcp://phrl42.ydns.eu:8842'
config peer
option uri 'tcp://193.111.114.28:8080'
config peer
option uri 'tls://ygg-ukr.incognet.io:8884'
config peer
option uri 'tcp://ygg-ukr.incognet.io:8883'
Lemme re-ask this way:
What protocol does the Yggdrasil tunnel use???
We can't guess.
Your router can't hold a /7 because that is the whole Internet. Typically your IP would be a /48 to /64. Traffic from your router or elsewhere in the house originates from a specific IP within that subnet. The VPN provider knows to route return traffic from the Internet to these IPs to your tunnel.
You need to know something about the address allocations and routing on the other side of the tunnel to set it up.
the protocol is named Yggdrasil.
I had to add a network and specify protocol 'none' for it to be visible as a network connection.
So I cannot set it up on IPv6 like on IPv4, so that all traffic goes to the gateways from the routing table on OpenWrt?
Just a nitpicking comment: 200::/7 has been deprecated for 18 years...
https://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xhtml
I just based it on the routes configured by yggdrasil
Yes, looking some more, Yggdrasil uses 0200::/7 (which I had confused with 2000::) as their private worldwide network.
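Each "node" seems to get a /128 IP which is derived from the node's public encryption key. It appears the intent is for every endpoint that produces or consumes packets to be an independent node, and not to route into nodes. If you do want to route into a node, NAT66 would need to be used, since, similar to IPv4, the node holds only a single IP on the "WAN" side and the rest of the network expects traffic to originate from it. NAT66 only rewrites connections opened from the LAN side, so as far as the posted firewall export shows, leaving the yggdrasil zone's input and forward policies at REJECT keeps LAN hosts from being reached by connections initiated from the Yggdrasil network.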