Lose IPv6 Internet for all devices when I set up Wireguard

My router is currently an RPi4 running 21.02 stable, connected to a fiber line via PPPoE.
Everything works fine — in particular, IPv6 works.

Now I am trying to set up a wireguard server. I have taken the following steps to do this:

  • Install wireguard with opkg update && opkg install kmod-wireguard luci-app-wireguard wireguard-tools
  • Create and configure the WireGuard interface by adding the following to /etc/config/network (I created the keys with wg genkey):
# WireGuard server interface as posted (keys redacted by the author).
config interface 'vpn'
	option proto 'wireguard'
	option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
	option listen_port '1337'
	option mtu '1300'
	list addresses 'fd02::1/64'
	list addresses '10.55.0.1/24'

# Peer section. In WireGuard, allowed_ips is both the outbound selector
# (which destinations are sent to this peer) and the inbound source-address
# filter for packets arriving from this peer (cryptokey routing). With
# route_allowed_ips set, OpenWrt additionally installs a kernel route for
# every allowed_ips entry via the vpn interface.
config wireguard_vpn 'wgclient'
	option public_key 'YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY'
	option description 'testdevice'
	# NOTE(review): combined with '2000::/3' below this installs a route for
	# all global IPv6 via vpn, which matches the symptom in the post (LAN
	# clients lose IPv6 to wan). The later reply recommends not routing the
	# allowed IPs and allowing only the peer's /128.
	option route_allowed_ips '1'
	list allowed_ips '10.55.0.2/32'
	# A /64 here admits the whole fd02::/64 prefix, not a single host; the
	# single-host form would be 'fd02::2/128'.
	list allowed_ips 'fd02::2/64'
	# fe80::/64 and 2000::/3 let this one peer send packets with any
	# link-local or global IPv6 source address, and the lan zone forwards
	# them to wan; restrict these to the addresses the peer actually uses.
	list allowed_ips 'fe80::/64'
	list allowed_ips '2000::/3'
  • Add the interface to the firewall zone lan:
config zone 'lan'
    [...]
	list network 'vpn'
  • Open the WireGuard port in /etc/config/firewall:
# Accepts WireGuard traffic on UDP 1337 from the wan zone. There is no
# 'dest', so this is an INPUT rule for the router itself, not a forwarding
# rule. No 'family' is set, so it applies to both IPv4 and IPv6.
config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option proto 'udp'
	option target 'ACCEPT'
	option dest_port '1337'

With this configuration, the client's VPN connection to my router works great. IPv6 over WireGuard does not work, but I expected that and wanted to look at it separately — the problem is probably that fixed global IP ranges have to be specified?

Now WireGuard runs as desired — but on all other interfaces the clients no longer have IPv6. They still get their addresses assigned, but IPv6 communication to wan is no longer possible.
What could be the reason for this?

For completeness, here are my two config files before the adjustments described above:

/etc/config/network
# /etc/config/network as posted (PPPoE credentials redacted by the author).
config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1' 
    option netmask '255.0.0.0'

# NOTE(review): 1ce:1ce:babe::/48 lies outside fc00::/7, the ULA range
# defined by RFC 4193 (OpenWrt normally generates an fdxx:: prefix here).
# Confirm this is intentional; addresses from it are neither ULA nor
# globally routable.
config globals 'globals'
	option ula_prefix '1ce:1ce:babe::/48'

# Single bridge carrying VLANs 1, 3 and 4 on eth0 (see bridge-vlan below).
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	option igmp_snooping '1'

# Main LAN on VLAN 1; ip6assign hands this interface a /64 out of the
# prefix delegated on wan.
config interface 'lan'
	option broadcast '192.168.0.255'
	option device 'br-lan.1'
	option igmp_v3 '1'
	option ip6assign '64'
	option netmask '255.255.255.0'
	option proto 'static'
	option ipaddr '192.168.0.2'
	option ip6ifaceid '::2'
	list dns '127.0.0.1'

# Tor network on VLAN 4; IPv4 only, no ip6assign.
config interface 'tor'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.4.2'
	option stp '1'
	option device 'br-lan.4'

# Guest network on VLAN 3 with its own /64 from the delegated prefix.
config interface 'gast'
	option device 'br-lan.3'
	option force_link '0'
	option gateway '192.168.0.2'
	option ip6assign '64'
	option ip6ifaceid '::3:2'
	option ipaddr '192.168.3.2'
	option netmask '255.255.255.0'
	option proto 'static'
	list dns '192.168.3.2'

# VLAN 7 on eth1 for the PPPoE uplink.
config device
	option type '8021q'
	option ifname 'eth1'
	option vid '7'
	option name 'eth1.7'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'eth0:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'eth0:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '4'
	list ports 'eth0:t'

# NOTE(review): the firewall's wan zone lists 'wan6', but no 'wan6'
# interface is defined in this file; with ipv6 'auto' the PPPoE handler
# brings up a virtual IPv6 sub-interface instead (presumably named wan_6).
# Verify the zone membership actually covers the IPv6 uplink.
# ip6assign on wan also reserves a /64 of the delegated prefix for the wan
# interface itself; if the ISP delegates only a /64, lan and gast would
# compete with it — confirm the delegated prefix size.
config interface 'wan'
	option proto 'pppoe'
	option device 'eth1.7'
	option username 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
	option password 'YYYYYYYYYYYYYYYYYYYY'
	option ipv6 'auto'
	option ip6assign '64'
	option ip6ifaceid '::2'
/etc/config/firewall
# /etc/config/firewall as posted: defaults, zones and inter-zone forwardings.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# NOTE(review): this dump is presented as "before the adjustments" but
# already lists 'vpn' here. Membership in this zone gives every WireGuard
# peer the same input/forward rights as wired LAN hosts (forward ACCEPT
# applies between networks of the zone, and lan -> wan is forwarded below).
# If VPN clients need less than full LAN access, give 'vpn' its own zone
# with only the forwardings it requires.
config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'vpn'

# masq applies to IPv4 only; the NAT6 approach suggested in the thread
# additionally needs 'option masq6 '1'' on this zone.
config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan6'
	list network 'wan'

# Guest zone: router input rejected except for the explicit gast rules
# further down; forwarding to lan and wan is granted by the forwardings
# below.
config zone
	option name 'gast'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option input 'REJECT'
	option conntrack '1'
	list network 'gast'

# Tor zone: input DROP, no forwarding to any other zone; only the
# Allow-Tor-* rules further down open ports on the router.
config zone
	option output 'ACCEPT'
	option name 'tor'
	option conntrack '1'
	option syn_flood '1'
	option input 'DROP'
	option forward 'REJECT'
	list network 'tor'

config forwarding
	option src 'lan'
	option dest 'wan'

# Guest clients may reach the main LAN (narrowed only by the rules below
# that match, since forwarding is zone-wide).
config forwarding
	option dest 'lan'
	option src 'gast'

config forwarding
	option dest 'wan'
	option src 'gast'

# Stock OpenWrt rules (DHCP/DHCPv6, ping, IGMP, MLD, ICMPv6) follow,
# unchanged from the defaults.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Stock IPsec pass-through rules; not used by the WireGuard setup, which
# only needs the UDP 1337 input rule the author added.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

# Guest-network rules: let guests reach DHCP and DNS on the router.
# NOTE(review): no 'proto' is given on the next two rules; fw3 presumably
# falls back to its default (tcp+udp) for port-based rules — confirm.
config rule
	option dest_port '67-68'
	option src 'gast'
	option name 'allow-gast-dhcp-router'
	option target 'ACCEPT'

config rule
	option dest_port '53'
	option src 'gast'
	option name 'allow-gast-dhcp-dns'
	option target 'ACCEPT'

# All ICMPv6 from guests to the router (no type list, no rate limit).
config rule
	option src 'gast'
	option name 'allow-gast-input-icmp-router'
	option target 'ACCEPT'
	list proto 'icmp'
	option family 'ipv6'

config rule
	option src 'gast'
	option name 'allow-gast-icmp-requests'
	option family 'ipv6'
	option target 'ACCEPT'
	option dest 'wan'
	list proto 'icmp'

# NOTE(review): a link-local (fe80::) destination is not forwarded across
# interfaces, so the second dest_ip entry is unlikely to ever match in a
# gast -> lan rule; use the Pi-hole's ULA/GUA address instead.
config rule
	option dest_port '53'
	option src 'gast'
	option name 'Allow-PiHole-from-gast'
	option dest 'lan'
	option target 'ACCEPT'
	list proto 'udp'
	list dest_ip '192.168.0.9'
	list dest_ip 'fe80::dea6:32ff:fe30:907d'

# Tor zone: only these three router ports are reachable (zone input is
# DROP). 9053/9040 look like Tor's DNSPort/TransPort — confirm against
# the torrc.
config rule
	option name 'Allow-Tor-DNS-Proxied'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '9053'
	option src 'tor'

config rule
	option name 'Allow-Tor-Proxy'
	option target 'ACCEPT'
	option proto 'tcp'
	option dest_port '9040'
	option src 'tor'

config rule
	option name 'Allow-Tor-DHCP'
	option target 'ACCEPT'
	option proto 'udp'
	option src 'tor'
	option dest_port '67'

Use NAT6 unless you can provide a static GUA prefix to the VPN network:


Yes it did!
Thank you!
Now I'm going to try to understand the problem.
As I understand it so far, the problem was that IPv6 traffic from the LAN was trying to go out via the vpn interface? So the solution is to lower the priority of the vpn interface's routes so that the traffic goes through the others?

That's how it works for now — thanks again.
Now I'll take my time and see whether I can still get IPv6 working over WireGuard — but that is not so crucial.

The main problem is that you allowed and routed these IPs from and to the WireGuard client. You only need to allow the fd02::2/128 address. It is also not necessary to route the allowed IPs for this client; the server already has the larger prefix.


Thank you - that makes everything a bit clearer.
