Currently my router is running on an RPi4 with 21.02 stable over a fiber connection via pppoe.
Everything works fine - especially IPv6 works.
Now I am trying to set up a wireguard server. I have taken the following steps to do this:
- Install WireGuard with `opkg update && opkg install kmod-wireguard luci-app-wireguard wireguard-tools`
- Create and configure the WireGuard interface by adding the following to `/etc/config/network` (I created the keys via `wg genkey`):
# WireGuard server interface as added to /etc/config/network.
config interface 'vpn'
option proto 'wireguard'
# Private key (redacted in the post). It must only ever exist on the router;
# peers get the matching public key, never this value.
option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
# UDP port the tunnel listens on; must match the 'Allow-WireGuard' firewall
# rule's dest_port.
option listen_port '1337'
option mtu '1300'
# Tunnel-side addresses of the router itself (IPv6 ULA and IPv4).
list addresses 'fd02::1/64'
list addresses '10.55.0.1/24'
# Peer section: one per client that is allowed to connect.
config wireguard_vpn 'wgclient'
option public_key 'YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY'
option description 'testdevice'
# NOTE(review): with route_allowed_ips enabled, every allowed_ips prefix
# below is also installed as a route towards this peer. '2000::/3' is all of
# global unicast IPv6, so global IPv6 traffic from the router and from the
# other LANs would be steered into the tunnel instead of to the WAN -- a
# likely cause of the IPv6 loss described in the post. Confirm with
# `ip -6 route` on the router.
option route_allowed_ips '1'
# allowed_ips is WireGuard's cryptokey routing table: it selects this peer
# for outbound traffic to these prefixes and drops inbound packets from the
# peer whose source is outside them.
list allowed_ips '10.55.0.2/32'
# NOTE(review): a /64 here covers the whole tunnel subnet, including the
# router's own fd02::1; a single client is normally listed as /128 -- confirm.
list allowed_ips 'fd02::2/64'
# NOTE(review): link-local space is never routed across the tunnel; this
# entry is probably not needed -- confirm.
list allowed_ips 'fe80::/64'
list allowed_ips '2000::/3'
- Add the interface to the firewall zone `lan`:
# Firewall zone 'lan' (abbreviated in the post). Adding the VPN interface
# here gives connected peers the full lan policy: input/forward ACCEPT and
# the existing lan -> wan forwarding. Use a dedicated zone if peers should
# get narrower access than LAN hosts.
config zone 'lan'
[...]
list network 'vpn'
- Open the port for WireGuard in `/etc/config/firewall`:
# Accepts WireGuard's UDP packets arriving from the wan zone. No 'dest' is
# set, so this is an input rule to the router itself, and no 'family' is set,
# so it applies to IPv4 and IPv6 alike. dest_port must match listen_port of
# the 'vpn' interface (1337).
config rule 'wg'
option name 'Allow-WireGuard'
option src 'wan'
option proto 'udp'
option target 'ACCEPT'
option dest_port '1337'
With this configuration the client connection to my router via VPN works great. IPv6 over WireGuard does not work, but I expected that and wanted to look into it separately — the problem is probably that fixed global IPv6 ranges have to be specified?
Now WireGuard runs as desired, but on all other interfaces the clients no longer have IPv6. They still get their addresses assigned, but IPv6 communication towards the WAN is no longer possible.
What could be the reason for this?
For completeness, here are my two config files before the adjustments described above:
/etc/config/network
# /etc/config/network before the WireGuard changes.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
# NOTE(review): '1ce:1ce:babe::/48' is not inside fd00::/8, the RFC 4193
# ULA range, so the ULA addresses derived from it for the ip6assign'd
# interfaces are not proper unique-local addresses -- confirm this is
# intentional and prefer an fd00::/8 prefix otherwise.
option ula_prefix '1ce:1ce:babe::/48'
# Single bridge on eth0 with VLAN filtering (see the bridge-vlan sections).
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
option igmp_snooping '1'
# Main LAN on bridge VLAN 1; gets a /64 from the delegated prefix with a
# fixed interface identifier.
config interface 'lan'
option broadcast '192.168.0.255'
option device 'br-lan.1'
option igmp_v3 '1'
option ip6assign '64'
option netmask '255.255.255.0'
option proto 'static'
option ipaddr '192.168.0.2'
option ip6ifaceid '::2'
list dns '127.0.0.1'
# Bridge VLAN 4, IPv4 only (no ip6assign); placed in the 'tor' zone by the
# firewall config.
config interface 'tor'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.4.2'
# NOTE(review): stp is a bridge-device option; on an interface section it is
# most likely ignored -- confirm.
option stp '1'
option device 'br-lan.4'
# Bridge VLAN 3, guest network ('gast' zone).
config interface 'gast'
option device 'br-lan.3'
option force_link '0'
# NOTE(review): gateway points at the lan interface's own address; it does
# not look like this entry is needed here -- confirm.
option gateway '192.168.0.2'
option ip6assign '64'
option ip6ifaceid '::3:2'
option ipaddr '192.168.3.2'
option netmask '255.255.255.0'
option proto 'static'
list dns '192.168.3.2'
# VLAN 7 tagged on eth1; carrier for the PPPoE session.
config device
option type '8021q'
option ifname 'eth1'
option vid '7'
option name 'eth1.7'
# Bridge VLAN filtering: VLAN 1 untagged and PVID on eth0, VLANs 3 and 4 tagged.
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'eth0:u*'
config bridge-vlan
option device 'br-lan'
option vlan '3'
list ports 'eth0:t'
config bridge-vlan
option device 'br-lan'
option vlan '4'
list ports 'eth0:t'
# PPPoE uplink; 'ipv6 auto' brings up the companion wan6 interface that the
# firewall's wan zone references.
config interface 'wan'
option proto 'pppoe'
option device 'eth1.7'
# Credentials redacted in the post.
option username 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
option password 'YYYYYYYYYYYYYYYYYYYY'
option ipv6 'auto'
# NOTE(review): ip6assign/ip6ifaceid on the wan interface itself would claim
# a /64 of the delegated prefix for the uplink, which is unusual -- confirm
# it is intended.
option ip6assign '64'
option ip6ifaceid '::2'
/etc/config/firewall
# /etc/config/firewall before the WireGuard changes (note that 'vpn' is
# already listed in the lan zone here).
config defaults
option syn_flood '1'
# Global chain policies; the per-zone settings below take precedence.
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# lan zone: fully open towards the router and between its members.
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'vpn'
# wan zone: covers both the PPPoE (wan) and the DHCPv6 (wan6) interfaces;
# IPv4 NAT and TCP MSS clamping for the PPPoE MTU.
config zone 'wan'
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan6'
list network 'wan'
# Guest zone: reaches the router only through the explicit gast rules below.
config zone
option name 'gast'
option output 'ACCEPT'
option forward 'ACCEPT'
option input 'REJECT'
option conntrack '1'
list network 'gast'
# Tor zone: input DROP, so only the explicit tor rules at the end of the
# file reach the router; no forwarding out of this zone is defined.
config zone
option output 'ACCEPT'
option name 'tor'
option conntrack '1'
option syn_flood '1'
option input 'DROP'
option forward 'REJECT'
list network 'tor'
# Inter-zone forwardings.
config forwarding
option src 'lan'
option dest 'wan'
# NOTE(review): this grants the guest zone unrestricted forwarding into lan.
# The narrower 'Allow-PiHole-from-gast' rule further down suggests only DNS
# to the Pi-hole was meant; if so, drop this forwarding and keep that rule.
config forwarding
option dest 'lan'
option src 'gast'
config forwarding
option dest 'wan'
option src 'gast'
# --- OpenWrt default wan rules ---
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
# DHCPv6 replies from the ISP (link-local/ULA sources only).
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 to the router itself, rate-limited; NDP/RA types are required for
# the IPv6 uplink to work at all.
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 forwarded from wan into any zone (dest '*'), rate-limited; needed
# for path MTU discovery behind the PPPoE MTU.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Default IPsec passthrough rules (ESP and IKE from wan into lan); they can
# be disabled if no IPsec endpoint lives in lan.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'
# Custom iptables rules loaded by fw3; their content is not shown in the post
# (the tor redirects presumably live there -- not visible here).
config include
option path '/etc/firewall.user'
# --- guest zone rules ---
# DHCP from guests to the router. No proto is given, so the fw3 default
# (tcp and udp) applies.
config rule
option dest_port '67-68'
option src 'gast'
option name 'allow-gast-dhcp-router'
option target 'ACCEPT'
# Despite the name, port 53 is DNS to the router itself.
config rule
option dest_port '53'
option src 'gast'
option name 'allow-gast-dhcp-dns'
option target 'ACCEPT'
# ICMPv6 from guests to the router (neighbour discovery / RS need this).
config rule
option src 'gast'
option name 'allow-gast-input-icmp-router'
option target 'ACCEPT'
list proto 'icmp'
option family 'ipv6'
# ICMPv6 forwarded from guests to wan.
config rule
option src 'gast'
option name 'allow-gast-icmp-requests'
option family 'ipv6'
option target 'ACCEPT'
option dest 'wan'
list proto 'icmp'
# DNS from guests to the Pi-hole in lan. With the gast -> lan forwarding
# above this rule is redundant; it only becomes the restriction it looks like
# once that forwarding is removed.
config rule
option dest_port '53'
option src 'gast'
option name 'Allow-PiHole-from-gast'
option dest 'lan'
option target 'ACCEPT'
list proto 'udp'
list dest_ip '192.168.0.9'
# NOTE(review): a link-local (fe80::) address is not reachable across a
# routed zone boundary, so this dest_ip entry most likely never matches;
# the Pi-hole's ULA or global address would be needed instead -- confirm.
list dest_ip 'fe80::dea6:32ff:fe30:907d'
# --- tor zone rules ---
# Only these three ports of the router are reachable from the tor zone
# (input policy is DROP). 9053/udp and 9040/tcp presumably correspond to a
# Tor DNSPort/TransPort setup; the matching redirects are not in this file.
config rule
option name 'Allow-Tor-DNS-Proxied'
option target 'ACCEPT'
option proto 'udp'
option dest_port '9053'
option src 'tor'
config rule
option name 'Allow-Tor-Proxy'
option target 'ACCEPT'
option proto 'tcp'
option dest_port '9040'
option src 'tor'
config rule
option name 'Allow-Tor-DHCP'
option target 'ACCEPT'
option proto 'udp'
option src 'tor'
option dest_port '67'