I have an OpenWrt setup with working IPv6 support. I'm getting a /64 prefix from my ISP. It seems that the prefix and router detection work by Router Advertisement / Neighbour Discovery protocol. (No DHCPv6, apparently.) I'm using odhcpd in "relay" mode for all settings:
Recently I installed Wireguard so that I could connect to my LAN from a remote network, and use the internet through my router. I generally connect from my Mac laptop. (Useful when travelling, so I get my home IP for some services.) This works fine in IPv4.
However, when trying to get IPv6 working, I'm not getting proper connectivity. I came up with two link-local addresses to type into the WireGuard config:
- fe80::9999:1 for the router, and
- fe80::9999:2 for my laptop.
I am able to successfully ping the router using
PING6(56=40+8+8 bytes) fe80::9999:2%utun1 --> fe80::9999:1%utun1
16 bytes from fe80::9999:1%utun1, icmp_seq=0 hlim=64 time=92.117 ms
16 bytes from fe80::9999:1%utun1, icmp_seq=1 hlim=64 time=56.860 ms
Note that here utun1 is the WireGuard interface on the Mac. However, if I only ping with ping6 fe80::9999:1, it errors:
PING6(56=40+8+8 bytes) fe80::9999:2%utun1 --> fe80::9999:1
ping6: sendmsg: No route to host
ping6: wrote fe80::9999:1 16 chars, ret=-1
Am I correct to assume that this means that it doesn't automatically know to route fe80::9999:1 to the WireGuard interface?
Also, when I try to access the IPv6 internet:
curl -6 ifconfig.co
Here's a tcpdump of the WireGuard interface; the first packet is an attempt to connect to ifconfig.co, and the second is from the router, saying "destination unreachable, unknown unreach code (5)":
13:44:39.423690 IP6 (flowlabel 0xd71dc, hlim 64, next-header TCP (6) payload length: 44) fe80::9999:2.52712 > 2606:4700:3032::681c:125e.http: Flags [SEW], cksum 0x8ef8 (correct), seq 122439060, win 65535, options [mss 1360,nop,wscale 6,nop,nop,TS val 900769551 ecr 0,sackOK,eol], length 0
	0x0000:  600d 71dc 002c 0640 fe80 0000 0000 0000  `.q..,.@........
	0x0010:  0000 0000 9999 0002 2606 4700 3032 0000  ........&.G.02..
	0x0020:  0000 0000 681c 125e cde8 0050 074c 4594  ....h..^...P.LE.
	0x0030:  0000 0000 b0c2 ffff 8ef8 0000 0204 0550  ...............P
	0x0040:  0103 0306 0101 080a 35b0 a70f 0000 0000  ........5.......
	0x0050:  0402 0000                                ....
13:44:39.488152 IP6 (flowlabel 0x7b359, hlim 64, next-header ICMPv6 (58) payload length: 92) fe80::9999:1 > fe80::9999:2: [icmp6 sum ok] ICMP6, destination unreachable, unknown unreach code (5)
	0x0000:  6007 b359 005c 3a40 fe80 0000 0000 0000  `..Y.\:@........
	0x0010:  0000 0000 9999 0001 fe80 0000 0000 0000  ................
	0x0020:  0000 0000 9999 0002 0105 f608 0000 0000  ................
	0x0030:  600d 71dc 002c 0640 fe80 0000 0000 0000  `.q..,.@........
	0x0040:  0000 0000 9999 0002 2606 4700 3032 0000  ........&.G.02..
	0x0050:  0000 0000 681c 125e cde8 0050 074c 4594  ....h..^...P.LE.
	0x0060:  0000 0000 b0c2 ffff 8ef8 0000 0204 0550  ...............P
	0x0070:  0103 0306 0101 080a 35b0 a70f 0000 0000  ........5.......
	0x0080:  0402 0000                                ....
According to the RFC, code 5 means something like "invalid ingress/egress policy", but I'm not entirely sure what that means. I suspect it's something like "you can't send that packet to the internet with a link-local address; it will be filtered and/or your peer won't be able to send a reply to it."
So, it would seem that my laptop would need a global prefix, but it doesn't have one.
My router and the hosts directly connected to the LAN are able to find a global IPv6 prefix and get a global address. They also advertise that address using Neighbour Advertisement ICMPv6 messages, and respond to Neighbour Solicitation messages from the upstream router. With tcpdump, I have been able to confirm that the Router Advertisement messages from the upstream router, containing the global prefix info, are able to reach my laptop behind WireGuard. I think this means that my odhcpd "relay" settings for the WireGuard interface are successful:
config dhcp 'wg0'
	option interface 'wg0'
	option ignore '1'
	option ra 'relay'
	option dhcpv6 'relay'
	option ndp 'relay'
However, I'm not seeing any Neighbour Solicitation or Advertisement messages from or to my laptop; I do see some when connected directly to the LAN.
However, my Mac doesn't seem to pick up an address. But even if it did, I'm confused about how to set the "allowed IPs" of the laptop peer on OpenWrt: if the laptop is going to "statelessly" assume any IPv6 address within the prefix, and the prefix might change dynamically according to the whims of my ISP, that means I would need to allow any IPv6 address for my peer. That goes against most of the WireGuard setup guides I've seen, but then again, they have mostly been about IPv4, which is usually NATted and thus always uses a private range.
Does this seem more like a macOS problem, or is there something in my OpenWrt settings I can do? Does my setup seem sensible?
Here's a summary of my questions:
- Does ping6 not working without explicitly specifying the interface mean that I have a local routing problem in macOS?
- Does the "ICMP6, destination unreachable, unknown unreach code (5)" from my router mean what I suspect, that I need to send packets with a global IPv6 source address, otherwise it never works?
- Should I configure the WireGuard peer settings to allow any IP from my laptop, to be able to send packets with global IPv6?
- Is there anything I could do to get my laptop to assume a global IPv6 address? When directly on the LAN, it works.
- Does the lack of Neighbour Solicitation / Advertisement sound like a problem in itself, or is it a consequence of my laptop not assuming a global address?
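An added example, not part of the question above: a small Python decoder for the second captured packet (the router's ICMPv6 error), built from the hex bytes in the tcpdump output. It names the code using the RFC 4443 Destination Unreachable table, verifies the ICMPv6 checksum over the IPv6 pseudo-header (which is what tcpdump's "[icmp6 sum ok]" reports), and extracts the source and destination of the original packet embedded in the error body, so you can see exactly which source address the router rejected. It also includes a receive-side model of WireGuard's cryptokey routing (a decrypted packet is dropped unless its source falls inside the sending peer's AllowedIPs) to show the effect of listing only the link-local /128 versus adding the delegated /64. The prefix 2001:db8:1234:5678::/64 and the SLAAC address under it are assumptions for illustration; the post does not show the real prefix.

```python
"""Decode the ICMPv6 Destination Unreachable error from the capture and model
WireGuard's receive-side AllowedIPs check.

Added example, not code from the original post. CAPTURED_ERROR is transcribed
from the second packet of the tcpdump -x output above. The global prefix used
in the AllowedIPs demonstration is a hypothetical documentation prefix.
"""
import ipaddress
import struct

ICMPV6_NEXT_HEADER = 58
ICMPV6_DEST_UNREACH = 1

# RFC 4443, section 3.1: Destination Unreachable message codes.
DEST_UNREACH_CODES = {
    0: "No route to destination",
    1: "Communication with destination administratively prohibited",
    2: "Beyond scope of source address",
    3: "Address unreachable",
    4: "Port unreachable",
    5: "Source address failed ingress/egress policy",
    6: "Reject route to destination",
}

# Router -> laptop packet from the post: 40-byte IPv6 header + 92-byte ICMPv6 message.
CAPTURED_ERROR = bytes.fromhex(
    "6007b359005c3a40fe80000000000000"
    "0000000099990001fe80000000000000"
    "00000000999900020105f60800000000"
    "600d71dc002c0640fe80000000000000"
    "00000000999900022606470030320000"
    "00000000681c125ecde80050074c4594"
    "00000000b0c2ffff8ef8000002040550"
    "010303060101080a35b0a70f00000000"
    "04020000"
)


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 arithmetic: add 16-bit big-endian words and fold the carries."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def icmpv6_checksum_ok(src: bytes, dst: bytes, icmp: bytes) -> bool:
    """Verify an ICMPv6 checksum using the IPv6 pseudo-header (RFC 8200, section 8.1)."""
    pseudo = src + dst + struct.pack("!I", len(icmp)) + b"\x00\x00\x00" + bytes([ICMPV6_NEXT_HEADER])
    # Summing the message with its checksum field left in place gives 0xffff when valid.
    return ones_complement_sum(pseudo + icmp) == 0xFFFF


def parse_ipv6_header(buf: bytes):
    """Return (next_header, payload_len, src, dst) for a bare IPv6 header (no extension headers)."""
    first_word, payload_len, next_header, _hop_limit = struct.unpack("!IHBB", buf[:8])
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return next_header, payload_len, buf[8:24], buf[24:40]


def decode_dest_unreachable(packet: bytes) -> dict:
    """Decode an ICMPv6 Destination Unreachable packet, including the invoking packet it quotes."""
    next_header, payload_len, src, dst = parse_ipv6_header(packet)
    if next_header != ICMPV6_NEXT_HEADER:
        raise ValueError("not ICMPv6")
    icmp = packet[40:40 + payload_len]
    icmp_type, code, _checksum = struct.unpack("!BBH", icmp[:4])
    if icmp_type != ICMPV6_DEST_UNREACH:
        raise ValueError(f"unexpected ICMPv6 type {icmp_type}")
    inner = icmp[8:]  # RFC 4443: "as much of invoking packet as possible" follows the 4 unused bytes
    inner_nh, _, inner_src, inner_dst = parse_ipv6_header(inner)
    inner_src_addr, inner_dst_addr = ipaddress.IPv6Address(inner_src), ipaddress.IPv6Address(inner_dst)
    result = {
        "from": str(ipaddress.IPv6Address(src)),
        "to": str(ipaddress.IPv6Address(dst)),
        "code": code,
        "reason": DEST_UNREACH_CODES.get(code, f"unassigned code {code}"),
        "checksum_ok": icmpv6_checksum_ok(src, dst, icmp),
        "inner_src": str(inner_src_addr),
        "inner_dst": str(inner_dst_addr),
        "inner_src_is_link_local": inner_src_addr.is_link_local,
        "inner_dst_is_global": inner_dst_addr.is_global,
    }
    if inner_nh == 6:  # TCP: the first four bytes of the transport header are the ports
        result["inner_ports"] = struct.unpack("!HH", inner[40:44])
    return result


def peer_accepts_source(allowed_ips, src: str) -> bool:
    """WireGuard cryptokey routing, receive side: after decryption a packet is dropped
    unless its source address lies inside one of the sending peer's AllowedIPs."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(net) for net in allowed_ips)


if __name__ == "__main__":
    for key, value in decode_dest_unreachable(CAPTURED_ERROR).items():
        print(f"{key}: {value}")
    # Hypothetical delegated prefix and a SLAAC address the laptop might pick under it.
    slaac = "2001:db8:1234:5678:1c7a:2bff:fe3e:4d5f"
    print("link-local only:", peer_accepts_source(["fe80::9999:2/128"], slaac))
    print("with the /64:   ", peer_accepts_source(["fe80::9999:2/128", "2001:db8:1234:5678::/64"], slaac))
```

The decoder shows the error is type 1 code 5, checksums correctly, and quotes an invoking packet whose source is the link-local fe80::9999:2 and whose destination is global. The AllowedIPs model shows that the router-side peer entry does not need ::/0 to accept traffic from a SLAAC address: listing the delegated /64 next to the link-local /128 is sufficient, with the caveat that if the ISP changes the prefix, that entry has to be updated to match.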