No internet access on IPv6 wireguard server

Hello.

I am editing this after following the suggestions in the comments, and it is still failing: now I don't have internet access either through my WireGuard server or when connected to the router itself.

My relevant configurations are as follows:

ubus call system board

{
	"kernel": "6.6.73",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "ASUS RT-AX53U",
	"board_name": "asus,rt-ax53u",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.0",
		"revision": "r28427-6df0e3d02a",
		"target": "ramips/mt7621",
		"description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
		"builddate": "1738624177"
	}
}

/etc/config/network

# NOTE(review): two different ULA prefixes appear in this file — the globals
# ula_prefix fdce:8382:1d41::/48 and the WireGuard tunnel fdba:b090:f5cb::/64.
# The `wg show` output later in the thread lists fdce:8382:1d41::2/128 as the
# peer's allowed IP, so the posted config and the running config differ. Keep the
# tunnel address, the peer allowed_ips and the firewall masq_src on ONE prefix.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	# Site-local ULA prefix; lan gets a /60 out of it via ip6assign below.
	option ula_prefix 'fdce:8382:1d41::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.50.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'pppoe'
	option username 'REDACTED'
	option password 'REDACTED'
	# wan6 (below) is attached to this interface for IPv6.
	option ipv6 'auto'
	# Ignore ISP-supplied resolvers; use the listed ones instead.
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config interface 'wan6'
	option device '@wan'
	option proto 'dhcpv6'
	option peerdns '0'
	list dns '2606:4700:4700::1111'
	list dns '2606:4700:4700::1001'
	option reqaddress 'try'
	option reqprefix 'auto'
	option norelease '1'
	option sourcefilter '0'

# WireGuard server interface. The listen port must be opened on the wan zone
# for BOTH families when clients connect to the router's IPv6 address; the
# firewall rule 'allow-55443' in this thread is currently family 'ipv4' only.
config interface 'WireGuard'
	option proto 'wireguard'
	option private_key 'REDACTED'
	option listen_port '55443'
	list addresses '172.22.22.1/24'
	# Tunnel ULA; note this is NOT derived from the globals ula_prefix above.
	list addresses 'fdba:b090:f5cb:0::1/64'

config wireguard_WireGuard
	option description ' Phone 1'
	option public_key 'REDACTED'
	# NOTE(review): a peer stanza on the server only needs the peer's PUBLIC key.
	# The phone's private key should exist only on the phone; remove this option.
	option private_key 'REDACTED'
	# Install routes for the allowed_ips below through the tunnel interface.
	option route_allowed_ips '1'
	# NOTE(review): endpoint_port without endpoint_host — for a roaming client
	# whose endpoint is learned from its handshake this is presumably unused.
	option endpoint_port '55443'
	option persistent_keepalive '25'
	# Source addresses accepted from this peer (and routed to it). The later
	# `wg show` output shows a different IPv6 here (fdce:8382:1d41::2/128).
	list allowed_ips '172.22.22.2/32'
	list allowed_ips 'fdba:b090:f5cb:0::2/128'

/etc/config/wireless

# Two mac80211 radios (2.4 GHz and 5 GHz) on the same PCIe device, each with one
# access point bridged into the 'lan' network using WPA2-PSK.
config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option band '2g'
	option channel '1'
	option htmode 'HE20'
	# NOTE(review): regulatory domain left at 'default'; set the real country
	# code so channel and power limits match local regulations.
	option country 'default'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'psk2'
	option key 'REDACTED'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
	option band '5g'
	option channel '36'
	option htmode 'HE80'
	# NOTE(review): same as radio0 — no country code configured.
	option country 'default'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt5G'
	option encryption 'psk2'
	option key 'REDACTED'

/etc/config/firewall

# Default policy: drop unsolicited input and forwarding; zones below open what
# is needed. Review notes are marked NOTE(review).
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# NOTE(review): this zone has masq6 but NO `option masq '1'` (the stock OpenWrt
# wan zone carries it). Without it, IPv4 traffic from lan or WireGuard leaving
# via the PPPoE wan is not source-NATed, which matches the report in this thread
# of no internet access even from the LAN. Add `option masq '1'`, and check
# whether masq_src then also needs IPv4 entries for the lan and tunnel subnets.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	# NAT outgoing IPv6 only for the WireGuard tunnel ULA listed in masq_src.
	# This prefix must match the tunnel address in /etc/config/network; the
	# later `wg show` output uses fdce:8382:1d41:: instead, so re-check it.
	option masq6 '1'
	list masq_src 'fdba:b090:f5cb:0::0/64'

config forwarding
	option src 'lan'
	option dest 'wan'

# The rules from here to Allow-ISAKMP look like the stock OpenWrt defaults.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# NOTE(review): this rule is restricted to IPv4, but the client config in this
# thread connects to the router's IPv6 address ([...]:55443). IPv6 handshakes
# from the wan side therefore fall through to the zone's input 'REJECT', which
# fits the zero packet counter shown by `nft list ruleset | grep 55443`.
# Drop the `option family 'ipv4'` line (or add an identical ipv6 rule).
config rule
	option name 'allow-55443'
	option family 'ipv4'
	list proto 'udp'
	option src 'wan'
	option dest_port '55443'
	option target 'ACCEPT'

# Tunnel zone. input 'ACCEPT' lets every peer reach all router services;
# tighten to the needed ports (DNS, etc.) if peers are not fully trusted.
config zone
	option name 'WireGuard'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'WireGuard'

config forwarding
	option src 'WireGuard'
	option dest 'lan'

config forwarding
	option src 'WireGuard'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'WireGuard'

# NOTE(review): src 'wgserver' does not name any zone in this file (the tunnel
# zone is 'WireGuard'), so this rule can never match, and 192.168.5.199 is not
# inside the lan subnet 192.168.50.0/24. Looks like a leftover — remove or fix.
config rule
	option name 'access-from-wg'
	option src 'wgserver'
	list dest_ip '192.168.5.199'
	option target 'ACCEPT'
	list proto 'all'
	option dest '*'

# NOTE(review): src_ip '177.22.22.0/24' does not match the tunnel subnet
# 172.22.22.0/24 configured in /etc/config/network, so this NAT rule never
# applies. With src 'lan' it would only affect traffic leaving towards lan
# hosts; internet-bound NAT is handled by the wan zone's masquerading instead.
config nat
	option name 'SNAT-WireGuard'
	list proto 'all'
	option src 'lan'
	option src_ip '177.22.22.0/24'
	option target 'MASQUERADE'

So you already have IPv6 in your network working?

My notes about a WireGuard server setup also cover IPv6 but in essence you can just use the IPv6 address of the WAN to connect and WireGuard tunnels IPv4 traffic over this connection.
So your DDNS address can be the router's WAN IPv6 address.

My notes:

You need the Server setup guide, and it is best to download it, as GitHub only shows the first 5 pages.

Thanks, I'll definitely read them. Though I am still uncertain as to where I can get my IPv6 address, since in LuCI I see an address for each interface and don't know which one to pick :sweat_smile: .

Well yes...

But actually no...

I tried following this guide, but apparently something changed or didn't work in the first place. Could it be due to my AdGuard Home settings?

I do have full dual stack running but I am not an expert on IPv6

I did find that ipv6-test.com is sometimes slow to react; try this to test:
https://test-ipv6.com

https://ip.bieringer.net - try this. It's more detailed and shows EUI64_SCOPE.

Using this site seems to give a better result and work more quickly than http://ipv6-test.com/.

Though some pages are still unreachable...

So I'm assuming that IPv6 is properly set up. IPv6 traceroute and ping to openwrt.org also work.

Now I just need to set up my DDNS properly and try following the notes then.


Hi, thanks for the site suggestion, this is the result:

As for the EUI64_SCOPE it's local

Hello again. I followed the guide and internet access is still not working.

I have edited my initial post to include relevant configs.

I would remove this:

But otherwise I do not see any obvious mistakes in your setup

Make sure to reboot.

Test from your phone or laptop on cellular and first ping your router's IPv6 address to see if that is reachable.
For Android I use an app called fing (free version)

For the WireGuard client config on e.g. your phone, use the IPv6 address of your router; usually you have to put it between square brackets like this:

Endpoint: [20aa:1d22:5d84:1100::3]:55443

What is the output of `wg show` from the router, and what is the client (phone) showing? Either use tcpdump to view traffic arriving at your router or look at the firewall: `nft list ruleset | grep 55443`

Right, this is probably my last comment since I'd rather not keep crowding the place with my noob problem, but here's the status:

While I'm connected to the network and using the VPN everything works properly, though my DDNS (Duck DNS) doesn't update my IPv6 address, so I have to recreate the configuration manually every time. However, there's still no internet when using the VPN from another network. I did check the basics, i.e. whether the other network allocates an IPv6 address, but other than that I couldn't ping anything, be it my router or any site (in fact, Vernet didn't even manage to send the packets, much less receive anything).

wg show

interface: WireGuard
  public key: (hidden just because I'm paranoid)
  private key: (hidden)
  listening port: 55443

peer: /
(hidden because of my paranoia, again)
  endpoint: [ipv6 address]:55443
  allowed ips: 172.22.22.2/32, fdce:8382:1d41::2/128    # changed the allowed IPv6 based on the ULA prefix in /etc/config/network
  latest handshake: 20 minutes, 12 seconds ago
  transfer: 821.28 KiB received, 21.35 MiB sent
  persistent keepalive: every 25 seconds

nft list ruleset | grep 55443

udp dport 55443 counter packets 0 bytes 0 accept comment "!fw4: allow-55443"

As for the paranoia, my internet seems to be dropping during the evening for unclear reason, LOL. Probably just went overboard with AdGuard blocklists.