Sid
October 6, 2025, 11:02am
1
My ISP only provides a single /64 to me, which means no IPv6 over WireGuard due to lack of subnetting.
As per the OpenWrt guide for Symmetric Dynamic NPTv6 here https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_nat#symmetric_dynamic_ipv6_npt
I’ve set up NPTv6 using this script:
```sh
cat << "EOF" > /etc/nftables.d/npt6.sh
WG_IF="wg0"
WG_ULAPFX="fd58:fc7f:13e4::/64"
WAN_DEV="eth0"
WAN_PFX="2405:xxxx:xxxx:xxxx::/64"
sleep 5
. /lib/functions/network.sh
network_flush_cache
network_get_device WG_DEV "${WG_IF}"
LAN_PFX="${WG_ULAPFX}"
nft add rule inet fw4 srcnat \
  oifname "${WAN_DEV}" snat ip6 prefix to ip6 \
  saddr map { "${LAN_PFX}" : "${WAN_PFX}" }
nft add rule inet fw4 srcnat \
  oifname "${WG_DEV}" snat ip6 prefix to ip6 \
  saddr map { "${WAN_PFX}" : "${LAN_PFX}" }
EOF
uci -q delete firewall.wg_npt6
uci set firewall.wg_npt6="include"
uci set firewall.wg_npt6.path="/etc/nftables.d/npt6.sh"
uci commit firewall
service firewall restart
```
And these rules appear in `nft list ruleset`:
```
chain srcnat {
    oifname "eth0" snat ip6 prefix to ip6 saddr map { fd58:fc7f:13e4::/64 : 2405:xxxx:xxxx:xxxx::/64 }
    oifname "wg0" snat ip6 prefix to ip6 saddr map { 2405:xxxx:xxxx:xxxx::/64 : fd58:fc7f:13e4::/64 }
}
```
But I still can’t get IPv6 to work on my WireGuard peer (phone).
_bernd
October 6, 2025, 11:05am
2
IPv4 is mostly preferred over IPv6 GUA.
So the WireGuard client will use IPv4 only, except if the destination is also ULA.
You can hack the address selection algorithm by using, for instance, the IPv6 GUA reserved for documentation purposes: 2001:db8::/32 or 3fff::/20.
Edit: and then do NPT to the ISP-assigned GUA.
But of course you may have to touch your firewall rules too...
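Added illustration, not part of any post in this thread: a small Python model of RFC 6724 destination address selection (default policy table, rules 5 and 6 only) showing why a ULA source makes a dual-stack client pick IPv4, while a source inside 2001:db8::/32 or 3fff::/20 lets IPv6 win. All addresses are constructed stand-ins.

```python
"""RFC 6724 destination selection, reduced to rules 5 (label) and 6 (precedence)."""
import ipaddress

# Default policy table from RFC 6724 section 2.1: (prefix, precedence, label)
POLICY = [(ipaddress.ip_network(p), prec, lbl) for p, prec, lbl in [
    ("::1/128", 50, 0), ("::/0", 40, 1), ("::ffff:0:0/96", 35, 4),
    ("2002::/16", 30, 2), ("2001::/32", 5, 5), ("fc00::/7", 3, 13),
    ("::/96", 1, 3), ("fec0::/10", 1, 11), ("3ffe::/16", 1, 12),
]]

def as_v6(addr):
    """IPv4 addresses are looked up as IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    a = ipaddress.ip_address(addr)
    return ipaddress.IPv6Address("::ffff:" + str(a)) if a.version == 4 else a

def policy(addr):
    """Longest-prefix match in the policy table -> (precedence, label)."""
    a = as_v6(addr)
    _net, prec, lbl = max((row for row in POLICY if a in row[0]),
                          key=lambda row: row[0].prefixlen)
    return prec, lbl

def prefer(candidates):
    """candidates: list of (destination, source the host would use for it).
    Simplification: rules 1-4 (usability, scope, deprecation, home address)
    are assumed to tie, as they do for public IPv4 vs ULA/GUA. Rule 5 prefers
    a destination whose label matches its source, rule 6 a higher precedence."""
    def key(pair):
        dst, src = pair
        dprec, dlbl = policy(dst)
        _sprec, slbl = policy(src)
        return (dlbl == slbl, dprec)
    return max(candidates, key=key)[0]

# Constructed stand-ins: a dual-stack server and the phone's IPv4 address.
SERVER_V6, SERVER_V4 = "2001:db8:cafe::53", "192.0.2.53"
PHONE_V4 = "10.0.0.2"

def chosen_with_source(v6_source):
    """Which server address the phone contacts, given its IPv6 source address."""
    return prefer([(SERVER_V6, v6_source), (SERVER_V4, PHONE_V4)])

if __name__ == "__main__":
    print(chosen_with_source("fd58:fc7f:13e4::10"))      # ULA source: IPv4 wins
    print(chosen_with_source("2001:db8:5a3f:e9c1::10"))  # documentation GUA: IPv6 wins
    print(chosen_with_source("3fff:abcd::10"))           # 3fff::/20: IPv6 wins
```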
Sid
October 6, 2025, 12:00pm
3
I have wg in a separate firewall zone:
```
config zone
	option name 'wg0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wg0'
	option masq '1'
	list device 'wg0'

config forwarding
	option src 'wg0'
	option dest 'lan'

config forwarding
	option src 'wg0'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'wg0'
```
I tried using the documentation GUA as you suggested, but still no go:
```
oifname "eth0" snat ip6 prefix to ip6 saddr map { 2001:db8:5a3f:e9c1::/64 : 2405:xxxx:xxxx:xxxx::/64 }
oifname "wg0" snat ip6 prefix to ip6 saddr map { 2405:xxxx:xxxx:xxxx::/64 : 2001:db8:5a3f:e9c1::/64 }
```
egc
October 6, 2025, 12:13pm
4
WireGuard is often set up with ULA addresses, and masquerading (selective NAT66) works for me.
My note on how I set it up:
WireGuard Server Setup Guide
_bernd
October 6, 2025, 12:33pm
5
NPT != NAT66!!!!
The firewall zone wg does not need masq! Only wan!
Do you have a matching route? You need a route like:
```
default from <ula>::/64 dev <wan-interface>
```
egc
October 6, 2025, 12:59pm
6
Instead of a matching route (which might be preferable) you can disable source routing, but you need one or the other to have internet access from your peers.
P.S. Not sure if this rule will work without specifying a gateway; I have just disabled source routing.
_bernd
October 6, 2025, 2:00pm
7
I have the default behavior regarding source-specific routing, and yes, if the general default route has a gateway (or in this IPv6 case a next hop), then an extra default route with the SSR part (from) is valid...
Edit: P.S. I maybe should have added to the previous post that the default route stated is an extra route added to the table.
Sid
October 7, 2025, 2:33am
8
> Do you have a matching route? You need a route

Yes, I’ve added the route like this:
```
default from 2001:db8:5a3f:e9c1::/64 dev eth0 proto static metric 1024 pref medium
```
And also have source routing enabled, but nothing seems to work.
I guess my main problem is that I do not get any prefix from the ISP, only a single /64 on wan6.
NAT66 as suggested by @egc does work, but I wanted to try NPT since it’s preferred.