I'm trying to get some IPv6 routing to behave, and struggling slightly with how.
I have a /60 routed to me by my ISP, and that has been up and running fine for some time. What I'm trying to do now is to add a subnet that will be routed via a WireGuard VPN. IPv4 was fairly straightforward, using PBR to route traffic from the subnet. IPv6 has proven to be more challenging.
I have a /56 routed to the remote server, and am trying to route a /60 from that to OpenWRT. The WireGuard interface gets the address 2001:0db8:e004:7e00::c from the server (addresses altered), and the remote end of the tunnel is 2001:0db8:e004:7e00::1. The block 2001:0db8:e004:7ec0::/60 is routed down the tunnel and I'm aiming to assign 2001:0db8:e004:7eca::/64 to my subnet. The relevant bit of /etc/config/network looks like this:

config interface 'overvpn'
    option device 'eth0.202'
    option proto 'static'
    option ipaddr '192.168.202.254'
    option netmask '255.255.255.0'
    list ip6class 'wg_baloo6'
    option ip6assign '64'
    option ip6hint 'a'
    option defaultroute '0'

config interface 'wg_baloo'
    option proto 'wireguard'
    option private_key '<verysecret>'
    option defaultroute '0'
    option nohostroute '1'
    list addresses '10.55.202.12'

config interface 'wg_baloo6'
    option proto 'static'
    option device '@wg_baloo'
    list ip6addr '2001:0db8:e004:7e00::c/128'
    option ip6prefix '2001:0db8:e004:7ec0::/60'
    option ip6gw '2001:0db8:e004:7e00::1'

config wireguard_wg_baloo
    option description 'Baloo'
    option public_key '<notquitesosecret>'
    option endpoint_host 'nnn.nnn.nnn.nnn'
    option persistent_keepalive '25'
    list allowed_ips '0.0.0.0/0'
    list allowed_ips '::/0'

I failed to get PBR to work, and eventually resorted to manually setting routes using ip. This confused me for a while, but I eventually realised that before I could set up a route via the gateway I first had to set up a route to the gateway. So I finally got to this:
ip -6 route add 2001:0db8:e004:7e00::1 dev wg_baloo
ip -6 route add default from 2001:0db8:e004:7ec0::/60 via 2001:0db8:e004:7e00::1
Which worked fine.
Now I want to come up with a config to make this persistent. This is what I've tried:

config route6
    option interface 'wg_baloo'
    option target '2001:0db8:e004:7e00::1/128'

config route6
    option target '::/0'
    option gateway '2001:0db8:e004:7e00::1'
    option source '2001:0db8:e004:7ec0::/60'

This does actually work, but not how I expect it to. What I get in the routing table is
2001:0db8:e004:7e00::1 dev wg_baloo proto static metric 1024 pref medium
2001:0db8:e004:7e00::c dev wg_baloo proto kernel metric 256 pref medium
default via 2001:0db8:e004:7e00::1 dev wg_baloo proto static metric 1024 pref medium
What I was expecting was something more like
2001:0db8:e004:7e00::1 dev wg_baloo proto static metric 1024 pref medium
2001:0db8:e004:7e00::c dev wg_baloo proto kernel metric 256 pref medium
default from 2001:0db8:e004:7ec0::/60 via 2001:0db8:e004:7e00::1 dev wg_baloo proto static metric 1024 pref medium
What do I need to do to get the 'from' bit in there? I've put it in option source because of what I found at https://openwrt.org/docs/guide-user/network/routing/routes_configuration, where 'source' is described as "The route source address in source-address dependent routes. It's called “from” in the ip command."
I think the reason it is working is that the default route inserted for the IPv6 /60 from my ISP does have the 'from' part. So anything from that /60 is being routed correctly, not over WireGuard.
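
The difference between the two routing tables quoted above can be checked mechanically. The following is an added example, not part of the original post: a POSIX shell function (the name `unscoped_defaults` is made up here) that reads `ip -6 route` output and reports default routes on a given device that have no `from` selector. The sample input is the two tables from the post.

```shell
#!/bin/sh
# Added example (not from the original post): report IPv6 default routes on a
# given device that carry no "from <prefix>" selector.
# On a router: ip -6 route show | unscoped_defaults wg_baloo

unscoped_defaults() {
    # $1 = device name; the routing table is read from stdin.
    # Prints offending routes; returns 1 if any were found, 0 otherwise.
    awk -v dev="$1" '
        $1 == "default" {
            has_from = 0; on_dev = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "from") has_from = 1
                if ($i == "dev" && $(i + 1) == dev) on_dev = 1
            }
            if (on_dev && !has_from) { print; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Sample input: the two tables quoted in the post (addresses already altered there).
observed_table() {
    cat <<'EOF'
2001:0db8:e004:7e00::1 dev wg_baloo proto static metric 1024 pref medium
2001:0db8:e004:7e00::c dev wg_baloo proto kernel metric 256 pref medium
default via 2001:0db8:e004:7e00::1 dev wg_baloo proto static metric 1024 pref medium
EOF
}

expected_table() {
    cat <<'EOF'
2001:0db8:e004:7e00::1 dev wg_baloo proto static metric 1024 pref medium
2001:0db8:e004:7e00::c dev wg_baloo proto kernel metric 256 pref medium
default from 2001:0db8:e004:7ec0::/60 via 2001:0db8:e004:7e00::1 dev wg_baloo proto static metric 1024 pref medium
EOF
}

for t in observed_table expected_table; do
    if "$t" | unscoped_defaults wg_baloo; then
        echo "$t: every default route on wg_baloo is source-scoped"
    else
        echo "$t: the default route printed above applies to any source address"
    fi
done
```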