Separate routing table does not work for IPv6

Hi, I have a VPS running WireGuard and two LAN networks at home. One network I would like to route via WireGuard, and the other should go directly to my provider (which at this moment still does not support IPv6). I would like to have IPv6 connectivity on the WireGuard LAN; I'm using a ULA prefix for that network (which I know is not ideal, but as far as I know it should work with correctly set-up routing). On the VPS I am running nftables with masquerading for both IPv6 and IPv4, but currently I am not even able to ping WireGuard devices via IPv6. The error I get is "Network is unreachable", which suggests the kernel cannot find a matching route.

I was able to successfully set up a separate IPv4 routing table with routing rules for the WireGuard LAN; that works, and I can reach both the internal WireGuard devices and the outside network via my VPS. I'm new to both OpenWrt and IPv6, but I assumed the IPv6 setup would be analogous — it looks like it is not.

My network config

# Globals #
###########

# Router-wide settings. The ULA /48 below is the prefix both LAN
# interfaces draw their /64 from: lanwg0 is given ...:233::/64 statically,
# lan receives ...:29::/64 via ip6assign/ip6hint.
config globals 'globals'
        option ula_prefix 'fd98:9f04:9500::/48'




# Devices #
###########

# Port Location Designation
# eth1  cage 1   wan
# sfp2  cage 2   lanwg0
# wan   0        wan
# lan1  1        lanwg0
# lan2  2        lanwg0
# lan3  3        lanwg0
# lan4  4        lan




# wan
# Upstream bridge members. Both ports are pinned to the same MAC
# (...:82); presumably so the bridge presents a single address to the
# provider — confirm this is intended.
config device
        option name 'eth1'
        option macaddr '72:6e:d4:59:8e:82'

config device
        option name 'wan'
        option macaddr '72:6e:d4:59:8e:82'

# Bridge that the 'wan' (dhcp) and 'wan6' (dhcpv6) interfaces attach to.
config device
        option name 'br-wan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'wan'




# lanwg0
# Ports of the LAN that is to be routed through the tunnel (lan1-3 and
# the SFP cage), all pinned to the same MAC (...:81).
config device
        option name 'lan1'
        option macaddr '72:6e:d4:59:8e:81'

config device
        option name 'lan2'
        option macaddr '72:6e:d4:59:8e:81'

config device
        option name 'lan3'
        option macaddr '72:6e:d4:59:8e:81'

config device
        option name 'sfp2'
        option macaddr '72:6e:d4:59:8e:81'

# Bridge used by the 'lanwg0' interface below.
config device
        option name 'br-lanwg0'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'sfp2'




# lan
# Single port for the LAN that goes out directly via the provider; it is
# used by the 'lan' interface without a bridge.
config device
        option name 'lan4'
        option macaddr '72:6e:d4:59:8e:84'




# Interfaces #
##############

# local
# Stock loopback definition (IPv4 only; ::1 is added by the kernel).
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'




# wg0
# WireGuard tunnel to the VPS. Key material and the endpoint host are
# redacted as 'xxx' in this paste. Note the 7-space indent in this stanza
# differs from the rest of the file (cosmetic only).
config interface 'wg0'
       option proto 'wireguard'
       option private_key 'xxx'
       # Host addresses only (/32, /128): no on-link prefix is derived from them.
       list addresses '192.168.199.11/32'
       list addresses 'fd97:04d2:fa3b:199::65/128'

# The single peer (the VPS). allowed_ips 0.0.0.0/0 and ::/0 lets WireGuard
# accept packets from this peer with any inner source address and send it
# anything; route_allowed_ips '0' stops netifd from turning those two
# entries into default routes in the main table. The default routes live
# in table 'wg0' instead (see the static routes further down).
config wireguard_wg0
        option description 'wireguard'
        option public_key 'xxx'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option route_allowed_ips '0'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        option endpoint_host 'xxx'




# lanwg0
# Bridged LAN whose traffic is meant to leave through the tunnel.
config interface 'lanwg0'
        option device 'br-lanwg0'
        option proto 'static'
        option ipaddr '192.168.233.1'
        option netmask '255.255.255.0'
        # delegate '0': presumably keeps this interface's prefix out of
        # downstream prefix delegation — confirm against the netifd docs.
        option delegate '0'
        # Static /64 (subnet id 0x233) out of the ULA /48 from 'globals'.
        # The value is unquoted; UCI accepts it, but quoting would match the
        # rest of the file. The accepted fix later in the thread replaces this
        # option with ip6assign/ip6hint/ip6class so netifd manages the prefix.
        option ip6addr fd98:9f04:9500:233::1/64




# wan
# Upstream: DHCP for IPv4. A dhcpv6 interface is configured too, but the
# provider does not offer IPv6 yet (per the question), so wan6 currently
# yields neither an address nor a delegated prefix.
config interface 'wan'
        option device 'br-wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'br-wan'
        option proto 'dhcpv6'




# lan
# LAN that goes straight to the provider (not through the tunnel), on the
# bare lan4 port with no bridge.
config interface 'lan'
        option device 'lan4'
        option proto 'static'
        option ipaddr '192.168.29.1'
        option netmask '255.255.255.0'
        # Expected to receive fd98:9f04:9500:29::/64 (hint is hex) from the
        # ULA /48; no GUA is available while the provider lacks IPv6.
        option ip6assign '64'
        option ip6hint '0029'




# Routing rules #
#################

# lanwg0
# Policy routing for the tunnelled LAN: anything entering or leaving
# lanwg0, or carrying its subnet as source or destination, is looked up in
# table 'wg0'. The name is resolved through /etc/iproute2/rt_tables
# (201 wg0, shown later in the thread); a missing entry there would make
# every one of these rules fail to install. No 'priority' is set, so netifd
# chooses the order — check `ip rule` / `ip -6 rule` that they precede
# the main-table lookup (32766).
config rule
        option in 'lanwg0'
        option lookup 'wg0'

# Router-originated traffic leaving via lanwg0.
config rule
        option out 'lanwg0'
        option lookup 'wg0'

config rule
        option src '192.168.233.0/24'
        option lookup 'wg0'

# Because router-originated traffic *to* the LAN is also sent to table
# 'wg0', that table must contain the connected route (see the static
# routes below), otherwise the LAN itself becomes unreachable.
config rule
        option dest '192.168.233.0/24'
        option lookup 'wg0'

# IPv6 mirror of the four rules above (rule6 is a separate section type).
config rule6
        option in 'lanwg0'
        option lookup 'wg0'

config rule6
        option out 'lanwg0'
        option lookup 'wg0'

config rule6
        option src 'fd98:9f04:9500:233::/64'
        option lookup 'wg0'

config rule6
        option dest 'fd98:9f04:9500:233::/64'
        option lookup 'wg0'




# Static routes #
#################

# lanwg0
# Contents of table 'wg0'. Default goes into the tunnel; netifd does not
# add it by itself because route_allowed_ips is '0' on the peer.
config route
        option interface 'wg0'
        option target '0.0.0.0/0'
        option table 'wg0'

# Connected route copied into the table so lookups for lanwg0 traffic can
# still reach the LAN itself. For IPv4, 'source' becomes the preferred
# source address of the route (`ip route ... src 192.168.233.1`).
config route
        option interface 'lanwg0'
        option target '192.168.233.0/24'
        option table 'wg0'
        option source '192.168.233.1'

config route6
        option interface 'wg0'
        option target '::/0'
        option table 'wg0'

# NOTE(review): this is not the IPv6 twin of the IPv4 route above. A
# 'source' with a prefix length is installed as a source-specific route —
# the later `ip -6 route show table wg0` output shows it as
# `... from fd98:9f04:9500:233::/64 dev br-lanwg0` — so it only matches
# packets whose source is inside that /64, rather than setting a
# preferred source. If a plain connected route was intended, drop the
# 'source' option (or the prefix length) and re-check `ip -6 route`.
config route6
        option interface 'lanwg0'
        option target 'fd98:9f04:9500:233::/64'
        option table 'wg0'
        option source 'fd98:9f04:9500:233::1/64'

Welcome to the community!

  • The source on your last route6 looks wrong: `fd98:9f04:9500:233::1/64` carries a prefix length, so it is installed as a source-specific route (`from fd98:9f04:9500:233::/64`) rather than as a preferred source address, hence that route is likely not doing what you expect.

I assume you are not referring to global IPv6 connectivity — just between the VPS and the OpenWrt router, correct?

Hi, thanks for an answer,

Not exactly sure what you mean, it's there to ensure connectivity inside of the LAN. There is equivalent ipv4 route with same source specification.

        option source '192.168.233.1'

I do have table name specified in the rt_tables, cat /etc/iproute2/rt_tables:

#
# reserved values
#
128     prelocal
# 201 wg0 is the user-added table that the 'lookup'/'table' options in
# /etc/config/network refer to by name; without this line those rules
# and routes cannot be installed.
201     wg0
255     local
254     main
253     default
0       unspec
#
# local
#
#1      inr.ruhep

Routing table output of `ip -6 route show table wg0`:

fd98:9f04:9500:233::/64 from fd98:9f04:9500:233::/64 dev br-lanwg0 proto static metric 1024 pref medium
default dev wg0 proto static metric 1024 pref medium

Also global outgoing connectivity using NAT66 on the VPS — that is where the nftables masquerading I mentioned is configured.


OK, apologies, I didn't see anywhere that you installed NAT66, just a mention of nftables masquerading.

  • What IP are you attempting to ping, what is the DST Interface?
  • On what Interface is the SRC client located, and what is it's SRC IP?
  • Did you make corresponding routes and rules on the remote endpoint (or its router)?

I'm trying to reach fd97:04d2:fa3b:199::1 which is the wg0 interface on the VPS.

I just checked it. It looks ok to me. Communication between VPS and router works fine via ipv6. What doesn't work is between my lanwg0 and VPS (or anything else pretty much. Here are routes from the VPS.

xxx dev ens3 proto kernel metric 256 pref medium
fd97:4d2:fa3b:199::1 dev wg0 proto kernel metric 256 pref medium
fd97:4d2:fa3b:199::64 dev wg0 metric 1024 pref medium
fd97:4d2:fa3b:199::65 dev wg0 metric 1024 pref medium
fd98:9f04:9500:233::/64 dev wg0 metric 1024 pref medium
fe80::ffff:1:1 dev ens3 metric 1024 pref medium
fe80::/64 dev ens3 proto kernel metric 256 pref medium
default via fe80::ffff:1:1 dev ens3 metric 1024 pref medium

:spiral_notepad: I see no OpenWrt route for fd97:04d2:fa3b:199::/64 in table wg0. You have two options:

  • Add the subnet to the peer's Allowed IPs and enable "Route Allowed IPs" (EDIT: this may cause issues since you already have a ::/0 entry, which would then also install a default route in the main table); or
  • Alternatively, I suggest you make a route in the network config:
config route6
        option interface 'wg0'
        option target 'fd97:04d2:fa3b:199::/64'
        option table 'wg0'

That didn't help :confused: — shouldn't it be covered by the default route anyway? I also tried adding link-local routes to the wg0 table and dropping the source on the LAN route, but it still doesn't work.

currently looks like this on router

# ip -6 route show table wg0
fd97:4d2:fa3b:199::/64 dev wg0 proto static metric 1024 pref medium
fd98:9f04:9500:233::/64 dev br-lanwg0 proto static metric 1024 pref medium
fe80::/64 dev br-lanwg0 metric 1024 pref medium
default dev wg0 proto static metric 1024 pref medium

Communication works lanwg0 <-> router and router <-> VPS (the latter probably only because I still have routes in the main table, which I plan to drop later). What doesn't work is lanwg0 <-> VPS.

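#!/bin/sh
# Switch lanwg0 to netifd's per-interface routing tables instead of the
# hand-written rules/routes, and make odhcpd advertise a default route on
# lanwg0 although it only carries a ULA (non-GUA) prefix.
#
# DESTRUCTIVE: every 'rule', 'rule6', 'route' and 'route6' section in
# /etc/config/network is removed and the network is restarted. Run it from
# a session that survives a network restart and keep the backups below.

# Fail loudly instead of silently skipping the RA change when there is no
# dhcp section for lanwg0 (uci set would error out on a missing section).
uci -q get dhcp.lanwg0 >/dev/null || {
    echo "dhcp.lanwg0 section not found in /etc/config/dhcp" >&2
    exit 1
}

# Keep a copy of both configs so the change can be reverted with
# `uci import network < /root/network.uci.bak` (and likewise for dhcp).
# /root persists across reboots, /tmp does not.
uci export network > /root/network.uci.bak
uci export dhcp > /root/dhcp.uci.bak

# ra_default=1: per the odhcpd option doc ("1 (ignore, no public
# address)") odhcpd announces a default route even without a GUA.
uci set dhcp.lanwg0.ra_default="1"
uci commit dhcp
/etc/init.d/odhcpd restart

# Drop all manual policy-routing config. 'rule6' and 'route6' are section
# types of their own, so a loop over '@rule[0]' / '@route[0]' alone would
# leave the IPv6 rules and the source-specific route6 from the question
# in place.
for SECTION in rule rule6 route route6
do
    while uci -q delete "network.@${SECTION}[0]"; do :; done
done

# Let netifd assign lanwg0 its /64 (subnet id 0x233, the same one the old
# static ip6addr used) from the ULA prefix class only.
uci -q delete network.lanwg0.delegate
uci -q delete network.lanwg0.ip6addr
uci set network.lanwg0.ip6class="local"
uci set network.lanwg0.ip6assign="64"
uci set network.lanwg0.ip6hint="233"

# With route_allowed_ips on, the peer's 0.0.0.0/0 and ::/0 allowed_ips
# become default routes — in wg0's own table (2, set below), not in main.
uci set network.@wireguard_wg0[0].route_allowed_ips="1"

for IPV in 4 6
do
    # Section type 'rule'/'rule6' and section name 'lan_wg'/'lan_wg6'.
    SFX=""
    [ "$IPV" = "6" ] && SFX="6"

    # One routing table per interface: lan -> 1, wg0 -> 2, lanwg0 -> 3.
    uci set network.lan.ip${IPV}table="1"
    uci set network.wg0.ip${IPV}table="2"
    uci set network.lanwg0.ip${IPV}table="3"

    # Traffic entering on lanwg0 is looked up in wg0's table (2), i.e. sent
    # into the tunnel. Priority 30000 sits ahead of the main-table rule
    # (32766); recreate the named section so reruns stay idempotent.
    uci -q delete network.lan_wg${SFX}
    uci set network.lan_wg${SFX}="rule${SFX}"
    uci set network.lan_wg${SFX}.in="lanwg0"
    uci set network.lan_wg${SFX}.lookup="2"
    uci set network.lan_wg${SFX}.priority="30000"
done

uci commit network
/etc/init.d/network restart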

Also add fd98:9f04:9500::/48 to the Allowed IPs of the OpenWrt peer on the VPS side. On the server, AllowedIPs is both the return route into the tunnel and the per-peer source-address filter, so the whole ULA /48 (not only the single /64 currently in your VPS routes) has to be listed there for traffic from any of the router's ULA subnets to be accepted and routed back.


Thank you very much — it works, like literal magic to me, as I'm still not entirely sure what is going on :smiley:

Why do both lanwg0 and wg0 get a separate routing table? Is that just to avoid needing additional routing rules to decide what gets selected, by using the ip6table option?

Why did my setup work with IPv4 before setting route_allowed_ips on WireGuard?

What exactly does ra_default do? Does it allow announcing a different default gateway? I can't make much sense of the description in the docs:

ra_default Override default route. Set to 0 (default), 1 (ignore, no public address) or 2 (ignore all).


How it works: Policy-based routing

Yes, this method utilizes the built-in features of netifd, so you only need a couple of routing rules and no static routes.

You can achieve the same result with different methods.

It makes odhcpd announce the IPv6 default route on an interface that only has non-GUA (here ULA) prefixes — with the default value 0 no default route would be advertised there because no public address is present.

