Unable to get IPv6 to work with Mullvad VPN WireGuard

I have been using my OpenWRT router to tunnel the traffic from the devices in my home to a Mullvad VPN server running WireGuard. It works flawlessly using IPv4; however, unfortunately I can't say the same for IPv6. Although my VPN supports IPv6 exit traffic and I'm able to ping IPv6 websites directly from the SSH console of the router, the devices connected to my LAN can only browse the internet through the VPN with IPv4. However, I would like the devices to be able to use the VPN through IPv6 as well, as my home internet does not have a native IPv6 connection. I see that OpenWRT is doing some NAT or something for IPv4 from LAN to WG, but I'm not sure how to do the same/similar thing for IPv6 traffic through WG, like a masquerade rule for IPv6 or something. I have been trying for the past week or two to get IPv6 working but unfortunately I'm unable to. Has anyone else successfully been able to do this?

Is the tunnel from Hurricane Electric?
What is the output of uci export network?

The tunnel is from WireGuard, it is both IPv6 and v4.
Here is the output of uci export network (with MAC addresses removed):

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd60:7d90:3245::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ip6assign '60'
	option ipaddr '192.168.0.1'
	option netmask '255.255.255.0'

config device 'lan_dev'
	option name 'eth0.1'
	option macaddr '[Redacted]'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
	option peerdns '0'
	option dns '9.9.9.9'

config device 'wan_dev'
	option name 'eth0.2'
	option macaddr '[Redacted]'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '1t 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option ports '0 6t'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '25'
	option ports '1 6t'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option vid '60'
	option ports '1t 2 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '5'
	option vid '40'
	option ports '3 6t'

config interface 'LAN1'
	option proto 'static'
	option ifname 'eth0.25'
	option ipaddr '192.168.1.1/24'
	option netmask '255.255.255.0'

config interface 'LAN2'
	option proto 'static'
	option ifname 'eth0.60'
	option ipaddr '192.168.100.1/24'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ip6hint '2'

config interface 'LAN3'
	option proto 'static'
	option ifname 'eth0.40'
	option ipaddr '192.168.200.1/24'
	option netmask '255.255.255.0'

config interface 'WG0'
	option proto 'wireguard'
	option private_key '[Redacted]'
	list addresses '10.65.242.85/32'
	list addresses 'fc00:bbbb:bbbb:bb01::8:9de1/128'
	option force_link '1'

config wireguard_WG0
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option endpoint_port '51820'
	option public_key '[Redacted]'
	option endpoint_host '[Redacted]'

Unless Mullvad are providing you with a /64 subnet to allocate to your local LAN (which I very much doubt they are) then I really wouldn't waste any more time trying to get this to work. Using NAT to share a single IPv6 address is pointless, may as well just stick with IPv4 in that scenario.


Usually I'd be inclined to agree; however, unfortunately this VPN is one of the only possible ways for me to get IPv6 connectivity, as I have been pestering my ISP about IPv6 support since around 2015 and, if left to their own devices, it seems they would take another 10 years to deploy IPv6 if they could, so having to NAT all my IPv6 requests to one IP does not bother me as long as I'm able to have IPv6 connectivity.

If you really want IPv6 and you're not particularly bothered about speed then you'd be much better off using something like www.tunnelbroker.net to get proper connectivity through a 6in4 tunnel. There are more advanced options such as using a VPS if you need more speed, but going down that route is more complicated, costs money, and is unnecessary if you're happy with the speeds you can get through tunnelbroker.


If I have a few VPS servers I'm already paying for which have IPv6, how can I use one of my servers to tunnel my IPv6 traffic? (They are all running Ubuntu 18.04 LTS, if it makes a difference.) I would rather go that route than tunnel the traffic through public servers like HE's IPv6 Tunnel Broker.

Depends who your servers are with. The first step is to find out what prefix they give you. If it's a /64 then the next step is to see if they'll give you something better like a /56 or /48.

Get a different VPN. If you don't mind insecure PPTP and a speed limitation of 15 Mbit/s (or 30 Mbit/s if you are OK with dynamic IP addresses), then please check out Swiss VPN. They give you a public IPv4 address (static if you want) that does not belong to a datacenter IP range (i.e. they have legitimate corporate offices nearby, IOW this cannot be reliably detected as a VPN by ASN lookup only). And they give you a /64 of IPv6.

Another option is Ivacy (or PureVPN, they share the same infrastructure) + a he.net tunnel. The downside is that you will not be able to edit Wikipedia and use some other web sites, because the he.net IPv6 subnets are blacklisted as "known proxies used for circumventing restrictions".

Did you notice that Mullvad's address already begins with fc00? They are already putting their clients behind an IPv6 NAT. So configuring an extra IPv6 NAT layer (option masq6 '1' in /etc/config/firewall on the VPN zone) is, well, not the biggest evil in this situation. Still, the recommendation is to change the VPN.

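The reply above points at the one firewall setting the original poster was missing (option masq6 '1' on the zone that holds the WireGuard interface). What follows is an added example, not code from this thread, from OpenWrt or from Mullvad: a small Python checker that parses UCI export text and reports the preconditions for IPv6-over-WireGuard with NAT. The network text is a trimmed copy of the export posted earlier; the firewall zone is constructed, because the poster never showed /etc/config/firewall, and the zone name 'vpn' is an assumption. It also generalises beyond the one missing option: it flags LAN interfaces that never receive a ULA prefix (no ip6assign), which would leave their hosts with no IPv6 address to masquerade in the first place.

```python
"""Check a UCI network/firewall dump for the pieces IPv6-over-WireGuard NAT needs.

Added example, not from the thread or from OpenWrt. Parses `uci export` style text.
"""
import re
from collections import defaultdict

# Constructed: a trimmed copy of the `uci export network` output posted in the thread.
NETWORK_EXPORT = """
config globals 'globals'
    option ula_prefix 'fd60:7d90:3245::/48'

config interface 'lan'
    option type 'bridge'
    option ifname 'eth0.1'
    option proto 'static'
    option ip6assign '60'
    option ipaddr '192.168.0.1'

config interface 'LAN1'
    option proto 'static'
    option ifname 'eth0.25'
    option ipaddr '192.168.1.1/24'

config interface 'LAN2'
    option proto 'static'
    option ifname 'eth0.60'
    option ip6assign '64'
    option ip6hint '2'

config interface 'LAN3'
    option proto 'static'
    option ifname 'eth0.40'

config interface 'WG0'
    option proto 'wireguard'
    list addresses '10.65.242.85/32'
    list addresses 'fc00:bbbb:bbbb:bb01::8:9de1/128'

config wireguard_WG0
    list allowed_ips '0.0.0.0/0'
    list allowed_ips '::/0'
    option endpoint_port '51820'
"""

# Constructed (assumed zone name 'vpn'): a firewall zone for the tunnel carrying
# the masq6 option from the reply, plus a forwarding from lan into it.
FIREWALL_EXPORT = """
config zone 'vpn'
    option name 'vpn'
    list network 'WG0'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option masq6 '1'
    option mtu_fix '1'

config forwarding
    option src 'lan'
    option dest 'vpn'
"""

SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?$")
OPTION_RE = re.compile(r"^(option|list)\s+(\S+)\s+'([^']*)'$")


def parse_uci(text):
    """Parse UCI export text into a list of (type, name_or_None, {key: [values]})."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            sections.append((m.group(1), m.group(2), defaultdict(list)))
            continue
        m = OPTION_RE.match(line)
        if m and sections:  # both 'option' and 'list' become list-valued keys
            sections[-1][2][m.group(2)].append(m.group(3))
    return sections


def audit(network_text, firewall_text):
    """Return which LANs can get IPv6 and what would stop it reaching the tunnel."""
    net, fw, problems = parse_uci(network_text), parse_uci(firewall_text), []
    ifaces = {name: o for typ, name, o in net if typ == "interface"}
    wg = next((n for n, o in ifaces.items() if o.get("proto") == ["wireguard"]), None)
    if wg is None:
        return {"problems": ["no proto 'wireguard' interface found"]}
    if not any(":" in a for a in ifaces[wg].get("addresses", [])):
        problems.append(f"{wg} has no IPv6 address assigned by the VPN server")
    peers = [o for t, n, o in net if t == "wireguard_" + wg]
    if not any("::/0" in p.get("allowed_ips", []) for p in peers):
        problems.append(f"no peer of {wg} allows '::/0'; IPv6 will not enter the tunnel")
    # A LAN only hands out addresses from ula_prefix when it has ip6assign;
    # without it the hosts have no IPv6 address for masq6 to translate.
    lans = {n: o for n, o in ifaces.items() if o.get("proto") == ["static"]}
    with_v6 = sorted(n for n, o in lans.items() if "ip6assign" in o)
    without_v6 = sorted(n for n, o in lans.items() if "ip6assign" not in o)
    # The zone holding the tunnel must masquerade IPv6 and accept forwarding.
    zone = next((o for t, n, o in fw if t == "zone" and wg in o.get("network", [])), None)
    zone_name = zone["name"][0] if zone and zone.get("name") else None
    if zone is None:
        problems.append(f"no firewall zone lists network {wg}")
    else:
        if zone.get("masq6") != ["1"]:
            problems.append(f"zone {zone_name} lacks option masq6 '1'")
        if not any(t == "forwarding" and o.get("dest") == [zone_name] for t, n, o in fw):
            problems.append(f"no forwarding rule into zone {zone_name}")
    return {"problems": problems, "wg": wg, "vpn_zone": zone_name,
            "lans_with_ipv6": with_v6, "lans_without_ipv6": without_v6}


if __name__ == "__main__":
    for key, value in audit(NETWORK_EXPORT, FIREWALL_EXPORT).items():
        print(f"{key}: {value}")
```

Run against the posted export, LAN1 and LAN3 come out without IPv6 because they have no ip6assign, which is worth knowing before blaming the firewall; the constructed zone passes, and dropping its masq6 line makes the checker report exactly that.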

I saw this post and decided to try the same thing on my router. It works perfectly, and now my devices' ULA prefix IP is being NATed to the WireGuard.

