VPN-PBR ignores IPv6 policies

Hi,

Update at bottom.

I have set up a Mullvad VPN connection with Wireguard recently. Since they only give me a single /128 address I have NAT6 configured. Every device on the network can get a v6 address and can connect to remote v6 addresses.
My ISP has IPv6 support too, but I turned off prefix delegation after setting up the VPN, so only NATed addresses are in use on the LAN.

I have some devices on the LAN that I want to exclude from the VPN and route through the WAN instead.
With IPv4 it works perfectly: if I check the IP from the excluded device I get the WAN's public IP address. However, if I check the public v6 address, I see the VPN's public v6 address instead of the WAN's.
I have also tried setting the source address to the whole /48 network, but the issue is the same.

For some reason the default v4 gateway is WAN and the default v6 gateway is WG1_MULLVAD. v6 should be WAN too. The WAN has a lower metric as well, so I don't understand why.

What did I miss? I can't figure it out and I'd like to ask for some help with this. Thank you!
Here are my configuration files:

# /etc/config/network as posted; keys, PPPoE credentials and the host parts of some addresses are masked with 'x' by the author
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        # ULA used for LAN IPv6; per the post, clients reach remote v6 addresses from these via NAT6 (firewall config not shown here)
        option ula_prefix 'fdab:1234:abcd::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        # a /60 out of the ULA above is assigned to LAN; every uplink below has delegate '0', so no ISP or VPN prefix reaches LAN
        option ip6assign '60'
        option ipaddr '192.168.200.1'
        list ip6class 'local'

config interface 'wan'
        option device 'eth0'
        option proto 'pppoe'
        option username 'xxx'
        option password 'xxx'
        # IPv6 on the PPPoE link; presumably what spawns the 'wan_6' sub-interface named in the PBR config -- confirm with `ifstatus wan_6`
        option ipv6 'auto'
        option peerdns '0'
        list dns '9.9.9.9'
        list dns '2620:fe::fe'
        list dns '1.1.1.1'
        list dns '2606:4700:4700::1111'
        list dns '8.8.8.8'
        list dns '2001:4860:4860::8888'
        # lower than WG1_MULLVAD's metric 1024, so for IPv4 this default route wins (matches the post: v4 goes out via WAN)
        option metric '10'
        option delegate '0'

config interface 'wan6'
        option proto 'dhcpv6'
        option device 'eth0'
        option reqaddress 'try'
        option reqprefix 'auto'
        option delegate '0'
        # NOTE(review): this interface installs no IPv6 default route at all. If the WAN v6 default therefore comes only from the
        # PPPoE 'wan_6' sub-interface with its usual source filter, it matches only traffic sourced from the ISP prefix; NAT6 traffic
        # is routed while still carrying its ULA source and would fall through to the tunnel's unrestricted ::/0 below -- check `ip -6 route`
        option defaultroute '0'
        option peerdns '0'
        # only affects routes this interface installs, so presumably moot while defaultroute is '0'
        option sourcefilter '0'
        option metric '10'

config interface 'WG0'
        option proto 'wireguard'
        option private_key 'xxx'
        list addresses '10.8.4.2/24'
        list addresses 'fd42:88:44::3/64'
        option peerdns '0'
        option delegate '0'

config wireguard_WG0
        option description 'somevpn'
        option public_key 'xxx'
        option endpoint_host 'xxx'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        # full-tunnel allowed_ips, but no route_allowed_ips in this peer: the peer may carry any destination,
        # yet no routes are installed for it (the option defaults to 0), so this tunnel does not compete for the default route
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'

config interface 'WG1_MULLVAD'
        option proto 'wireguard'
        option private_key 'xxx'
        list addresses '10.65.188.x/32'
        # single /128 from the provider (per the post), which is why LAN clients are NAT6'd behind it
        list addresses 'fc00:bbbb:bbbb:bb01::x:x/128'
        option delegate '0'
        # ranks this tunnel's routes below wan's metric 10 -- but only where a WAN route of the same kind exists (see the wan6 note)
        option metric '1024'

config wireguard_WG1_MULLVAD
        option description 'mullvad'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        option public_key 'xxx'
        option endpoint_host '193.32.249.xx'
        # installs both allowed_ips below as default routes via the tunnel; the author's update confirms that
        # turning this off returned the IPv6 default to WAN
        option route_allowed_ips '1'
        list allowed_ips '::/0'
        list allowed_ips '0.0.0.0/0'
 cat /etc/config/vpn-policy-routing


# /etc/config/vpn-policy-routing as posted
config policy
        option interface 'wan'
        option name 'omv'
        option proto 'all'
        # IPv4 exclusion from the VPN; works per the post (the device sees the WAN's public address)
        option src_addr '192.168.200.100'

config policy
        option name 'omv6'
        option proto 'all'
        # NOTE(review): targets 'wan' while the v6 uplink is presumably 'wan_6' (listed as supported_interface below);
        # confirm which interface PBR resolves a v6 gateway for
        option interface 'wan'
        # single ULA host address inside ula_prefix; the post reports the same result with the whole /48
        option src_addr 'fdab:1234:abcd::4e2'

config policy
        option interface 'WG1_MULLVAD'
        option name 'web'
        # no proto set; confirm which protocol the package assumes when only ports are given
        option dest_port '80,8080,81,443'

config vpn-policy-routing 'config'
        option verbosity '2'
        option src_ipset '0'
        option dest_ipset '0'
        option resolver_ipset 'dnsmasq.ipset'
        option boot_timeout '30'
        option iptables_rule_option 'append'
        option procd_reload_delay '1'
        option webui_sorting '1'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        list webui_supported_protocol 'all'
        # NOTE(review): as documented, '0' lets traffic of a policy whose interface is down fall back to the default route
        # instead of being dropped; for the 'web' policy above that means web traffic leaves via WAN whenever the tunnel is
        # down. Set '1' if that must not happen -- confirm against the package docs for this version.
        option strict_enforcement '0'
        option enabled '1'
        # the post's Update 2 reports client IPv6 only worked after turning this off
        option ipv6_enabled '1'
        # neither name appears in the posted network config; presumably stale
        list ignored_interface 'vpnserver wgserver'
        option webui_enable_column '1'
        option webui_protocol_column '1'
        option webui_chain_column '1'
        option webui_show_ignore_target '1'
        # names an interface PBR would not otherwise pick up as an uplink; see the docs linked in the reply
        list supported_interface 'wan_6'

If I check the IP on the router itself via curl, IPv4 goes out over the WAN and IPv6 over VPN WG1.

Update: I figured out that "route_allowed_ips" was overriding the IPv6 gateway. After turning it off, both IPv4 and IPv6 go out over the WAN; however, my clients now have no IPv6 connectivity to remote addresses at all. I can ping v6 addresses from the router, but not from any client on the network.

Update 2: I managed to fix IPv6 connectivity for clients by following this guide and disabling IPv6 support in PBR: https://gist.github.com/ByteAndNibble/3bd8413029b1f728c1f00bc1ac0e98b4
Now I have to get PBR to work with v6.

Update 3: With static v6 routes I can selectively route LAN clients by matching their source address. Not ideal, because I want to match on ports rather than all traffic, but good enough for now. If you know how to get PBR to work with v6, please reply. Thanks!

https://docs.openwrt.melmac.net/vpn-policy-routing/#wireguard-tunnel


Thank you! I just saw that option after posting. I now have the WAN working for both protocols. The only thing left is to get PBR to work with IPv6.
Your link led me to this page, which helped me solve half of the problems: https://gist.github.com/ByteAndNibble/3bd8413029b1f728c1f00bc1ac0e98b4
