VPN Router - IPv6 not working

Hello,

I am using vanilla OpenWrt SNAPSHOT (r26928-238aa35c49) on an MT-2500 from GL.iNet. WAN is connected to a Fritz!Box, which delegates a 62-bit prefix from my ISP to the MT-2500, which builds subnet 1 for the LAN, where a single macOS client is attached. The VPN provider is hide.me, which offers an installation script for WireGuard and supports IPv4 and IPv6. Firewall rules exist for a zone hideme.

The problem is that pinging google.com via IPv4 works, but via IPv6 no answers are received. I tried to capture some information with tcpdump -i any icmp:

22:24:47.867428 eth1   In  IP6 2a04:4540:740d:8200:f11a:c66f:5bfc:7b55 > ham11s01-in-x0e.1e100.net: ICMP6, echo request, id 2700, seq 0, length 16
22:24:47.867428 br-lan In  IP6 2a04:4540:740d:8200:f11a:c66f:5bfc:7b55 > ham11s01-in-x0e.1e100.net: ICMP6, echo request, id 2700, seq 0, length 16
22:24:47.867503 wghide Out IP6 2a04:4540:740d:8200:f11a:c66f:5bfc:7b55 > ham11s01-in-x0e.1e100.net: ICMP6, echo request, id 2700, seq 0, length 16
22:24:47.913505 lo     In  IP6 localhost > localhost: ICMP6, destination unreachable, unreachable port, localhost udp port 49080, length 197
22:24:47.914048 lo     In  IP6 localhost > localhost: ICMP6, destination unreachable, unreachable port, localhost udp port 32991, length 185
22:24:47.916725 eth0   Out IP6 2a04:4540:740d:8200:9683:c4ff:fe2f:3878 > wpad.fritz.box: ICMP6, destination unreachable, unreachable port, 2a04:4540:740d:8200:9683:c4ff:fe2f:3878 udp port 55694, length 197
22:24:48.022989 lo     In  IP6 localhost > localhost: ICMP6, destination unreachable, unreachable port, localhost udp port 60374, length 197
22:24:48.024603 lo     In  IP6 localhost > localhost: ICMP6, destination unreachable, unreachable port, localhost udp port 39058, length 463
22:24:48.871271 eth1   In  IP6 2a04:4540:740d:8200:f11a:c66f:5bfc:7b55 > ham11s01-in-x0e.1e100.net: ICMP6, echo request, id 2700, seq 1, length 16
22:24:48.871271 br-lan In  IP6 2a04:4540:740d:8200:f11a:c66f:5bfc:7b55 > ham11s01-in-x0e.1e100.net: ICMP6, echo request, id 2700, seq 1, length 16
22:24:48.871331 wghide Out IP6 2a04:4540:740d:8200:f11a:c66f:5bfc:7b55 > ham11s01-in-x0e.1e100.net: ICMP6, echo request, id 2700, seq 1, length 16
22:24:52.331864 eth1   In  IP6 fe80::105f:952:37db:3129 > fe80::9683:c4ff:fe2f:3879: ICMP6, neighbor solicitation, who has fe80::9683:c4ff:fe2f:3879, length 32
22:24:52.331864 br-lan In  IP6 fe80::105f:952:37db:3129 > fe80::9683:c4ff:fe2f:3879: ICMP6, neighbor solicitation, who has fe80::9683:c4ff:fe2f:3879, length 32
22:24:52.331947 br-lan Out IP6 fe80::9683:c4ff:fe2f:3879 > fe80::105f:952:37db:3129: ICMP6, neighbor advertisement, tgt is fe80::9683:c4ff:fe2f:3879, length 24
22:24:52.331959 eth1   Out IP6 fe80::9683:c4ff:fe2f:3879 > fe80::105f:952:37db:3129: ICMP6, neighbor advertisement, tgt is fe80::9683:c4ff:fe2f:3879, length 24
22:24:52.421375 lo     In  IP6 localhost > localhost: ICMP6, destination unreachable, unreachable port, localhost udp port 59720, length 146
22:24:52.421783 lo     In  IP6 localhost > localhost: ICMP6, destination unreachable, unreachable port, localhost udp port 53800, length 146

Configuration:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option delegate '0'
	option ip6hint '1'
	option ip6ifaceid '::1'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'

config interface 'wghide'
	option proto 'wghidemevpn'
	option server 'de-v4.hideservers.net'

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ra_slaac '0'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'iMacDevnCarsten'
	option ip '192.168.1.8'
	option hostid '08'
	option duid '000100012da105b36805ca12a571'
	list mac '68:05:CA:12:A5:71'

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'hideme'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	option masq '1'
	list network 'wghide'

config forwarding
	option src 'lan'
	option dest 'hideme'

Client configuration:

en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=40b<RXCSUM,TXCSUM,VLAN_HWTAGGING,CHANNEL_IO>
	ether 68:05:ca:12:a5:71 
	inet6 fe80::105f:952:37db:3129%en0 prefixlen 64 secured scopeid 0x8 
	inet6 2a04:4540:740d:8200:18a0:7314:9ffd:7c5 prefixlen 64 deprecated autoconf secured 
	inet6 2a04:4540:740d:8200:f11a:c66f:5bfc:7b55 prefixlen 64 deprecated autoconf temporary 
	inet6 fd00::fe:f5f5:f31b:4392 prefixlen 64 deprecated autoconf secured 
	inet 192.168.1.8 netmask 0xffffff00 broadcast 192.168.1.255
	inet6 2a04:4540:740d:82fd::8 prefixlen 64 dynamic 
	nd6 options=201<PERFORMNUD,DAD>
	media: autoselect
	status: active
Internet6:
Destination                             Gateway                         Flags           Netif Expire
default                                 fe80::9683:c4ff:fe2f:3879%en0   UGcg              en0       
default                                 fe80::%utun0                    UGcIg           utun0       
default                                 fe80::%utun1                    UGcIg           utun1       
default                                 fe80::%utun2                    UGcIg           utun2       
default                                 fe80::%utun3                    UGcIg           utun3       
default                                 fe80::%utun4                    UGcIg           utun4       
::1                                     ::1                             UHL               lo0       
2a04:4540:740d:8200::/64                link#8                          UC                en0       
2a04:4540:740d:8200:18a0:7314:9ffd:7c5  68:5:ca:12:a5:71                UHL               lo0       
2a04:4540:740d:8200:f11a:c66f:5bfc:7b55 68:5:ca:12:a5:71                UHL               lo0       
2a04:4540:740d:82fc::/62                fe80::9683:c4ff:fe2f:3879%en0   UGc               en0       
2a04:4540:740d:82fd::/64                link#8                          UC                en0       
2a04:4540:740d:82fd::1                  94:83:c4:2f:38:79               UHLWIi            en0       
2a04:4540:740d:82fd::8                  68:5:ca:12:a5:71                UHL               lo0       
fd00::/64                               link#8                          UC                en0       
fd00::fe:f5f5:f31b:4392                 68:5:ca:12:a5:71                UHL               lo0       
fe80::%lo0/64                           fe80::1%lo0                     UcI               lo0       
fe80::1%lo0                             link#1                          UHLI              lo0       
fe80::%en0/64                           link#8                          UCI               en0       
fe80::105f:952:37db:3129%en0            68:5:ca:12:a5:71                UHLI              lo0       
fe80::464e:6dff:fede:92de%en0           44:4e:6d:de:92:de               UHLWIr            en0       
fe80::9683:c4ff:fe2f:3879%en0           94:83:c4:2f:38:79               UHLWIir           en0       
fe80::%utun0/64                         fe80::a595:5659:95ef:e54b%utun0 UcI             utun0       
fe80::a595:5659:95ef:e54b%utun0         link#9                          UHLI              lo0       
fe80::%utun1/64                         fe80::48e1:841c:ad76:8c1d%utun1 UcI             utun1       
fe80::48e1:841c:ad76:8c1d%utun1         link#10                         UHLI              lo0       
fe80::%utun2/64                         fe80::ce81:b1c:bd2c:69e%utun2   UcI             utun2       
fe80::ce81:b1c:bd2c:69e%utun2           link#11                         UHLI              lo0       
fe80::%utun3/64                         fe80::a79f:2819:431e:f857%utun3 UcI             utun3       
fe80::a79f:2819:431e:f857%utun3         link#12                         UHLI              lo0       
fe80::%utun4/64                         fe80::6316:9f38:a6cb:2bac%utun4 UcI             utun4       
fe80::6316:9f38:a6cb:2bac%utun4         link#13                         UHLI              lo0       
ff00::/8                                ::1                             UmCI              lo0       
ff00::/8                                link#8                          UmCI              en0       
ff00::/8                                fe80::a595:5659:95ef:e54b%utun0 UmCI            utun0       
ff00::/8                                fe80::48e1:841c:ad76:8c1d%utun1 UmCI            utun1       
ff00::/8                                fe80::ce81:b1c:bd2c:69e%utun2   UmCI            utun2       
ff00::/8                                fe80::a79f:2819:431e:f857%utun3 UmCI            utun3       
ff00::/8                                fe80::6316:9f38:a6cb:2bac%utun4 UmCI            utun4       
ff01::%lo0/32                           ::1                             UmCI              lo0       
ff01::%en0/32                           link#8                          UmCI              en0       
ff01::%utun0/32                         fe80::a595:5659:95ef:e54b%utun0 UmCI            utun0       
ff01::%utun1/32                         fe80::48e1:841c:ad76:8c1d%utun1 UmCI            utun1       
ff01::%utun2/32                         fe80::ce81:b1c:bd2c:69e%utun2   UmCI            utun2       
ff01::%utun3/32                         fe80::a79f:2819:431e:f857%utun3 UmCI            utun3       
ff01::%utun4/32                         fe80::6316:9f38:a6cb:2bac%utun4 UmCI            utun4       
ff02::%lo0/32                           ::1                             UmCI              lo0       
ff02::%en0/32                           link#8                          UmCI              en0       
ff02::%utun0/32                         fe80::a595:5659:95ef:e54b%utun0 UmCI            utun0       
ff02::%utun1/32                         fe80::48e1:841c:ad76:8c1d%utun1 UmCI            utun1       
ff02::%utun2/32                         fe80::ce81:b1c:bd2c:69e%utun2   UmCI            utun2       
ff02::%utun3/32                         fe80::a79f:2819:431e:f857%utun3 UmCI            utun3       
ff02::%utun4/32                         fe80::6316:9f38:a6cb:2bac%utun4 UmCI            utun4 

Any hints? My IPv6 knowledge has grown over time, but currently I have no clue.

Best Regards,
Carsten.

proto 'wghidemevpn' :astonished:

That does not seem to be WireGuard.

For a WireGuard client you usually get a config file from your provider which you can import in the WG interface.
But otherwise you can setup manually: https://openwrt.org/docs/guide-user/services/vpn/wireguard/client

1 Like

Yes, I know. But do you think it is causing the issue? Currently, hide.me does not provide a config file but only an installation script. I am in the process of identifying the necessary parameters for a standard installation.

BR,C.

No idea, I do not know how it works, whether it even is WireGuard, and whether it is compatible with OpenWrt.

Ask over there, you are paying for their support :slight_smile:

1 Like

Thanks for trying to help me.

My main problem is that the GL.iNet guys think IPv6 is not supported although it is, and here people are mostly referring to GL.iNet without looking at the information I provide, although I now use vanilla OpenWrt :frowning:

You're right, the hide.me WireGuard stuff is maybe questionable. So I will next try manually configuring OpenVPN in order to get support here (which seems to be of better quality :wink:).

BR,
Carsten.

Added note: configuring OpenVPN on vanilla OpenWrt does not solve the issue.

I may have forgotten to mention that it works on the router itself, but not for the client. It also works when I disable the VPN tunnel.

So it is not related to GL.iNet or hide.me stuff but maybe just a wrong configuration from my side where I kindly ask for help from more knowledgeable people. Thanks in advance!

As we can see, the icmp6 is sent out correctly but nothing is received. I once thought it would be a firewall issue but found nothing in the logs.

00:06:36.266821 eth1  In  IP6 iMacDevnCarsten.lan > ham11s07-in-x0e.1e100.net: ICMP6, echo request, id 3911, seq 0, length 16
00:06:36.266821 br-lan In  IP6 iMacDevnCarsten.lan > ham11s07-in-x0e.1e100.net: ICMP6, echo request, id 3911, seq 0, length 16
00:06:36.266876 tun0  Out IP6 iMacDevnCarsten.lan > ham11s07-in-x0e.1e100.net: ICMP6, echo request, id 3911, seq 0, length 16
00:06:36.282555 lo    In  IP6 localhost > localhost: ICMP6, destination unreachable, unreachable port, localhost udp port 41537, length 197
00:06:36.284268 lo    In  IP6 localhost > localhost: ICMP6, destination unreachable, unreachable port, localhost udp port 34542, length 463
00:06:36.285259 lo    In  IP6 localhost > localhost: ICMP6, destination unreachable, unreachable port, localhost udp port 54324, length 179
00:06:36.286621 lo    In  IP6 localhost > localhost: ICMP6, destination unreachable, unreachable port, localhost udp port 43089, length 185

Here are the OpenVPN configs:

config openvpn 'custom_config'
	option config '/etc/openvpn/my-vpn.conf'

config openvpn 'sample_server'
	option port '1194'
	option proto 'udp'
	option dev 'tun'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/server.crt'
	option key '/etc/openvpn/server.key'
	option dh '/etc/openvpn/dh2048.pem'
	option server '10.8.0.0 255.255.255.0'
	option ifconfig_pool_persist '/tmp/ipp.txt'
	option keepalive '10 120'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option status '/tmp/openvpn-status.log'
	option verb '3'

config openvpn 'sample_client'
	option client '1'
	option dev 'tun'
	option proto 'udp'
	list remote 'my_server_1 1194'
	option resolv_retry 'infinite'
	option nobind '1'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/client.crt'
	option key '/etc/openvpn/client.key'
	option verb '3'

config openvpn 'hideme'
	option config '/etc/openvpn/hideme.ovpn'
	option enabled '1'

client
dev tun
proto udp
remote de.hideservers.net 3000
cipher AES-256-CBC
auth SHA256
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3
auth-user-pass /etc/openvpn/hideme.auth
reneg-sec 900
remote-cert-tls server
verify-x509-name "*.hide.me" name
tls-version-min 1.2

<ca>...

BR,
Carsten.
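As an added diagnostic (not code from the thread), this Python script scans `tcpdump -i any` output in the format of the captures above, pairs ICMPv6 echo requests that left through the tunnel interface with echo replies received on it (matched on id and seq), and reports the unanswered requests together with whether their source is a global unicast address, i.e. one from the ISP-delegated prefix rather than a tunnel address. Both capture strings are constructed samples; `fd00:ffff::2` is a placeholder tunnel address.

```python
import ipaddress
import re

# Constructed sample in the format of `tcpdump -i any icmp6` on the router (not the
# thread's own capture): the LAN client's echo requests leave through the tunnel and
# no echo reply ever comes back.
BROKEN_CAPTURE = """\
22:24:47.867428 eth1   In  IP6 2a04:4540:740d:8200:f11a:c66f:5bfc:7b55 > ham11s01-in-x0e.1e100.net: ICMP6, echo request, id 2700, seq 0, length 16
22:24:47.867503 wghide Out IP6 2a04:4540:740d:8200:f11a:c66f:5bfc:7b55 > ham11s01-in-x0e.1e100.net: ICMP6, echo request, id 2700, seq 0, length 16
22:24:48.871331 wghide Out IP6 2a04:4540:740d:8200:f11a:c66f:5bfc:7b55 > ham11s01-in-x0e.1e100.net: ICMP6, echo request, id 2700, seq 1, length 16
22:24:52.421375 lo     In  IP6 localhost > localhost: ICMP6, destination unreachable, unreachable port, localhost udp port 59720, length 146
"""

# Constructed sample of a working exchange once the router rewrites the source to its
# own tunnel address (fd00:ffff::2 is a placeholder, not a real assignment).
WORKING_CAPTURE = """\
22:31:10.100000 wghide Out IP6 fd00:ffff::2 > ham11s01-in-x0e.1e100.net: ICMP6, echo request, id 2811, seq 0, length 16
22:31:10.130000 wghide In  IP6 ham11s01-in-x0e.1e100.net > fd00:ffff::2: ICMP6, echo reply, id 2811, seq 0, length 16
"""

# One `tcpdump -i any` line: timestamp, interface, direction, then the ICMPv6 echo text.
ECHO_RE = re.compile(
    r"^\S+\s+(?P<ifname>\S+)\s+(?P<dir>In|Out)\s+IP6\s+(?P<src>\S+) > (?P<dst>\S+): "
    r"ICMP6, echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def find_unanswered_echoes(capture, tunnel_ifname):
    """Pair echo requests sent out via tunnel_ifname with echo replies received on it
    (matched on ICMPv6 id and seq) and report the requests that were never answered.
    Each entry records the source address used and whether it is a global unicast
    address, i.e. taken from the ISP's delegated prefix rather than from the tunnel."""
    sent, answered = {}, set()
    for line in capture.splitlines():
        m = ECHO_RE.match(line)
        if not m:
            continue  # neighbour discovery, port unreachables etc. are not part of the exchange
        if m["ifname"] != tunnel_ifname:
            continue
        key = (int(m["id"]), int(m["seq"]))
        if m["kind"] == "request" and m["dir"] == "Out":
            sent[key] = m["src"]
        elif m["kind"] == "reply" and m["dir"] == "In":
            answered.add(key)
    report = []
    for (echo_id, seq), src in sorted(sent.items()):
        if (echo_id, seq) in answered:
            continue
        try:
            src_is_global = ipaddress.ip_address(src).is_global
        except ValueError:
            src_is_global = None  # tcpdump ran without -n and printed a hostname
        report.append({"id": echo_id, "seq": seq, "src": src, "src_is_global": src_is_global})
    return report


if __name__ == "__main__":
    for name, cap in (("broken", BROKEN_CAPTURE), ("working", WORKING_CAPTURE)):
        print(name, find_unanswered_echoes(cap, "wghide"))
```

Run it against a saved capture by replacing the sample string with the file contents; an empty report for the tunnel interface means every request that entered the tunnel got its reply back.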

You will need to NAT the IPv6 into the VPN tunnel. The packets you are sending still have the source IP derived from your ISP's GUA. Without NAT, the VPN provider does not know how to return traffic to you.

In later versions of OpenWrt, IPv6 NAT is simply done by adding option masq6 '1' to the firewall zone that contains the VPN tunnel, the same as masq works for v4. That functionality was recently added, so older scripts and instructions probably access the nftables / iptables system directly. Since OpenWrt changed from iptables to nftables, if you are using really old installation scripts / instructions, they may be broken on newer OpenWrt.

This hideme script has really taken over the router by adding additional system scripts or programs to define a whole new network protocol. This is something that is not a good idea unless the third party is maintaining the whole OS build to be sure it does not break when a new version is released. And it's not necessary here as setting up a Wireguard connection is not that complicated.

You need from the provider:

  • your private key, or (more secure) they allow you to generate your own private key then submit the corresponding public key to them to register in the configuration of your account.
  • your tunnel IP address. For a VPN it is usually a ULA (starts with fd).
  • their public key
  • the pre-shared key, if used. Pre-shared keys are optional, but if one end of the connection uses it, the other end must also use the same matching key.
  • their server's hostname / IP and port that accepts encrypted packets from you.
3 Likes
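The fix described above, written out as an added example (not a snippet from the thread or from hide.me): the hideme zone exactly as posted earlier, followed by the same zone with `option masq6 '1'` added. Only one of the two zone stanzas belongs in /etc/config/firewall.

```uci
# Zone for the VPN tunnel as posted above: only IPv4 is masqueraded, so IPv6 packets
# enter the tunnel with the LAN client's ISP-delegated (global) source address and the
# provider has no route back to it.
config zone
	option name 'hideme'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	option masq '1'
	list network 'wghide'

# Same zone with IPv6 masquerading enabled as well: IPv6 packets leaving through the
# tunnel get the router's own tunnel address as source, so replies come back through
# the tunnel. Needs an OpenWrt release whose firewall supports masq6.
config zone
	option name 'hideme'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	option masq '1'
	option masq6 '1'
	list network 'wghide'

config forwarding
	option src 'lan'
	option dest 'hideme'
```

After editing the file, apply it with `/etc/init.d/firewall restart`.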

Mike, you are my hero!

Not only did your hint work immediately, I also understood your explanation :slight_smile:.

So my personal objective to learn IPv6 was also successful.

Thanks,
Carsten.
