Back to the original question...
Here's my setup:
- Algo instance in the cloud
- Wireguard on my OpenWRT router (wguk interface) connects to Algo
- wguk is in wan firewall zone
- wifi using subnet (wifivpn interface, 192.168.2.1/24)
- firewall zone wifivpn > lan, wan
- vpn-policy-routing sends 192.168.2.1/24 to wguk
This works great for IPv4. Any client on the wifi gets routed through the VPN. However, I haven't had any luck making it work for IPv6 as well. Algo assigned fd9d:bc11:4021::b/48 to the peer. Any clue how I can have wifivpn clients obtain v6 IPs and get routed through the tunnel?
I would really appreciate some help, because any resources I found so far were above my level of understanding.
/etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd3d:bb21:19a0::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth1.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '64'
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
option peerdns '0'
option dns '9.9.9.9 149.112.112.112'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'
option peerdns '0'
option dns '2620:fe::fe 2620:fe::9'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 4 5 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 6t'
config interface 'wguk'
option proto 'wireguard'
option private_key 'REDACTED'
list addresses '10.19.49.11/24'
list addresses 'fd9d:bc11:4021::b/48'
config wireguard_wguk
option public_key 'REDACTED'
list allowed_ips '0.0.0.0/0'
list allowed_ips '::/0'
option endpoint_host 'REDACTED'
option endpoint_port '51820'
option persistent_keepalive '25'
option preshared_key 'REDACTED'
config interface 'wifivpn'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
option type 'bridge'
config interface 'wgserver'
option proto 'wireguard'
option private_key 'REDACTED'
option listen_port 'REDACTED'
list addresses '192.168.77.1/24'
config wireguard_wgserver
option public_key 'REDACTED'
option persistent_keepalive '25'
list allowed_ips '192.168.77.77/32'
option description 'Thomas Phone'
config wireguard_wgserver
option public_key 'REDACTED'
list allowed_ips '192.168.77.78/32'
option persistent_keepalive '25'
option description 'Thomas PC'
/etc/config/firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan wgserver lan6'
config zone
option name 'wifivpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option network 'wifivpn'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wguk wan wan6'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config forwarding
option dest 'wan'
option src 'lan'
config forwarding
option src 'wifivpn'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'wifivpn'
config forwarding
option src 'wifivpn'
option dest 'lan'
config rule
option src '*'
option target 'ACCEPT'
option proto 'udp'
option dest_port 'REDACTED'
option name 'Allow-Wireguard-Inbound'
/etc/config/dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
list server '9.9.9.9'
list server '149.112.112.112'
list server '2620:fe::fe'
list server '2620:fe::9'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
config dhcp 'wifivpn'
option interface 'wifivpn'
option start '100'
option limit '150'
option leasetime '12h'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'