Wireguard Client on IPv6 not working

I'm facing an issue where my ISP has blocked IPv4 internet access, but my IPv6 connection is working fine. However, when I use Cloudflare's Warp VPN, I can access both IPv4 and IPv6 without any issues. Based on this, I generated a WireGuard configuration using Cloudflare's Warp VPN, and it works flawlessly on my local machine, but it doesn't seem to work on my OpenWRT router.

Here's what I have done so far:

Router Setup:

  • OpenWRT Version: 24.10.0 (r28427-6df0e3d02a)
  • Packages Installed:
    • kmod-wireguard
    • luci-proto-wireguard
    • wireguard-tools
  • Rebooted after installation.

WireGuard Setup:

  1. Added the WireGuard interface via the OpenWRT GUI.
  2. Loaded the WireGuard config file (wg.conf) with the necessary settings.
    note: It's safe for me to share the config. I can create more
[Interface]
PrivateKey = SLklmNY22NAtHBMtLVUViyfDAX7eDaBn+XzauV3ZS2Q=
Address = 172.16.0.2/32, 2606:4700:110:8f58:24bf:ee7a:9676:e6ca/128
DNS = 1.1.1.1, 1.0.0.1, 2606:4700:4700::1111, 2606:4700:4700::1001
MTU = 1280

[Peer]
PublicKey = bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = [2606:4700:d0::a29f:c001]:2408
  1. Configured the network interface.
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd26:6452:df09::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth0.2'
        option macaddr 'ac:84:c6:3e:f8:ee'

config interface 'wan'
        option device 'eth0.2'
        option proto 'pppoe'
        option username '3737462'
        option password '01810041051'
        option ipv6 'auto'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

config interface 'wwan'
        option proto 'dhcp'

config interface 'cloudflare'
        option proto 'wireguard'
        option private_key 'SLklmNY22NAtHBMtLVUViyfDAX7eDaBn+XzauV3ZS2Q='
        list addresses '172.16.0.2/32'
        list addresses '2606:4700:110:8f58:24bf:ee7a:9676:e6ca/128'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        list dns '2606:4700:4700::1111'
        list dns '2606:4700:4700::1001'
        option mtu '1280'

config wireguard_cloudflare
        option description 'Imported peer configuration'
        option public_key 'bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo='
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option endpoint_host '2606:4700:d0::a29f:c001'
        option endpoint_port '2408'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

uci show firewall

firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='ACCEPT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan' 'wan6' 'wwan'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-root@OpenWrt:~# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='ACCEPT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan' 'wan6' 'wwan'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@zone[2]=zone
firewall.@zone[2].name='cloudflare'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].masq6='1'
firewall.@zone[2].network='cloudflare'
firewall.@zone[2].masq='1'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='lan'
firewall.@forwarding[1].dest='cloudflare'

Firewall Setup:

  1. Added a new firewall zone for WireGuard interface.
  2. Configured the firewall rules accordingly.
root@OpenWrt:~# cat /etc/config/firewall

config defaults
       option input 'ACCEPT'
       option output 'ACCEPT'
       option forward 'ACCEPT'

config zone
       option name 'lan'
       option input 'ACCEPT'
       option output 'ACCEPT'
       option forward 'ACCEPT'
       list network 'lan'

config zone
       option name 'wan'
       option input 'REJECT'
       option output 'ACCEPT'
       option forward 'REJECT'
       option masq '1'
       option mtu_fix '1'
       list network 'wan'
       list network 'wan6'
       list network 'wwan'

config forwarding
       option src 'lan'
       option dest 'wan'

config rule
       option name 'Allow-DHCP-Renew'
       option src 'wan'
       option proto 'udp'
       option dest_port '68'
       option target 'ACCEPT'
       option family 'ipv4'

config rule
       option name 'Allow-Ping'
       option src 'wan'
       option proto 'icmp'
       option icmp_type 'echo-request'
       option family 'ipv4'
       option target 'ACCEPT'

config rule
       option name 'Allow-IGMP'
       option src 'wan'
       option proto 'igmp'
       option family 'ipv4'
       option target 'ACCEPT'

config rule
       option name 'Allow-DHCPv6'
       option src 'wan'
       option proto 'udp'
       option dest_port '546'
       option family 'ipv6'
       option target 'ACCEPT'

config rule
       option name 'Allow-MLD'
       option src 'wan'
       option proto 'icmp'
       option src_ip 'fe80::/10'
       list icmp_type '130/0'
       list icmp_type '131/0'
       list icmp_type '132/0'
       list icmp_type '143/0'
       option family 'ipv6'
       option target 'ACCEPT'

config rule
       option name 'Allow-ICMPv6-Input'
       option src 'wan'
       option proto 'icmp'
       list icmp_type 'echo-request'
       list icmp_type 'echo-reply'
       list icmp_type 'destination-unreachable'
       list icmp_type 'packet-too-big'
       list icmp_type 'time-exceeded'
       list icmp_type 'bad-header'
       list icmp_type 'unknown-header-type'
       list icmp_type 'router-solicitation'
       list icmp_type 'neighbour-solicitation'
       list icmp_type 'router-advertisement'
       list icmp_type 'neighbour-advertisement'
       option limit '1000/sec'
       option family 'ipv6'
       option target 'ACCEPT'

config rule
       option name 'Allow-ICMPv6-Forward'
       option src 'wan'
       option dest '*'
       option proto 'icmp'
       list icmp_type 'echo-request'
       list icmp_type 'echo-reply'
       list icmp_type 'destination-unreachable'
       list icmp_type 'packet-too-big'
       list icmp_type 'time-exceeded'
       list icmp_type 'bad-header'
       list icmp_type 'unknown-header-type'
       option limit '1000/sec'
       option family 'ipv6'
       option target 'ACCEPT'

config rule
       option name 'Allow-IPSec-ESP'
       option src 'wan'
       option dest 'lan'
       option proto 'esp'
       option target 'ACCEPT'

config rule
       option name 'Allow-ISAKMP'
       option src 'wan'
       option dest 'lan'
       option dest_port '500'
       option proto 'udp'
       option target 'ACCEPT'

config zone
       option name 'cloudflare'
       option input 'REJECT'
       option output 'ACCEPT'
       option forward 'REJECT'
       option masq6 '1'
       list network 'cloudflare'
       option masq '1'

config forwarding
       option src 'lan'
       option dest 'cloudflare'

ip addr show

root@OpenWrt:~# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host proto kernel_lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether ac:84:c6:3e:f8:ed brd ff:ff:ff:ff:ff:ff
    inet6 fe80::ae84:c6ff:fe3e:f8ed/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ac:84:c6:3e:f8:ed brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 2401:f40:105a:890::1/64 scope global dynamic noprefixroute
       valid_lft 252145sec preferred_lft 226225sec
    inet6 fd26:6452:df09::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::ae84:c6ff:fe3e:f8ed/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
5: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether ac:84:c6:3e:f8:ed brd ff:ff:ff:ff:ff:ff
6: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ac:84:c6:3e:f8:ee brd ff:ff:ff:ff:ff:ff
    inet6 fe80::ae84:c6ff:fe3e:f8ee/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
7: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN group default qlen 3
    link/ppp
    inet 10.250.222.231 peer 172.16.100.51/32 scope global pppoe-wan
       valid_lft forever preferred_lft forever
    inet6 fc00:f40:105a:4cd:7890:8728:b41b:4060/64 scope global dynamic noprefixroute
       valid_lft 2591774sec preferred_lft 604574sec
    inet6 fe80::7890:8728:b41b:4060 peer fe80::df8e:65ca:f3:b58f/128 scope link nodad
       valid_lft forever preferred_lft forever
21: cloudflare: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1280 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 172.16.0.2/32 brd 255.255.255.255 scope global cloudflare
       valid_lft forever preferred_lft forever
    inet6 2606:4700:110:8f58:24bf:ee7a:9676:e6ca/128 scope global
       valid_lft forever preferred_lft forever

ip route show

root@OpenWrt:~# ip route show
default dev cloudflare proto static scope link
172.16.100.51 dev pppoe-wan proto kernel scope link src 10.250.222.231
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1

Issue:

  • On my local machine (using the same WireGuard configuration), both IPv4 and IPv6 work perfectly through Cloudflare's Warp VPN.
  • On the router, It does not work at all.

Any solution to this issue?

Use as allowed ips besides what you have

8000::/1
::/1


not solved

Does wg show show that the peers have completed a handshake (less than 2 minutes ago)? Can you ping somewhere on the Internet (try v4 and v6) from the router itself? Does traceroute on the router itself show the first hop is into the tunnel?

no handshake


cloudflare interface image

tracerouting ipv6 address found from interface tab

tracerouting peer ipv6 from router gives timeout

Check your settings with my notes, see:

You need the WireGuard Client Setup guide
Direct download WireGuard Client Setup guide

followed you guidelines with easy firewall setup
not solved


no handshake

If everything is setup correctly and you can ping the endpoint address it might be a problem with the keys or maybe you already have a lan client still using this same keypair, you can only use it with one client at the same time.

But we can check your settings if you like, if so, please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
ip route show
ip -6 route show
wg show

Does your setup (without VPN) allow access to the Internet v6? Obviously that has to work first. If your ISP or country is taking measures to prevent VPN usage they may be simply blocking the server IPs of well-known VPN companies.

i thought so BUT
without setting up the VPN, i can access any ipv6 stuff.
also i can use the same wireguard config on my local machine
so there is no issue with the ISP or config