Wireguard IPv6 not working

I am trying to set up a WireGuard server on an OpenWrt router. I don't have a public IPv4 address because I am under CGNAT, so I've used IPv6.
I managed to get it working with this config:

config interface 'wg0'
        option proto 'wireguard'
        option private_key '....'
        option listen_port '51820'
        list addresses '10.5.0.1/24'

config wireguard_wg0
        option description 'iPhone'
        option public_key '...'
        option route_allowed_ips '1'
        list allowed_ips '10.5.0.10/32'
        option endpoint_host 'DDNS IPv6 address of router'

On my VPN client (iPhone), if I put 192.168.1.0/24 as allowed IPs I am able to connect to local devices in my home network, and I am able to use the internet on my iPhone using the LTE IPv4 and IPv6 addresses. If I put 0.0.0.0/0, ::0 I am able to reach the internet using the IPv4 address of my home network, but IPv6 is not working (neither the LTE nor the home network one). I would like to know how I should set up the VPN in order to reach the internet using the IPv6 address of my home network.

Hi

My idea is that you have an "at home" OWRT router which hides IPv4 local addresses behind NAT. So anything that tries to go to WAN from LAN will be NAT-ed (masqueraded). It is normal/expected. So your "whatever IPv4 iPhone WireGuard" will work as it is automatically NAT-ed through WAN

but

in case of IPv6, things are different
Default OWRT settings do NOT do NAT on IPv6 WAN6

so, it depends on the available v6 addresses you have
either you need a valid v6 address from the pool (PD) assigned to your router by the ISP to route through WG

or

simply assign a random ULA address to WG and do IPv6 NAT on the WAN6 interface

Any Wireguard tunnel can carry both IPv4 and IPv6 simultaneously inside the tunnel, regardless of which address type is being used on the outside (encrypted) packets.

For anything IPv6 to work inside the tunnel, both ends of the tunnel need (link unique) link-local addresses, which OpenWrt does not automatically assign. I usually use fe80::1/64 and fe80::2/64.

Exactly. If you have full IPv6 service with a routed prefix you can put option ip6assign 64 on the Wireguard interface and run an RA server on it, and the phone will typically see the RAs and set up IPv6 on its end of the tunnel automatically. Since the phone chooses the last 64 bits of its address randomly, the whole /64 needs to be an allowed_ip. This means you'll need a completely separate Wireguard interface per road warrior, i.e. each one is a point to point connection; instead of multiple remotes sharing one "server" interface. When Wireguard is point to point you can simply set allowed_ips ::/0 on both ends and control routing externally. This prevents needing to change the Wireguard settings if the ISP changes your prefixes.

If you don't have a routed prefix then all the usual workarounds to share a single /64 apply.

I have only a /64 assigned by the ISP and the prefix changes every 4 hours.

So what are the usual workarounds?

well

since you are using (I suppose) relay mode to pass one /64 from wan6 to lan ...
it is a bit complicated

let's say that LAN->WAN is straight
and WG->WAN is from the "side"

then maybe you could assign ULA fd00::1/64 fd00::2/64 for WG and the iPhone
and then in the firewall try something like
if src is fd00::/64
and dst is WAN6
then masquerade IPv6

the key is the src address
this should "hide" your iPhone behind the existing /64
and will leave LAN as it is


there is a firewall option

option masq6 '1'

but it will "hide" all v6 addresses, so it is not recommended in case you want real GUA addresses on LAN clients

You should be able to do it with LuCI: firewall WAN zone > Advanced Settings, enable IPv6 MASQUERADING and add the ULA source address as described by @NPeca75.

For allowed IPs you can use e.g.: fd00::2/128


Sorry for the off-topic, but what is the ISP? They need to be listed on the list of shame. /56 is the absolute minimum an ISP should allocate and /48 should be the standard.

Are you sure? I remember reading WireGuard had to be either IPv4 or IPv6, not both. I set up a server and client with both but never got it to give out an IPv6 address. I think as long as the server can access IPv6 addresses you can still use them, but I don't think WireGuard can actually assign both. I could be wrong and this could just be from years ago.

It's an LTE ISP in Italy. Here in Italy, the majority of ISPs don't have IPv6, so I consider myself lucky to have a /64 that changes every 4 hours.

The single /64 is industry standard for LTE. Since almost every LTE connection is a single endpoint, not a router, I don't think that anyone has bothered to build an LTE network that can route additional prefixes to a customer.

I have changed some settings: now I have a separate firewall zone for the WireGuard VPN and I have enabled masquerade on LAN so I can access all the LAN devices in 192.168.1.0/24 from the VPN.
On my WireGuard client, if I set 0.0.0.0/0, ::/0 I can use the IPv4 of my home network, but IPv6 is not working (neither the client IPv6 nor the home IPv6).
I have a /64 dynamic prefix assigned by the ISP every 4 hours and I would like to allow the WireGuard client to use one of the IPv6 addresses of the LAN.
I don't know whether to assign this IP through DHCPv6 or SLAAC, but SLAAC is working on my LAN and I have the entire /64 prefix there (so I think I can't make it work).
I don't want to negatively impact the home LAN network.
Can someone help me? I read that I should enable IPv6 masquerading on the wan zone (does this have any negative effect on my existing LAN network?) and then add the ULA source address. Where do I need to assign the ULA address? Do I need to enable relay mode of RA?

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd55:2a2c:3bff::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'LTE'
	option proto 'qmi'
	option device '/dev/cdc-wdm0'
	option apn 'internet.it'
	option auth 'none'
	option pdptype 'ipv4v6'

config interface 'wg0'
	option proto 'wireguard'
	option private_key '...'
	option listen_port '51820'
	list addresses '10.5.0.1/24'

config wireguard_wg0
	option description 'Lele-iPhone'
	option public_key '...'
	option route_allowed_ips '1'
	list allowed_ips '10.5.0.10/32'
	option endpoint_host 'IPV6 DDNS'

config wireguard_wg0
	option description 'MacBook-Air'
	option public_key '...'
	list allowed_ips '10.5.0.20/32'
	option route_allowed_ips '1'
	option endpoint_host 'IPV6 DDNS'

/etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option masq '1'

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wg0'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'LTE'

config rule
	option name 'Allow-Wireguard'
	option family 'ipv6'
	list proto 'udp'
	option src 'wan'
	option dest_port '51820'
	option target 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'vpn'
	option dest 'lan'

config forwarding
	option src 'vpn'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'vpn'

config forwarding
	option src 'wan'
	option dest 'vpn'

Possible help on this wiki page: https://openwrt.org/docs/guide-user/services/vpn/wireguard/road-warrior
It sounds like IPv6 Configuration B fits your environment.

I have tried the script and configured a new WireGuard interface. Now I have

config interface 'wg_newvpn'
	option proto 'wireguard'
	option private_key ''
	option listen_port '51821'
	option mtu '1280'
	list addresses 'fd55:2a2c:3bff:4::1/64'
	list addresses '10.6.0.1/24'

config wireguard_wg_newvpn
	option public_key ''
	option preshared_key ''
	option description 'iPhone14new'
	list allowed_ips '10.6.0.3/32'
	list allowed_ips 'fd55:2a2c:3bff:4::10.6.0.3/128'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

But on the client device, when I try to do ping6 I get

➜  ~ ping6 google.it
PING6(56=40+8+8 bytes) fd55:2a2c:3bff:4::a06:3 --> 2a00:1450:4002:403::2003

but it's not working. So it seems DNS is working (?) but the internet connection through IPv6 is not.
How can I fix it?

I have assigned a ULA address to the VPN and peers, but I can't access the internet using IPv6. How can I set this firewall rule?

Hi @SuperMitic

something like this

Source fd00::/64 does not cover the fd55:etc IPs that you are using (it means exactly a 64 bit prefix of fd and 56 zeros: fd00:0000:0000:0000). To include any "non central" ULA use fd00::/8.

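As an added illustration of the prefix mismatch described above (this is not code from the thread or from OpenWrt), the Python script below parses constructed UCI fragments and reports whether a zone's masq_src entries actually contain each WireGuard peer's IPv6 allowed_ips. The option names masq6 and masq_src are OpenWrt's real firewall options; the config contents, peer and prefixes are constructed to mirror this thread.

```python
"""Check that an OpenWrt zone's masq_src list covers the WireGuard peers' IPv6 ULAs."""
import ipaddress

# Constructed UCI fragments modelled on this thread, not the poster's real files.
NETWORK_CFG = """
config wireguard_wg_newvpn
	option description 'iPhone14new'
	list allowed_ips '10.6.0.3/32'
	list allowed_ips 'fd55:2a2c:3bff:4::10.6.0.3/128'
"""
FIREWALL_BAD = """
config zone
	option name 'wan'
	option masq6 '1'
	list masq_src 'fd00::/64'
"""
FIREWALL_FIXED = FIREWALL_BAD.replace("fd00::/64", "fd00::/8")  # the /8 suggested in the thread


def parse_uci(text):
    """Minimal UCI parser: one dict per section ('_type', options, lists)."""
    sections = []
    for line in (ln.strip() for ln in text.splitlines()):
        kind, _, rest = line.partition(" ")
        if kind == "config":
            sections.append({"_type": rest.split()[0]})
        elif kind in ("option", "list"):
            key, _, value = rest.partition(" ")
            value = value.strip().strip("'\"")
            if kind == "option":
                sections[-1][key] = value
            else:
                sections[-1].setdefault(key, []).append(value)
    return sections


def masq6_coverage(network_text, firewall_text, zone="wan"):
    """Map each peer IPv6 allowed_ips entry to True when masq6 is on and a masq_src prefix contains it."""
    z = next(s for s in parse_uci(firewall_text) if s["_type"] == "zone" and s.get("name") == zone)
    # IPv4 masq_src entries do not affect the IPv6 check; OpenWrt treats an
    # empty masq_src list as "all sources".
    src6 = [n for n in (ipaddress.ip_network(p, strict=False) for p in z.get("masq_src", [])) if n.version == 6]
    coverage = {}
    for sec in parse_uci(network_text):
        if sec["_type"].startswith("wireguard_"):
            for cidr in sec.get("allowed_ips", []):
                net = ipaddress.ip_network(cidr, strict=False)
                if net.version == 6:  # 'fd55:...::10.6.0.3' parses as ...::a06:3, as in the ping6 output
                    coverage[str(net)] = z.get("masq6") == "1" and (
                        not src6 or any(net.subnet_of(n) for n in src6))
    return coverage
```

Running `masq6_coverage(NETWORK_CFG, FIREWALL_BAD)` reports the peer as not covered, while the same call with `FIREWALL_FIXED` reports it covered.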

sorry, did not notice that @SuperMitic is using fd55::

tnx

I have set these NAT rules, but IPv6 through WireGuard is not working.