Wireguard IPv6 Routing

I am currently setting up WireGuard site-to-site with IPv6. I already have a site-to-site configuration based on IPv4. Side A is my home network with an OpenWrt router (Dynalink DL-WRX36); on the other side is an OPNsense firewall/router virtualized on Proxmox in a datacenter, behind which are some servers like AdGuard Home and Samba. On both sides at least the assignment of IPv6 addresses works. From the OpenWrt router and directly from the OPNsense I can ping the peers.

From the Windows and Linux clients in the LAN I cannot reach the IPv6 addresses. How do I need to proceed? What is different about the routing of IPv6 addresses?

Did you create a route for the remote subnet in question (and vice versa), or check the box to route allowed IPs?


I created a route for the subnet.

Could this possibly be a problem?

/etc/config/firewall
...
config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wg0'
        option masq '1'

config forwarding
        option src 'vpn'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'vpn'

A typical site-to-site setup looks like this:

  • Configure allowed IPs:
    • Add peer A's LAN prefix to allowed IPs on peer B.
    • Add peer B's LAN prefix to allowed IPs on peer A.
  • Configure routing:
    • Make each peer the default gateway for its respective LAN.
    • Enable routing for allowed IPs on both peers.
  • Configure firewall:
    • Assign the VPN interface to the LAN zone on each peer.

You can simplify it by using a common prefix with hints as explained here:
https://openwrt.org/docs/guide-user/services/vpn/wireguard/extras#ipv6_site-to-site

Make sure the WireGuard interfaces have link-local IPs. OpenWrt does not install them by default. IPv6 really does not work well without them, as the link-local address is technically the gateway to the LANs on a router. This means that the other side's link-local needs to be an allowed IP.

If your network is not only site-to-site but also point-to-point (the only peer on both WireGuard interfaces is the other site), then you can simplify things by setting allowed IPs to ::/0 on both ends and not routing allowed IPs. Control the routing outside of WireGuard.
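The checklist above (allowed IPs covering the remote LAN prefix and remote link-local, route allowed IPs enabled, a link-local address on the tunnel interface, and the tunnel in the LAN firewall zone) can be verified mechanically. The following is an added example, not code from the thread or from OpenWrt: it parses UCI-style /etc/config/network and /etc/config/firewall text and reports which of those pieces are missing. The embedded sample config for "site A" is constructed; the fd00:a::/64 and fd00:b::/64 prefixes, fe80::a and fe80::b link-locals, key strings and endpoint hostname are placeholders. It also covers the ::/0 point-to-point variant from the last paragraph, where route_allowed_ips is expected to be off.

```python
"""Check an OpenWrt WireGuard site-to-site config for the IPv6 details the thread lists.

Added example (not from the thread or OpenWrt). Parses UCI-style network and firewall
config text and reports missing pieces for IPv6 site-to-site routing.
"""
import ipaddress
import shlex

LINK_LOCAL = ipaddress.ip_network("fe80::/10")

# Constructed sample for "site A" (home side). All prefixes, keys and hostnames are placeholders.
NETWORK_A = """
config interface 'wg0'
        option proto 'wireguard'
        option private_key 'PRIVATE_KEY_A_PLACEHOLDER'
        option listen_port '51820'
        list addresses 'fe80::a/64'
        list addresses 'fd00:a::1/64'

config wireguard_wg0
        option description 'site B'
        option public_key 'PUBLIC_KEY_B_PLACEHOLDER'
        option endpoint_host 'site-b.example'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        option route_allowed_ips '1'
        list allowed_ips 'fd00:b::/64'
        list allowed_ips 'fe80::b/128'
"""

FIREWALL_A = """
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg0'
"""


def parse_uci(text):
    """Parse 'config/option/list' lines into a list of section dicts."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if parts[0] == "config":
            cur = {"type": parts[1], "name": parts[2] if len(parts) > 2 else None,
                   "options": {}, "lists": {}}
            sections.append(cur)
        elif parts[0] == "option" and cur is not None:
            cur["options"][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif parts[0] == "list" and cur is not None:
            cur["lists"].setdefault(parts[1], []).append(parts[2] if len(parts) > 2 else "")
    return sections


def check_site_to_site(network_cfg, firewall_cfg, wg_if, remote_lan, remote_link_local):
    """Return a list of findings; an empty list means the IPv6 site-to-site basics are present."""
    findings = []
    net, fw = parse_uci(network_cfg), parse_uci(firewall_cfg)

    iface = next((s for s in net if s["type"] == "interface" and s["name"] == wg_if), None)
    if iface is None or iface["options"].get("proto") != "wireguard":
        return [f"no WireGuard interface named {wg_if!r} found"]

    # 1. Link-local address on the tunnel interface (OpenWrt does not add one by default).
    addrs = [ipaddress.ip_interface(a) for a in iface["lists"].get("addresses", [])]
    if not any(a.version == 6 and a.ip in LINK_LOCAL for a in addrs):
        findings.append(f"{wg_if} has no link-local (fe80::/10) address")

    # 2. Peer allowed_ips must cover the remote LAN and remote link-local; routing must match.
    remote_lan_net = ipaddress.ip_network(remote_lan)
    remote_ll = ipaddress.ip_address(remote_link_local)
    peers = [s for s in net if s["type"] == f"wireguard_{wg_if}"]
    if not peers:
        findings.append(f"no peer sections (config wireguard_{wg_if}) found")
    for peer in peers:
        allowed6 = [n for n in (ipaddress.ip_network(a, strict=False)
                                for a in peer["lists"].get("allowed_ips", [])) if n.version == 6]
        if not any(remote_lan_net.subnet_of(n) for n in allowed6):
            findings.append(f"peer allowed_ips does not cover the remote LAN {remote_lan}")
        if not any(remote_ll in n for n in allowed6):
            findings.append(f"peer allowed_ips does not cover the remote link-local {remote_link_local}")
        catch_all = any(n.prefixlen == 0 for n in allowed6)  # the ::/0 point-to-point variant
        routes = peer["options"].get("route_allowed_ips", "0")
        if catch_all and routes == "1":
            findings.append("allowed_ips is ::/0 but route_allowed_ips is on; route outside WireGuard instead")
        if not catch_all and routes != "1":
            findings.append("route_allowed_ips is not enabled, so no route to the remote LAN is installed")

    # 3. Firewall: the simplest working setup puts the tunnel interface in the LAN zone.
    zones = [z for z in fw if z["type"] == "zone" and wg_if in z["lists"].get("network", [])]
    if not zones:
        findings.append(f"{wg_if} is not assigned to any firewall zone")
    elif not any(z["options"].get("name") == "lan" for z in zones):
        names = ", ".join(z["options"].get("name", "?") for z in zones)
        findings.append(f"{wg_if} is in zone {names} rather than 'lan'; the simplest setup puts the tunnel in the LAN zone")
    return findings


if __name__ == "__main__":
    # Site A checks against site B's LAN prefix and link-local (constructed placeholders).
    for line in check_site_to_site(NETWORK_A, FIREWALL_A, "wg0", "fd00:b::/64", "fe80::b") or ["ok"]:
        print(line)
```

Run the same check on site B with the prefixes swapped; the OP's separate "vpn" zone with forwardings in both directions is reported as a finding only because the reply recommends the LAN-zone layout, not because it is wrong.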