WireGuard not connecting with IPv6 endpoint while other devices on network can

Hello!

I'm trying to connect my OpenWrt to my other home network, where I run WireGuard (server) on an Rpi4.

The router connects and works fine over IPv4 but fails to do so with IPv6. All the other devices on the router and devices on a different network can still connect to my wg server.

I tried playing with the firewall and everything but got nowhere. I don't know what's happening anymore. I'll insert the relevant dump below.

{
	"kernel": "5.10.161",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "Netgear R6800",
	"board_name": "netgear,r6800",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.3",
		"revision": "r20028-43d71ad93e",
		"target": "ramips/mt7621",
		"description": "OpenWrt 22.03.3 r20028-43d71ad93e"
	}
}

package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd05:3ee3:7f14::/48'
	option packet_steering '1'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option auto '0'
	option peerdns '0'
	option reqaddress 'try'
	option reqprefix 'no'


config interface 'homev6'
	option proto 'wireguard'
	option private_key '*='
	option listen_port '51822'
	list addresses '10.100.200.1'
	option peerdns '0'
	list dns '10.123.123.3'

config wireguard_homev6
	option description 'rpi'
	option public_key '*='
	option endpoint_host 'xxxx:xxxx:xx:xxxx:xxxx:xxxx:xxxx:d522'
	option endpoint_port '1234'
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/0'


7: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 xxxx:xxxx:xx:xxxx:xxxx:xxxx:xxxx:405d/64 scope global dynamic noprefixroute 
       valid_lft 229290sec preferred_lft 56490sec
    inet6 xxxx:xxxx:xx:xxxx:xxxx:xxxx:xxxx:39eb/128 scope global dynamic noprefixroute 
       valid_lft 232588sec preferred_lft 59788sec
    inet6 fe80::b239:56ff:fe68:405d/64 scope link 
       valid_lft forever preferred_lft forever
			 
unreachable default dev lo table pbr_wan metric 1024 pref medium
unreachable default dev lo table pbr_home metric 1024 pref medium
default from xxxx:xxxx:xx:xxxx:xxxx:xxxx:xxxx:39eb via fe80::925c:44ff:fefc:6ece dev wan proto static metric 384 pref medium
default from xxxx:xxxx:xxxx:xxxx::/64 via fe80::925c:44ff:fefc:6ece dev wan proto static metric 384 pref medium
xxxx:xxxx:xx:xxxx:xxxx:xxxx:xxxx:d522 via fe80::925c:44ff:fefc:6ece dev wan proto static metric 384 pref medium
xxxx:xxxx:xxxx:xxxx::/64 dev wan proto static metric 256 pref medium
xxxx:xxxx:xxxx:xxxx::/64 via fe80::925c:44ff:fefc:6ece dev wan proto static metric 512 pref medium
unreachable xxxx:xxxx:xxxx:xxxx::/64 dev lo proto static metric 2147483647 pref medium
unreachable fd05:3ee3:7f14::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
fe80::/64 dev wan proto kernel metric 256 pref medium
fe80::/64 dev vpn-UA_be proto kernel metric 256 pref medium
fe80::/64 dev wlan1 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast 2a02:1810:3915:5e00:: dev wan table local proto kernel metric 0 pref medium
local xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:39eb dev wan table local proto kernel metric 0 pref medium
local xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:405d dev wan table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev wlan0 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev wan table local proto kernel metric 0 pref medium
anycast fe80:: dev wlan1 table local proto kernel metric 0 pref medium
local fe80::600d:6b39:809f:b3cd dev vpn-cisco table local proto kernel metric 0 pref medium
local fe80::b239:56ff:fe68:405b dev eth0 table local proto kernel metric 0 pref medium
local fe80::b239:56ff:fe68:405b dev wlan0 table local proto kernel metric 0 pref medium
local fe80::b239:56ff:fe68:405b dev br-lan table local proto kernel metric 0 pref medium
local fe80::b239:56ff:fe68:405c dev wlan1 table local proto kernel metric 0 pref medium
local fe80::b239:56ff:fe68:405d dev wan table local proto kernel metric 0 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev br-lan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wlan0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wlan1 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev homev6 table local proto kernel metric 256 pref medium
0:	from all lookup local
30000:	from all fwmark 0x10000/0xff0000 lookup 256
30002:	from all fwmark 0x30000/0xff0000 lookup pbr_home
30003:	from all fwmark 0x40000/0xff0000 lookup pbr_ws
30004:	from all fwmark 0x50000/0xff0000 lookup pbr_wan
32766:	from all lookup main

Thanks!

I'm not quite sure if you're looking for a road-warrior setup or a site-2-site setup; my suggestions below cover the road-warrior approach.

That seems to be wrong, I'd rather expect something like list addresses '10.100.200.10/24' here.

I don't really see how that's going to work with WireGuard (it's a routed protocol, no DHCP, just peers - you will have to set that on the client side) - so delete those two lines.

Neither of these is necessary, and especially the latter is very unlikely to do what you want (delete).

This looks wrong, you're only looking for a single address here (/32 for IPv4 and /128 for IPv6, for IPv6 the ULA address comes to mind, the GUA only in case it's stable (prefix)).

I did everything mentioned above. It didn't change anything. The same configuration on my phone connects and works flawlessly, but on my router they don't talk with each other.

I'm strongly suspecting that maybe it has something to do with the firewall and IPv6 itself.

From the router, I cannot ssh into my Rpi4 but I can from other devices.
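
Added example (not part of any post in this thread): a simplified Python model of how the policy rules and IPv6 routes in the dump above are evaluated, showing how a firewall mark or a source address outside a route's "from" prefix changes which route the router picks. The addresses are constructed from 2001:db8::/32 because the thread's are redacted, the sample keeps only a few lines of the dump, and the function names are illustrative.

```python
import ipaddress
import re

# Constructed sample shaped like the thread's dump; 2001:db8::/32 documentation
# addresses stand in for the redacted ones.
RULES = """\
0: from all lookup local
30000: from all fwmark 0x10000/0xff0000 lookup 256
30004: from all fwmark 0x50000/0xff0000 lookup pbr_wan
32766: from all lookup main
"""
ROUTES = """\
unreachable default dev lo table pbr_wan metric 1024 pref medium
default from 2001:db8:1:1::/64 via fe80::1 dev wan proto static metric 384 pref medium
2001:db8:2::d522 via fe80::1 dev wan proto static metric 384 pref medium
2001:db8:1:1::/64 dev wan proto static metric 256 pref medium
unreachable fd05:3ee3:7f14::/48 dev lo proto static metric 2147483647 pref medium
"""
KINDS = ("unreachable", "local", "anycast", "multicast")

def net(s):
    return ipaddress.ip_network("::/0" if s in ("default", "all") else s)

def parse_rules(text):
    pat = re.compile(r"(\d+):\s+from (\S+)(?: fwmark (\w+)/(\w+))? lookup (\S+)")
    rules = []
    for prio, src, val, mask, table in pat.findall(text):
        rules.append((int(prio), net(src), int(val or "0", 16), int(mask or "0", 16), table))
    return sorted(rules, key=lambda r: r[0])

def parse_routes(text):
    routes = []
    for w in map(str.split, text.splitlines()):
        kind = w.pop(0) if w[0] in KINDS else "unicast"
        opt = dict(zip(w[1::2], w[2::2]))  # key/value pairs after the destination
        routes.append({"kind": kind, "dst": net(w[0]), "src": net(opt.get("from", "all")),
                       "table": opt.get("table", "main"), "dev": opt["dev"],
                       "metric": int(opt.get("metric", 0))})
    return routes

def resolve(rules, routes, src, dst, fwmark=0):
    """Simplified kernel model: the first rule whose table yields a route decides."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for prio, rule_src, val, mask, table in rules:
        if src not in rule_src or (fwmark & mask) != val:
            continue
        hits = [r for r in routes
                if r["table"] == table and dst in r["dst"] and src in r["src"]]
        if hits:  # longest destination prefix wins, then the lowest metric
            best = max(hits, key=lambda r: (r["dst"].prefixlen, -r["metric"]))
            return prio, table, best["kind"], best["dev"]
    return None  # nothing matched: the kernel would report the network unreachable
```

On the router itself, ip -6 route get with the endpoint address gives the kernel's own answer for router-originated traffic.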