Wireguard over IPV6 with Starlink, IPV4 ok, no ipv6 route

Hi

Starlink uses CGNAT on IPv4 and has working IPv6 (at least here in France).
A /56 prefix is given to the router, and for now the IP seems stable (no changes in a month yet, not even when rebooting Dishy).
So I have set up a WG server on the router listening on the wlan IPv6.

I have a DDNS set up on this public IPv6 address and can connect to the WireGuard server using it.
IPv4 internal network + outside IPv4 Internet work ok using the VPN.

The problem I get is that whatever I've tried, I can't use IPv6 inside my tunnel.
Can't ping clients from the server and vice versa using either the GUA address or local ones.
edit: This is solved now, IPv6 works locally through the tunnel.
The problem now is that the IPv6 traffic from the wg interface is not going to the Internet, even when the client interface has a GUA; the GUAs are pingable locally.

Here is /etc/config/network

config globals 'globals'
        option ula_prefix 'fd35:0000:0000::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'
        option igmp_snooping '1'


config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.8.1'
        option netmask '255.255.255.0'
        option isolate '0'
        option ip6ifaceid '::1'
        option ip6assign '60'
        option metric '128'
        option ip6hint '0000'
        list ip6class 'wan6'

config device
        option name 'eth0'
        option macaddr 'aa:aa:aa:aa:aa:aa'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'
        option ipv6 '1'
        option metric '10'

config interface 'wan6'
        option proto 'dhcpv6'
        option reqprefix '56'
        option disabled '0'
        option reqaddress 'try'
        option device '@wan'
        option sourcefilter '0'
        list ip6class 'local'
        list ip6class 'wan6'

config switch
        option name 'switch0'
        option reset '0'
        option enable_vlan '0'

config rule 'policy_bypass_vpn'
        option mark '0x60000/0x60000'
        option lookup '53'
        option priority '53'

config rule 'policy_via_vpn'
        option mark '0x80000/0x80000'
        option lookup '52'
        option priority '52'

config rule 'policy_dns'
        option mark '0x100000/0x100000'
        option lookup '51'
        option priority '51'

config route
        option target '192.168.2.0/24'
        option gateway '192.168.27.66'
        option interface 'lan'


config interface 'wg0'
        option proto 'wireguard'
        option private_key 'Redacted'
        option listen_port '51822'
        option tunlink 'wan6'
        option ip6prefix '64'
        list ip6class 'wan6'
        list ip6class 'local'
        list addresses '10.100.0.1/24'
        list addresses 'fe80::xxxx:xxxx:xxxx:3418/64'
        option ip6assign '64'
        option ip6hint 'ad'

config wireguard_wg0
        option description 'Client1'
        option public_key 'Redacted'
        option endpoint_port '51822'
        option persistent_keepalive '25'
        option endpoint_host 'Redacted'
        option route_allowed_ips '1'
        list allowed_ips '10.100.0.2/32'
        list allowed_ips 'fd35:xxxx:xxxx:xxxx::2/128'
        list allowed_ips '2a0d:xxxx:xxxx:xxxx::2/128'
        list allowed_ips 'fe80::xxxx:xxxx:xxxx:5abc/128'

I have a wireguard zone allowing everything:


Thanks for helping

With multiple clients, the group of allowed_ips have to be non-overlapping. You have set both clients to ::/0 which will not work. Per client allowed IPs are the IPs that you expect to see as source IPs from the client (and also destination IP to return packets to the client). For a road warrior phone, it would be a single /128.

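
Added example, not from the thread or from OpenWrt: a small Python checker that reads peer sections in the UCI syntax used in the first post and reports any two peers whose allowed_ips overlap in the same address family, which is the ::/0 problem described above. The peer names and keys in the two sample configs are constructed placeholders.

```python
"""Check that no two WireGuard peers have overlapping allowed_ips.

Parses OpenWrt UCI-style 'config wireguard_<iface>' sections and reports every
pair of peers whose allowed_ips overlap (same address family only).
Example code written for this thread; not OpenWrt's or WireGuard's own tooling.
"""
import ipaddress
from itertools import combinations

# Constructed sample: two peers both given ::/0, the mistake discussed above.
SAMPLE_BROKEN = """\
config wireguard_wg0
        option description 'Client1'
        option public_key 'PLACEHOLDER_KEY_1'
        list allowed_ips '10.100.0.2/32'
        list allowed_ips '::/0'

config wireguard_wg0
        option description 'Client2'
        option public_key 'PLACEHOLDER_KEY_2'
        list allowed_ips '10.100.0.3/32'
        list allowed_ips '::/0'
"""

# Constructed sample: each peer limited to the single /32 and /128 it will use.
SAMPLE_FIXED = """\
config interface 'wg0'
        option proto 'wireguard'
        list addresses '10.100.0.1/24'

config wireguard_wg0
        option description 'Client1'
        list allowed_ips '10.100.0.2/32'
        list allowed_ips 'fd35:0:0:ad::2/128'

config wireguard_wg0
        option description 'Client2'
        list allowed_ips '10.100.0.3/32'
        list allowed_ips 'fd35:0:0:ad::3/128'
"""


def _unquote(value):
    """Strip the single or double quotes UCI puts around values."""
    return value.strip().strip("'\"")


def parse_peers(uci_text):
    """Return [{'description': str, 'allowed_ips': [ip_network, ...]}, ...]."""
    peers = []
    in_peer = False
    for raw in uci_text.splitlines():
        parts = raw.strip().split(None, 2)
        if not parts:
            continue
        if parts[0] == "config":
            # Only 'config wireguard_<iface>' sections describe peers.
            in_peer = len(parts) > 1 and parts[1].startswith("wireguard_")
            if in_peer:
                peers.append({"description": "peer%d" % (len(peers) + 1),
                              "allowed_ips": []})
            continue
        if not in_peer or len(parts) < 3:
            continue
        if parts[0] == "option" and parts[1] == "description":
            peers[-1]["description"] = _unquote(parts[2])
        elif parts[0] == "list" and parts[1] == "allowed_ips":
            peers[-1]["allowed_ips"].append(
                ipaddress.ip_network(_unquote(parts[2]), strict=False))
    return peers


def find_overlaps(peers):
    """Return (peer_a, net_a, peer_b, net_b) for every overlapping pair."""
    problems = []
    for a, b in combinations(peers, 2):
        for net_a in a["allowed_ips"]:
            for net_b in b["allowed_ips"]:
                if net_a.version == net_b.version and net_a.overlaps(net_b):
                    problems.append((a["description"], str(net_a),
                                     b["description"], str(net_b)))
    return problems


if __name__ == "__main__":
    for label, text in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        overlaps = find_overlaps(parse_peers(text))
        print(label, "->", overlaps or "no overlapping allowed_ips")
```

Feeding it the real /etc/config/network (after stripping the keys) is enough: any tuple it prints is a pair of peers WireGuard cannot route to unambiguously, and the fix is to shrink each peer's allowed_ips to exactly the addresses that peer sources.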

ah ok thanks for the tip.
I've put in the server conf in allowed_ips only the /32 IPv4 and /128 IPv6 addresses they're supposed to use then.

But still same problem for now.

Do I have to enable / disable the "Route Allowed IPs" ?
I think I've tried both, but it doesn't make a difference; everything is still ok with IPv4 and there is no IPv6 traffic.

To add to @mk24's excellent advice, do the same for IPv4 (although you are not using it, it may bork IPv4 routing), so set the peer's/client's IPv4 address as IPv4 allowed IPs, e.g.:
list allowed_ips '10.100.0.2/32'

Furthermore, set option route_allowed_ips '1' for all peers (although in this case it does not matter much).

Your second client/peer has an endpoint set. If it is a fixed client you can do that, but you need an endpoint on only one side (the side we usually call the client side, although WG is actually peer to peer); if you do, then also set option persistent_keepalive '25'.

For firewall settings, just allowing port 51822 and adding the WG interface to the LAN zone should be enough.

I've edited the conf in the first post with the changes.
And removed the second client for easiness here.

The firewall already has 51822 open and everything works on this side. I connect to the VPN using the WAN IPv6 address.
It's inside the tunnel it doesn't work. ( IPV4 is all good )

I noticed your WG interface only has the above IPv6 address.

When I set up, I use a ULA address; I see your peer has

So I would expect the interface to have fd35:xxxx:xxxx:xxxx::1/64 as address
Not sure if this is the problem though

The fd35 ULA and 20ad GUA are automatically added to the wg0 interface. I had set the delegated IPv6 prefix to a /64 with an assignment hint.

I can see the interface has all the IPs configured ok:

wg0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.100.0.1 P-t-P:10.100.0.1 Mask:255.255.255.0
inet6 addr: fd35:xxxx:xxxx:xxxx::1/64 Scope:Global
inet6 addr: 2a0d:xxxx:xxxx:xxxx::1/64 Scope:Global
inet6 addr: fe80::xxxx:xxxx:xxxx:3418/64 Scope:Link
UP POINTOPOINT RUNNING NOARP MTU:1420 Metric:1
RX packets:44641 errors:8354 dropped:0 overruns:0 frame:8354
TX packets:41107 errors:1 dropped:436 overruns:0 carrier:1
collisions:0 txqueuelen:1
RX bytes:7736328 (7.3 MiB) TX bytes:31481880 (30.0 MiB)

Oh, I think I have something interesting.

I have 2 different problems here.

I was testing with my Android phone as the client. But I've just remembered Android needs SLAAC addresses.
Have no idea if it's possible with wg and how to do that.

I then tried using my computer with the 4G connection. And guess what, I can ping the local gateway from the client, and the same on the other side :)

But still no internet ipv6 traffic yet

Note that your local LAN clients might have their own firewall and can block traffic from a connected Wireguard client.

sure, I've disabled everything on client side just in case.

This is probably leading toward one wg interface for each client rather than a shared one.
Then give each wg interface a /64 out of your /56 and set up a RA server on it. Allowed_ips would be the whole /64 since you don't know what the phone will choose.

Android itself uses SLAAC only, but maybe the wireguard client allows assigning static tunnel IPs?

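
Added example, not part of the thread or of OpenWrt: a Python generator for the layout suggested above, one wg interface per client, each handed a /64 out of the delegated /56 through ip6assign/ip6hint (the options the first post's config already uses) and a router-advertisement server on it, with allowed_ips covering that whole /64. The 2001:db8 prefix, peer names, keys and ports are constructed placeholders; the /etc/config/dhcp stanza assumes odhcpd's UCI options ra and ignore.

```python
"""Generate per-client WireGuard interfaces, each with its own /64 and an RA
server, from a list of peers. Example code written for this thread; the
prefix, keys and peers are constructed placeholders.
"""
import ipaddress

# Constructed placeholder for the poster's masked 2a0d:.../56 delegation.
GUA_PREFIX = ipaddress.ip_network("2001:db8:1234:ab00::/56")
# ULA prefix from the thread's /etc/config/network (fd35:0000:0000::/48).
ULA_PREFIX = ipaddress.ip_network("fd35::/48")
BASE_PORT = 51822  # listen port used in the thread; each interface needs its own

# Constructed peer list: 'hint' is the /64 subnet id, as in 'option ip6hint'.
PEERS = [
    {"name": "Client1", "public_key": "PEER1_PUBLIC_KEY_PLACEHOLDER", "hint": 0xAD},
    {"name": "Client2", "public_key": "PEER2_PUBLIC_KEY_PLACEHOLDER", "hint": 0xAE},
]


def peer_subnet(prefix, hint):
    """The /64 that ip6assign=64 with ip6hint=hint selects inside prefix."""
    free_bits = 64 - prefix.prefixlen
    if free_bits < 0 or hint >= 1 << free_bits:
        raise ValueError("hint %#x does not fit in %s" % (hint, prefix))
    return ipaddress.IPv6Network((int(prefix.network_address) + (hint << 64), 64))


def render_network(peers):
    """Stanzas for /etc/config/network: one wg interface + one peer section each."""
    hints = [p["hint"] for p in peers]
    if len(set(hints)) != len(hints):
        raise ValueError("ip6hint values must be unique per interface")
    out = []
    for i, p in enumerate(peers):
        iface = "wg%d" % i
        gua = peer_subnet(GUA_PREFIX, p["hint"])
        ula = peer_subnet(ULA_PREFIX, p["hint"])
        # A link-local address on the server side is listed explicitly, as the
        # thread's own wg0 config does, so odhcpd has a source for its RAs.
        out.append(
            "config interface '%s'\n"
            "        option proto 'wireguard'\n"
            "        option private_key 'SERVER_PRIVATE_KEY_%d_PLACEHOLDER'\n"
            "        option listen_port '%d'\n"
            "        option ip6assign '64'\n"
            "        option ip6hint '%x'\n"
            "        list ip6class 'wan6'\n"
            "        list ip6class 'local'\n"
            "        list addresses '10.100.%d.1/24'\n"
            "        list addresses 'fe80::%d:1/64'\n"
            % (iface, i, BASE_PORT + i, p["hint"], i, i + 1)
        )
        # allowed_ips is the whole /64 (the client picks its own SLAAC address)
        # plus fe80::/64 so the client's router solicitations pass WireGuard's
        # source-address check.
        out.append(
            "config wireguard_%s\n"
            "        option description '%s'\n"
            "        option public_key '%s'\n"
            "        option route_allowed_ips '1'\n"
            "        option persistent_keepalive '25'\n"
            "        list allowed_ips '10.100.%d.2/32'\n"
            "        list allowed_ips '%s'\n"
            "        list allowed_ips '%s'\n"
            "        list allowed_ips 'fe80::/64'\n"
            % (iface, p["name"], p["public_key"], i, gua, ula)
        )
    return "\n".join(out)


def render_dhcp(peers):
    """Stanzas for /etc/config/dhcp: RA server on each tunnel, no DHCPv4.
    The option names 'ra' and 'ignore' are assumed from odhcpd's UCI schema."""
    return "\n".join(
        "config dhcp 'wg%d'\n"
        "        option interface 'wg%d'\n"
        "        option ra 'server'\n"
        "        option ignore '1'\n" % (i, i)
        for i in range(len(peers))
    )


if __name__ == "__main__":
    print(render_network(PEERS))
    print(render_dhcp(PEERS))
```

Because each interface has exactly one peer, a whole /64 (and fe80::/64) in allowed_ips cannot collide with another peer, which is what makes the per-interface layout work where a shared wg0 cannot.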

That's pretty clever, I will try to test. Thanks
But it would be a pain to manage for a lot of peers.

edit: saw this related post : Automatic GUA IPv6 address for Wireguard client

I got IPv4 back on the Windows machine; it seems it was related to the MTU.
IPv6 still works only for the local network and is not forwarded outside.

@mk24, SLAAC works by delegating an interface per client. Great. I can now browse the local network using IPv6 on Android.

On the Windows machine where I've added a fixed GUA, I can ping local network GUAs, but every traceroute -6 to the outside stops at the router.

( It works on lan without passing through wg tunnel )

Maybe it is possible to use a /60 interface for your WG server so that you can hand out /64 addresses?


Yep, I thought about that yesterday, and will try it in a second stage.

First I'd like to solve why the external IPv6 traffic through the VPN is blocked.
I could confirm that I can access the Starlink router GUA from the WireGuard tunnel (I can access the OpenWrt interface using the GUA; it is supposed to be accessible only from the local network).
So the routing on the client side seems to be ok.

Here are the IPv6 routes on the OpenWrt router:

2a0d:xxxx:xxxx:xxxx::/64 dev eth0 proto static metric 256 pref medium
unreachable 2a0d:xxxx:xxxx:xxxx::/64 dev lo proto static metric 2147483647 error 4294967183 pref medium
2a0d:xxxx:xxxx:xx00::/64 dev br-lan proto static metric 128 pref medium
2a0d:xxxx:xxxx:xxad::/64 dev wg0 proto static metric 1024 pref medium
unreachable 2a0d:xxxx:xxxx:xx00::/56 dev lo proto static metric 2147483647 error 4294967183 pref medium
fd35:xxxx:xxxx:ad::/64 dev wg0 proto static metric 1024 pref medium
unreachable fd35:xxxx:xxxx::/48 dev lo proto static metric 2147483647 error 4294967183 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
fe80::/64 dev wlan1 proto kernel metric 256 pref medium
fe80::/64 dev wg0 proto kernel metric 256 pref medium
default via fe80::200:5eff:fe00:101 dev eth0 proto static metric 512 pref medium
default dev wg0 proto static metric 1024 pref medium

And here is the Android client wg interface; we can see it got a GUA and a ULA with SLAAC:

 tun0      Link encap:UNSPEC
          inet addr:10.100.0.2  P-t-P:10.100.0.2  Mask:255.255.255.255
          inet6 addr: fd35:9a3b:16f5:ad:xxxx:xxxx:xxxx:9ff6/64 Scope: Global
          inet6 addr: 2a0d:xxxx:xxxx:52ad:xxxx:xxxx:xxxx:dcae/64 Scope: Global
          inet6 addr: fe80::2/64 Scope: Link
          inet6 addr: fe80::7bac:9299:fbad:350/64 Scope: Link
          UP POINTOPOINT RUNNING  MTU:1280  Metric:1
          RX packets:5841 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5716 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:3587559 TX bytes:1174449

And here are the routes on Android while WireGuard is connected:
2a01:: are the IPv6 addresses from my 4G connection.
Starlink has 2a0d::
I

2a01:xxxx:xxxx:xxxx::/64 dev rmnet1 table 1000000015 proto static metric 1024 pref medium
2a01:xxxx:xxxx:xxxx::/64 dev rmnet2 table 1000000016 proto static metric 1024 pref medium
fe80::/64 dev tun0 table 1146 proto kernel metric 256 pref medium
fe80::/64 dev tun0 table 1146 proto static metric 1024 pref medium
default dev tun0 table 1146 proto static metric 1024 pref medium
fe80::/64 dev tun0 table 1000000146 proto static metric 1024 pref medium
fe80::/64 dev dummy0 table 1002 proto kernel metric 256 pref medium
default dev dummy0 table 1002 proto static metric 1024 pref medium
2a01:xxxx:xxxx:xxxx::/64 dev rmnet1 table 1015 proto kernel metric 256 pref medium
2a01:xxx:xxxx:xxxx::/64 dev rmnet1 table 1015 proto static metric 1024 pref medium
fe80::/64 dev rmnet1 table 1015 proto kernel metric 256 pref medium
default dev rmnet1 table 1015 proto static metric 1024 mtu 1500 pref medium
2a01:xxxx:xxxx:xxxx::/64 dev rmnet2 table 1016 proto kernel metric 256 pref medium
2a01:xxxx:xxxx:xxxx::/64 dev rmnet2 table 1016 proto static metric 1024 pref medium
fe80::/64 dev rmnet2 table 1016 proto kernel metric 256 pref medium
default dev rmnet2 table 1016 proto static metric 1024 mtu 1340 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local 2a01:xxxx:xxxx:xxxx:xxxxxxxxb:xxxx:8601 dev rmnet1 table local proto kernel metric 0 pref medium
anycast 2a01:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:b368 dev rmnet1 table local proto kernel metric 0 pref medium
local 2a01:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:d401 dev rmnet2 table local proto kernel metric 0 pref medium
local fe80::2 dev tun0 table local proto kernel metric 0 pref medium
local fe80::200:ff:fe00:0 dev rmnet1 table local proto kernel metric 0 pref medium
local fe80::200:ff:fe00:0 dev rmnet2 table local proto kernel metric 0 pref medium
local fe80::d8df:4eff:fe50:2ade dev dummy0 table local proto kernel metric 0 pref medium
local fe80::f56b:9030:e7ab:4e8f dev tun0 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev dummy0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev rmnet1 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev rmnet2 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev tun0 table local proto kernel metric 256 pref medium

And FW traffic rules:

uci firewall output here

The wireguard interface is set as a default route in the router, that should not be. The default route is only the WAN.

Run tcpdump on the wg0 interface to confirm that the phone is routing requests for the V6 internet through the tunnel. Then you can look at the wan interface to see if they are being forwarded.
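
Added example, not from the thread: a Python audit of the `ip -6 route` output posted above that flags default routes on anything other than the WAN device and ranks them by metric, so you can see which default the kernel actually prefers. The sample input is the thread's own masked route listing, before and after the wg0 default was removed.

```python
"""Audit an OpenWrt 'ip -6 route' listing for stray default routes.

Parses route lines as printed by iproute2, lists default routes that are not
on the WAN device, and ranks them by metric. Example code written for this
thread; not OpenWrt's own tooling.
"""
import re

# Route output as posted in this thread (addresses masked by the poster),
# while wg0 still carried a default route.
ROUTES_WITH_WG_DEFAULT = """\
2a0d:xxxx:xxxx:xxxx::/64 dev eth0 proto static metric 256 pref medium
unreachable 2a0d:xxxx:xxxx:xxxx::/64 dev lo proto static metric 2147483647 error 4294967183 pref medium
2a0d:xxxx:xxxx:xx00::/64 dev br-lan proto static metric 128 pref medium
2a0d:xxxx:xxxx:xxad::/64 dev wg0 proto static metric 1024 pref medium
unreachable 2a0d:xxxx:xxxx:xx00::/56 dev lo proto static metric 2147483647 error 4294967183 pref medium
fd35:xxxx:xxxx:ad::/64 dev wg0 proto static metric 1024 pref medium
fe80::/64 dev wg0 proto kernel metric 256 pref medium
default via fe80::200:5eff:fe00:101 dev eth0 proto static metric 512 pref medium
default dev wg0 proto static metric 1024 pref medium
"""

# Same router after the poster removed the ::/0 route from wg0.
ROUTES_AFTER_FIX = """\
2a0d:xxxx:xxxx:xxad::/64 dev wg0 proto static metric 1024 pref medium
fe80::/64 dev wg0 proto kernel metric 256 pref medium
default via fe80::200:5eff:fe00:101 dev eth0 proto static metric 512 pref medium
default via fe80::200:5eff:fe00:101 dev eth0 proto ra metric 1024 expires 294sec hoplimit 64 pref medium
"""

ROUTE_RE = re.compile(
    r"^(?:(?P<kind>unreachable|blackhole|prohibit|local|anycast|multicast)\s+)?"
    r"(?P<dst>\S+)"
    r"(?:\s+via\s+(?P<via>\S+))?"
    r"\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"(?:.*?\bmetric\s+(?P<metric>\d+))?"
)


def parse_routes(text):
    """Return one dict per parsable route line (kind, dst, via, dev, proto, metric)."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        r = m.groupdict()
        # iproute2 prints a metric for every IPv6 route; 1024 (the kernel
        # default) is assumed only if one is ever missing.
        r["metric"] = int(r["metric"]) if r["metric"] else 1024
        routes.append(r)
    return routes


def default_routes(text):
    """Usable (not unreachable/blackhole) default routes."""
    return [r for r in parse_routes(text)
            if r["dst"] == "default" and r["kind"] is None]


def unexpected_defaults(text, wan_dev):
    """Devices other than wan_dev that carry a default route."""
    return sorted({r["dev"] for r in default_routes(text) if r["dev"] != wan_dev})


def preferred_default(text):
    """Device of the lowest-metric default route, i.e. the one the kernel uses."""
    defaults = default_routes(text)
    return min(defaults, key=lambda r: r["metric"])["dev"] if defaults else None


def prefixes_on_dev(text, dev):
    """Non-default destination prefixes routed out of a device."""
    return [r["dst"] for r in parse_routes(text)
            if r["dev"] == dev and r["dst"] != "default" and r["kind"] is None]


if __name__ == "__main__":
    for label, text in (("before", ROUTES_WITH_WG_DEFAULT), ("after", ROUTES_AFTER_FIX)):
        print(label, "stray defaults:", unexpected_defaults(text, "eth0"),
              "preferred:", preferred_default(text),
              "wg0 prefixes:", prefixes_on_dev(text, "wg0"))
```

Run it on `ip -6 route` from the router; an empty "stray defaults" list and the WAN device as the preferred default are what you want to see before moving on to the tcpdump check on wg0 and the WAN interface.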

I've removed the ::/0 route from wg , now it looks like this:

2a0d:xxxx:xxxx:2e74::/64 dev eth0 proto static metric 256 pref medium
unreachable 2a0d:xxxx:xxxx:2e74::/64 dev lo proto static metric 2147483647 error 4294967183 pref medium
2a0d:xxxx:xxxx:xx00::/64 dev br-lan proto static metric 128 pref medium
2a0d:xxxx:xxxx:xxad::/64 dev wg0 proto static metric 1024 pref medium
unreachable 2a0d:xxxx:xxxx:xx00::/56 dev lo proto static metric 2147483647 error 4294967183 pref medium
fd35:xxxx:xxxx:xxxx::/64 dev wg0 proto static metric 1024 pref medium
unreachable xxxx:xxxx:xxxx::/48 dev lo proto static metric 2147483647 error 4294967183 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
fe80::/64 dev wlan1 proto kernel metric 256 pref medium
fe80::/64 dev wg0 proto kernel metric 256 pref medium
fe80::/64 dev wg0 proto static metric 1024 pref medium
default via fe80::200:5eff:fe00:101 dev eth0 proto static metric 512 pref medium
default via fe80::200:5eff:fe00:101 dev eth0 proto ra metric 1024 expires 294sec hoplimit 64 pref medium

I don't get where this LL fe80::200:5eff:fe00:101 is coming from. It doesn't even respond to ping.
But again ipv6 is working flawlessly from the lan to wan. It only fails from wg to wan.

Some tcpdump on wg0, when requesting ipv6.google.com from the Android device through wg:

16:58:40.353283 IP6 2a0d:xxxx:xxxx:xxad:xxxx:xxxx:xxxx:c09.35812 > 2a00:1450:4009:81e::200e.443: Flags [S], seq 2664213445, win 65535, options [mss 1220,sackOK,TS val 2347020285 ecr 0,nop,wscale 9], length 0
16:58:40.353509 IP6 2a0d:xxxx:xxxx:xxad:xxxx:xxxx:xxxx:c09.35824 > 2a00:1450:4009:81e::200e.443: Flags [S], seq 2109174054, win 65535, options [mss 1220,sackOK,TS val 2347020301 ecr 0,nop,wscale 9], length 0
16:58:40.368721 IP6 2a0d:xxxx:xxxx:xxad:xxxx:xxxx:xxxx:c09.39938 > 2404:6800:4006:812::200e.443: UDP, length 1230