WireGuard road-warrior automated ULA

I have set up a Wireguard server using the WireGuard road-warrior automated script. My ISP gives me a dynamic /56 prefix so I chose "IPv6 Configuration B". I can ping other IPv6 ULAs on my local network, but I can't browse the public IPv6 internet. https://ipquail.com says I only have a public IPv4 address (the same as my home network). I have run the enable-ula.sh script which gives:

uci: Entry not found
Interface wan6 not found

My wan is pppoe and it automatically spawns the wan_6 interface. I have manually set uci set network.wan.sourcefilter='0'. The wan_6 interface is not editable. I have only set up IPv4 ingress.

I am looking for advice on what I could check to tunnel IPv6 over the Wireguard tunnel. Many thanks.

First off: confirm that IPv6 routing works from your LAN out to the internet. If that doesn't work, then get that working first, then come back to the wireguard/road-warrior VPN configuration.

The enable-ula.sh script on the roadwarrior page (https://openwrt.org/docs/guide-user/services/vpn/wireguard/road-warrior) will need adjustment for your pppoe configuration. You'd need to replace wan6 with wan_6 (what you say you get for your interface).
And check what's the result of uci get network.wan_6.proto, if it's not 6in4 or dhcpv6 we'll need some more thinking/research.

IPv6 is working when connected locally:

uci get network.wan_6.proto gives uci: Entry not found even though in LuCI the wan_6 interface is shown:

OK, this part is unfamiliar to me (pppoe setup for IPv6). It also seems strange to me that wan_6 is not assigned to a firewall zone?
We'll need someone familiar with how this setup works to advise on how to set the sourcefilter for IPv6 on this virtual interface.

I didn't set up the wan_6 interface so I don't know anything about how it works. It is spawned automatically since the wan interface is set up to automatically obtain a prefix:

Not sure if because it is effectively an alias of wan it uses that firewall zone. Notice how the LuCI "Edit" button is grayed out so I can't do anything with it.

I have disabled IPv6 source routing in the wan interface, which I presume affects the wan_6 interface:

Can you verify that the srcnat_wan firewall rule is working when you ping from the router itself?
You should see this in the firewall status on LuCI, status menu -> firewall, search for srcnat_wan, should be something like:

If you run ping on your router, using as a source address the ULA address assigned to your LAN interface, you want to see that traffic size count increasing, and ping succeeding:

root@LEDE:~# ifconfig br-lan.1 |grep 'inet6.*: f.*Global'
          inet6 addr: fd2c:e7de:cb6b:1::1/64 Scope:Global

root@LEDE:~# ping -c 5 -I fd2c:e7de:cb6b:1::1 -6 forum.openwrt.org
PING forum.openwrt.org (2a03:b0c0:3:d0::168b:9001) from fd2c:e7de:cb6b:1::1: 56 data bytes
64 bytes from 2a03:b0c0:3:d0::168b:9001: seq=0 ttl=48 time=99.111 ms
64 bytes from 2a03:b0c0:3:d0::168b:9001: seq=1 ttl=48 time=104.569 ms
64 bytes from 2a03:b0c0:3:d0::168b:9001: seq=2 ttl=48 time=105.837 ms
64 bytes from 2a03:b0c0:3:d0::168b:9001: seq=3 ttl=48 time=99.135 ms
64 bytes from 2a03:b0c0:3:d0::168b:9001: seq=4 ttl=48 time=103.736 ms

--- forum.openwrt.org ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 99.111/102.477/105.837 ms

If that's not working, then that'll also mean the internal hosts on VPN or LAN interfaces can't send out traffic via IPv6 from the ULA source address.

This can be done with GUAs. It would work better of course if you had a static prefix, but it can work with a dynamic prefix and distribute a changed prefix to compatible clients (those that can listen for RAs on the Wireguard interface).

The main restriction is that each client must have its own Wireguard interface. If you have multiple clients they each have their own interface with a separate /64. It will not work to set up the clients as multiple peers on a shared interface.

When Wireguard is point to point, it is permissible to set allowed_ips to ::/0 on both ends and control routing within the server externally by not selecting route_allowed_ips. Route_allowed_ips would still be set on each road warrior. If you set ip6assign '64' on each OpenWrt server interface, that will properly install a /64 route to each interface, and also hopefully reconfigure it to the new IP every time the ISP changes it. Then build a DHCP section for each interface with RA enabled (DHCPv6 will also work). Generally a client will use SLAAC to choose a random IP within the /64, which is OK since the entire /64 is routed to it.

When I wrote the guide, I wasn't aware of any Wireguard client that used DHCP or DHCPv6 to get its IP address for the interface. Have you found some that do? Which operating systems?

Thanks for the suggestion but I think this could get unmanageable very quickly. I currently have 3 (ipv4) Wireguard interfaces for each of my 3 VLANs running on separate ports. With around 10-20 clients on each interface, this could get quite messy if each client on each wg server needed its own interface. It's also a waste of a good chunk of the 256 /64s that I get from my /56 prefix.

I don't have anything related to ipv6 under the "srcnat_wan" chain, could this be the issue?

Likewise LAN ULA can't ping IPv6:

root@WhitesServer:~#  ifconfig br-home |grep 'inet6.*: f.*Global'
          inet6 addr: fd66:eb99:1505:2::1/64 Scope:Global
root@WhitesServer:~# ping -c 5 -I fd66:eb99:1505:2::1 -6 forum.openwrt.org
PING forum.openwrt.org (2a03:b0c0:3:d0::168b:9001) from fd66:eb99:1505:2::1: 56 data bytes
ping: sendto: Network unreachable

Oh shoot, my personal config has diverged from what the scripts set up (years ago in my case).
The script creates firewall rules in /etc/nftables.d/nat6_wg_XXX.nft ; what's yours look like? Perhaps the script didn't get it created correctly for current OpenWrt network configs.

You can try instead to create the rule that I'm using. In the network -> firewall menu, NAT rules tab:

The rules have been added in /etc/nftables.d/:

# Created by wg_roadwarrior_home.sh
chain srcnat_ula6_home_vpn {
  type nat hook postrouting priority srcnat; policy accept;
  oifname "$wan_devices" ip6 saddr fd66:eb99:1505:b::/64 counter masquerade comment "!fw4: ULA masquerade6"
}

And show up on LuCI:

I have added the WAN rule manually:

Which now shows up:

But ULA addresses are still not routable:

Using the lan interface GUA address, I can ping IPv6, so IPv6 is working correctly, just not NAT66.

I got the same ping: sendto: Network unreachable when I set my wan6 interface to use source filtering:

root@LEDE:~# uci set network.wan6.sourcefilter=1
root@LEDE:~# ifup wan6
root@LEDE:~# ping -c 5 -I fd2c:e7de:cb6b:1::1 -6 forum.openwrt.org
PING forum.openwrt.org (2a03:b0c0:3:d0::168b:9001) from fd2c:e7de:cb6b:1::1: 56 data bytes
ping: sendto: Network unreachable

and then when I return it to not do source filtering, we're good again:

root@LEDE:~# uci set network.wan6.sourcefilter=0
root@LEDE:~# uci commit
root@LEDE:~# ifup wan6
root@LEDE:~# ping -c 5 -I fd2c:e7de:cb6b:1::1 -6 forum.openwrt.org
PING forum.openwrt.org (2a03:b0c0:3:d0::168b:9001) from fd2c:e7de:cb6b:1::1: 56 data bytes
64 bytes from 2a03:b0c0:3:d0::168b:9001: seq=0 ttl=48 time=102.839 ms
64 bytes from 2a03:b0c0:3:d0::168b:9001: seq=1 ttl=48 time=105.631 ms
64 bytes from 2a03:b0c0:3:d0::168b:9001: seq=2 ttl=48 time=100.852 ms
64 bytes from 2a03:b0c0:3:d0::168b:9001: seq=3 ttl=48 time=99.696 ms
64 bytes from 2a03:b0c0:3:d0::168b:9001: seq=4 ttl=48 time=99.882 ms

--- forum.openwrt.org ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 99.696/101.780/105.631 ms

That suggests that your IPv6 wan is not actually turning off sourcefilter.

For DHCPv6, it works, and it's driven by /lib/netifd/proto/dhcpv6.sh which sets an environment variable NOSOURCEFILTER=1 for /usr/sbin/odhcp6c to pass through to /lib/netifd/dhcpv6.script, which manages the routes.

In my case, the net difference in the routing tables is visible in the default IPv6 route. You want something like this:

# ip -6 route |grep ^default
default via fe80::ae4b:c8ff:fe4d:b8f2 dev wan  metric 512 

to get the default route for all source addresses. If you see default from xyz::/56 ... then you've got source filtering.

Anybody know how to get the equivalent of sourcefilter disabled for pppoe-provisioned IPv6?

Maybe there's something you can do with /lib/netifd/ppp6-up by adding a callout script in /etc/ppp/ip-up.d ?
Or, looking at the ppp6-up script, it seems to be creating the virtual interface, it is mentioning dhcpv6 so maybe there's just something we missed with how to set the sourcefilter variable?
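The default-route check described in the post above, written out as a small script you can run on the router (an added example, not from the thread or the road-warrior page; the sample route lines and their prefixes are constructed placeholders):

```shell
#!/bin/sh
# Added example: classify the IPv6 default route(s) from "ip -6 route".
# A default route carrying a "from <prefix>" qualifier is source-filtered:
# only packets whose source address lies in that (ISP-delegated GUA) prefix
# may use it, so a ULA source gets "ping: sendto: Network unreachable".
# A plain "default via ..." serves every source address, ULA included.
#
# Usage: classify_default6 "<output of: ip -6 route>"
# Prints one of: unfiltered | filtered | none
classify_default6() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            seen = 1
            # "default from ::/0" is not a restriction, treat it as plain
            if ($2 == "from" && $3 != "::/0") { filtered = 1 }
            else { plain = 1 }
        }
        END {
            if (!seen)        print "none"
            else if (plain)   print "unfiltered"   # some default serves all sources
            else              print "filtered"     # every default is prefix-bound
        }'
}

# Constructed samples modelled on the two routers in the thread (placeholder
# prefixes and link-local addresses, not real ones).
ROUTES_OK='default via fe80::1 dev wan metric 512'
ROUTES_PPPOE='default from 2001:db8:abcd:100::/56 via fe80::2 dev pppoe-wan metric 512'
ROUTES_NONE='2001:db8:abcd:100::/64 dev br-lan metric 1024'

# On an OpenWrt box this reads the live table; elsewhere "ip" is absent and
# the result is "none".
check_live() {
    classify_default6 "$(ip -6 route 2>/dev/null)"
}
```

If the live check prints "filtered" on a pppoe WAN, the sourcefilter setting on the parent wan interface has not reached the auto-spawned wan_6 routes, which is the symptom the thread is chasing.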

I've got:

root@WhitesServer:~# ip -6 route |grep ^default
default from 2a0a:xxxx:yyyy:zzzz::/56 via fe80::2621:24ff:fe87:323f dev pppoe-wan  metric 512 

So it would appear source routing has not been disabled correctly in my pppoe setup. I have no idea where to look to disable this.

I suggest a new post just asking how to disable source filtering/routing for ipv6 when using pppoe? (the title of this one won't get attention on that specific question)

New thread about this here:

Looks like no one has an answer to this. I am going to have to revert to an IPv4-only road warrior setup for now.