Unable to route IPv6 through Wireguard on OpenWRT router

sh97 Member

As the title suggests, I cannot pass v6 traffic through wireguard. My ISP has just v4 CGNAT so I wanted to configure openwrt to route just v6 via wireguard to a VPS and use v4 from ISP.

The connection is successful. If I add '0.0.0.0/0' to allowed IPs, v4 gets tunnelled, but not v6. Adding '::/0' seems to have no effect at all.

Here are some configs and screenshots.

From /etc/config/network

config interface 'v6_AT'
    option proto 'wireguard'
    option private_key 'xxxx'
    list addresses '10.7.0.2/24'
    list addresses 'fddd:2c4:2c4:2c4::2/64'
    list dns '1.1.1.1'
    list dns '2606:4700:4700::1111'
    option ip6table 'default'
    option force_link '1'

config wireguard_v6_AT
    option description 'id1-atharva'
    option public_key 'xxxx'
    option preshared_key 'xxxx'
    option route_allowed_ips '1'
    option endpoint_host 'xxxx'
    option endpoint_port 'xxxx'
    option persistent_keepalive '25'
    list allowed_ips '::/0'

I believe this has something to do with firewalls and routing, but I have not been able to find anything useful yet. (I came across some posts on the OpenWrt forums, but those haven't worked for me.)

Any help is greatly appreciated, thanks in advance!!

Comments

  • yoursunny Member, IPv6 Advocate
    edited August 2023

    fddd:2c4:2c4:2c4::2 is a unique local address, not a global address.
    You won't be able to reach the global Internet with this address.
    You need to replace this with a global address.

    The /64 prefix used by the home router needs to be listed in AllowedIPs on the WireGuard server side.
    Don't forget to include the "/64" suffix, otherwise the server would treat it as a single address.
    This prefix shall be routed to the server; it cannot be an on-link prefix.
    Refer to Routed IPv6 Hall of Fame for a list of providers that can supply a routed IPv6 prefix.

    Thanked by 2 (Xrmaddness, Pixels)
  • sh97 Member

    @yoursunny said:
    fddd:2c4:2c4:2c4::2 is a unique local address, not a global address.
    You won't be able to reach the global Internet with this address.
    You need to replace this with a global address.

    The /64 prefix used by the home router needs to be listed in AllowedIPs on the WireGuard server side.
    Don't forget to include the "/64" suffix, otherwise the server would treat it as a single address.
    This prefix shall be routed to the server; it cannot be an on-link prefix.
    Refer to Routed IPv6 Hall of Fame for a list of providers that can supply a routed IPv6 prefix.

    Hi, thanks for the reply.

    I think the config and IPs used are alright; I installed wg with Nyr's script. This same config, when used on mobile and a Windows PC, works fine: both v4 + v6 and v6-only are routed correctly.

    So I believe the issue is probably with the OpenWrt configuration of firewall/rules.

  • adns Member
    edited August 2023

    Hi!

    My /etc/config/firewall looks like this:

    config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'DROP'

    So the forward chain drops by default. Can you do an IPv6 ping from the router? If yes, you need to modify the following:

    config zone
        option name 'wan'
        list network 'wan'
        list network 'v6_AT'

    This is needed to enable IPv6 forwarding, because the default forward policy is DROP.

    Which type of addressing do you use on the LAN side for IPv6? If the VPS provider gives you more than a /64 subnet, you can pass it to your LAN and address each device with a globally unique address. If that is not possible, you need to create a local IPv6 subnet that clients are addressed from, and you need to perform NAT on IPv6.

    Thanked by 1 (sh97)
  • sh97 Member
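The two replies above each point at a different thing to verify in the poster's UCI config: yoursunny's point that the tunnel address fddd:2c4:2c4:2c4::2 falls in the unique-local range fc00::/7 (RFC 4193), and adns's point that an interface sitting in no firewall zone is covered by the 'forward DROP' default. The script below is an added example, not code from the thread or from OpenWrt; it parses the kind of fragment the poster pasted and reports both conditions, plus whether any forwarding rule actually targets the zone the WireGuard interface is in. The two config strings are constructed to mirror the posts (keys redacted, and a lan zone with a lan-to-wan forwarding added as an assumption, since the thread only shows the wan zone). A ULA finding is only a problem if the server does not translate that address, which no local config check can tell you.

```python
"""Lint OpenWrt UCI network/firewall fragments for the WireGuard IPv6 issues
raised in the thread. Added example; sample configs below are constructed."""
import ipaddress
import re

# Constructed to mirror the poster's /etc/config/network (keys redacted).
NETWORK_CONFIG = """
config interface 'v6_AT'
    option proto 'wireguard'
    option private_key 'xxxx'
    list addresses '10.7.0.2/24'
    list addresses 'fddd:2c4:2c4:2c4::2/64'
    option force_link '1'

config wireguard_v6_AT
    option public_key 'xxxx'
    option route_allowed_ips '1'
    list allowed_ips '::/0'
"""

# Constructed firewall fragment: v6_AT is in no zone (the adns finding).
# The lan zone and lan->wan forwarding are assumed, not shown in the thread.
FIREWALL_CONFIG = """
config defaults
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'DROP'

config zone
    option name 'wan'
    list network 'wan'

config zone
    option name 'lan'
    list network 'lan'

config forwarding
    option src 'lan'
    option dest 'wan'
"""

ULA = ipaddress.ip_network("fc00::/7")  # unique-local range, RFC 4193
SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?")
ENTRY_RE = re.compile(r"^(option|list)\s+(\S+)\s+'([^']*)'")


def parse_uci(text):
    """Parse a UCI fragment into [(section_type, section_name, {key: [values]})].
    'option' and 'list' are both stored as value lists for uniform handling."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            sections.append((m.group(1), m.group(2), {}))
            continue
        m = ENTRY_RE.match(line)
        if m and sections:
            _, key, value = m.groups()
            sections[-1][2].setdefault(key, []).append(value)
    return sections


def check_wireguard_ipv6(network_text, firewall_text):
    """Return a list of human-readable findings for each WireGuard interface."""
    findings = []
    net = parse_uci(network_text)
    fw = parse_uci(firewall_text)
    wg_ifaces = {name: opts for typ, name, opts in net
                 if typ == "interface" and opts.get("proto") == ["wireguard"]}
    for name, opts in wg_ifaces.items():
        # 1. Tunnel address: is the IPv6 side unique-local rather than global?
        has_v6 = False
        for addr in opts.get("addresses", []):
            ip = ipaddress.ip_interface(addr)
            if ip.version != 6:
                continue
            has_v6 = True
            if ip.ip in ULA:
                findings.append(f"{name}: {addr} is a unique-local address, not global")
        if not has_v6:
            findings.append(f"{name}: no IPv6 address configured")
        # 2. Does any peer route an IPv6 prefix at all?
        peers = [o for typ, _, o in net if typ == f"wireguard_{name}"]
        routes_v6 = any(ipaddress.ip_network(a, strict=False).version == 6
                        for p in peers for a in p.get("allowed_ips", []))
        if not routes_v6:
            findings.append(f"{name}: no IPv6 prefix in allowed_ips")
        # 3. Firewall: zone membership, then whether anything forwards into it.
        zones = [o for typ, _, o in fw if typ == "zone"]
        member_of = [z["name"][0] for z in zones if name in z.get("network", [])]
        if not member_of:
            default_fwd = next((o.get("forward", ["DROP"])[0]
                                for t, _, o in fw if t == "defaults"), "DROP")
            findings.append(f"{name}: in no firewall zone; default forward policy "
                            f"{default_fwd} applies")
        for zone in member_of:
            if not any(o.get("dest") == [zone] for t, _, o in fw if t == "forwarding"):
                findings.append(f"{name}: zone '{zone}' is not the dest of any forwarding rule")
    return findings


if __name__ == "__main__":
    for line in check_wireguard_ipv6(NETWORK_CONFIG, FIREWALL_CONFIG):
        print(line)
```

On the constructed input this reports the ULA address and the missing zone membership; adding `list network 'v6_AT'` to the wan zone clears the second finding because the existing lan-to-wan forwarding then covers the tunnel.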

    @adns said:
    Hi!

    My /etc/config/firewall looks like this:

    config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'DROP'

    So the forward chain drops by default. Can you do an IPv6 ping from the router? If yes, you need to modify the following:

    config zone
        option name 'wan'
        list network 'wan'
        list network 'v6_AT'

    This is needed to enable IPv6 forwarding, because the default forward policy is DROP.

    Which type of addressing do you use on the LAN side for IPv6? If the VPS provider gives you more than a /64 subnet, you can pass it to your LAN and address each device with a globally unique address. If that is not possible, you need to create a local IPv6 subnet that clients are addressed from, and you need to perform NAT on IPv6.

    Thanks, I think I'll need to set up NAT on v6.
    I'll look into this.
