I recently configured my router to be a WireGuard gateway, so that I can dial into my home to reach my NAS. After I had set it up and all seemed to be working well, I noticed that IPv6 packets didn't get out to the internet when I pinged from my laptop:
$ ping6 ipv6.example.net
PING6(56=40+8+8 bytes) fd00:9::4 --> 2a01:123:456:7890::2
^C
--- ipv6.example.net ping6 statistics ---
624 packets transmitted, 0 packets received, 100.0% packet loss
I immediately suspected a routing issue, and so I did the below test on my router:
root@gw:~# ping6 -I fd00:9::1 ipv6.example.net
PING ipv6.example.net (2a01:123:456:7890::2) from fd00:9::1: 56 data bytes
ping6: sendto: Network unreachable
This seemed to confirm my suspicion. But why is there a routing issue?
I remembered that the WireGuard clients all use private addresses, both for IPv4 (RFC 1918) and for IPv6 (a unique local prefix from fd00::/8, RFC 4193). For IPv4 my router masquerades, so the clients' private source addresses are rewritten to its public WAN address. For IPv6 it does no NAT at all: hosts on the LAN have global addresses (from public address space!) and the router forwards those out to the internet unchanged, which is the default setup for OpenWrt.
The VPN network, however, uses fd00:9::/64, a unique local prefix. Packets with a source address from that range cannot be routed on the internet, and the router does not even try to send them: on OpenWrt the IPv6 default route is restricted to source addresses from the public prefix (ip -6 route show default lists it as "default from <public prefix> via ..."), so for a ULA source there is no matching route and the kernel answers "Network unreachable". Even a router with an unrestricted default route would only push the problem one hop out, since the ISP drops packets sourced from fd00::/8.
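As an added illustration (not code from the original post), the following Python script mimics the router's route selection for this case. It parses constructed output of ip -6 route show default, in the shape OpenWrt's netifd produces when the ISP delegates a prefix (a "default from <prefix>" route), and reports whether a packet with a given source address has a usable default route. The prefix 2001:db8:abcd::/56, the gateway fe80::1 and the interface eth1 are example values, not from the original post; the VPN address fd00:9::1 is the one used above.

```python
import ipaddress

# Constructed sample of `ip -6 route show default` on an OpenWrt router.
# netifd installs the IPv6 default route with a "from <delegated prefix>"
# restriction, so only packets sourced from that prefix can use it.
# Prefix, gateway and interface are example values (assumption, not from the post).
SAMPLE_ROUTES = (
    "default from 2001:db8:abcd::/56 via fe80::1 dev eth1 "
    "proto static metric 512 pref medium\n"
)

ULA = ipaddress.ip_network("fc00::/7")  # RFC 4193 unique local addresses


def parse_default_routes(text):
    """Parse `ip -6 route` lines into (source_prefix, via, dev) tuples.

    source_prefix is None for a default route without a `from` restriction.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] != "default":
            continue
        prefix = via = dev = None
        i = 1
        while i + 1 < len(fields):
            key, value = fields[i], fields[i + 1]
            if key == "from":
                prefix = ipaddress.ip_network(value, strict=False)
            elif key == "via":
                via = value
            elif key == "dev":
                dev = value
            # keyed tokens consume their value; flags such as "onlink" do not
            i += 2 if key in ("from", "via", "dev", "proto", "metric", "pref") else 1
        routes.append((prefix, via, dev))
    return routes


def select_default_route(routes, source):
    """Return the first default route whose source restriction admits `source`."""
    src = ipaddress.ip_address(source)
    for prefix, via, dev in routes:
        if prefix is None or src in prefix:
            return (prefix, via, dev)
    return None


def diagnose(source, route_text=SAMPLE_ROUTES):
    """Explain whether a packet from `source` can leave via a default route."""
    src = ipaddress.ip_address(source)
    route = select_default_route(parse_default_routes(route_text), str(src))
    result = {"source": str(src), "ula": src in ULA, "reachable": route is not None}
    if route is None:
        verdict = "Network unreachable: no default route accepts this source"
        if src in ULA:
            verdict += " (ULA is not globally routable; use NAT66 or a global address)"
    else:
        prefix, via, dev = route
        verdict = f"forwarded via {via} dev {dev}"
        if prefix is not None:
            verdict += f" (route restricted to sources from {prefix})"
    result["verdict"] = verdict
    return result


if __name__ == "__main__":
    for addr in ("fd00:9::1", "2001:db8:abcd:1::10"):
        print(diagnose(addr))
```

Running it shows the two outcomes side by side: the VPN address fd00:9::1 matches no default route and gets the same "Network unreachable" verdict the router printed, while a LAN host inside the delegated prefix is forwarded. Feeding the script a plain "default via fe80::1 dev eth1" line shows the other failure mode: the ULA packet would then be forwarded and silently dropped further upstream instead.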