I recently configured my router to be a WireGuard gateway, so that I can dial into my home network to reach my NAS. After I had set it up and everything seemed to be working well, I noticed that IPv6 packets didn’t get out to the internet when I ran a ping on my laptop:
$ ping6 ipv6.example.net
PING6(56=40+8+8 bytes) fd00:9::4 --> 2a01:123:456:7890::2
^C
--- ipv6.example.net ping6 statistics ---
624 packets transmitted, 0 packets received, 100.0% packet loss
I immediately suspected a routing issue, so I ran the following test on my router:
root@gw:~# ping6 -I fd00:9::1 ipv6.example.net
PING ipv6.example.net (2a01:123:456:7890::2) from fd00:9::1: 56 data bytes
ping6: sendto: Network unreachable
This seemed to confirm my suspicion. But why was there a routing issue?
I remembered that the WireGuard clients all use reserved IP addresses — both IPv4 and IPv6. For IPv4 my router does masquerading, but it doesn’t do so for IPv6: in OpenWrt’s default setup, the LAN clients’ IPv6 addresses (which come from public address space!) are passed out to the internet unchanged.
Now, in the case of the VPN network, where reserved addresses from the range fd00:9::1/64 are used, packets with source addresses from that reserved range can’t be routed on the internet, which is why I was seeing the “Network unreachable” error message.
So I needed to enable masquerading. I followed the instructions from OpenWrt’s wiki, which are as follows:
# Configure firewall
uci set firewall.@zone[1].masq6="1"
uci commit firewall
service firewall restart
# Configure network
uci set network.wan6.sourcefilter="0"
uci commit network
service network restart
After applying the above changes, my “road warrior” (laptop with WireGuard client active) could now properly route IPv6 addresses. Hooray!
As I didn’t want to enable masquerading for all the networks I have (I have several, as I use VLANs), but only for the VPN network, I made a small modification.
I went into Network > Firewall > Zones and clicked “Edit” for the “wan” zone. On the “Advanced Settings” tab there is an entry field “Restrict Masquerading to given source subnets”, in which I entered the VPN IPv6 network range fd00:9::1/64. OpenWrt calls this “Limited masquerading”, and it shows as below (note the “warning” triangle in the “Masquerading” column):

After I had applied these settings, IPv6 routing was still working, but using a service like WhatIsMyIpAddress I confirmed that my router’s public IPv6 address was now used as the client address for my requests, instead of a client-specific address from the delegated range that my normal LAN clients use. For the normal LAN clients no masquerading was applied, and their own public IPv6 addresses continue to be used for communication towards the internet.
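To make the three states described above concrete (no IPv6 masquerading, masquerading for every source, and masquerading limited to the VPN subnet), here is a small model of the decision the firewall makes per packet. This is an added example and not code from the post or from OpenWrt; the WAN address 2001:db8:abcd::1 and the LAN prefix 2001:db8:abcd:1::/64 are constructed, the VPN range fd00:9::1/64 is the one from the post.

```python
"""Model of OpenWrt 'limited masquerading' for IPv6 egress (added example)."""
from ipaddress import IPv6Network, ip_address, ip_network

# Unique local addresses (RFC 4193) are never routable on the internet;
# a packet leaving the WAN with such a source is exactly the failure in the post.
ULA = IPv6Network("fc00::/7")

# Constructed sample values (not from the post, except the VPN range).
WAN_ADDR = "2001:db8:abcd::1"          # router's own public WAN address
LAN_CLIENT = "2001:db8:abcd:1::10"     # client with a delegated public address
VPN_CLIENT = "fd00:9::4"               # WireGuard client with a ULA address
VPN_RANGE = "fd00:9::1/64"             # value typed into the LuCI field


def egress_source(src, masq6, masq_src, wan_addr=WAN_ADDR):
    """Return the source address a packet leaves the WAN zone with.

    masq6 False                -> passed through unchanged (OpenWrt default)
    masq6 True, masq_src empty -> every source rewritten to wan_addr
    masq6 True, masq_src set   -> rewritten only if src lies inside one of
                                  the listed subnets ("limited masquerading")
    strict=False lets a prefix with host bits, like fd00:9::1/64, be used.
    """
    addr = ip_address(src)
    if not masq6:
        return src
    if not masq_src or any(addr in ip_network(n, strict=False) for n in masq_src):
        return wan_addr
    return src


def leaks_ula(egress_addr):
    """True if the packet would hit the internet with an unroutable ULA source."""
    return ip_address(egress_addr) in ULA


def compare_configs():
    """Egress source for both client kinds under each of the post's three setups."""
    configs = {
        "default": (False, []),
        "masq6_all": (True, []),
        "masq6_limited": (True, [VPN_RANGE]),
    }
    return {
        name: {
            "vpn": egress_source(VPN_CLIENT, masq6, masq_src),
            "lan": egress_source(LAN_CLIENT, masq6, masq_src),
        }
        for name, (masq6, masq_src) in configs.items()
    }
```

The "default" row reproduces the broken state (the VPN client leaks its ULA source), "masq6_all" hides the LAN clients behind the router too, and "masq6_limited" is the final configuration from the post.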
In case this was helpful for you, I’d appreciate some quick feedback from you. Thank you.