Virtual private networks / Wireguard VPN and IPv6 routes
« on: September 21, 2023, 11:44:08 am »
Hi All,
I've only recently installed my new router with OPNsense (I previously came from the Ubiquiti EdgeRouter / VyOS world), so I'm still learning quite a lot. So far I've got almost everything running, except one thing, hence my question to you all.
Context: My OPNsense router serves as a Wireguard VPN server (among other things) for a set of 4 VPS servers I have running in the cloud. These 4 servers connect with a Wireguard client to my OPNsense server, so I can extend them into my home network. My home network runs under 192.168.137.0/24 and the 4 servers are in 192.168.136.0/24 (192.168.136.1 up through 192.168.136.4 to be precise). The OPNsense server runs under 192.168.136.254 for the Wireguard endpoint. So far so good, the Wireguard connection is running and stable, and I have added the necessary firewall rules so things can talk to each other. From my LAN (e.g. from 192.168.137.5) I can ping 192.168.136.1 and vice versa. IPv4 works perfectly.
My whole network is dual-stack IPv4/IPv6 however, with the local LAN using prefix delegation from my ISP. This is also all working as expected. I now wish to extend the Wireguard network to the VPS servers with IPv6 too. For this, I have updated the Wireguard settings on the servers to add an IPv6 ULA address to them, notably fd00:192:168:136::1 up through fd00:192:168:136::4 and have assigned fd00:192:168:136::254 to the OPNsense server. The VPN is up, I can ping the VPS servers from OPNsense and vice versa.
Now the problem: from my LAN, I have tried pinging fd00:192:168:136::254 (i.e. the OPNsense server) and this works fine. However, I cannot reach anything beyond the OPNsense server over Wireguard on IPv6. I'm probably missing something very stupid like a route somewhere, but I cannot find what in the documentation or in the forums.
From a client in my LAN, a traceroute to fd00:192:168:136::1 goes to the IPv6 address of the OPNsense server, but stops there.
What am I missing here to make sure that my LAN can connect to the VPS servers connected to OPNsense over IPv6, like they can over IPv4?
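One thing worth checking in a setup like the one described above is WireGuard's cryptokey routing, which is easy to overlook when a tunnel is extended from IPv4 to IPv6. WireGuard sends a packet to the peer whose AllowedIPs contains the destination, and accepts a decrypted packet only if its source address falls inside the sending peer's AllowedIPs; anything else is dropped silently, which from a LAN client looks exactly like a missing route on the hub. A LAN host that only has an address from the ISP's delegated prefix will source its pings to the ULA from that delegated address, so the VPS side must list that prefix too. The script below is an added example, not code from the original post or from OPNsense: it parses two constructed WireGuard configs (hub and one spoke; the keys, the hostname and the 2001:db8:1234::/48 LAN prefix are placeholders) and reports, for a given source/destination pair, which side's AllowedIPs would drop the packet. The same two conditions apply to the reply path with the roles swapped, so one check covers the round trip. On OPNsense the per-peer Allowed IPs are visible in the WireGuard peer settings, and on the VPS `wg show all allowed-ips` prints the live table.

```python
"""Cryptokey-routing check for a WireGuard hub-and-spoke setup (added example).

WireGuard has no separate routing table for the tunnel: a packet leaves through
the peer whose AllowedIPs contains the destination, and a decrypted packet is
accepted only if its source address lies within the sending peer's AllowedIPs.
"""
import ipaddress

# Constructed sample configs. Keys, the endpoint hostname and the delegated LAN
# prefix 2001:db8:1234::/48 are placeholders, not the poster's real values.
HUB_CONFIG = """
[Interface]
Address = 192.168.136.254/24, fd00:192:168:136::254/64
ListenPort = 51820
PrivateKey = HUB_PRIVATE_KEY

[Peer]
PublicKey = VPS1_PUBLIC_KEY
AllowedIPs = 192.168.136.1/32, fd00:192:168:136::1/128
"""

VPS1_CONFIG = """
[Interface]
Address = 192.168.136.1/24, fd00:192:168:136::1/64
PrivateKey = VPS1_PRIVATE_KEY

[Peer]
PublicKey = HUB_PUBLIC_KEY
Endpoint = hub.example.net:51820
# The LAN's delegated IPv6 prefix is missing here, so LAN IPv6 sources are dropped.
AllowedIPs = 192.168.136.0/24, 192.168.137.0/24, fd00:192:168:136::/64
"""

# Same spoke config with the delegated LAN prefix added.
VPS1_CONFIG_FIXED = VPS1_CONFIG.replace(
    "fd00:192:168:136::/64", "fd00:192:168:136::/64, 2001:db8:1234::/48")


def parse_allowed_ips(config):
    """Map each peer's PublicKey to the ip_network objects listed in its AllowedIPs."""
    peers, key, allowed = {}, None, []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("["):             # new section: flush the previous peer
            if key is not None:
                peers[key] = allowed
            key, allowed = None, []
            continue
        name, _, value = line.partition("=")
        name, value = name.strip().lower(), value.strip()
        if name == "publickey":
            key = value
        elif name == "allowedips":
            allowed.extend(ipaddress.ip_network(n.strip(), strict=False)
                           for n in value.split(",") if n.strip())
    if key is not None:
        peers[key] = allowed
    return peers


def covering_peer(peers, address):
    """PublicKey of the peer whose AllowedIPs covers address (longest prefix wins), or None."""
    addr = ipaddress.ip_address(address)
    best, best_len = None, -1
    for key, nets in peers.items():
        for net in nets:
            if net.version == addr.version and addr in net and net.prefixlen > best_len:
                best, best_len = key, net.prefixlen
    return best


def check_flow(sender, receiver, src, dst):
    """Problems that stop a packet src->dst from crossing the tunnel sender->receiver.

    Outbound: sender must select the receiver's peer entry for dst.
    Inbound:  receiver must find src inside the sender's peer entry.
    An empty list means cryptokey routing permits the flow (and its reply).
    """
    problems = []
    out_peer = covering_peer(sender["peers"], dst)
    if out_peer != receiver["pubkey"]:
        problems.append(f"{sender['name']}: destination {dst} not in AllowedIPs of peer "
                        f"{receiver['pubkey']} (matched {out_peer})")
    in_peer = covering_peer(receiver["peers"], src)
    if in_peer != sender["pubkey"]:
        problems.append(f"{receiver['name']}: source {src} not in AllowedIPs of peer "
                        f"{sender['pubkey']} (matched {in_peer}); dropped on receipt")
    return problems


HUB = {"name": "opnsense", "pubkey": "HUB_PUBLIC_KEY", "peers": parse_allowed_ips(HUB_CONFIG)}
VPS1 = {"name": "vps1", "pubkey": "VPS1_PUBLIC_KEY", "peers": parse_allowed_ips(VPS1_CONFIG)}
VPS1_FIXED = {**VPS1, "peers": parse_allowed_ips(VPS1_CONFIG_FIXED)}

# Constructed test flows: LAN IPv4 client, hub's own ULA, and a LAN client with a
# delegated (placeholder) global address, each pinging vps1's ULA.
FLOWS = [
    ("192.168.137.5", "192.168.136.1"),
    ("fd00:192:168:136::254", "fd00:192:168:136::1"),
    ("2001:db8:1234:5::10", "fd00:192:168:136::1"),
]

if __name__ == "__main__":
    for spoke in (VPS1, VPS1_FIXED):
        print(f"--- hub -> {spoke['name']} ({'fixed' if spoke is VPS1_FIXED else 'as posted'})")
        for src, dst in FLOWS:
            print(f"{src} -> {dst}: {check_flow(HUB, spoke, src, dst) or 'ok'}")
```

Run it as-is and the third flow is reported as dropped on the spoke until the delegated prefix is in the spoke's AllowedIPs; the hub-side entry for the spoke also needs the spoke's ULA (shown here as a /128), otherwise the hub has nowhere to send the packet and a traceroute would end at the hub's own address. If the LAN prefix changes with the ISP's delegation, a NAT66 rule on the WireGuard interface or a stable ULA on the LAN avoids having to update the spoke configs each time.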

