Wireguard VPN and IPv6 routes

Started by ajunne, September 21, 2023, 11:44:08 AM

Hi All,

I've only recently installed my new router with OPNsense (I previously came from the Ubiquiti EdgeRouter / VyOS world), so I'm still learning quite a lot. So far I've got almost everything running, except one thing, hence my question to you all.

Context: My OPNsense router serves as a Wireguard VPN server (among other things) for a set of 4 VPS servers I have running in the cloud. These 4 servers connect with a Wireguard client to my OPNsense server, so I can extend them into my home network. My home network runs under 192.168.137.0/24 and the 4 servers are in 192.168.136.0/24 (192.168.136.1 up through 192.168.136.4 to be precise). The OPNsense server runs under 192.168.136.254 for the Wireguard endpoint. So far so good, the Wireguard connection is running and stable, and I have added the necessary firewall rules so things can talk to each other. From my LAN (e.g. from 192.168.137.5) I can ping 192.168.136.1 and vice versa. IPv4 works perfectly.

My whole network is dual-stack IPv4/IPv6 however, with the local LAN using prefix delegation from my ISP. This is also all working as expected. I now wish to extend the Wireguard network to the VPS servers with IPv6 too. For this, I have updated the Wireguard settings on the servers to add an IPv6 ULA address to them, notably fd00:192:168:136::1 up through fd00:192:168:136::4 and have assigned fd00:192:168:136::254 to the OPNsense server. The VPN is up, I can ping the VPS servers from OPNsense and vice versa.

Now the problem: from my LAN, I have tried pinging fd00:192:168:136::254 (i.e. the OPNsense server) and this works fine. However, I cannot reach anything beyond the OPNsense server over Wireguard on IPv6. I'm probably missing something very stupid like a route somewhere, but I cannot find what in the documentation or in the forums.

From a client in my LAN, a traceroute to fd00:192:168:136::1 goes to the IPv6 address of the OPNsense server, but stops there.

What am I missing here to make sure that my LAN can connect to the VPS servers connected to OPNsense over IPv6, like they can over IPv4?

Reply #1 by Monviech, September 21, 2023, 02:05:14 PM (last edit: September 21, 2023, 02:15:28 PM)
Do you have static IPv6 prefixes from your ISP? Then you could just use GUAs in Wireguard. That way I route IPv6 to multiple VPS through Wireguard.

Otherwise, be careful how you design your ULAs.

fd00:192:168:136::254 looks kinda wonky.

If you have different fd00 networks on different interfaces, you should write them like this:

See here that you need different ULA nets so you can route between them.

Net Wireguard fd00:0000:0000:0001::/64
Net LAN fd00:0000:0000:0002::/64

And in those networks the IP addresses would look like this with ipv4 embedded like you did:

Wireguard Server Endpoint fd00::1:192:168:136:254/64
Wireguard Peer IP fd00::1:192:168:136:1/128
Wireguard Peer IP fd00::1:192:168:136:2/128    etc...

LAN ULAs examples:

fd00::2:192:168:137:1/64
fd00::2:192:168:137:2/64 etc...
Hardware:
DEC740

Quote from: ajunne on September 21, 2023, 11:44:08 AM
fd00:192:168:136::1 up through fd00:192:168:136::4

This hurts (but should technically work).

WireGuard on the VPSs will only accept IPv6 packets with source addresses which you added to the allowed IPs there. If you only add fd00:192:168:136::/something, they won't accept packets from the OPNsense LAN. You'll have to add the OPNsense LAN subnet to the allowed IPs to make this work. If you can't do this because the prefix isn't static, you'll have to deploy static ULAs in addition to the dynamic GUAs in your LAN.

Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).
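
The inbound check Maurice describes is WireGuard's cryptokey routing: AllowedIPs selects the peer for outgoing packets by destination, and after decryption a packet is dropped unless its source address is inside the AllowedIPs of the peer whose key decrypted it. The following Python model is an added example, not code from this thread, from OPNsense or from WireGuard; it reproduces the thread's topology with the addresses given above, treats the VPS's AllowedIPs for the OPNsense peer as the setting under test, and uses a constructed 2001:db8:: GUA for the LAN host. The IPv4 entry 192.168.137.0/24 on the VPS side is assumed, since IPv4 from the LAN is reported to work.

```python
"""Model of WireGuard's cryptokey routing (AllowedIPs), used to check whether a
peer's AllowedIPs actually covers the traffic you expect to push through the
tunnel.  WireGuard applies AllowedIPs in both directions:

  * outbound: the destination is matched (longest prefix) against every
    peer's AllowedIPs to pick the peer that will encrypt the packet;
  * inbound:  after decryption, the packet is dropped unless its SOURCE
    address lies inside the AllowedIPs of the peer whose key decrypted it.

The inbound rule is what silently drops LAN-originated IPv6 in the thread.
Peer names and the 2001:db8:: GUA are constructed for this example.
"""
from ipaddress import ip_address, ip_network


class CryptokeyRouter:
    """The AllowedIPs table of one WireGuard interface."""

    def __init__(self):
        self.peers = {}  # peer name -> list of ip_network objects

    def add_peer(self, name, allowed_ips):
        self.peers[name] = [ip_network(a, strict=False) for a in allowed_ips]

    def peer_for_destination(self, dst):
        """Outbound: longest-prefix match over all peers' AllowedIPs.
        Returns the peer name, or None if no peer covers dst."""
        dst = ip_address(dst)
        best, best_len = None, -1
        for name, nets in self.peers.items():
            for net in nets:
                # `in` is False across address families, so v4/v6 never mix.
                if dst in net and net.prefixlen > best_len:
                    best, best_len = name, net.prefixlen
        return best

    def accepts_source(self, peer, src):
        """Inbound: True if src is inside this peer's AllowedIPs."""
        src = ip_address(src)
        return any(src in net for net in self.peers[peer])


def packet_crosses_tunnel(sender, receiver, sender_peer, receiver_peer, src, dst):
    """True if a packet src->dst passes both cryptokey checks: the sender
    routes dst to `sender_peer`, and the receiver accepts src on `receiver_peer`."""
    if sender.peer_for_destination(dst) != sender_peer:
        return False
    return receiver.accepts_source(receiver_peer, src)


def lan_host_can_reach_vps(src, vps_allowed_ips, dst="fd00:192:168:136::1"):
    """Thread topology: OPNsense has VPS1 as a peer with its tunnel /32 and
    /128; VPS1 has OPNsense as a peer with `vps_allowed_ips`, the setting
    under test.  `src` is the LAN host's address as it enters the tunnel
    (OPNsense forwards it unchanged, no NAT)."""
    opnsense = CryptokeyRouter()
    opnsense.add_peer("vps1", ["192.168.136.1/32", "fd00:192:168:136::1/128"])
    vps1 = CryptokeyRouter()
    vps1.add_peer("opnsense", vps_allowed_ips)
    return packet_crosses_tunnel(opnsense, vps1, "vps1", "opnsense", src, dst)


# AllowedIPs on the VPS as the thread starter first had them: the tunnel
# networks plus the IPv4 LAN (assumed, since IPv4 works), no IPv6 LAN prefix.
ORIGINAL_ALLOWED = ["192.168.136.0/24", "192.168.137.0/24", "fd00:192:168:136::/64"]
# Maurice's fix: also list a static LAN prefix, which means a ULA.
FIXED_ALLOWED = ORIGINAL_ALLOWED + ["fd00:192:168:137::/64"]

if __name__ == "__main__":
    checks = [
        ("IPv4 LAN -> VPS, original", "192.168.137.5", ORIGINAL_ALLOWED, "192.168.136.1"),
        ("GUA LAN -> VPS, original", "2001:db8:1:2::10", ORIGINAL_ALLOWED, "fd00:192:168:136::1"),
        ("ULA LAN -> VPS, original", "fd00:192:168:137::5", ORIGINAL_ALLOWED, "fd00:192:168:136::1"),
        ("ULA LAN -> VPS, fixed", "fd00:192:168:137::5", FIXED_ALLOWED, "fd00:192:168:136::1"),
        ("GUA LAN -> VPS, fixed", "2001:db8:1:2::10", FIXED_ALLOWED, "fd00:192:168:136::1"),
    ]
    for name, src, allowed, dst in checks:
        verdict = "accepted" if lan_host_can_reach_vps(src, allowed, dst) else "DROPPED"
        print(f"{name:28s} {verdict}")
```

The model makes the two failure modes visible: with the original AllowedIPs the VPS drops packets from both the dynamic GUA and the LAN ULA, and after the fix only the ULA source gets through, which is why the LAN needs a ULA in the first place. Note that the drop happens inside WireGuard on the VPS before any firewall sees it, so nothing appears in the VPS's packet filter logs; `wg show` counters are the only hint.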

Quote from: Maurice on September 21, 2023, 02:58:21 PM
WireGuard on the VPSs will only accept IPv6 packets with source addresses which you added to the allowed IPs there.

Good point, I did not think of this. The problem is, the IPv6 prefix I'm getting from my ISP is not static. It doesn't change that often (modem reboots etc.), but it is also not guaranteed to stay the same. So I cannot just simply configure it in the Wireguard configuration of my VPSes.

This could be the source of the problem. I'm coming from a publicly-routable address on my LAN, and going to the router which does not send it to the Wireguard interface towards the VPS. And therefore I do not see any packet arriving on the VPS at all.

So as I see it, there are two possible solutions here:
- NAT my IPv6 traffic coming from the LAN before it goes out to the Wireguard tunnel on the router towards the VPS, to make sure it fits in the Wireguard tunnel definition (I know, that will probably hurt you too, but I already have to do something similar, as my VPN provider Mullvad only gives me one IPv6 address, so I have to NAT my IPv6 LAN behind it)
- Provide my LAN clients with a PD IPv6 address (they already have this) but also a ULA address in the fd00:192:168:137::/64 range, which is solely in use for IPv6 traffic towards my VPSes (I know that hurts too, but it will work)

I've seen some discussions about advertising both a PD and a ULA address to the LAN. Might be worth looking into this.

Quote from: ajunne on September 22, 2023, 04:43:06 PM
I've seen some discussions about advertising both a PD and a ULA address to the LAN. Might be worth looking into this.

That's the way to go if you don't have a static GUA prefix. Many routers do this by default (like OpenWrt and Fritzbox) and I have deployed it with OPNsense, too.

Cheers
Maurice

Update: I have managed to get it all working.

The solution was indeed to add a ULA subnet to my LAN.

In OPNsense, this is pretty straightforward, but you need to know where to configure it. In the Interfaces section, under the LAN, configure the IPv6 Configuration Type to be Track Interface. This will distribute the public IPv6 prefix from the ISP to your LAN. All devices will receive a publicly-routable IPv6 address as they should (don't forget your firewall rules!). Then, under Interfaces -> Virtual IPs -> Settings add a Virtual IP of type IP Alias to the LAN interface. Give it a ULA address in a /64 subnet and save and apply. IPv6 router advertisement will now distribute two different addresses to all devices in your LAN (you might need to enable Allow manual adjustment of DHCPv6 and Router Advertisements in your LAN interface, and visit the Services -> Router Advertisements -> LAN page and hit the Save button once for the radvd configuration page to be written with the new subnet).

You will see that all devices in your LAN now receive two different IPv6 addresses:
- One internet-routable from the subnet from your ISP
- One ULA address in the subnet of the Virtual IP you configured on the LAN device of your router

You can ping anything on the internet, including the publicly routable IPv6 of the LAN interface of your router. But you can also ping the ULA address of the LAN interface of your router.

In my personal setup, the final thing to do was configure Router Advertisements to also push the IPv6 ULA subnet of the servers connected behind my Wireguard tunnels (which are in a different ULA subnet than my LAN) and those routes will get pushed to all LAN devices too.

One last thing this enabled me to do is configure my DNS server (which is a pihole for ad blocking) to also have a static IPv6 address in the ULA I just configured for my LAN, and add this IPv6 address to the router advertisement as a DNS server. That way, my network is now fully dual stack, including an IPv6-reachable DNS server.
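
The reason the dual-address LAN fixes the tunnel is host source address selection (RFC 6724): a host that holds both a GUA and a ULA sends to a ULA destination from its ULA and to the internet from its GUA, so the VPS peers can list one static LAN prefix in AllowedIPs. The following is an added example, not code from this thread or from OPNsense; it models only rules 2 (scope), 6 (label) and 8 (longest matching prefix) of RFC 6724, and the LAN host's addresses, including the 2001:db8:abcd:1::/64 delegated prefix, are constructed. The ULA prefix is the fd00:192:168:137::/64 proposed earlier in the thread.

```python
"""Simplified RFC 6724 source address selection.  It shows why giving LAN
hosts a ULA next to their ISP-delegated GUA makes traffic to the WireGuard
ULAs leave with the ULA as source (which the VPS peers can list statically
in AllowedIPs) while internet traffic keeps the GUA.  Only rules 2 (prefer
appropriate scope), 6 (prefer matching label) and 8 (longest matching
prefix) are modelled; the deprecated-address, home-address, outgoing-
interface and temporary-address rules are left out.  Host addresses and the
2001:db8:: prefix are constructed for this example.
"""
from ipaddress import IPv6Address, IPv6Network

# Default policy table from RFC 6724 section 2.1 (prefix -> label).
POLICY_LABELS = {
    IPv6Network("::1/128"): 0,
    IPv6Network("::/0"): 1,
    IPv6Network("::ffff:0:0/96"): 4,
    IPv6Network("2002::/16"): 2,
    IPv6Network("2001::/32"): 5,
    IPv6Network("fc00::/7"): 13,
    IPv6Network("::/96"): 3,
    IPv6Network("fec0::/10"): 11,
    IPv6Network("3ffe::/16"): 12,
}

LINK_LOCAL, GLOBAL = 2, 14  # scope values as used by RFC 4007 / RFC 6724


def label(addr):
    """Label of the longest policy-table prefix that contains addr."""
    addr = IPv6Address(addr)
    best = max((n for n in POLICY_LABELS if addr in n), key=lambda n: n.prefixlen)
    return POLICY_LABELS[best]


def scope(addr):
    """ULAs have global scope (RFC 4193); only link-local is treated apart."""
    return LINK_LOCAL if IPv6Address(addr).is_link_local else GLOBAL


def common_prefix_len(a, b):
    """Number of leading bits two addresses share (0..128)."""
    return 128 - (int(IPv6Address(a)) ^ int(IPv6Address(b))).bit_length()


def select_source(host_addresses, dst):
    """Return the host address that rules 2, 6 and 8 pick for reaching dst."""
    dst = IPv6Address(dst)
    cands = [IPv6Address(a) for a in host_addresses]
    # Rule 2: prefer appropriate scope (link-local sources only for link-local dsts).
    same_scope = [c for c in cands if scope(c) == scope(dst)]
    cands = same_scope or cands
    # Rule 6: prefer matching label (ULA for ULA, GUA for GUA).
    same_label = [c for c in cands if label(c) == label(dst)]
    cands = same_label or cands
    # Rule 8: longest matching prefix decides among what is left.
    return str(max(cands, key=lambda c: common_prefix_len(c, dst)))


# A LAN host after the change described above: one GUA from the ISP's
# delegated prefix (constructed as 2001:db8:abcd:1::/64), one ULA from the
# /64 configured as a Virtual IP on OPNsense's LAN, plus its link-local.
LAN_HOST = ["2001:db8:abcd:1::10", "fd00:192:168:137::10", "fe80::1"]

if __name__ == "__main__":
    for dst in ["fd00:192:168:136::1", "2001:db8:ffff::1", "fe80::254"]:
        print(f"{dst:22s} -> source {select_source(LAN_HOST, dst)}")
```

With these addresses a ping to the VPS at fd00:192:168:136::1 leaves from fd00:192:168:137::10, which is exactly the /64 the VPS can carry in AllowedIPs, while a GUA destination still uses the delegated address. On a Linux LAN client the real kernel decision can be compared with `ip -6 route get fd00:192:168:136::1`, whose `src` field should show the ULA; if it shows the GUA, the RA for the ULA prefix has not reached that host yet.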

That's exactly how it's done, yes. Though I'm a bit surprised you had to advertise a route to the remote ULA subnet via RAs. As long as OPNsense is the default gateway, this shouldn't be required, right?

Quote from: Maurice on November 17, 2023, 02:01:36 PM
That's exactly how it's done, yes. Though I'm a bit surprised you had to advertise a route to the remote ULA subnet via RAs. As long as OPNsense is the default gateway, this shouldn't be required, right?

Good point, I will remove the route from the RA and check. You are probably correct, since OPNsense is the default gateway anyway, packets to the ULA subnet should route correctly automatically.

Having said all this, I eventually ended up disabling the pushing of IPv6 DNS servers with a ULA address via the router advertisements. Not that it doesn't work, all my Linux and Windows computers worked just fine. The problem is with my Google TV. With an IPv6 DNS server advertised over the network, it would not remain connected to the Wi-Fi. It would connect just fine, would receive an IPv4 address via DHCP and an IPv6 address via RA, but would immediately disconnect from the Wi-Fi and stay in this loop forever. Some Googling pointed me in the direction of a buggy IPv6 stack in the Google TV devices. After disabling DNS servers pushed via RA, it would connect to the Wi-Fi as usual again. Very weird, but not an OPNsense issue.