That's great news!
Well, now that everything is up and running for you, would you mind sharing what you ended up with in your wg11-up.sh and wg21-up.sh (mask any sensitive stuff, of course).
I have included them below. It should be noted that I am still in the process of fully documenting exactly where I have ended up after testing various different options, so I may have missed some steps (I will edit this later if I find I have). The setup includes:
- An ISP that provides a native but dynamic IPv6 (/56 range)
- Using SLAAC (not DHCP6 or similar) for IPv6 address allocation on the LAN
- Using a VPN provider that supports (not blocks) IPv6 tunnels.
- On the Router:
  - setting WAN > Connect to DNS Server automatically to No
  - leaving DNS1 and DNS2 blank
  - setting DNS Privacy to DoT (Strict) and adding IPv4 and IPv6 servers
  - in IPv6 > Connect to DNS Server automatically to No and adding external DNS servers (does not work if blank)
  - LAN > DNSFilter > Enable DNS-based Filtering > ON - Router
- Using Unbound as the local caching DNS
- Using Diversion for ad blocking, therefore needing dnsmasq in the mix
- Preventing any DNS queries going out in plain text (i.e. they need to be directly encrypted for Router queries and routed via VPN for LAN queries).
- adding private address aliases on (or routed through) br0: <alias4>, <alias6>
- adding these private addresses as 'outgoing interfaces' to unbound
- adding these private addresses as rules to wg1x
- adding the wg1x devices via MAC ipsets (using SLAAC, the IPv6 addresses will change over time); devices routed over wg1x will need fixed MACs
- wg1x is run in policy mode (not default)
- these scripts require entware iptables; they can be modified to run without, @ZebMcKayhan is the expert on this.
In wan-event (to add aliases)
Code:
# wan-event is called with the WAN unit and the event name; only act on "0 connected"
if [ "$1" = "0" ] && [ "$2" = "connected" ]; then
    ifconfig br0:1 <alias4> netmask 255.255.255.255   # IPv4 alias used as unbound's outgoing-interface
    ip -6 address add dev eth5 <alias6>                # IPv6 alias (ULA host /128), see notes below
fi
Notes: <alias6> is derived from creating a ULA (fdxx:xxxx:xxxx:xxxx::/64) then adding :100::1/128, so fdxx:xxxx:xxxx:xxxx:100::1/128.
Adding the alias directly to br0 during startup so it was ready for when unbound started proved problematic. On testing, as all of eth1-eth8 route through br0 (unless explicitly routed elsewhere), it was easier to add the alias here, providing the interface is showing as up, i.e. ip addr show | grep eth shows br0 state UP. For an RT-AX88U, eth5 is the bridge to LAN5-LAN8 and will always be up.
In services-start (to backup mac-ipset)
Code:
# daily 06:45 backup of the MAC ipset; the file name must match IPSET_NAME in wg11-route-up.sh
cru a <ipset-mac> "45 6 * * * ipset save <ipset-mac> > /opt/tmp/<ipset-mac>"
In unbound.conf
Code:
server:
    ....
    outgoing-interface: <alias4> # routing to wan-event + wgm policy rules
    outgoing-interface: <alias6> # routing to wan-event + wgm policy rules
From wgm, create wg1x from VPN_provider.conf as normal.
To update DNS (to use dnsmasq, aliases)
Code:
peer wg1x dns=<local_4>,<local_6>
where <local_4> is the LAN IP and <local_6> is the router's link-local address (e.g. fe80::xxxx:xxxx:xxxx:xxxx). This is generated based on the Router's MAC and (AFAIK) will not change.
To add aliases
Code:
peer wg1x rule add <alias4> comment Unbound4VPN
peer wg1x rule add <alias6> comment Unbound6VPN
From the ssh prompt, to create mac-ipset
Code:
ipset create <ipset-mac> hash:mac
ipset add <ipset-mac> XX:XX:XX:XX:XX:XX   # MAC of a device to be routed over wg1x
ipset add <ipset-mac> YY:YY:YY:YY:YY:YY
...
From wgm, to add <ipset-mac>
Code:
peer wg1x add ipset <ipset-mac>
Server Configuration
Create a new server wg2x in the format
Code:
peer new ip=<wg2x_4_range>,<wg2x_6_range>
For <wg2x_4_range> use any non-overlapping (with other subnets on the router) range, e.g. 10.50.1.1/24.
For <wg2x_6_range> modify the ULA to a GUA by replacing the leading fd (private) with a public starter (e.g. aa) and defining scope, so ULA (fdxx:xxxx:xxxx:xxxx::/64) > aaxx:xxxx:xxxx:xxxx:100::1/120 = <wg2x_range>. Amend as necessary for additional servers.
wg21-up.sh
Code:
#!/bin/sh
###############################################################################
# Example for Wg21 ipv6 = aa00:aaaa:bbbb:cccc:100::1/120
# Change to your needs but keep formatting
Wg21Prefix=aa00:aaaa:bbbb:cccc:: #Wg21 ULA prefix with aa instead of fd
Wg21Suffix=100::1 #Wg21 Device suffix (last 64 bits)
Wg21PrefixLength=120 #Wg21 Prefix Length (120 recommended)
WanInterface=eth0
# Changing below lines should not be needed:
WanIp6Prefix=$(nvram get ipv6_prefix) #WanIp6Prefix=2001:1111:2222:3333::
Wg21_PrefIp=${Wg21Prefix%:*}${Wg21Suffix}/${Wg21PrefixLength} #aa00:aaaa:bbbb:cccc:100::1/120
WanWg21_PrefIp=${WanIp6Prefix%:*}${Wg21Suffix}/${Wg21PrefixLength} #2001:1111:2222:3333:100::1/120
# Execute firewall commands:
ip6tables -t nat -I POSTROUTING -s ${Wg21_PrefIp} -o ${WanInterface} -j NETMAP --to ${WanIp6Prefix}/64
ip6tables -t nat -I PREROUTING -i ${WanInterface} -d ${WanWg21_PrefIp} -j NETMAP --to ${Wg21Prefix}/64
###############################################################################
wg11-route-up.sh (to make sure ipset in place)
Code:
#!/bin/sh
IPSET_NAME=<ipset-mac>
if [ "$(ipset list -n "$IPSET_NAME" 2>/dev/null)" != "$IPSET_NAME" ]; then   # if ipset does not already exist
    if [ -s "/opt/tmp/$IPSET_NAME" ]; then                                    # if a backup file exists
        ipset restore -! <"/opt/tmp/$IPSET_NAME"                              # restore ipset
    fi
fi
wg11-up.sh
Code:
#!/bin/sh
###############################################################################
#for use in default mode only
#ip -6 route add 0::/1 dev wg11
#ip -6 route add 8000::/1 dev wg11
#for use in policy mode only
WanIp6=$(nvram get ipv6_rtr_addr) #WanIp6=2001:1111:2222:3333::1
iptables -t nat -I POSTROUTING ! -s <vpn_ipv4> -o wg11 -j MASQUERADE
ip6tables -t nat -I POSTROUTING ! -s <vpn_ipv6> -o wg11 -j MASQUERADE
#emulates DNSFilter on Router for IPv6, needs entware iptables
ip6tables -t nat -A WGDNS1 -i br0 -j DNAT --to-destination ${WanIp6}
###############################################################################
Finally, ensure that wg2x-down and wg1x-down are also created.
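To sanity-check the wg2x addressing scheme offline, here is an added Python example (not from the post above, and not part of wg_manager) that models the ${Prefix%:*}${Suffix}/${Len} string surgery in wg21-up.sh and emulates its two ip6tables NETMAP rules. The function names (ula_to_gua, join_prefix, netmap, check_roundtrip) are my own, and the ULA, WAN prefix and client addresses are constructed sample values.

```python
import ipaddress

# Added example, not from the post or wg_manager: models the address derivation
# in wg21-up.sh and emulates its two NETMAP rules so the scheme can be checked
# offline. All prefixes below are constructed sample values, not real ones.
ULA_PREFIX = "fd12:3456:789a:bcde::"   # stands in for the post's fdxx:xxxx:xxxx:xxxx::
WAN_PREFIX = "2001:1111:2222:3333::"   # stands in for $(nvram get ipv6_prefix)
WG21_SUFFIX = "100::1"                 # Wg21Suffix from the script
WG21_LEN = 120                         # Wg21PrefixLength from the script


def ula_to_gua(ula_prefix: str, starter: str = "aa") -> str:
    """Replace the leading 'fd' of a ULA /64 with the post's 'public starter' (aa)."""
    if not ipaddress.IPv6Network(ula_prefix + "/64").subnet_of(ipaddress.IPv6Network("fc00::/7")):
        raise ValueError(f"{ula_prefix} is not a ULA (fc00::/7)")
    return starter + ula_prefix[2:]


def join_prefix(prefix: str, suffix: str, length: int) -> str:
    """Same as ${Prefix%:*}${Suffix}/${Len}: drop the trailing ':' of 'xxxx::' and append."""
    return str(ipaddress.IPv6Interface(prefix[:-1] + suffix + f"/{length}"))


def netmap(addr: str, to_net: str) -> str:
    """Emulate ip6tables NETMAP --to: swap in the first prefixlen bits, keep the host bits."""
    net = ipaddress.IPv6Network(to_net)
    host_mask = (1 << (128 - net.prefixlen)) - 1
    mapped = int(net.network_address) | (int(ipaddress.IPv6Address(addr)) & host_mask)
    return str(ipaddress.IPv6Address(mapped))


def check_roundtrip(ula_prefix: str = ULA_PREFIX, wan_prefix: str = WAN_PREFIX) -> bool:
    """Every client in the wg21 /120 must land inside the WAN-side /120 on the way out
    (POSTROUTING rule) and be mapped back to itself on the way in (PREROUTING rule)."""
    wg21_prefix = ula_to_gua(ula_prefix)
    wg21_net = ipaddress.IPv6Interface(join_prefix(wg21_prefix, WG21_SUFFIX, WG21_LEN)).network
    wan_net = ipaddress.IPv6Interface(join_prefix(wan_prefix, WG21_SUFFIX, WG21_LEN)).network
    out_to = wan_prefix + "/64"    # --to of the POSTROUTING rule
    in_to = wg21_prefix + "/64"    # --to of the PREROUTING rule
    for client in wg21_net.hosts():
        public = netmap(str(client), out_to)
        if ipaddress.IPv6Address(public) not in wan_net or netmap(public, in_to) != str(client):
            return False
    return True


if __name__ == "__main__":
    print(join_prefix(ula_to_gua(ULA_PREFIX), WG21_SUFFIX, WG21_LEN))
    print("NETMAP round trip OK" if check_roundtrip() else "NETMAP round trip FAILED")
```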