WireGuard client with IPv6 enabled

[ali232]

Hello,
I'm using Cloudflare Warp as a WireGuard client on my AX86U with Cloudflare IPv4 ranges in the allowed IPs, so I only tunnel Cloudflare ranges through Warp.
It works well, but after I enabled IPv6 on my router and added IPv6 ranges to the allowed IP list, it not works.
What could be causing this? I have an IPv6 address in my WireGuard client config as well.

 

[ZebMcKayhan]

Hello,
I'm using Cloudflare Warp as a WireGuard client on my AX86U with Cloudflare IPv4 ranges in the allowed IPs, so I only tunnel Cloudflare ranges through Warp.
It works well, but after I enabled IPv6 on my router and added IPv6 ranges to the allowed IP list, it not works.
What could be causing this? I have an IPv6 address in my WireGuard client config as well.

Wireguard is vpn-director only and vpn-director is not setup for ipv6.

You could setup the rules yourself via ssh if you want but beware that the policy route table is not as updated as ipv4 but for specific internet destinations ip it should work fine.

 

[ali232]

Thanks.
Can you please give me an example of how to do it? I’d like to tunnel these ranges through WireGuard.

 

[ZebMcKayhan]

Thanks.
Can you please give me an example of how to do it? I’d like to tunnel these ranges through WireGuard.

Well, I just tested this on my router and it works:

ip -6 rule add from all to 2600:: table wgc1 prio 11210

Repeat for each ip/range and increase prio number by 1.

To list your rules:

ip -6 rule

To delete a rule:

ip -6 rule del prio 11210

They will not be persistent across reboots unless you add them when wireguard starts, so in /jffs/scripts/wgclient-start
And delete them when/if it stops in /jffs/scripts/wgclient-stop
https://github.com/RMerl/asuswrt-merlin.ng/wiki/User-scripts#wgclient-stop-and-wgclient-start

 

[ZebMcKayhan]

If someone reads this and tries to follow it to send local lan to wgc1 it will not work good. The reason is that the policy route table only contains routes to wgcX, not even to br0 (lan interface) so you might end up breaking your network connectivity. Luckily, as long as you don't setup the rules to autostart, a reboot will set everything back.

To only use policy table for unknown/internet destination we can use the same trick as wg-quick does. That is, process all routes in main table first, but not the default route (prefix length 0). So this rule must have a higher priority (lower prio number) then out other rules. It will not be perfect as routes to wan dns is usually specified but it's atleast something. Following the prio numbering from ipv4 gives roughly:

ip -6 rule add from all lookup main suppress_prefixlength 0 prio 10000

Now we should be able to add lan source ip with a lower priority (higher number) like:

#single ipv6 to wgc1:
ip -6 rule add from 2001:1234:5678::aaaa:bbbb:cccc:dddd lookup wgc1 prio 11210

Or

#all subnet to wgc1:
ip -6 rule add from 2001:1234:5678::/64 lookup wgc1 prio 11220

or even

#Auto subnet to wgc1:
ip -6 rule add from "$(nvram get ipv6_prefix)"/64 lookup wgc1 prio 11230

I can't test this as I'm not running ipv6 on my lan but I have it enabled on my router and as far as I can see everything is setup except rules and routes so I think this should work.

 

[juanantonio]

Excuse me, but I'm very interested in this topic because recently I had to get rid of @Martineau 's Wireguard Session Manager in order to enable HW acceleration on my RT-AX86U, for getting the fulll bandwidth my ISP can provide.

So, if I understood, if I want (as I do) to route my LAN devices through wgc1 client, all I need to do is running the previous commands on this thread, I mean:

#all subnet to wgc1: ip -6 rule add from 2001:1234:5678::/64 lookup wgc1 prio 11220

and

#Auto subnet to wgc1: ip -6 rule add from "$(nvram get ipv6_prefix)"/64 lookup wgc1 prio 11230

?

Thanks in advance.

 

[ZebMcKayhan]

So, if I understood, if I want (as I do) to route my LAN devices through wgc1 client, all I need to do is running the previous commands on this thread, I mean:

Well, almost.... ofcource you will need an imported client which has ipv6 ip.

First I would advice you to look at you current rules to get an understanding on how they look and work:
List your ipv4 rules (from vpndirector and fw):

ip rule

And for ipv6, altough at this stage it's probably empty (except for the local and main rule always there):

ip -6 rule

Notice how they are sectioned by prio number and interface (table).

To route your entire lan to, say wgc1, as I sad, you will need a global rule to not mess up internal routing. So you will need to add this first:

ip -6 rule add from all lookup main suppress_prefixlength 0 prio 10000

You can just paste it into the prompt and execute it. It should not give any output if all ok.

Now list your ipv6 rules and see it turned out OK.

At this point you have not really changed anything. But now you can add the rule for your lan to wgc1:

ip -6 rule add from "$(nvram get ipv6_prefix)"/64 lookup wgc1 prio 11230

Again, just copy the text into the ssh prompt and execute it. It should not output anything if all ok.

Now, look at your ipv6 rules again and see that the rule have your lan prefix in it, automatically, thanks to the nvram get...

If some rule did not turn out ok, or if you got duplicate rules you could delete these by

ip -6 rule del prio xxyyz

Replace xxyyz with the prio of the rule you want to remove.

When the 2 rules look ok, test on a lan device if it outputs ipv6 over vpn.

If something turns out really bad, you can remove the rules, or just reboot.

Test it manually like this before making them persistent.

 

[juanantonio]

Unfortunately, I tried your suggestion without luck, but I've seen some differences on the output of ip -6 command, which I post below:

juanantonio@RT-AX86U-6C38:/tmp/home/root# ip -6 rule
0:      from all lookup local
220:    from all lookup 220
220:    from all lookup 220
10000:  from all lookup main suppress_prefixlength 0
11220:  from 2a0c:5a80:480d:a800::/64 lookup wgc1
32766:  from all lookup main

Thanks a lot.

 

[ZebMcKayhan]

Unfortunately, I tried your suggestion without luck, but I've seen some differences on the output of ip -6 command, which I post below:

juanantonio@RT-AX86U-6C38:/tmp/home/root# ip -6 rule
0:      from all lookup local
220:    from all lookup 220
220:    from all lookup 220
10000:  from all lookup main suppress_prefixlength 0
11220:  from 2a0c:5a80:480d:a800::/64 lookup wgc1
32766:  from all lookup main

Thanks a lot.

So, what happens? Still over wan, or broken ipv6 connectivity?

What is that 220 rule? I don't have that. Did you put it there? Or fw?
What is in route table 220? If it's empty it shouldn't do any harm.

ip route show table 220

You may try to remove the 220 rules but if the route table is empty it should not matter.

 

[juanantonio]

Hi, I'm in the procces of migrating Session Manager to Merlin Wireguard client. I think those rules are inherited from it. I have no problem in deleting them. I will do it probably tomorrow, since here it's time to sleep. Thanks a lot one more time.

 

[ZebMcKayhan]

Hi, I'm in the procces of migrating Session Manager to Merlin Wireguard client. I think those rules are inherited from it. I have no problem in deleting them. I will do it probably tomorrow, since here it's time to sleep. Thanks a lot one more time.

Yea, I have a vague memory of these but I don't think wgm puts them there and route table 220 has always been empty so it should not interfere. Probably some Asus remnant.

Make sure wgc1 actually gets the interface ipv6 by

ifconfig wgc1

It's usually a ula address, starting with fd or fc.

And check so your AllowedIPs contains the ipv6 default route:

wg show wgc1

There needs to be "::/0" there in the list.

Finally, check the policy route table:

ip -6 route show table wgc1

There should be a couple of routes there pointing to wgc1 interface. Mine is:

::/3 dev wgc1 metric 1024 pref medium
2000::/4 dev wgc1 metric 1024 pref medium
3000::/4 dev wgc1 metric 1024 pref medium
fc00::/7 dev wgc1 metric 1024 pref medium

It's not a default route, but it should cover all currently assigned ipv6 - so, good enough.

All these things should be placed there by fw when you import a dual stack wg config file, and start it. Atleast it does for me.

 

[juanantonio]

So, what happens? Still over wan, or broken ipv6 connectivity?

What is that 220 rule? I don't have that. Did you put it there? Or fw?
What is in route table 220? If it's empty it shouldn't do any harm.

ip route show table 220

You may try to remove the 220 rules but if the route table is empty it should not matter.

First, it happened to be that my LAN devices were going out through the WAN.

After deleting 220 rule, it seems to be that is fw who put it there, because it appears again after a restart.

But I've found out that, deleting also the rule:

ip -6 rule add from all lookup main suppress_prefixlength 0 prio 10000

By doing:

ip -6 rule del prio 10000

I've know IPv6 connectivity through my wireguard client, which was my primary goal.

Here I paste the output of the different commands you adviced me to run:

juanantonio@RT-AX86U-6C38:/jffs/scripts# wg show wgc1
interface: wgc1
  public key: Am6is0qmJQPEftXw3eCtOxU5GsreUrMyR5uaq4r5lGY=
  private key: (hidden)
  listening port: 57602

peer: PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=
  preshared key: (hidden)
  endpoint: 194.99.104.34:1637
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 1 minute, 58 seconds ago. (sec:118)
  transfer: 3.60 GiB received, 979.84 MiB sent
  persistent keepalive: every 15 seconds

juanantonio@RT-AX86U-6C38:/jffs/scripts# ifconfig wgc1
wgc1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.151.13.172  P-t-P:10.151.13.172  Mask:255.255.255.255
          inet6 addr: fd7d:76ee:e68f:a993:d0c0:1334:273a:628b/128 Scope:Global
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:3216093 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1986643 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3877157320 (3.6 GiB)  TX bytes:1028989656 (981.3 MiB)

juanantonio@RT-AX86U-6C38:/jffs/scripts# ip -6 route show table wgc1
::/3 dev wgc1 metric 1024 pref medium
2000::/4 dev wgc1 metric 1024 pref medium
3000::/4 dev wgc1 metric 1024 pref medium
fc00::/7 dev wgc1 metric 1024 pref medium

juanantonio@RT-AX86U-6C38:/jffs/scripts# ip -6 rule
0:      from all lookup local
11230:  from 2a0c:5a80:4806:f600::/64 lookup wgc1
32766:  from all lookup main

Best regards, and infinite thanks!

 

[ZebMcKayhan]

I've know IPv6 connectivity through my wireguard client, which was my primary goal.

yep, but you also potentially created a routing issue.... but your test shows that your internet usage is using something other than prefix 0 in main routing table. we should hunt that down and see how it is setup so we could bypass it properly.

you can list the main route table by:

ip route show table main

its going to be lots of stuff in there. but except for the default route is there anything that ends with /1, /2, /3, ... basically below /7 that would point to your WAN interface?

I need to read up a bit on the suppress_prefixlength directive if we need to add more or could just adjust it.

 

[juanantonio]

yep, but you also potentially created a routing issue.... but your test shows that your internet usage is using something other than prefix 0 in main routing table. we should hunt that down and see how it is setup so we could bypass it properly.

you can list the main route table by:

ip route show table main

its going to be lots of stuff in there. but except for the default route is there anything that ends with /1, /2, /3, ... basically below /7 that would point to your WAN interface?

I need to read up a bit on the suppress_prefixlength directive if we need to add more or could just adjust it.

Well, I suppose you're asking the output od the ip -6 route show table. Here it is:

juanantonio@RT-AX86U-6C38:/jffs/scripts# ip -6 route show table main
2a0c:5a80:4601:e00:1::1 dev wgs1 proto kernel metric 256 pref medium
2a0c:5a80:4806:f600::/64 dev br0 proto kernel metric 256 pref medium
2a0c:5a80:48ff:ffff::4f75:1225 dev ppp0 proto kernel metric 256 pref medium
fd7d:76ee:e68f:a993::1 dev wgc1 metric 1024 pref medium
fd7d:76ee:e68f:a993:d0c0:1334:273a:628b dev wgc1 proto kernel metric 256 pref medium
fd7d:76ee:e68f:a993:d0c0:1334:273a:628b dev wgc2 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth5 proto kernel metric 256 pref medium
fe80::/64 dev eth6 proto kernel metric 256 pref medium
fe80::/64 dev eth7 proto kernel metric 256 pref medium
fe80::/64 dev br0 proto kernel metric 256 pref medium
fe80::/64 dev bcmsw proto kernel metric 256 pref medium
fe80::/64 dev bcmswlpbk0 proto kernel metric 256 pref medium
fe80::/64 dev dpsta proto kernel metric 256 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev eth2 proto kernel metric 256 pref medium
fe80::/64 dev eth3 proto kernel metric 256 pref medium
fe80::/64 dev eth4 proto kernel metric 256 pref medium
fe80::/64 dev ifb0 proto kernel metric 256 pref medium
fe80::/64 dev ifb1 proto kernel metric 256 pref medium
fe80::/64 dev imq0 proto kernel metric 256 pref medium
fe80::/64 dev imq1 proto kernel metric 256 pref medium
fe80::/64 dev imq2 proto kernel metric 256 pref medium
fe80::/64 dev ip6_vti0 proto kernel metric 256 pref medium
fe80::/64 dev ip6gre0 proto kernel metric 256 pref medium
fe80::/64 dev ip6tnl0 proto kernel metric 256 pref medium
fe80::/64 dev ip_vti0 proto kernel metric 256 pref medium
fe80::/64 dev sit0 proto kernel metric 256 pref medium
fe80::/64 dev spu_ds_dummy proto kernel metric 256 pref medium
fe80::/64 dev spu_us_dummy proto kernel metric 256 pref medium
fe80::/64 dev wl0.3 proto kernel metric 256 pref medium
fe80::/10 dev ppp0 metric 1 pref medium
fe80::/10 dev ppp0 proto kernel metric 256 pref medium
default via fe80::1 dev ppp0 proto ra metric 1024 expires 1514sec hoplimit 64 pref medium
juanantonio@RT-AX86U-6C38:/jffs/scripts#

If you were asking for the ip 4 route show command, anyway, here is the output:

juanantonio@RT-AX86U-6C38:/jffs/scripts#  ip route show table main
default via 10.0.20.131 dev ppp0
10.0.20.131 dev ppp0 proto kernel scope link
10.6.0.0/24 dev wgs1 proto kernel scope link src 10.6.0.1
10.6.0.2 dev wgs1 scope link
10.6.0.3 dev wgs1 scope link
10.6.0.4 dev wgs1 scope link
10.6.0.5 dev wgs1 scope link
10.6.0.6 dev wgs1 scope link
10.128.0.1 dev wgc1 scope link
100.90.1.1 via 10.0.20.131 dev ppp0
100.100.1.1 via 10.0.20.131 dev ppp0
127.0.0.0/8 dev lo scope link
169.254.0.0/16 dev vlan20 proto kernel scope link src 169.254.148.224
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
juanantonio@RT-AX86U-6C38:/jffs/scripts#

As you will see, I have some routes pointing to my wireguard clients through my wireguard server.

Greetings.

 

[ZebMcKayhan]

Well, I suppose you're asking the output od the ip -6 route show table. Here it is:

Yes, sorry, I was in a hurry.

Strange, there are no special routes in there.

How are you testing this? A webpage? Which one?

I did a test on my router:

admin@RT-AX86U_Pro:/tmp/home/root# ip -6 rule
0:      from all lookup local
10000:  from all lookup main suppress_prefixlength 0 
11230:  from 2001:0101:cfe:3d00::/64 lookup wgc1
32766:  from all lookup main
admin@RT-AX86U_Pro:/tmp/home/root# ip route get 2600:: from 2001:0101:cfe:3d00::1 iif br0 
2600:: dev wgc1 table wgc1 metric 1024 iif br0 pref medium
admin@RT-AX86U_Pro:/tmp/home/root# ip -6 route get 2a00:1450:400f:803::200e from 2001:0101:cfe:3d00::1 iif br0
2a00:1450:400f:803::200e dev wgc1 table wgc1 metric 1024 iif br0 pref medium
admin@RT-AX86U_Pro:/tmp/home/root# ip -6 route get fdab:1337:1337:186::1 from 2001:0101:cfe:3d00::1 iif br0
fdab:1337:1337:186::1 dev wgc2 proto kernel metric 256 iif br0 pref medium

So it works for me. Our route tables looks virtually the same. So, it boils back to how you are testing this.

 

[juanantonio]

Yes, sorry, I was in a hurry.

Strange, there are no special routes in there.

How are you testing this? A webpage? Which one?

I did a test on my router:

admin@RT-AX86U_Pro:/tmp/home/root# ip -6 rule
0:      from all lookup local
10000:  from all lookup main suppress_prefixlength 0
11230:  from 2001:0101:cfe:3d00::/64 lookup wgc1
32766:  from all lookup main
admin@RT-AX86U_Pro:/tmp/home/root# ip route get 2600:: from 2001:0101:cfe:3d00::1 iif br0
2600:: dev wgc1 table wgc1 metric 1024 iif br0 pref medium
admin@RT-AX86U_Pro:/tmp/home/root# ip -6 route get 2a00:1450:400f:803::200e from 2001:0101:cfe:3d00::1 iif br0
2a00:1450:400f:803::200e dev wgc1 table wgc1 metric 1024 iif br0 pref medium
admin@RT-AX86U_Pro:/tmp/home/root# ip -6 route get fdab:1337:1337:186::1 from 2001:0101:cfe:3d00::1 iif br0
fdab:1337:1337:186::1 dev wgc2 proto kernel metric 256 iif br0 pref medium

So it works for me. Our route tables looks virtually the same. So, it boils back to how you are testing this.

Well, I'm testing the thing using different sites, but one of them is ip.me, which is giving me the public IP of my VPN supplier.

Next thing I would like to do is routing wg server remote clients through this same wireguard client.

Thanks a lot!

 

[ZebMcKayhan]

Well, I'm testing the thing using different sites, but one of them is ip.me, which is giving me the public IP of my VPN supplier.

Ok, but when you add the 10000 rule it shows you WAN?

You should try to add the rule back because you have (probably) broken your ipv6 connection between lan and wg server without it.

If you add it back and then execute:

ip route flush cache

Does it change anything?

Next thing I would like to do is routing wg server remote clients through this same wireguard client.

That's easier since it's static, just

ip -6 rule add from 2a0c:5a80:4601:e00:1::/120 lookup wgc1 prio 11240

But I strongly suggest you try to add the suppress_prefixlength 0 rule before moving forward.

 

[juanantonio]

Ok, but when you add the 10000 rule it shows you WAN?

ip -6 rule add from all lookup main suppress_prefixlength 0 prio 10000

This is the command I use for adding that rule and immediatly public IP change, so instead going out through wgc1, traffic is using ppp0 (WAN).

The command:

ip route flush cache

Do nothing by itself. I am monitoring constantly mi public IP using a Mozilla Firefox Addon, named 'IP Address & Geolocation'.

Only by deleting the rule 'prio 10000' am I able to surf the web via VPN.

Greetins. Thanks for the advice refering to routing remote clients. Thanks.

 

[ZebMcKayhan]

This is the command I use for adding that rule and immediatly public IP change, so instead going out through wgc1, traffic is using ppp0 (WAN).

Alright. Altough I don't understand why.

"Lookup main suppress_prefixlength 0" should mean lookup route in main table but don't use default route. There are no routes pointing to any internet ip in your router table and it still finds a route...

What we are really after is to find routes to "known subnets" like br0 (lan) and wgs and possibly wgc endpoints. All these routes should have prefix 64 or higher. And according to ip manual:

suppress_prefixlength NUMBER
reject routing decisions that have a prefix length
of NUMBER or less.

So you could try:

ip -6 rule add from all lookup main suppress_prefixlength 63 prio 10000

Still work? If yes, try to replace the rule and use 30 instead. If it still works, 15. Then 7 et.c. when does it stop working?

If it does not work with 63 I really don't know what to do.

 

[juanantonio]

Alright. Altough I don't understand why.

"Lookup main suppress_prefixlength 0" should mean lookup route in main table but don't use default route. There are no routes pointing to any internet ip in your router table and it still finds a route...

What we are really after is to find routes to "known subnets" like br0 (lan) and wgs and possibly wgc endpoints. All these routes should have prefix 64 or higher. And according to ip manual:


So you could try:

ip -6 rule add from all lookup main suppress_prefixlength 63 prio 10000

Still work? If yes, try to replace the rule and use 30 instead. If it still works, 15. Then 7 et.c. when does it stop working?

If it does not work with 63 I really don't know what to do.

Morning.

I've tried, as you asked, the prefixlength rule, starting with 63, and continuing with 30, 15, 7, 3, 1 and 0, with the same result. At the moment I launch the command, my Firefox addon tell me that traffic is going through WAN. And this only change if I delete the rule.

Greetings.