Solved Cannot make ipv6 work with Wireguard, routing issue?

I have a VPS.
The VPS has 1 IPv4 address and a /64 IPv6 subnet (presumably).
I am trying to set up a WireGuard server so it will provide NATed IPv4 and real IPv6 IPs to clients.
No matter what I do I cannot make IPv6 work. IPv4 is working fine.
Traceroute on the WG client reaches only the server's WG interface IP.
On the server I am using IPFW (I tried with the firewall completely disabled, and don't see any blocked IPv6 packets when it's enabled).

Code:
14.3-RELEASE FreeBSD 14.3-RELEASE releng/14.3-n271432-8c9ce319fef7 GENERIC amd64

rc.conf:
sh:
clear_tmp_enable="YES"
hostname="push-nyan"

ifconfig_vtnet0="inet xxx.xxx.25.180 netmask 255.255.255.0"
defaultrouter="xxx.xxx.25.1"

ifconfig_vtnet0_ipv6="inet6 2a0d:xxxx:xxxx:xxxx:200::1 prefixlen 72"
ipv6_static_routes="wan_net"
ipv6_route_wan_net="-net 2a0d:xxxx:xxxx::/48 -iface vtnet0"
ipv6_defaultrouter="2a0d:xxxx:xxxx::1"

sshd_enable="YES"
moused_nondefault_enable="NO"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"
zfs_enable="YES"
qemu_guest_agent_enable="YES"
wireguard_enable="YES"
wireguard_interfaces="wg0"
gateway_enable="YES"
ipv6_gateway_enable="YES"
firewall_enable="YES"
firewall_nat_enable="YES"
firewall_logging="YES"
firewall_script="/etc/nyan_ipfw.pur"

/usr/local/etc/wireguard/wg0.conf:
INI:
[Interface]
PrivateKey = xxxx7sLga+3gp193Q=
Address = 10.10.0.1/16
Address = 2a0d:xxxx:xxxx:xxxx:100::1/72
ListenPort = 41313
MTU=1400

[Peer]
PublicKey = xxxxKT1qcyFkBTiOocww1jq0js2Qg=
AllowedIPs = 10.10.0.2/32, 2a0d:xxxx:xxxx:xxxx:100::2/128

[Peer]
PublicKey = xxxxbiQyVf3EfYlx29EIdCs6AdX+WrS4=
AllowedIPs = 10.10.0.3/32, 2a0d:xxxx:xxxx:xxxx:100::3/128

wg_client.conf:
INI:
[Interface]
PrivateKey = xxxxxxx+PxNk8DO8ZcQg/fg/o3+wEHoACsgG8=
Address = 10.10.0.2/16, 2a0d:xxxx:xxxx:xxxx:100::2/72
DNS = 1.1.1.1, 8.8.8.8
MTU=1400

[Peer]
PublicKey = xxxxxjuF6pjDrVwuCL0NccfCZ9WqjGGfR8=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = xxx.xxx.25.180:41313
PersistentKeepalive = 22

doas netstat -rn:
Code:
Internet:
Destination        Gateway            Flags         Netif Expire
default            93.113.25.1        UGS          vtnet0
10.10.0.0/16       link#3             U               wg0
10.10.0.1          link#2             UHS             lo0
10.10.0.2          link#3             UHS             wg0
10.10.0.3          link#3             UHS             wg0
xxx.xxx.25.0/24    link#1             U            vtnet0
xxx.xxx.25.180     link#2             UHS             lo0
127.0.0.1          link#2             UH              lo0

Internet6:
Destination                       Gateway                       Flags         Netif Expire
::/96                             link#2                        URS             lo0
default                           2a0d:8140:1fff::1             UGS          vtnet0
::1                               link#2                        UHS             lo0
::ffff:0.0.0.0/96                 link#2                        URS             lo0
2a0d:xxxx:xxxx::/48               link#1                        US           vtnet0
2a0d:xxxx:xxxx:xxxx:100::/72      link#3                        U               wg0
2a0d:xxxx:xxxx:xxxx:100::1        link#2                        UHS             lo0
2a0d:xxxx:xxxx:xxxx:200::/72      link#1                        U            vtnet0
2a0d:xxxx:xxxx:xxxx:200::1        link#2                        UHS             lo0
fe80::%lo0/10                     link#2                        URS             lo0
fe80::%vtnet0/64                  link#1                        U            vtnet0
fe80::be24:11ff:fe86:fbe%lo0      link#2                        UHS             lo0
fe80::%lo0/64                     link#2                        U               lo0
fe80::1%lo0                       link#2                        UHS             lo0
ff02::/16                         link#2                        URS             lo0

From client:
tracepath -6 www.google.com:
Code:
 1?: [LOCALHOST]                        0.050ms pmtu 1400
 1:  2a0d:xxxx:xxxx:xxxx:100::1                           34.739ms
 1:  2a0d:xxxx:xxxx:xxxx:100::1                           35.051ms
 2:  no reply
 3:  no reply
 ...

...

I am narrowing this down. For some reason,
IPv6 works ONLY for the peer with the ...xxx:200::2/72 address.
...xxx:200::3/72, ...xxx:200::30/72 etc. get no IPv6 connectivity, even if it is the first and only peer I add by hand.
Not using wg-quick.
Firewall is disabled.
 
If you run tcpdump(1) on the uplink interface of the wg "server" node, does it send/forward the IPv6 traffic of the wg clients?
I am sorry. I am not so good with these things.
This is what I get when I run traceroute -6 www.google.com on a connected client:
Code:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wg0, link-type NULL (BSD loopback), snapshot length 262144 bytes
20:56:48.736027 IP 91.215.27.7.36360 > 10.10.0.2.36363: UDP, length 20
20:56:50.180344 IP 37-235-132-169.dynamic.customer.lanta.me.53177 > 10.10.0.2.36363: Flags [S], seq 613343797, win 65535, options [mss 1436,nop,wscale 8,nop,nop,sackOK], length 0
20:56:50.546863 IP 10.10.0.2.48237 > one.one.one.one.domain: 58810+ AAAA? www.google.com. (32)
20:56:50.547786 IP one.one.one.one.domain > 10.10.0.2.48237: 58810 1/0/0 AAAA 2a00:1450:400d:804::2004 (60)
20:56:50.584557 IP6 2a0d:xxxx:xxxx:xxxx:100::2.38786 > bud02s27-in-x04.1e100.net.44444: UDP, length 1352
20:56:50.584625 IP6 2a0d:xxxx:xxxx:xxxx:100::1 > 2a0d:xxxx:xxxx:xxxx:100::2: ICMP6, time exceeded in-transit for bud02s27-in-x04.1e100.net, length 1240
20:56:50.620631 IP 10.10.0.2.53557 > one.one.one.one.domain: 49214+ PTR? 1.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.e.7.8.3.f.f.f.1.0.4.1.8.d.0.a.2.ip6.arpa. (90)
20:56:50.625856 IP one.one.one.one.domain > 10.10.0.2.53557: 49214 NXDomain 0/1/0 (172)
20:56:50.662649 IP6 2a0d:xxxx:xxxx:xxxx:100::2.38786 > bud02s27-in-x04.1e100.net.44445: UDP, length 1352
20:56:50.662684 IP6 2a0d:xxxx:xxxx:xxxx:100::1 > 2a0d:xxxx:xxxx:xxxx:100::2: ICMP6, time exceeded in-transit for bud02s27-in-x04.1e100.net, length 1240
20:56:50.699144 IP 10.10.0.2.42257 > one.one.one.one.domain: 46745+ PTR? 1.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.e.7.8.3.f.f.f.1.0.4.1.8.d.0.a.2.ip6.arpa. (90)
20:56:50.704143 IP one.one.one.one.domain > 10.10.0.2.42257: 46745 NXDomain 0/1/0 (172)
20:56:50.740687 IP6 2a0d:xxxx:xxxx:xxxx:100::2.38786 > bud02s27-in-x04.1e100.net.44446: UDP, length 1352
20:56:51.756568 IP6 2a0d:xxxx:xxxx:xxxx:100::2.38786 > bud02s27-in-x04.1e100.net.44447: UDP, length 1352
20:56:52.055411 IP unn-169-150-223-240.datapacket.com.64014 > 10.10.0.2.36363: UDP, length 20
20:56:52.191641 IP 10.10.0.2 > unn-169-150-223-240.datapacket.com: ICMP 10.10.0.2 udp port 36363 unreachable, length 56
20:56:52.757733 IP6 2a0d:xxxx:xxxx:xxxx:100::2.38786 > bud02s27-in-x04.1e100.net.44448: UDP, length 1352
20:56:52.906223 IP 95.139.93.201.51032 > 10.10.0.2.36363: Flags [S], seq 3684736466, win 65535, options [mss 1436,nop,wscale 8,nop,nop,sackOK], length 0
20:56:52.941680 IP 10.10.0.2.36363 > 95.139.93.201.51032: Flags [R.], seq 0, ack 3684736467, win 0, length 0
20:56:53.526360 IP 95.139.93.201.51032 > 10.10.0.2.36363: Flags [S], seq 3684736466, win 65535, options [mss 1436,nop,wscale 8,nop,nop,sackOK], length 0
20:56:53.625187 IP 10.10.0.2.36363 > 95.139.93.201.51032: Flags [R.], seq 0, ack 1, win 0, length 0
20:56:53.743616 IP6 2a0d:xxxx:xxxx:xxxx:100::2.38786 > bud02s27-in-x04.1e100.net.44449: UDP, length 1352
20:56:54.212171 IP 95.139.93.201.51032 > 10.10.0.2.36363: Flags [S], seq 3684736466, win 65535, options [mss 1436,nop,wscale 8,nop,nop,sackOK], length 0
20:56:54.443828 IP 10.10.0.2.36363 > 95.139.93.201.51032: Flags [R.], seq 0, ack 1, win 0, length 0
20:56:54.744808 IP6 2a0d:xxxx:xxxx:xxxx:100::2.38786 > bud02s27-in-x04.1e100.net.44450: UDP, length 1352
20:56:55.042191 IP 95.139.93.201.51032 > 10.10.0.2.36363: Flags [S], seq 3684736466, win 65535, options [mss 1436,nop,wscale 8,nop,nop,sackOK], length 0
20:56:55.160383 IP 10.10.0.2.36363 > 95.139.93.201.51032: Flags [R.], seq 0, ack 1, win 0, length 0
20:56:55.745753 IP6 2a0d:xxxx:xxxx:xxxx:100::2.38786 > bud02s27-in-x04.1e100.net.44451: UDP, length 1352
20:56:55.750588 IP 95.139.93.201.51032 > 10.10.0.2.36363: Flags [S], seq 3684736466, win 65535, options [mss 1436,nop,wscale 8,nop,nop,sackOK], length 0
20:56:55.785868 IP 10.10.0.2.36363 > 95.139.93.201.51032: Flags [R.], seq 0, ack 1, win 0, length 0
20:56:56.747106 IP6 2a0d:xxxx:xxxx:xxxx:100::2.38786 > bud02s27-in-x04.1e100.net.44452: UDP, length 1352
20:56:57.748294 IP6 2a0d:xxxx:xxxx:xxxx:100::2.38786 > bud02s27-in-x04.1e100.net.44453: UDP, length 1352
20:56:58.765865 IP6 2a0d:xxxx:xxxx:xxxx:100::2.38786 > bud02s27-in-x04.1e100.net.44454: UDP, length 1352
20:56:59.725222 IP 185.253.183.98.13571 > 10.10.0.2.36363: UDP, length 20
20:56:59.751223 IP6 2a0d:xxxx:xxxx:xxxx:100::2.38786 > bud02s27-in-x04.1e100.net.44455: UDP, length 1352
20:56:59.760428 IP 10.10.0.2 > 185.253.183.98: ICMP 10.10.0.2 udp port 36363 unreachable, length 56
20:57:00.766691 IP6 2a0d:xxxx:xxxx:xxxx:100::2.38786 > bud02s27-in-x04.1e100.net.44456: UDP, length 1352
20:57:01.756889 IP6 2a0d:xxxx:xxxx:xxxx:100::2.38786 > bud02s27-in-x04.1e100.net.44457: UDP, length 1352
20:57:02.611247 IP 46.38.107.93.63443 > 10.10.0.2.36363: UDP, length 20
20:57:02.739421 IP 10.10.0.2 > 46.38.107.93: ICMP 10.10.0.2 udp port 36363 unreachable, length 56
20:57:02.754584 IP6 2a0d:xxxx:xxxx:xxxx:100::2.38786 > bud02s27-in-x04.1e100.net.44458: UDP, length 1352
20:57:03.770043 IP6 2a0d:xxxx:xxxx:xxxx:100::2.38786 > bud02s27-in-x04.1e100.net.44459: UDP, length 1352
20:57:04.756912 IP6 2a0d:xxxx:xxxx:xxxx:100::2.38786 > bud02s27-in-x04.1e100.net.44460: UDP, length 1352
20:57:05.772918 IP6 2a0d:xxxx:xxxx:xxxx:100::2.38786 > bud02s27-in-x04.1e100.net.44461: UDP, length 1352
20:57:06.774619 IP6 2a0d:xxxx:xxxx:xxxx:100::2.38786 > bud02s27-in-x04.1e100.net.44462: UDP, length 1352
....
 
The lines like

Code:
20:57:05.772918 IP6 2a0d:xxxx:xxxx:xxxx:100::2.38786 > bud02s27-in-x04.1e100.net.44461: UDP, length 1352

mean that a UDP packet was emitted with source address 2a0d:xxxx:xxxx:xxxx:100::2.38786 towards bud02s27-in-x04.1e100.net.44461 .

There is no line that looks like

Code:
HH:MM:SS.zzzzzz IP6 bud02s27-in-x04.1e100.net.44461 > 2a0d:xxxx:xxxx:xxxx:100::2.38786: UDP, length 1352

which indicates that no responses have been received. Something striking is these two lines at the beginning of the output:

Code:
20:56:50.584557 IP6 2a0d:xxxx:xxxx:xxxx:100::2.38786 > bud02s27-in-x04.1e100.net.44444: UDP, length 1352
20:56:50.584625 IP6 2a0d:xxxx:xxxx:xxxx:100::1 > 2a0d:xxxx:xxxx:xxxx:100::2: ICMP6, time exceeded in-transit for bud02s27-in-x04.1e100.net, length 1240

The first line is the ping, while the second is the notification of the timeout to the peer. The timeout isn't unexpected, but the timing is: it timed out after not even 1/1000th of a second of the ping forward, which is quite unusually fast.

Is the /etc/rc.conf stuff correct? Notoriously, the ifconfig_vtnet0_ipv6="inet6 2a0d:xxxx:xxxx:xxxx:200::1 prefixlen 72" line has a 72 bit network prefix, but the ipv6_route_wan_net="-net 2a0d:xxxx:xxxx::/48 -iface vtnet0" line seems to specify special handling for a 48 bit prefix. Also, the ipv6_defaultrouter="2a0d:xxxx:xxxx::1" indicates that your defaultrouter is not within the local network you specified in the ifconfig line.

Can you confirm the settings are correct for ipv6 routing, i.e. can the VPS itself ping6 your reference system?

EDIT:
Vps have 1 ipv4 addr and 64 ipv6 subnet(presumable)
The ifconfig line should have a 64 bit prefix then, and the router "should" be inside the same network, i.e. a block of xxxx is missing in the default router definition.
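A small script, added here as an illustration and not something posted in the thread, that does the pairing the reply above does by eye: it reads tcpdump lines of the shape shown, lists which outbound IPv6 flows from the tunnel client ever saw a packet back, and measures how quickly each ICMP6 "time exceeded" followed the probe it names. The capture is a constructed subset of the one posted above plus one constructed reply line (port 44447) so that the matcher has something to pair; the client address 2a0d:xxxx:xxxx:xxxx:100::2 is the redacted one from the thread.

```python
"""Pair outbound IPv6 flows in a tcpdump text capture with their replies."""
import re
from datetime import datetime, timedelta

# One tcpdump line per UDP datagram and per ICMP6 "time exceeded" notice.
UDP_RE = re.compile(r"^(\S+) IP6 (\S+)\.(\d+) > (\S+)\.(\d+): UDP, length (\d+)$")
TIMEX_RE = re.compile(
    r"^(\S+) IP6 (\S+) > (\S+): ICMP6, time exceeded in-transit for (\S+), length \d+$")

# Constructed subset of the capture in the thread; the last line is a constructed
# reply that never appeared in the real capture, added so the matcher has a hit.
CAPTURE = """\
20:56:50.584557 IP6 2a0d:xxxx:xxxx:xxxx:100::2.38786 > bud02s27-in-x04.1e100.net.44444: UDP, length 1352
20:56:50.584625 IP6 2a0d:xxxx:xxxx:xxxx:100::1 > 2a0d:xxxx:xxxx:xxxx:100::2: ICMP6, time exceeded in-transit for bud02s27-in-x04.1e100.net, length 1240
20:56:50.662649 IP6 2a0d:xxxx:xxxx:xxxx:100::2.38786 > bud02s27-in-x04.1e100.net.44445: UDP, length 1352
20:56:50.662684 IP6 2a0d:xxxx:xxxx:xxxx:100::1 > 2a0d:xxxx:xxxx:xxxx:100::2: ICMP6, time exceeded in-transit for bud02s27-in-x04.1e100.net, length 1240
20:56:50.740687 IP6 2a0d:xxxx:xxxx:xxxx:100::2.38786 > bud02s27-in-x04.1e100.net.44446: UDP, length 1352
20:56:51.756568 IP6 2a0d:xxxx:xxxx:xxxx:100::2.38786 > bud02s27-in-x04.1e100.net.44447: UDP, length 1352
20:56:51.801234 IP6 bud02s27-in-x04.1e100.net.44447 > 2a0d:xxxx:xxxx:xxxx:100::2.38786: UDP, length 1352
"""


def _ts(text):
    """Parse tcpdump's default date-less HH:MM:SS.usec timestamp."""
    return datetime.strptime(text, "%H:%M:%S.%f")


def analyze(capture, local):
    """Return which flows from `local` got a packet back, which did not, and
    how many microseconds after the probe each ICMP6 time-exceeded arrived."""
    outbound = {}      # (sport, dst, dport) -> timestamp of the first probe
    replied = set()    # (sport, dst, dport) keys that saw a packet back
    last_probe = {}    # dst host -> timestamp of the latest probe sent to it
    notices = []       # (reporting router, dst host, microseconds after the probe)
    for line in capture.splitlines():
        m = UDP_RE.match(line)
        if m:
            ts, src, sport, dst, dport, _ = m.groups()
            if src == local:
                key = (int(sport), dst, int(dport))
                outbound.setdefault(key, _ts(ts))
                last_probe[dst] = _ts(ts)
            elif dst == local:
                # Reverse the tuple so a reply keys the flow it answers.
                replied.add((int(dport), src, int(sport)))
            continue
        m = TIMEX_RE.match(line)
        if m and m.group(3) == local:
            ts, router, _, host = m.groups()
            probe = last_probe.get(host)
            usec = (_ts(ts) - probe) // timedelta(microseconds=1) if probe else None
            notices.append((router, host, usec))
    return {
        "unanswered": sorted(k for k in outbound if k not in replied),
        "answered": sorted(k for k in outbound if k in replied),
        "time_exceeded": notices,
    }


def report(capture, local):
    """Print a human-readable summary and return the analysis."""
    r = analyze(capture, local)
    for sport, host, dport in r["unanswered"]:
        print(f"no packet back for {local}.{sport} -> {host}.{dport}")
    for router, host, usec in r["time_exceeded"]:
        print(f"{router} reported time exceeded for {host} {usec} us after the probe")
    return r


if __name__ == "__main__":
    report(CAPTURE, "2a0d:xxxx:xxxx:xxxx:100::2")
```

Two things to keep in mind when reading the numbers it prints: a traceroute probe sent with hop limit 1 is supposed to draw a time exceeded from the first hop, and a first hop that is the WireGuard server itself answers in microseconds, so that part of the capture is normal; the signal is the probes with larger hop limits that get nothing back at all, which matches the "no reply" rows in the tracepath output earlier in the thread. A real answer to the last probe would be an ICMP6 message from the destination rather than a UDP datagram; the constructed UDP reply only exercises the matcher.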
 
Can you confirm the settings are correct for ipv6 routing, i.e. can the VPS itself ping6 your reference system?
I can ping 2a0d:xxxx:xxxx:xxxx:200::1 from my local machine.
IPv6 also works fine on the remote server in question.

I did a little weird thing in the setup to slice the /64 subnet given by the provider into smaller ones.
Originally what the provider gives me is:
ifconfig_vtnet0_ipv6="inet6 2a0d:xxxx:xxxx:xxxx::1/48" - it's my server
ipv6_defaultrouter="2a0d:xxxx:xxxx::1"
It's working (wg still not working), but if I use a /64 subnet for the server IP, or any other smaller subnet, the server is unable to find the provider gateway because it's on the /48 subnet.

I can try to change this to default...

It seems to me that packets coming from the wg0 interface just don't get routed at all...
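The prefix-length puzzle in the last few posts (a /48 interface prefix that works, a /64 or /72 that cannot reach the gateway, and the earlier rc.conf that papered over it with a -net .../48 -iface route) can be checked mechanically. The script below is an added example, not anything from the thread; it uses the 2001:db8::/32 documentation prefix as a constructed stand-in for the redacted 2a0d:xxxx values: the provider's /48 is 2001:db8:1::/48, its gateway 2001:db8:1::1, and the VPS's /64 is 2001:db8:1:abcd::/64.

```python
"""Check whether an IPv6 default router is reachable from an rc.conf-style uplink setup."""
import ipaddress

# Constructed stand-in for the /64 the provider assigns to the VPS.
ASSIGNED = ipaddress.IPv6Network("2001:db8:1:abcd::/64")


def evaluate(iface_addr, default_router, iface_routes=(), assigned=ASSIGNED):
    """iface_addr: the ifconfig_*_ipv6 address with its prefix length,
    e.g. '2001:db8:1:abcd:200::1/72'.
    iface_routes: networks or host/128 entries handed to the kernel as
    '-iface <uplink>' static routes (ipv6_route_* in rc.conf).
    Returns whether the router is on-link through the interface prefix,
    whether it is reachable at all, and a list of findings."""
    host = ipaddress.IPv6Interface(iface_addr)
    router = ipaddress.IPv6Address(default_router)
    static = [ipaddress.IPv6Network(r, strict=False) for r in iface_routes]
    findings = []

    on_link = router in host.network
    reachable = on_link or any(router in n for n in static)
    if not reachable:
        findings.append(
            f"default router {router} is outside {host.network} and no -iface route "
            "covers it: the kernel cannot resolve the gateway to a link, so the default "
            "route is unusable")
    for n in static:
        if n.prefixlen < assigned.prefixlen and assigned.subnet_of(n):
            findings.append(
                f"-iface route {n} is broader than the assigned {assigned}: every address "
                "in it is treated as on-link, so the host does neighbor discovery for them "
                "instead of forwarding to the router")
    return {"router_on_link": on_link, "router_reachable": reachable, "findings": findings}


if __name__ == "__main__":
    cases = [
        ("provider default, /48 on the interface", "2001:db8:1:abcd::1/48", []),
        ("/64 on the interface, nothing else", "2001:db8:1:abcd::1/64", []),
        ("/72 plus -net .../48 -iface (first rc.conf)", "2001:db8:1:abcd:200::1/72", ["2001:db8:1::/48"]),
        ("/72 plus host route to the gateway (later fix)", "2001:db8:1:abcd:200::1/72", ["2001:db8:1::1/128"]),
    ]
    for label, addr, routes in cases:
        r = evaluate(addr, "2001:db8:1::1", routes)
        state = "reachable" if r["router_reachable"] else "UNREACHABLE"
        print(f"{label}: {state}")
        for f in r["findings"]:
            print("  -", f)
```

The four cases mirror the configurations that appear in the thread. The last one, a /128 host route to the gateway over the uplink plus a longer prefix on the interface, is the shape the asker lands on later, and it is the narrowest change that makes the gateway resolvable without declaring the whole /48 on-link.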
 
Ok. I solved this crazy puzzle.
rc.conf:
Code:
ifconfig_vtnet0_ipv6="inet6 2a0d:xxxx:xxxx:xxxx:100::1 prefixlen 72"
ipv6_static_routes="isp"
ipv6_route_isp="2a0d:xxxx:xxxx::1 -iface vtnet0"
ipv6_defaultrouter="2a0d:xxxx:xxxx::1"

wg0.conf:
INI:
[Interface]
PrivateKey = __
Address = 10.10.0.1/16
Address = 2a0d:xxxx:xxxx:xxxx:200::1/72
ListenPort = 31313
MTU=1400

[Peer]
PublicKey = __
AllowedIPs = 10.10.0.2/32, 2a0d:xxxx:xxxx:xxxx:200::2/128

Issue probably was that the server routed packets incoming from the WAN to its default router or vtnet0 -> back to the WAN, instead of the wg0 interface.
 
Bloody hell. No.
Not solved.
Only one peer is getting IPv6 working. The second peer is not!!!!
What is this even?
 
What's your goal btw? Tunneling IPv6 into another region to bypass some access restriction? Or do you want to host globally accessible services at home w/o having a globally accessible network address?
 
What's your goal btw? Tunneling IPv6 into another region to bypass some access restriction? Or do you want to host globally accessible services at home w/o having a globally accessible network address?
The last one is closest to what I want.
Restrictions are not a goal for this setup. I just want these public IPv6 IPs routed through the VPN.
 
In that case, it would be advantageous to install a reverse proxy, such as www/nginx on the VPS, and have it provide access to http / tcp / udp services on your wg nodes, as it provides an additional layer of defense, and, just as importantly, can be monitored and diagnosed much better than firewalls.
 
In that case, it would be advantageous to install a reverse proxy, such as www/nginx on the VPS, and have it provide access to http / tcp / udp services on your wg nodes, as it provides an additional layer of defense, and, just as importantly, can be monitored and diagnosed much better than firewalls.
Thank you for the advice. But I still want to make the VPN work.

I just bring the WG interface up on the server by hand, and have the exact same problem.
Peer1 gets IPv6 working without problems (200::2/72).
Peer2 (200::3/72) does not. wg show shows that no packets are sent to Peer 2 while it tries to reach the internet.
 
 
Ok. So. Things are actually stupid.
And sad, considering how hard it was to find the answer.
The hoster does not route the /64 prefix to me. So, I need to use ndproxy or something.
ndp - the utility ended up completely unhelpful.
ndproxy - is doing something, probably. Seems useless for WireGuard.
REALLY strange that I cannot just mock neighbor solicitation responses for the needed addresses.

So. Solution for now: make temp aliases on the WAN interface with the desired IPs and ping the internet so the hoster's router learns where to send packets.
🤣
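The workaround in the post above, written out as a script. This is an added example and not the asker's own code: it pulls each peer's /128 IPv6 entry out of a wg0.conf, and for each one emits the FreeBSD command sequence "alias the address on the uplink, send one ping from it, remove the alias" so the hoster's router ends up with a neighbor cache entry pointing at this host. The config is a constructed copy of the thread's with 2001:db8:1:abcd::/64 standing in for the redacted prefix, the uplink name vtnet0 is taken from the thread, and the probe target (here the gateway stand-in 2001:db8:1::1) is an assumption; commands are only printed unless apply=True.

```python
"""Seed the upstream router's neighbor cache for WireGuard peers' IPv6 addresses."""
import ipaddress
import re
import subprocess

# Constructed wg0.conf modelled on the thread's, with placeholder keys and
# 2001:db8:1:abcd::/64 in place of the redacted 2a0d:xxxx:xxxx:xxxx::/64.
SAMPLE_CONF = """\
[Interface]
PrivateKey = __
Address = 10.10.0.1/16
Address = 2001:db8:1:abcd:200::1/72
ListenPort = 31313

[Peer]
PublicKey = __
AllowedIPs = 10.10.0.2/32, 2001:db8:1:abcd:200::2/128

[Peer]
PublicKey = __
AllowedIPs = 10.10.0.3/32, 2001:db8:1:abcd:200::3/128
"""


def peer_ipv6_addresses(conf_text, served_prefix):
    """Return the /128 IPv6 AllowedIPs entries inside served_prefix, i.e. the
    addresses the upstream router has to learn to deliver to this host."""
    net = ipaddress.IPv6Network(served_prefix)
    found = []
    for m in re.finditer(r"^\s*AllowedIPs\s*=\s*(.+)$", conf_text, re.MULTILINE):
        for item in m.group(1).split(","):
            item = item.strip()
            if ":" not in item:          # IPv4 entry, nothing to do on the v6 side
                continue
            entry = ipaddress.IPv6Interface(item)
            if entry.network.prefixlen == 128 and entry.ip in net:
                found.append(str(entry.ip))
    return found


def seed_commands(addresses, uplink, probe):
    """Build the add-alias / ping / drop-alias sequence for each address using
    FreeBSD ifconfig(8) and ping6(8) syntax. The alias is /128 so it never adds
    a second prefix route, and it is removed right after the ping so the
    kernel's host route to the peer via wg0 is in charge again."""
    cmds = []
    for a in addresses:
        cmds.append(["ifconfig", uplink, "inet6", f"{a}/128", "alias"])
        cmds.append(["ping6", "-c", "1", "-S", a, probe])   # -S forces the source address
        cmds.append(["ifconfig", uplink, "inet6", f"{a}/128", "-alias"])
    return cmds


def seed(conf_text, served_prefix, uplink, probe, apply=False):
    """Print the sequence; run it only when apply=True (needs root on the VPS)."""
    cmds = seed_commands(peer_ipv6_addresses(conf_text, served_prefix), uplink, probe)
    for c in cmds:
        print(" ".join(c))
        if apply:
            subprocess.run(c, check=False)
    return cmds


if __name__ == "__main__":
    # Dry run against the constructed config; the probe target is the gateway stand-in.
    seed(SAMPLE_CONF, "2001:db8:1:abcd::/64", "vtnet0", "2001:db8:1::1")
```

Two checks are worth doing after a run: netstat -rn should again show the peer's address as a host route via wg0 rather than lo0, since the alias briefly takes that address for the server itself, and the effect is only as durable as the router's neighbor cache, because once the alias is gone nobody answers a fresh Neighbor Solicitation for the address. That second point is why the next reply in the thread points at ndproxy as the proper tool.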
 
ndproxy is probably what you want if your provider has configured an on-link /64 to you which many providers do sadly.
 
ndproxy is probably what you want if your provider has configured an on-link /64 to you which many providers do sadly.
Yes. Probably, but I was unable to make it do what I want, like answer for any address from the subnet that this is its MAC.
 
How does your ndproxy configuration look in /etc/rc.conf?
If I understand correctly, ndproxy only proxies NDP requests, and has no means of mocking them?
Problem is, WireGuard is a layer 3 only protocol; its interfaces do not expose MAC addresses. If I understand this correctly.
 
If I understand correctly, ndproxy only proxies NDP requests, and has no means of mocking them?
Problem is, WireGuard is a layer 3 only protocol; its interfaces do not expose MAC addresses. If I understand this correctly.
Try this..
Code:
pkg install ndproxy-3.2.1403000_1
Code:
cat /etc/rc.conf.local
ndproxy_enable="YES"
ndproxy_uplink_interface="vtnet0" # host primary interface
ndproxy_downlink_mac_address="00:00:11:xx:yy:xx" # host 'vtnet0' MAC address
ndproxy_uplink_ipv6_addresses="fe80::1;::" # host gateway(s), link-local address(es)

service ndproxy start
 