
I have IPv6 connectivity over wg0 (a WireGuard interface), and my LAN has a local IPv6 network.

From a desktop (Ubuntu 20.04.1) connected to the router (Ubuntu 20.04.1) with the LAN and wg0 (WireGuard) interfaces, I do:

mtr --show-ips google.com

and get:

Host
1. 10.0.0.1 <- LAN gateway
2. 10.49.0.1 <- wg0 gateway
3. ...
4. ...

If I now do:

mtr -6 --show-ips google.com

I now get:

Host
1. fdb1:3d0e:7458:1f46:20e:c4ff:fece:e984 (fdb1:3d0e:7458:1f46:20e:c4ff:fece:e984) <- LAN gateway
2. (waiting for reply)

I have both iptables and ip6tables running with identical instructions in both. I don't understand why my IPv6 LAN can't connect to the wg0 gateway, while my IPv4 LAN can. Can anybody please give me some pointers as to what might be going wrong?

1 Answer

I was missing the *nat section from my ip6tables - adding the following made it work:

*nat

# Base policy
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# wg0 is VPN interface
-A POSTROUTING -o wg0 -j MASQUERADE

COMMIT

  • Don't do NAT with IPv6. That eliminates much of the advantages for using IPv6. Use one of your global subnets instead. – Michael Hampton Nov 10 '20 at 19:19
  • My present ISP does not implement IPv6, and so I have no access to global subnets. My WireGuard interface does implement IPv6, but WireGuard does not provide IPv6 subnets either. – Shunyata Kharg Nov 11 '20 at 21:34
  • Even if you are just using IPv6 in your own organization, NAT is not necessary and is even more undesirable. – Michael Hampton Nov 11 '20 at 21:36
  • I'm not sure if I've explained my situation correctly. I have no way of obtaining IPv6 GUA subnets, either from my ISP nor from WireGuard. – Shunyata Kharg Nov 11 '20 at 21:39
  • It doesn't matter. NAT is not necessary or desirable with IPv6. – Michael Hampton Nov 11 '20 at 21:44
  • How would you connect a ULA to a GUA without NAT? – Shunyata Kharg Nov 11 '20 at 21:44
  • You get global addresses. But you said you weren't connecting to the Internet. – Michael Hampton Nov 11 '20 at 21:51
  • It costs a not insignificant amount of money to obtain GUAs. ULAs are free, and so is Linux (which implements IPv6 NAT). I didn't have IPv6 connectivity to the internet from a client connected to the router, but with the NAT command in ip6tables I now do :) – Shunyata Kharg Nov 11 '20 at 21:55
  • I can't think of anywhere on the planet where IPv6 subnets have a significant cost. Typically they are free. And now you only have partial connectivity and are stuck with NAT. – Michael Hampton Nov 11 '20 at 21:56
  • I'm not stuck with anything. My present situation is very similar to this one https://blog.apnic.net/2018/02/02/nat66-good-bad-ugly/ in that I only have one IPv6 GUA (or rather, not all my devices can run a WireGuard client). When I change my ISP for one that gives me a /64 I will reconsider my setup, although if not all my devices can run a WireGuard client then I won't want them connected through a GUA to the internet knowing that my ISP could log their every move. – Shunyata Kharg Nov 11 '20 at 22:30
  • Ahh, your ISP is horrible! One address?! That's absurd, especially for business service! You can quote chapter and verse from [RFC 6177](https://tools.ietf.org/html/rfc6177) at them if you think it might help them improve. – Michael Hampton Nov 11 '20 at 22:52
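The check that would have surfaced the answer's finding directly, as an added example that is not part of the question, the answer or the comments: a small Python script that parses iptables-save and ip6tables-save output and lists every line one family has that the other lacks. The two dumps embedded below are constructed to mirror the question (identical filter tables, a nat table only on the IPv4 side); the LAN interface name eth1 is an assumption, and the MASQUERADE rule is the one from the answer. On a real router, replace the constants with the output of `iptables-save` and `ip6tables-save`.

```python
"""Compare an iptables-save dump with an ip6tables-save dump.

Added example, not from the original post. The dumps below are
constructed: same filter rules in both families, but the IPv6 ruleset
has no *nat table, which is the situation described in the answer."""
import re

# Constructed sample: the router's IPv4 ruleset, nat table included.
# eth1 (LAN) is an assumed interface name; wg0 is from the question.
V4_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o wg0 -j ACCEPT
-A FORWARD -i wg0 -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o wg0 -j MASQUERADE
COMMIT
"""

# Constructed sample: identical filter rules (with different packet
# counters, as a live dump would show), but the *nat section is missing.
V6_DUMP = """\
*filter
:INPUT DROP [42:3100]
:FORWARD DROP [7:560]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o wg0 -j ACCEPT
-A FORWARD -i wg0 -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""


def parse_save(dump):
    """Parse iptables-save text into {table_name: set_of_lines}.

    Comment and COMMIT lines are dropped. Chain policy lines keep the
    chain name and policy but lose the [packets:bytes] counters, so two
    rulesets compare equal even when their traffic counts differ."""
    tables = {}
    table = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
            tables.setdefault(table, set())
            continue
        if table is None:
            raise ValueError(f"rule outside any table: {line!r}")
        if line.startswith(":"):
            line = re.sub(r"\s*\[\d+:\d+\]$", "", line)
        tables[table].add(line)
    return tables


def missing_in(reference, candidate):
    """Return {table: sorted lines} present in reference but absent from
    candidate. A table that candidate lacks entirely is listed with all
    of its lines; tables that match exactly are omitted."""
    ref = parse_save(reference)
    cand = parse_save(candidate)
    diff = {}
    for table, lines in ref.items():
        gap = sorted(lines - cand.get(table, set()))
        if gap or table not in cand:
            diff[table] = gap
    return diff


def has_masquerade(dump, iface):
    """True if the nat table has a POSTROUTING MASQUERADE rule leaving iface."""
    pattern = re.compile(
        rf"^-A POSTROUTING\b.*\s-o {re.escape(iface)}\b.*\s-j MASQUERADE\b")
    return any(pattern.search(r) for r in parse_save(dump).get("nat", ()))


def main():
    gaps = missing_in(V4_DUMP, V6_DUMP)
    if not gaps:
        print("IPv4 and IPv6 rulesets are identical")
    for table, lines in gaps.items():
        print(f"table *{table}: {len(lines)} line(s) in iptables but not ip6tables")
        for line in lines:
            print("   ", line)
    print("wg0 MASQUERADE present in ip6tables:", has_masquerade(V6_DUMP, "wg0"))


if __name__ == "__main__":
    main()
```

The diff only shows where the two rulesets diverge; whether to close the gap with the answer's MASQUERADE rule (NAT66) or by routing a prefix over the tunnel, as the comments argue, is a design decision the script does not make. Two things outside the firewall also differ per family and are worth checking alongside: `net.ipv6.conf.all.forwarding` is a separate sysctl from its IPv4 counterpart, and the WireGuard peer's AllowedIPs must include the IPv6 destinations or the tunnel will drop them regardless of what ip6tables allows.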