
I rented a VDS in order to set up a WireGuard VPN on it and distribute /64 IPv6 subnets to all VPN clients. From the hosting I originally got the address 2a0c:xxx:yyy::1/32. Here are the configurations of the network interfaces that I set up:

❯ ip a
2: wan0: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 ...
    inet6 2a0c:xxx:yyy:1001::1/32 scope global
        valid_lft forever preferred_lft forever
    inet6 fe80::****:**:****:****/64 scope link
        valid_lft forever preferred_lft forever
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue ....
    inet 172.22.9.1/24 brd 172.22.9.255 scope global wg0
        valid_lft forever preferred_lft forever
    inet6 fd4d:56d8:31d4:2001::1/56 scope global
        valid_lft forever preferred_lft forever

❯ ip -6 r
::1 dev lo proto kernel metric 256 pref medium
2a0c:xxx:yyy:2000::/56 dev wg0 proto static metric 20 pref medium
2a0c:xxx::/32 dev wan0 proto kernel metric 256 pref medium
2a0c:xxx::/32 dev wan0 proto ra metric 1024 expires 2591851sec pref medium
fd4d:56d8:31d4:2000::/56 dev wg0 proto kernel metric 256 pref medium
fe80::/64 dev wan0 proto kernel metric 256 pref medium
default proto static metric 1024 pref medium
        nexthop via 2a0c:xxx::1 dev wan0 weight 1
        nexthop via fe80::****:****:****:**** dev wan0 weight 1

❯ sudo sysctl net.ipv6.conf.all.forwarding
net.ipv6.conf.all.forwarding = 1

❯ cat /etc/ndppd.conf
proxy wan0 {
    rule 2a0c:xxx:yyy:2000::/56 {
        static
    }
}

# --- check routing to dns.google from one of the VPN clients ---
❯ ip -6 r get to 2001:4860:4860::8844 from 2a0c:xxx:yyy:2005::****:*
2001:4860:4860::8844 from 2a0c:xxx:yyy:2005::****:* via fe80::****:****:****:**** dev wan0 proto ra src 2a0c:xxx:yyy:1001::1 metric 1024 mtu 1500 pref medium

I give all VPN clients fd4d:56d8:31d4:20zz::/64 and 2a0c:xxx:yyy:20zz::/64 subnets (zz are different for each client). When I set it up the first time, everything worked and clients could access the Internet via IPv6. However, after I rebooted the VDS this configuration was no longer working.

When I tried to ping a VPN client with address 2a0c:xxx:yyy:2005::****:* from another host that is not connected to the VPN, I received multiple neighbor solicitation packets (who has 2a0c:xxx:yyy:2005::****:*) on wan0 from the upstream router, to which the VDS would periodically respond with neighbor advertisement packets. However, the echo request never arrived on either wan0 or wg0.

What is wrong with my configuration? Why does IPv6 over WireGuard stop working after a VDS reboot?

Thanks in advance.


99-wg0.netdev:

[NetDev]
Name=wg0
Kind=wireguard

[WireGuard]
PrivateKey=kH9-----------------------86u/Uw=
ListenPort=1194

[WireGuardPeer]
PublicKey=oXPdkrbDL---------------oKLW2HEEM=
PresharedKey=L9P------------------------jSiM=
AllowedIPs=2a0c:xxx:yyy:2005::/64
AllowedIPs=172.22.9.5/32

99-wg0.network:

[Match]
Name=wg0

[Network]
Address=172.22.9.1/24

[Route]
Destination=2a0c:xxx:yyy:2000::/56
Metric=20

  • You should add the content of `wg0.conf` (or equivalent config) and the output of `wg-quick up wg0` so all information is available in the question. – A.B Apr 04 '22 at 08:44
  • @A.B I solved the issue by changing the hosting where I rented the virtual machine. By repeating all the settings on the new virtual machine (with different IPv6 addresses, of course), I got a working IPv6 connection for all VPN clients. I assume that on the old hosting, the clients' IPv6 was not working because the upstream router was ignoring the neighbor advertisement from the virtual machine in response to its neighbor solicitation. Also, I was able to successfully distribute /64 subnets to clients via a tunnel broker, which further confirms my assumptions about problems on the hosting side. – async await Apr 04 '22 at 22:54
  • @A.B I configured the wg0 interface with systemd-networkd, all the settings I set there (interface address and route for /56 clients subnet) are shown in the output of `ip a` and `ip -6 r` commands. – async await Apr 04 '22 at 23:04
  • @A.B Regarding the second question: I tried to be more specific in the hope that it would attract more people who know about the issue. – async await Apr 04 '22 at 23:12
  • @A.B I added the contents of 99-wg0.netdev and 99-wg0.network to the question. All wg0 configuration is done only through them, I don't use wg-quick. – async await Apr 04 '22 at 23:24
  • Ah never mind indeed there wouldn't be such rules if not run by wg-quick, I didn't get it wasn't in same format. And I just don't know why there's a problem in the other question. – A.B Apr 04 '22 at 23:26
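The setup in the question only works when three things agree: the client /56 is routed to wg0, it lies inside the on-link /32 of wan0 (so the upstream router resolves every client address with neighbor discovery and ndppd has to answer for the whole /56), and each peer's AllowedIPs sits inside that /56. The following is an added checker for those three conditions, not code from the question or its comments; it parses saved `ip -6 r`, ndppd.conf and .netdev text, and uses 2001:db8::/32 as a constructed stand-in for the redacted 2a0c:xxx::/32.

```python
"""Consistency check for a /56 served to WireGuard peers behind an NDP proxy (added
example). It only inspects text, so it runs offline on saved command output; the
sample inputs below are constructed to mirror the question, with 2001:db8::/32
standing in for the redacted 2a0c:xxx::/32."""
import ipaddress
import re

# Constructed inputs mirroring the question's `ip -6 r`, ndppd.conf and 99-wg0.netdev.
ROUTES = """2001:db8:1:2000::/56 dev wg0 proto static metric 20 pref medium
2001:db8::/32 dev wan0 proto kernel metric 256 pref medium
default proto static metric 1024 pref medium
        nexthop via 2001:db8::1 dev wan0 weight 1
"""
NDPPD = "proxy wan0 {\n    rule 2001:db8:1:2000::/56 {\n        static\n    }\n}\n"
NETDEV = "[WireGuardPeer]\nAllowedIPs=2001:db8:1:2005::/64\nAllowedIPs=172.22.9.5/32\n"

def parse_routes(text):
    """Yield (network, device) from `ip -6 r` output; default and nexthop lines are skipped."""
    for line in text.splitlines():
        m = re.match(r"(\S+) dev (\S+)", line)
        if m:
            yield ipaddress.ip_network(m.group(1)), m.group(2)

def parse_ndppd(text):
    """Return {iface: [prefixes]} from the proxy/rule blocks of an ndppd.conf."""
    rules, iface = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*(proxy|rule) (\S+)", line)
        if m and m.group(1) == "proxy":
            iface = m.group(2)
            rules.setdefault(iface, [])
        elif m and iface:
            rules[iface].append(ipaddress.ip_network(m.group(2)))
    return rules

def check(routes_txt, ndppd_txt, netdev_txt, prefix, wan="wan0", wg="wg0"):
    """Return a list of problems; an empty list means the configuration is consistent."""
    prefix = ipaddress.ip_network(prefix)
    routes = list(parse_routes(routes_txt))
    problems = []
    if (prefix, wg) not in routes:
        problems.append(f"no route for {prefix} via {wg}")
    onlink = [n for n, d in routes if d == wan and prefix.subnet_of(n)]
    # On-link prefix: the upstream resolves each address with NDP, so the VDS must proxy-answer.
    if onlink and not any(prefix.subnet_of(r) for r in parse_ndppd(ndppd_txt).get(wan, [])):
        problems.append(f"{prefix} is on-link via {onlink[0]} but ndppd has no rule for it on {wan}")
    for ip in re.findall(r"AllowedIPs=(\S+)", netdev_txt):
        net = ipaddress.ip_network(ip)
        if net.version == 6 and not net.subnet_of(prefix):
            problems.append(f"peer AllowedIPs {net} is outside {prefix}")
    return problems
```

An empty result only means the three pieces agree with each other; whether the upstream router honours the proxied neighbor advertisements, which is what the comments point to, can only be seen with a packet capture on wan0.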
