How to properly set up IPv6 with a VPN?

Hey there,

I keep running into the issue of IPV6 not working when using wireguard on the Flint AX1800.

My VPN provider is Mullvad, and they support IPV6, you can see here it’s also connected:

Without wireguard client activated, IPV6 works just fine. Once connected, it doesn’t work at all.

I’ve tried multiple things, all on a clean reset firmware:

  1. Main router in bridge mode, flint connected behind it. No luck.

  2. Main router in normal mode, DHCP set to static IPV6, no luck.

  3. Main router in normal mode, DHCP set to DHCPv6, no luck.

  4. Flint set to NAT6, no luck

  5. Flint set to Native, no luck

  6. Flint set to static, no luck.

Tried all the combos, IPV6 works without VPN activated. The config is valid & ipv6 works on other devices using the same config.

I hope this can be solved, because I am currently out of ideas.

cat << EOF > /etc/firewall.nat6
iptables-save --table=“nat”
| sed -e “/\s[DS]NAT\s/d”
| ip6tables-restore --table=“nat”
EOF
uci commit firewall
service firewall restart

Video: IMG_2306.MOV | Storj

I’m not sure why sometimes running this script works, and other times it won’t.

@hilll @alzhao could you please look into this? It’s great when it works, but very annoying having to run it every time.

Hilll is not working in GL.iNet.

@hansome will have a check.

1 Like

@hansome First off, hope you had a very merry Christmas! 🙂

Was wondering when you’d have the time to look into this. Would be great to finally have fully native integrated IPV6 support for VPN😄

Thank you, I’ll look into this tomorrow.

1 Like

This is sort of complicated, I’m still doing some debugging.
By the way,

Does this have a typo? I failed to run it. Maybe write it in a code block, please.
Could you share more of your settings?

cat << EOF > /etc/firewall.nat6
iptables-save --table="nat" \
| sed -e "/\s[DS]NAT\s/d" \
| ip6tables-restore --table="nat"
EOF
uci commit firewall
service firewall restart

What settings do you need?

Just to add onto this, it’s not limited to the Flint. Ordered a Slate AXT1800 & it has the same issue with IPV6 not working when connected to the VPN.

Let me know what info you need @hansome, happy to provide whatever info u need to get it working 🙂

Hi Blobbie01,

I managed to set up nat6 with mullvad wireguard client. I’m using firmware 4.2.0 beta2.
Just enable ipv6, then start mullvad, and it works!!!
This is my test result on a flint LAN client device.

After debugging /etc/firewall.nat6, I found that

-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE

is the critical rule in ip6tables-save.

If your setup still does not work, please copy and run the following commands

cd /tmp
ip6tables-save >ipt6
ip -6 rule >ipr6
ip -6 route show >>ipr6

tar cf ipt.tar ipt6 ipr6
mv ipt.tar /www/ipt6.zip

and get debug info collection file at http://192.168.8.1/ipt6.zip
then upload it for analysis.

2 Likes

Still didn’t work for me🤔

ipt6.zip (22 KB)

I checked the ipv6 route table and found that there are some extra default routes added by the upstream gateway.
I think lowering the wgclient route item metric will do the trick.


Uploaded modified script that changes wgclient route metric to 511, you can upload it, and restart wg client to have a check.
The script is located at:
wgclient-route-update.zip (1.3 KB)

/etc/wireguard/scripts/wgclient-route-update.sh

1 Like
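An added example, not part of the thread and not GL.iNet's own script: offline checks over the two debug files collected above (`ipt6` and `ipr6`), confirming that the MASQUERADE rule named as critical is present and reporting which device holds the lowest-metric IPv6 default route. The device names `eth0` and `wgclient` and the sample file contents are constructed assumptions.

```shell
#!/bin/sh
# ipt6 = ip6tables-save output; ipr6 = "ip -6 rule" plus "ip -6 route show".

# Succeeds if the nat table has a MASQUERADE rule in zone_wan_postrouting.
has_masquerade() {
    awk '/^\*/ { table = substr($0, 2) }
         table == "nat" && $1 == "-A" && $2 == "zone_wan_postrouting" {
             for (i = 3; i < NF; i++)
                 if ($i == "-j" && $(i + 1) == "MASQUERADE") found = 1
         }
         END { exit !found }' "$1"
}

# Prints "<metric> <dev>" per IPv6 default route, lowest metric first.
default_metrics() {
    awk '$1 == "default" {
             dev = ""; metric = 1024   # 1024 = kernel default IPv6 route metric
             for (i = 2; i < NF; i++) {
                 if ($i == "dev") dev = $(i + 1)
                 if ($i == "metric") metric = $(i + 1)
             }
             if (dev != "") print metric, dev
         }' "$1" | sort -n
}

# Device holding the lowest-metric default route.
preferred_dev() { default_metrics "$1" | awk 'NR == 1 { print $2 }'; }

# check_debug IPT6 IPR6 [TUNNEL_DEV]; the default name "wgclient" is an assumption.
check_debug() {
    tun="${3:-wgclient}"; rc=0
    has_masquerade "$1" || { echo "no MASQUERADE in nat/zone_wan_postrouting"; rc=1; }
    dev="$(preferred_dev "$2")"
    [ "$dev" = "$tun" ] || { echo "default route leaves via '$dev', not '$tun'"; rc=1; }
    return "$rc"
}

# Constructed sample input, not taken from the uploaded ipt6.zip.
SAMPLE="$(mktemp -d)"
printf '%s\n' '*filter' '-A zone_wan_forward -j reject' 'COMMIT' '*nat' \
    '-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE' \
    'COMMIT' > "$SAMPLE/ipt6"
printf '%s\n' '32766: from all lookup main' \
    'default via fe80::1 dev eth0 proto static metric 512 pref medium' \
    'default dev wgclient proto static metric 1024 pref medium' > "$SAMPLE/ipr6_before"
sed 's/metric 1024/metric 511/' "$SAMPLE/ipr6_before" > "$SAMPLE/ipr6_after"

check_debug "$SAMPLE/ipt6" "$SAMPLE/ipr6_before" || true    # reports eth0
check_debug "$SAMPLE/ipt6" "$SAMPLE/ipr6_after" && echo "tunnel route preferred"
```

On a router, point `check_debug` at the real `/tmp/ipt6` and `/tmp/ipr6` files and pass the actual tunnel device name as the third argument.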

Still no luck, did a full restart of the modem.

Here is the latest log. Mind you, I haven’t run the script I posted on my slate AX, not sure if I was supposed to?

ipt6 2.zip (21.5 KB)

For AzireVPN I know it provides an IPv6-PD range, which you can set up as VPN6 interface (@alias of VPN-interface with static IPv6-PD range as IP-setting). Change the LAN to receive/track IPv6 range from the VPN6 interface.

Then I believe you also need IPv6 mwan3 policies set up and then you should have everything working. I do not know if Mullvad does supply 1 IPv6 or a /64?

Hi Blobbie01,

Finally, I found that mwan3 impacts wg client & ipv6.
More effort is needed to construct a suitable rule for this situation. To temporarily make it work, use the changed wgclient-route-update.sh and disable mwan3; your previous script should not be run.

/etc/init.d/mwan3 disable
uci set mwan3.globals.enabled='0'
uci commit mwan3
reboot

1 Like

In my test configuration, Mullvad supplies 1 IPv6 address to wgclient interface like: fc00:bbbb…

1 Like

Thank you very much! I’ll be trying this when I get home & let you know🙏

Works perfectly. Thank you so much! 🙏

On the GL.iNet interface it does now show “The interface is connected, but the Internet can’t be accessed with IPv4 protocol.”, but there are no connectivity issues, internet is fully accessible on IPV6.

Thanks again, this is amazing💖

1 Like

This is indeed not good, gonna try to solve it later by making mwan3 and wg ipv6 both work, that’s kinda complicated.

3 Likes

Any update about this?

1 Like

Setting Multi-WAN to IPV6 makes the errors disappear.

For me it’s still working perfectly, I am using Mullvad VPN & set it to connect over IPV6, but support both protocols.