How to properly setup IPV6 with a VPN?

admon · September 30, 2023, 2:11pm

I stumbled across this thread while trying to get Mullvad IPv4 + IPv6 Dual Stack working on my AX1800. Currently, no way to get it work

I’m on 4.4.6 release1 and tried the script + disabling mwan3 - no solution.

Anyone some more idea how to troubleshoot this issue?

Edit: It feels interesting that as soon as the VPN connects, the whole router will get unresponsive until reboot. Even SSH was terrible slow then. After a reboot and disabling IPv6 all is working again.

hansome · October 4, 2023, 4:46pm

I tried firmware 4.4.6 with mullvad & ipv6. The only thing I do is to enable ipv6, disable mwan3, and then connect mullvad.

I didn’t reproduce the unresponsive issue. I guess that may be caused by a network loop in your network.
I encountered a case where my lan&wan cable was under the same switch and I saw a similar issue as you reported.

admon · October 7, 2023, 10:05am

Apologies for my delayed response, did not find time to test it earlier.

These are the steps I tried on my AX1800 with firmware 4.4.6 r1:

Disabling VPN as it’s connected all the time
Enabling IPv6
Disabling mwan3 by using the commands from above
Rebooting
Connecting Mullvad again (server Germany_de-fra-wg-003)

While testing, it seems that all connections are IPv4 routed only.
IPv6 only works without VPN at this time.

Since my router is the PPPoE endpoint, there is no other device which could cause trouble here.

VPN Log

Sat Oct  7 11:51:45 2023 daemon.notice procd: /etc/rc.d/S13gl_ipv6: Warning: Option 'wgclient'.masq6 is unknown
Sat Oct  7 11:51:58 2023 daemon.notice procd: /etc/rc.d/S99adguardhome: Warning: Option 'wgclient'.masq6 is unknown
Sat Oct  7 11:52:46 2023 daemon.notice netifd: Interface 'wgclient' is setting up now
Sat Oct  7 11:52:46 2023 daemon.notice netifd: Network device 'wgclient' link is up
Sat Oct  7 11:52:46 2023 daemon.notice netifd: Interface 'wgclient' is now up
Sat Oct  7 11:52:47 2023 user.notice firewall: Reloading firewall due to ifup of wgclient (wgclient)
Sat Oct  7 11:52:47 2023 user.notice wgclient-up: env value:T_J_V_ifname=string J_V_address_external=1 USER=root ifname=wgclient ACTION=KEYPAIR-CREATED N_J_V_address_external=address-external SHLVL=3 J_V_keep=1 HOME=/ HOTPLUG_TYPE=wireguard T_J_V_interface=string CONFIG_lan_ip6class= J_V_ifname=wgclient T_J_V_link_up=boolean LOGNAME=root DEVICENAME= T_J_V_action=int TERM=linux SUBSYSTEM=wireguard PATH=/usr/sbin:/usr/bin:/sbin:/bin CONFIG_LIST_STATE= J_V_interface=wgclient K_J_V= action ifname link_up address_external keep interface J_V_link_up=1 J_V_action=0 T_J_V_address_external=boolean N_J_V_link_up=link-up T_J_V_keep=boolean PWD=/ JSON_CUR=J_V CONFIG_SECTIONS=global AzireVPN Mullvad FromApp group_8259 group_1226 group_4192 peer_2010 peer_2011 peer_2013 peer_2017 peer_2001 peer_2002 peer_2003 peer_2004 peer_2005 peer_2006 peer_2007 peer_2008 peer_2009 peer_2012 peer_2014 peer_2015 peer_2016 peer_2018 peer_2019 peer_2020 peer_2021 peer_2022 peer_2023 peer_2024 peer_2025 peer_2026 peer_2027 peer_2028 peer_2029 peer_2030 gro

ip a

 16: wgclient: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1380 qdisc noqueue state UNKNOWN group default qlen 1
    link/none
    inet 10.65.199.255/32 scope global wgclient
       valid_lft forever preferred_lft forever
    inet6 fc00:bbbb:bbbb:bb01::2:c7fe/128 scope global
       valid_lft forever preferred_lft forever

ip -6 route

root@Robbenrouter:~# ip -6 route
default from 2003:c8:9f3d:9b00::/56 via fe80::2a8a:1cff:fe64:2392 dev pppoe-wan proto static metric 512 pref medium
default from 2003:c8:9fff:74e::/64 via fe80::2a8a:1cff:fe64:2392 dev pppoe-wan proto static metric 512 pref medium
2003:c8:9f3d:9b00::/64 dev br-lan proto static metric 1024 pref medium
unreachable 2003:c8:9f3d:9b00::/56 dev lo proto static metric 2147483647 error 4294967183 pref medium
2003:c8:9fff:74e::/64 dev pppoe-wan proto kernel metric 256 expires 14296sec pref medium
unreachable 2003:c8:9fff:74e::/64 dev lo proto static metric 2147483647 error 4294967183 pref medium
::/1 dev wgclient metric 1024 pref medium
fc00:bbbb:bbbb:bb01::2:c7fe dev wgclient proto kernel metric 256 pref medium
unreachable fd4d:92bd:3a76::/48 dev lo proto static metric 2147483647 error 4294967183 pref medium
fe80::2a8a:1cff:fe64:2392 dev pppoe-wan metric 1 pref medium
fe80::ec05:a5dd:d451:69fc dev pppoe-wan proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0.7 proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
fe80::/64 dev wlan1 proto kernel metric 256 pref medium
8000::/1 dev wgclient metric 1024 pref medium
default via fe80::2a8a:1cff:fe64:2392 dev pppoe-wan proto ra metric 1024 expires 1696sec hoplimit 64 pref medium

Are there any other log files you need for troubleshooting?

hansome · October 9, 2023, 4:10pm

Please check a route to a certain ipv6 address:

ip -6 route get 240c::6666

admon · October 11, 2023, 8:37am

Result is:

240c::6666 from :: dev wgclient src fc00:bbbb:bbbb:bb01::2:c7fe metric 1024 pref medium

I dug deeper into it to find the following:
IPv6 works fine on the router itself. But from any network device it doesn’t while Mullvad is connected.

While Mullvad

On router

root@Robbenrouter:~# traceroute6 youtube.com
traceroute to youtube.com (2a00:1450:400e:805::200e), 30 hops max, 64 byte packets
 1  fc00:bbbb:bbbb:bb01::1 (fc00:bbbb:bbbb:bb01::1)  9.384 ms  9.573 ms  9.642 ms
 2  2a03:1b20:6:f011::1 (2a03:1b20:6:f011::1)  9.708 ms  12.315 ms  9.607 ms
 3  2a03:1b20:3:fe03::1 (2a03:1b20:3:fe03::1)  17.420 ms  16.761 ms  17.312 ms
 4  2a03:1b20:3:fe06::2 (2a03:1b20:3:fe06::2)  17.426 ms  17.915 ms  17.310 ms
 5  2a00:1450:8095::1 (2a00:1450:8095::1)  18.075 ms  17.845 ms  2a00:1450:805d::1 (2a00:1450:805d::1)  17.380 ms
 6  2001:4860:0:1::e34 (2001:4860:0:1::e34)  17.335 ms  ams16s37-in-x0e.1e100.net (2a00:1450:400e:805::200e)  17.261 ms  2001:4860:0:1::1484 (2001:4860:0:1::1484)  18.664 ms

On any network device:

C:\Users\Username>tracert youtube.com

Tracert to youtube.com [2a00:1450:400f:805::200e]
via max 30 hops

  1     5 ms     4 ms     4 ms  <redacted>.dip0.t-ipconnect.de [2003:c8:9f17:6400::1]
  2     *        *        *     Timeout
  3     *        *        *     Timeout

The first hop is my internet gateway itself, so the route seems not to apply to traffic from my network but router? It shouldn’t be like that, I guess. Doesn’t matter if I use Global Proxy or Based on the Target Domain or IP in my VPN policy.

admon · October 18, 2023, 8:35am

Sorry for the ping, but any idea, @hansome how to troubleshoot this further?

admon · October 19, 2023, 6:04pm

Issue continues to occur in 4.5.0r2

hansome · October 20, 2023, 8:03am

The issue is related to dual-stack network dailing VPN. I’m working on this.

admon · October 20, 2023, 8:14am

Thanks for the update!

hansome · October 23, 2023, 2:01am

I’ve fixed this issue for v4.5. That will be updated in later snapshot firmware.

It’s /etc/firewall.nat6 bug causing missing of masquerade rule of wgclient zone.
You can do a quick test by enabling wiregurad server which happens to avoid that bug.

Blobbie01 · October 24, 2023, 7:28am

Awesome, thank you so much😄

Hopefully this fix will be applied to all devices. Just pre-ordered the Flint 2❤️